berbew | 2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2

Analysis

max time kernel
31s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
Size

93KB
MD5

18a8f4b24baffffb3fe3f94467bad127
SHA1

b0c17ce214f1ee8c5844f797ad30f15a3d6cb0ac
SHA256

2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2
SHA512

45e6654e2d374958cdf277cbb4e8842b59b52d8eff4b2a793027aee0dd73ca7d947d58a9b374e10c124a0a510749754cc14fa9b33500417c49c369ee9302dd9b
SSDEEP

1536:b9NSgZTH63LcdpXiPf6KJkSmiBlWNM21DaYfMZRWuLsV+1h:bnj+LcdmPm4cNM2gYfc0DV+1h

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 48 IoCs

pid	Process
2792	Nofdklgl.exe
2584	Nadpgggp.exe
2760	Nilhhdga.exe
2580	Nhohda32.exe
3016	Oaiibg32.exe
332	Okanklik.exe
1492	Onpjghhn.exe
2200	Onbgmg32.exe
1040	Odlojanh.exe
2564	Oappcfmb.exe
1760	Ocalkn32.exe
3000	Pmjqcc32.exe
1948	Pgpeal32.exe
1820	Pgbafl32.exe
2308	Picnndmb.exe
2476	Pfgngh32.exe
1624	Piekcd32.exe
1360	Pckoam32.exe
3068	Pbnoliap.exe
1532	Pmccjbaf.exe
828	Poapfn32.exe
2364	Qijdocfj.exe
2656	Qkhpkoen.exe
3056	Qiladcdh.exe
1800	Qgoapp32.exe
2100	Acfaeq32.exe
1564	Akmjfn32.exe
2724	Achojp32.exe
2632	Afgkfl32.exe
2628	Afiglkle.exe
2640	Amcpie32.exe
2336	Abphal32.exe
1104	Afkdakjb.exe
764	Afnagk32.exe
2252	Bilmcf32.exe
1776	Bpfeppop.exe
1924	Bphbeplm.exe
1420	Bnkbam32.exe
848	Biafnecn.exe
1936	Bonoflae.exe
2960	Bbikgk32.exe
2952	Balkchpi.exe
2316	Behgcf32.exe
1788	Bfkpqn32.exe
624	Bmeimhdj.exe
1140	Cfnmfn32.exe
2008	Cilibi32.exe
2660	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
2792	Nofdklgl.exe
2792	Nofdklgl.exe
2584	Nadpgggp.exe
2584	Nadpgggp.exe
2760	Nilhhdga.exe
2760	Nilhhdga.exe
2580	Nhohda32.exe
2580	Nhohda32.exe
3016	Oaiibg32.exe
3016	Oaiibg32.exe
332	Okanklik.exe
332	Okanklik.exe
1492	Onpjghhn.exe
1492	Onpjghhn.exe
2200	Onbgmg32.exe
2200	Onbgmg32.exe
1040	Odlojanh.exe
1040	Odlojanh.exe
2564	Oappcfmb.exe
2564	Oappcfmb.exe
1760	Ocalkn32.exe
1760	Ocalkn32.exe
3000	Pmjqcc32.exe
3000	Pmjqcc32.exe
1948	Pgpeal32.exe
1948	Pgpeal32.exe
1820	Pgbafl32.exe
1820	Pgbafl32.exe
2308	Picnndmb.exe
2308	Picnndmb.exe
2476	Pfgngh32.exe
2476	Pfgngh32.exe
1624	Piekcd32.exe
1624	Piekcd32.exe
1360	Pckoam32.exe
1360	Pckoam32.exe
3068	Pbnoliap.exe
3068	Pbnoliap.exe
1532	Pmccjbaf.exe
1532	Pmccjbaf.exe
828	Poapfn32.exe
828	Poapfn32.exe
2364	Qijdocfj.exe
2364	Qijdocfj.exe
2656	Qkhpkoen.exe
2656	Qkhpkoen.exe
3056	Qiladcdh.exe
3056	Qiladcdh.exe
1800	Qgoapp32.exe
1800	Qgoapp32.exe
2100	Acfaeq32.exe
2100	Acfaeq32.exe
1564	Akmjfn32.exe
1564	Akmjfn32.exe
2724	Achojp32.exe
2724	Achojp32.exe
2632	Afgkfl32.exe
2632	Afgkfl32.exe
2628	Afiglkle.exe
2628	Afiglkle.exe
2640	Amcpie32.exe
2640	Amcpie32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cdepma32.dll	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	Pgpeal32.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Nadpgggp.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Mhdqqjhl.dll	Nhohda32.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Odlojanh.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Ibafdk32.dll	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Picnndmb.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Docdkd32.dll	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Onpjghhn.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Pmjqcc32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Daekko32.dll	Onbgmg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	2660	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhohda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgdenbm.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2792	2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe	30
PID 2312 wrote to memory of 2792	2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe	30
PID 2312 wrote to memory of 2792	2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe	30
PID 2312 wrote to memory of 2792	2312	2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe	30
PID 2792 wrote to memory of 2584	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2584	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2584	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2584	2792	Nofdklgl.exe	31
PID 2584 wrote to memory of 2760	2584	Nadpgggp.exe	32
PID 2584 wrote to memory of 2760	2584	Nadpgggp.exe	32
PID 2584 wrote to memory of 2760	2584	Nadpgggp.exe	32
PID 2584 wrote to memory of 2760	2584	Nadpgggp.exe	32
PID 2760 wrote to memory of 2580	2760	Nilhhdga.exe	33
PID 2760 wrote to memory of 2580	2760	Nilhhdga.exe	33
PID 2760 wrote to memory of 2580	2760	Nilhhdga.exe	33
PID 2760 wrote to memory of 2580	2760	Nilhhdga.exe	33
PID 2580 wrote to memory of 3016	2580	Nhohda32.exe	34
PID 2580 wrote to memory of 3016	2580	Nhohda32.exe	34
PID 2580 wrote to memory of 3016	2580	Nhohda32.exe	34
PID 2580 wrote to memory of 3016	2580	Nhohda32.exe	34
PID 3016 wrote to memory of 332	3016	Oaiibg32.exe	35
PID 3016 wrote to memory of 332	3016	Oaiibg32.exe	35
PID 3016 wrote to memory of 332	3016	Oaiibg32.exe	35
PID 3016 wrote to memory of 332	3016	Oaiibg32.exe	35
PID 332 wrote to memory of 1492	332	Okanklik.exe	36
PID 332 wrote to memory of 1492	332	Okanklik.exe	36
PID 332 wrote to memory of 1492	332	Okanklik.exe	36
PID 332 wrote to memory of 1492	332	Okanklik.exe	36
PID 1492 wrote to memory of 2200	1492	Onpjghhn.exe	37
PID 1492 wrote to memory of 2200	1492	Onpjghhn.exe	37
PID 1492 wrote to memory of 2200	1492	Onpjghhn.exe	37
PID 1492 wrote to memory of 2200	1492	Onpjghhn.exe	37
PID 2200 wrote to memory of 1040	2200	Onbgmg32.exe	38
PID 2200 wrote to memory of 1040	2200	Onbgmg32.exe	38
PID 2200 wrote to memory of 1040	2200	Onbgmg32.exe	38
PID 2200 wrote to memory of 1040	2200	Onbgmg32.exe	38
PID 1040 wrote to memory of 2564	1040	Odlojanh.exe	39
PID 1040 wrote to memory of 2564	1040	Odlojanh.exe	39
PID 1040 wrote to memory of 2564	1040	Odlojanh.exe	39
PID 1040 wrote to memory of 2564	1040	Odlojanh.exe	39
PID 2564 wrote to memory of 1760	2564	Oappcfmb.exe	40
PID 2564 wrote to memory of 1760	2564	Oappcfmb.exe	40
PID 2564 wrote to memory of 1760	2564	Oappcfmb.exe	40
PID 2564 wrote to memory of 1760	2564	Oappcfmb.exe	40
PID 1760 wrote to memory of 3000	1760	Ocalkn32.exe	41
PID 1760 wrote to memory of 3000	1760	Ocalkn32.exe	41
PID 1760 wrote to memory of 3000	1760	Ocalkn32.exe	41
PID 1760 wrote to memory of 3000	1760	Ocalkn32.exe	41
PID 3000 wrote to memory of 1948	3000	Pmjqcc32.exe	42
PID 3000 wrote to memory of 1948	3000	Pmjqcc32.exe	42
PID 3000 wrote to memory of 1948	3000	Pmjqcc32.exe	42
PID 3000 wrote to memory of 1948	3000	Pmjqcc32.exe	42
PID 1948 wrote to memory of 1820	1948	Pgpeal32.exe	43
PID 1948 wrote to memory of 1820	1948	Pgpeal32.exe	43
PID 1948 wrote to memory of 1820	1948	Pgpeal32.exe	43
PID 1948 wrote to memory of 1820	1948	Pgpeal32.exe	43
PID 1820 wrote to memory of 2308	1820	Pgbafl32.exe	44
PID 1820 wrote to memory of 2308	1820	Pgbafl32.exe	44
PID 1820 wrote to memory of 2308	1820	Pgbafl32.exe	44
PID 1820 wrote to memory of 2308	1820	Pgbafl32.exe	44
PID 2308 wrote to memory of 2476	2308	Picnndmb.exe	45
PID 2308 wrote to memory of 2476	2308	Picnndmb.exe	45
PID 2308 wrote to memory of 2476	2308	Picnndmb.exe	45
PID 2308 wrote to memory of 2476	2308	Picnndmb.exe	45

C:\Users\Admin\AppData\Local\Temp\2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe
"C:\Users\Admin\AppData\Local\Temp\2422cd0831637ca2091a5dca914b6d9ab2660b58f1ceaf4f3046ce8a872a53f2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Nofdklgl.exe
  C:\Windows\system32\Nofdklgl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Nadpgggp.exe
    C:\Windows\system32\Nadpgggp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Nilhhdga.exe
      C:\Windows\system32\Nilhhdga.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Nhohda32.exe
        
        C:\Windows\system32\Nhohda32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Okanklik.exe
        
        C:\Windows\system32\Okanklik.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
        50⤵
        Program crash
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abphal32.exe

Filesize
93KB

MD5
6866ea9fe2814ecb08e372f1101e9cbd

SHA1
13971fc40c604046360c3c83d6b2d57847b33507

SHA256
570f2de67bd5805a0f6d9ac2d326c79fb270188425cc38d670c2177bd36f5587

SHA512
24700e12acaef756cab2e8d4a6cf7c2c67d782f11242fb7d717859df21da750e2a3ac999937e1cbb9e6ca6b8f0129cf0139fb48cb56d8d27b1f4313f62682b76

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
93KB

MD5
1737c2db5d1d2a5a43d7a362810ca0b4

SHA1
167d748db73d66b95232530aecd957fb48d7c143

SHA256
f219923a445b85daa21ced1897cf52c46cb382dff5a43964bf574d4cc5a13875

SHA512
bda8a851070fda9ac6ddd941f13fe610689f4710f6b8936c88d0e0c0174057fdc2d34600040881fb3c70615bfe0e82efe784166d828c92dcd548ac1a182414a0

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
93KB

MD5
e967265c5d09ea2a3a160a29cb2ce325

SHA1
927e5990253c9b347f83b2f0b4074b4fc27103a7

SHA256
93be9cf2b56bbd2cb9499a62faa37480457243a7d1f4bd4eabaf6d77b5c5bf99

SHA512
56d5bfd6b06dfcdaa07305b0418c227d83661d1b3dac707e920232ecb3e9c71417c2d9d15de54032a1a91dd3b91b5da5a98febaee880c628d330936bdb03213f

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
93KB

MD5
2fa0d32a172232bdf7e2023421169351

SHA1
672824e608af635f92c5c6af392bd2c997f6a47f

SHA256
9b0a58cc85be8a6871c2421e19a43cfb66b3cec2b8b28220228840a4355cabb8

SHA512
3917dd081c967f66c9a520d5085e9f2eb7f417a0bda63186b575a4b7c2a4b07be1ef30eabd2737375bfc3ef8dacb00c6aa2d6d0e31ca810fa04e2dbbeb31c0ec

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
93KB

MD5
fbd5eb9014ec13fe1f8e50cbbb7278fd

SHA1
4629deed0706af52b6086b4de22382ecfceec907

SHA256
89b40b40d97dc25b7e22bb679f5543c403163a5d587977c5a9590d04d547c557

SHA512
89b02ec8f4aec18b294c4c2897d945d3c4b8e90287b12ed347407f480332c3a5a4dccc5742a14f1cc1f4682a92b3628e1267b0dc7c3f8a6a10bc7d0bff24e36c

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
93KB

MD5
e627840127c00f2008b940caf11e4834

SHA1
9921ef8f4a6c70659062e1e35e6a1791db004f42

SHA256
c2efa701ae007b66521a4ccc8e1bf7b77d0552bbf06569fe5c9d8df2d2ff4154

SHA512
c14b0f7cb78aa08ebe560ba6c4801e0947f72a815d01d0869bbf7c52cb117f4a89fc8fd326030281e4f17dfa254cbe3d7bead901b3c6cfcfc000c7d7e37700ce

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
93KB

MD5
6756122c25c071ec315e0103ab70a8f2

SHA1
7f9127ab1d5164561add09790b8ebb8fc6c02cdb

SHA256
34ac129fa06d447c96233e3495736e15771f45e5b13df7012cd30ff72d2e4b2d

SHA512
b6839d1d0af0fc950e3bfa540e868284e7bb57c817b32cb2e7731a6a126c49eafe1bf90c7ec0530587ffb2dc1c765f3cd0dd7dedd3234573d941dbbdc0e81422

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
93KB

MD5
73605a40eae677544744341cdca2bbcf

SHA1
592aa2e2bfcba7903976bb0bce54da2af1e63d0f

SHA256
7c371f318555df030ecc86c857f2487b3d3cf41692b218409f84a3107e486e4c

SHA512
fa05126c409ee78d68ace03778064e99b9db01c720e10e60b7b361e9c6dd713c37c8f2387d846aac608a0628200c6f28b4031f6e020019ee052c860742f964e9

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
93KB

MD5
7a4dc98866efd43a469d7ed39246c379

SHA1
8c2ff68656c478d6b2311ee7a9ceb7ac988ffb82

SHA256
fa31cc17a60ab245553cb7ecd7a3bd82cf229c4ad0d5e9554223a164fcf82073

SHA512
70a8be3a66de082a18507bd8eed0e6e108eca3e13918aa6769f0ea7b752f82c5441df386ef95e9484edf44d83d906e61bb47524f78bf00705838c0cce423a0f6

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
93KB

MD5
5e9f18ca14b3ec5c1bb82321820dea91

SHA1
9295f876313d010e76cf3cd83300efffcf321653

SHA256
f8c64415c2ef0c474457a90fdcad23db4e15f912a4b31f67eaeba14da8d52516

SHA512
dc9180c5bcf375d0c8176d5d88721b14dc234972593f6e291b91f8837460068454b0699deb318b03f666f3c00962eadfaed9fd17f1dc0c2203c2cabb9de9cd89

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
93KB

MD5
da0215663434faa2d5dbc36a86f54693

SHA1
023e02ce3861c697e30bb0f457880eca634db43f

SHA256
e9dd135ebbe0d42e40b426dd915723c54b2686c312fe2b10f8b371626bb1a917

SHA512
e761462631899bfd33beb1804d17d5d1c6e043d1edad423ea358aa420e41ad203e9c652e3f6c094d871f33c9ba32776a895cdb41002b63b568fc33da1a4797da

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
93KB

MD5
5a722a9a32d55855b90297ce931444ad

SHA1
14542ac543e20d67bb7bcdbb6ba11ab5fd4448d7

SHA256
7f375de7981c30c53cfd5f3550487ce4673736fa52d8b2278497aef210659050

SHA512
68912a0c6c9a05ef802a4960c899162ad237aab3a094002e8662d47245be2e49326531d6469fa1fe7def19f9b11b1b50fad0effaa1bf73e92f5c915a6c56f124

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
93KB

MD5
33444eaf276dd4067cd81d311406756e

SHA1
dbfcf534e974c2ed86e51667ef05f0e93a3f0567

SHA256
8c6244ee11efeb27a745d238a47f99229803001e1bbd97b046abee7e58a5962f

SHA512
6d6705dd78260d3f9d03c698f456c1e36a2607736224c17133d4714d9b5a71df24c65375c1891252f0ccf1e2e5bfadeb64d50d175d9e9c2c8001ca8b01486336

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
93KB

MD5
250359da43bea8d0de37b35ba48c7007

SHA1
e0fcef6f227003955827ae415e2edb13331cbda1

SHA256
8d78c9670770f26ecf0d19d93b2e98d7be5c8038f985d2e85e98f07d5922c9ab

SHA512
1866c5090ff963a5c4d379b22f0ea13d16817e5a91a4dc86daf43367b5f6a63cb1d1da3418edcc1afd0a918082c71be6136dfe8f6939722968804683a76d9716

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
93KB

MD5
efcd4eb67a8cc8231afd8eb9a2f14084

SHA1
abd018d254346494b7821fddee13572d73ef85bb

SHA256
ff612f495ea45fb56b7cd2043706c1a43230aaa5c075216531a1488990d2c682

SHA512
6683beb0ae5f64d690f82ac068f7cec824a2b78eff590d394eab1eda6aab8dc3ff17c6ab6b245c979b5bae556c515647e6b94bfbce3324e0f91544299bdb5183

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
93KB

MD5
5fe005eef7fc45930bc5af66ca2a719b

SHA1
9d0a7a585690018ae973502d3fea3c0bfcb92d69

SHA256
96751804cab3091c0e5a42c260b2d16d22fa175057c937d6df767708c9a874a8

SHA512
309e1f9f653a77825d75d41dc682977c7486363a928dd58560dce78292a28ffbe501c9369ea92a526a84389a002aeed50c416e6d44d8fd25dc901008f739be39

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
93KB

MD5
b4a1435e5a30092dd5219b3b03eae7c8

SHA1
77de441012641c35821390c7bf292115ef03a406

SHA256
c038b922f7794f98ddbae995cf8f3aa34ff34028e6401f3a14eb8fcb343eab0c

SHA512
516ded8cfbb8a92e8796882489b4ac2cf292132d3255b0399477b3e0f87e42c0d777d7770dc8271245eeee1c7d0d19f3553724a4b25189068b46a1fa09b47d9b

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
93KB

MD5
c7b29a0abf4e78fc94cbd477dea4db32

SHA1
3d74461f66f3926183ddc99a08c4f42441a28ad7

SHA256
63af2d8bf2fcbc10d033f2bd5ab3be4a12c7542ff9b11aed109c6fb9cbd9422e

SHA512
641bc799f95ce7160d3d049dd943b6a8e166d2c146c353944aba0ed948e8ba56bd79f7ec89ab955c3d955313221f80f5b697409fa3b970c84bfdf9ac25adda17

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
93KB

MD5
16212cc0d1f8840232e80d889f839d70

SHA1
e158aea26de761a9caccef52bf1a03d3d748320e

SHA256
4da41afd244b19d8babbbc27d3b92177f3570be6f37168e6611ddc3a07873004

SHA512
199103b8f3258535df71d3725cdd879f8becbd524e82564d9b4e41a014e9b9d2ab050b0af821da1628a4a6f716d02a1a1a880fa6769b539098de06d2a1751d9c

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
93KB

MD5
37bec1f09bed7e1ed35d2d829e17323d

SHA1
efd1a25e5e6da7b0f0de94d05c1a4370b066b7f5

SHA256
7651d5c3271f582fbd0817bc08a6ebeeccaf3dc10d89b086cc353c259e6ad817

SHA512
d109cbd3d378e3efbb5ea3929e27ed8992f6a487aea12cedd0cd359d17ffead797744302696ab0b0998cf61b515a640c9b52822ee5b56e66a1a562c6cd02c10f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
93KB

MD5
a89d8efb6c31f3ba43b4f8621a16b700

SHA1
c35abb73e1fd9bfb768164f849e9ae1651228f61

SHA256
e0766a306c7b463bf6cf805138c6a700189cd27072160262e3fbd1ce958f8d32

SHA512
b54c20ce89e782ba1e17f27bf58dcb943a0d1ed3eced3b23bf4071936a251d2339fb8d2c3278913b8524924f1d6370fb2936c8da6b973c33f5ee200e3e3ce99f

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
93KB

MD5
468e0c47b57871b764aa7eaa11935f0c

SHA1
fad6f1632e013d6f4dab9971e022272e90f48c7c

SHA256
011b012789e8c0ede5f66882b5d2c74da0e86eec64a3142f660a27d0b9f76a6e

SHA512
54b9fbe5af3ae5f532fea0687788dd4e6adeaf6fd5783587d3191c42765d0f3d681164cc9b7d9188997e750c8c8878f16768734678f2861f27443dabf7373a94

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
93KB

MD5
cbaf1e2268596a98f00d95e9ef972165

SHA1
549fc879312ced9dd52a8e5d2e6dac45db223576

SHA256
b3f62f4dd22562e79785ccb23481f544b4daa31381e42fcea265213e449013dd

SHA512
0c5145150f8c9dd47a46106dae0cbb934cdae543f34e8ef14567c074ff4aa12806be16bf4acc554dd4f6d6569091c536a652e0b6fb248551e2023252096b6b34

Download Submit
C:\Windows\SysWOW64\Nadpgggp.exe

Filesize
93KB

MD5
4dca51a28294ae3234835e0c5325ec9f

SHA1
fb0f8d0b32a9ff9e90bd3b62ff9a244c5e2d84b8

SHA256
7bc451e0d174f05111b37cbe3c0ad7df60b36711baf2a64747027ebf62d68a5e

SHA512
7c99cf1660a31fd44287cfdea30af9dfc3f68c2e90a787294f86deed3849b974a5714fa70656ff6b64bca758b3c56daa14e04d944ce1384da9342382ff684c2d

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
93KB

MD5
41cd011e085b483b20095b9b51982ae0

SHA1
9ca426d46cb7c2711d6c864c13831a84b9333497

SHA256
ea58210bd5cfcfcfeeb46352595365fa00737da9f57f81fee1a201e421b887bb

SHA512
a90f610a7c4c1c573861753a48e0062d658176db959a6be43263fd28bb4e920e7103b2e0c51fdea14b5d91f75bf4d62cffa8825714c4ce2473872d7a31eb6276

Download Submit
C:\Windows\SysWOW64\Nofdklgl.exe

Filesize
93KB

MD5
3567a551f6867c1924f0487ee5f03225

SHA1
a33c00b03eab0f46f4a6866143048fdb490b815f

SHA256
c3e54197153b57b2094e2f483a41e9aa759a158ce395f9d5de86a75aeb2a4f17

SHA512
6525d87e3c016290354362f952c54c4ed67e262bf959dca2c7e0873a7f42eba679af64f83ba270a380c8521f772c0aee88984b4f9e73c8d8bdf5efdd980f4bd5

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
93KB

MD5
f75d9446d0001e5dcfafcf77972d6dad

SHA1
999f3fb71ba17ec3d0a6c092c6935e19ecdba171

SHA256
2ef1e985a3f2af897bf2c6da0321e2f069af1e3a99edb6348b75ac82b410b68d

SHA512
e8765432f13d03413b4b25f088c2b956b1957296d7b390d33c0b23e9e1f8ae594400d88d39e1fc4a6f4d071dbe219820abc09f69d84fa41b744864e8dfd1f383

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
93KB

MD5
8b73bb6e2cc54d1a5964c5987f9e829a

SHA1
fae8ed2b3d3b3216b6b9960d1bd15cc01dabea7d

SHA256
1f14023ec19e8878d328eefd9fb6e85fe2029f4e1ff97989b49f1d5a4f09c004

SHA512
c8377bb11962283accebc4af0d19315118a8f3a786c322682d0099c1cbf05102b34a8f81ac9a09299b9d4d5e0a8d43ccaf137e943e6cc5ee06abd9fd9e09dd48

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
93KB

MD5
372d74329f78993a7368f33a0a3b66e8

SHA1
7b4a4b2db188b7587f64504527847d92b4a182ac

SHA256
7a226e8ac1262654883b7ec3840ba8eabf2a6a383bd71305323e8e8d84bb55fa

SHA512
bf343cb2e2c47a79bb7dce81349ccfe2fdaeac5c88f2dbb1872b96ad6fddd153730420a7e3bf1e2d7c3aee0d4da7d8676b36b25512784963eea436e93789f4ef

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
93KB

MD5
040f2106aa1a41f8dea20593eaab9ef0

SHA1
3ddcd0e52a9b8564424830b3923815009d6cce0a

SHA256
f8d06562fad8a05bc9357bd5c49065dd3cfb0c4fd0a6ebd806cb047feb267103

SHA512
07b3ffbe9eb154448a284113d35eefd6b86447f04aadd62a26e6426645cb7625778445bc4b3fa957c155a3b28e59b878941e120978f778a519fddc09435e8fb7

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
93KB

MD5
6072b021e8a3676060511d4be38f60f4

SHA1
eb4a411dc1459fefa3a8b3b94cb5ccb1bfa26337

SHA256
df78e825e97e57c34ff274e6a095e0e2dd4237e07d47fb234c37046079a52ee6

SHA512
8f8d1cd12256f15fc6506dc9af1a7958e1fd7a58f208b31cfa668425974a2ddea74f8f194018e3f1e29dcf6910782273f7568f82737c8b957274f4d9fae7097e

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
93KB

MD5
80f0514346124ec3ee2e76c044673236

SHA1
9a23bb46700454f66ded3eb7dd16aa22ba234034

SHA256
2f17667f17922ad125d7135b1f8f973cef5519d62cb95cdd6196883ef73e5b41

SHA512
5468669311995ed75821ea8fed1846ac48e81a7ff016d68456122e712132cd074a32e0a33a3ca403e3eab66a859f0211b080bdbbc81820377cc52f1b06f97573

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
93KB

MD5
f05e28e2a1427b97efe40012b10754c1

SHA1
53ffcc271d15888d895bda1acbee3662f5089413

SHA256
f829fde2169eec58cdb5a5c8ad8c285e70e58ee85b9ef59643acc166a7d39b77

SHA512
8d394104dda556af3d4ed045942cb98cd74bd648299259b1b500874a40f913c96a26e610af08b0c25d37a18102beab4681c9423b348b8b5529ea9fc73f084915

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
93KB

MD5
814c9504f8e77462a1a9a9a9003b3a34

SHA1
0f2662987b21243e4eee92862be9a3a9247cd434

SHA256
0ad3f59c2d7b2733d2cc786b9f706502c63197bb048a37d8c829628f23457ba9

SHA512
b97b4107f4f15d68055066ff7ce881fc4361a3642be92b59dbe8d2c6e038fdcf562bbb425dea9bba542beae622ce198de84504d6c567b38840181bc30b622178

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
93KB

MD5
b4d618a018e45365b7fe1f5eb39d2a35

SHA1
f2966a73f24c3b2d1b96f27964043b6ae67f7864

SHA256
9b00fb573a05f0da76671cfedc5f818977dbb29bda97634f9074b57464812d41

SHA512
9f58548eb247477bdcee7c6e7244ee173ccd490cb865d8a1332ba3c670754b09dce59fdab80e7685f1416c476282f17f26a69adf6368fba8e4fb1b1e72f64eb1

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
93KB

MD5
4bdfabaccb4254e841fb6eaf2a524d96

SHA1
3081b2098afc18d8992e5a9305a73ffbcaaa44b4

SHA256
8b38e90148f6b69f2aab9a427896251d8a8bfa8a9ef5a5c6b6e21e76ca0b8f23

SHA512
d398e563c76de12f76abe496be062b4f75d90b66b5e0d067fbd02b2d10ae5dc84615055d9347c9722c83203101aaeb1fb029e7e86ef74d7ad96a16c6931841cf

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
93KB

MD5
174c52a844fe3b8577b24f0f32c9e62b

SHA1
24a4c0bb96d5f6cb969d4333e87684047eae8766

SHA256
75e6b514bb8b89fbdcacc2b91ad972c5a53eb99a41553fe37cce7f8bea2bc8a8

SHA512
f1da022b67947995fa83ad1ddb4a78452b03c8a61e95d8ed3d2c2beb297c7a24188a5eb8aae5602314df56301ae9b210e67755a445e2f688052f3f131aa2e7fd

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
93KB

MD5
472db63319fa022a7e57fdc724136984

SHA1
96c452513ee6fb95776e0b9651f585be17e2619e

SHA256
b36683b954af8c6858887e25c907f07bc09da66de9dceace51c92738134b730a

SHA512
8cb3e30d9002e54657abdb958925574db686f02cf0bb708be01044ec32a52469b40cb72387bb16862e2318bb10b0da2ff9520178116fb831131577e58b83fd97

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
93KB

MD5
c7b76b3469625ac965add3fd782dfc74

SHA1
520a8d9ddbb2aaa843180b4b0f8c14fc66ac8542

SHA256
d5605946a8cfa25aae095f531b7f0371aa4a56e870654954dc50926eea0e4078

SHA512
3600102f51b66b2727861af151f8f023d116c5b709a905bc2b1021e528f118af31a058c095d8bee29b6a3c4394f2de3dd84d08f0386817804f334ae670bab508

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
93KB

MD5
cf18d6c88daf8352a2e2405045c8e4f9

SHA1
7c3b9ecebcd8c80462fb8d0b93279e574edbffca

SHA256
4749c15a869afc1792f06a15c9973f73dc9ad329a98122ff68b4520a79888d14

SHA512
d71c6e64cf60b9bc1325b8d843f42e19bd73980fc6373de6b2b18e89b091eac0243f67ad12cc5fb9467340fc4c06f192d18f6d9bd1bcf994c00f1f573704661c

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
93KB

MD5
a5a2a51f51bf89f8711ae4d1d1f081e5

SHA1
0aed4385f12518d89964eaf21759d85d2b8f25a0

SHA256
9e91da00114c36c0635885c70ae415e9011d05afdbd776f583a97c7287f075de

SHA512
151a916a9833a160485a45e398f85d69fdef84599f3bbf442db42e08ed21c459391ca5c1b6ceaa9ca36d2184ffbfb90e5e5e3d4361e901de7b1fbfbd71334a68

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
93KB

MD5
17480d0ffbe4855eb547946bb0e8000d

SHA1
604d137a6e1066a2a28d31cb1e114a0182aabdc9

SHA256
cc9590df4d694c641e06f689f8aa8d4fa3d2fa0aec68036c709a441cfb6ae41e

SHA512
d872902b5fde4d55a468dad9ac49d430270fdd0ff8aa6790cdb490a57de07b66be26997802294d5786919d2a11292c2c19a294dadb76541ce0066512f8ff83ed

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
93KB

MD5
2d013e3b31bb0fac942c5305a7535390

SHA1
d0673bc006f6b46395da73945624654309dd1de9

SHA256
240b0571395b0892db9428545739d890b7023a3b8ec44e470036479077562b63

SHA512
9be1a597f7fcdc3ee4817e2fa619937b0e7a1b8a628577342d5a10234b674ff0bfbcd31ba549715b266a331a5e29effc58882595a828612fb10f64d64f69f916

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
93KB

MD5
b87446689680240e62c05f85a6af30f2

SHA1
25b5bc25062be072b733fd3bbf555277e7cab4f6

SHA256
844d53b2249f37dbbbfde388a57afaab3bb7cf9929f781626e3f59fcfe7af3b5

SHA512
e84f8fad4684df08d899d2fdbbf8040cdf98d1e0c3427fd382df0ff34df88453d30ce07a7b008e3c60e4e27b94ef81e3706524997a0684f26ed39ade95d12395

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
93KB

MD5
8730735b18557319a4ebcef6d3eaf10c

SHA1
6443793faeda847fbdc5577ce0c4bc162dd149ab

SHA256
6d54becccfaf61c4cf0e0be4572a28d42f59dd13c35a416f3217e7995845ae94

SHA512
03eac7b174e1f072ec6109936ae766cb9def5c5f483f22a305f846b5adc1cb6bd87c60a8bf96ea98d28f6f3af22920caa6aec258f732e1517837461f679f4aba

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
93KB

MD5
ac7851df5c7b35ecc9096c84f6d24fd4

SHA1
9ec93f2f483c9b804e88ff303e5b387be98adb1e

SHA256
fe29f640e4aaeb7473ed759a4b7c3fc424fd49c8a151533494b29c5eadf8aabf

SHA512
6bfb7508db73aa6295381f8ed27291113606819efb3159def99b609954cfef26f4466c8471f891e63f5e2510536fa3ba84468be61e3981e0f1dac24f3a900110

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
93KB

MD5
24568ee4e9173bf56a474c71d2cf04d9

SHA1
18e081a8a901d5b70cda65792e20ace69ab5d244

SHA256
7bc4609583fe67e5cd21504b7029a2cbc1a6677b1ca79f783186203d38340ddc

SHA512
8e8a34eb6c1f71153d0ee49c6250b396d770ea72914969a01402ef9319234733ecbe05ea0dc056da4fd79a13e69d06e8764157693aef40e5fce024c27fb720a1

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
93KB

MD5
aa7f582240b7f8be964fbf74d932b954

SHA1
e59ad4c1eca00bb5270e8b8ee7cb57129e924ac7

SHA256
1216191e072045b1a806a28d71993db61964c45a772961c66fb5505cf16cdd0a

SHA512
cddcd7ce6b4ae629b46754e709d9cfbea1a45508e05ff3e0353c8c9ce95ca39ac54811ef1fab25709d355d58237ba33a3c77f982ae2de745166427f9753f8af0

Download Submit
memory/332-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-129-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1040-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-398-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1360-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-452-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1492-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1564-335-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1624-232-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1760-155-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1760-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-498-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1760-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-519-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1800-312-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1800-311-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1800-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-438-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1924-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-478-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1936-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-479-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1948-181-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2100-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-319-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2100-323-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2200-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-420-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2252-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-208-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-24-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-25-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-378-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-509-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2316-507-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2336-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-220-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2564-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-410-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2580-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-68-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2580-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-366-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2628-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-365-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2632-354-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2632-355-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2632-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-373-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2640-377-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2656-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2656-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-344-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2760-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2792-32-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2792-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-496-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2952-495-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2952-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-484-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/3000-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-168-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3016-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-301-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3056-300-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3056-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-257-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3068-255-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3068-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads