berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
121s
max time network
183s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/04f43cc6be15c60aeb943bbe5bd3973a.exe
Size

128KB
MD5

04f43cc6be15c60aeb943bbe5bd3973a
SHA1

dc32a52d972f79f7d438d1053d005ef90318d321
SHA256

7a4a52dc6ebfe359b1ec3953ca0e5590516d14805d70fe0819deed2f031eddd4
SHA512

f3f8f4ba4f8c519b15f22b4473b420343b3606231eb2cf216b3526497fb0632e09489ff42268f28687c4e838f9c8f0b74613d4791cc75b89b66df58a9fb0e18d
SSDEEP

3072:jaM1nl1DuJDJ9IDlRxyhTbhgu+tAcrbFAJc+i:jJh2DsDshsrtMk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	3336	Process not Found

Executes dropped EXE 34 IoCs

pid	Process
4432	Mpapnfhg.exe
2464	Mfnhfm32.exe
3564	Mpclce32.exe
5064	Mcaipa32.exe
2852	Mfpell32.exe
2056	Mohidbkl.exe
1636	Mcdeeq32.exe
4376	Mfbaalbi.exe
2748	Mlljnf32.exe
2412	Mokfja32.exe
2304	Mhckcgpj.exe
4876	Momcpa32.exe
1832	Nqmojd32.exe
640	Nckkfp32.exe
3360	Ncmhko32.exe
3248	Nijqcf32.exe
1332	Ncpeaoih.exe
4676	Njjmni32.exe
4564	Nofefp32.exe
1492	Ooibkpmi.exe
968	Objkmkjj.exe
324	Ocihgnam.exe
3364	Oqmhqapg.exe
4252	Ojemig32.exe
3052	Ojhiogdd.exe
272	Pbcncibp.exe
4720	Pbekii32.exe
4328	Pmkofa32.exe
2180	Pbhgoh32.exe
4320	Pmmlla32.exe
5032	Pbjddh32.exe
3708	Pmphaaln.exe
3400	Pblajhje.exe
3820	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbcncibp.exe	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Mpclce32.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mcaipa32.exe
File created	C:\Windows\SysWOW64\Jfpqiega.dll	Mcdeeq32.exe
File opened for modification	C:\Windows\SysWOW64\Momcpa32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Momcpa32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Nofefp32.exe	Njjmni32.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Ojqhdcii.dll	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmojd32.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Fdflknog.dll	04f43cc6be15c60aeb943bbe5bd3973a.exe
File opened for modification	C:\Windows\SysWOW64\Mohidbkl.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Pbcncibp.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Egcpgp32.dll	Mokfja32.exe
File created	C:\Windows\SysWOW64\Ajhapb32.dll	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Oqmhqapg.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Mcaipa32.exe	Mpclce32.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Objkmkjj.exe	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Hcoejf32.dll	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Mohidbkl.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Nijqcf32.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Nlhego32.dll	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Bhcmal32.dll	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mokfja32.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mokfja32.exe
File created	C:\Windows\SysWOW64\Fpnkah32.dll	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Objkmkjj.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mpclce32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Anlkecaj.dll	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Pmkofa32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nijqcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3716	3820	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokfja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbcncibp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohidbkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcaipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjmni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckkfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooibkpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04f43cc6be15c60aeb943bbe5bd3973a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3108	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agolng32.dll"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjmni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04f43cc6be15c60aeb943bbe5bd3973a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Mcaipa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4432	4560	04f43cc6be15c60aeb943bbe5bd3973a.exe	84
PID 4560 wrote to memory of 4432	4560	04f43cc6be15c60aeb943bbe5bd3973a.exe	84
PID 4560 wrote to memory of 4432	4560	04f43cc6be15c60aeb943bbe5bd3973a.exe	84
PID 4432 wrote to memory of 2464	4432	Mpapnfhg.exe	85
PID 4432 wrote to memory of 2464	4432	Mpapnfhg.exe	85
PID 4432 wrote to memory of 2464	4432	Mpapnfhg.exe	85
PID 2464 wrote to memory of 3564	2464	Mfnhfm32.exe	86
PID 2464 wrote to memory of 3564	2464	Mfnhfm32.exe	86
PID 2464 wrote to memory of 3564	2464	Mfnhfm32.exe	86
PID 3564 wrote to memory of 5064	3564	Mpclce32.exe	87
PID 3564 wrote to memory of 5064	3564	Mpclce32.exe	87
PID 3564 wrote to memory of 5064	3564	Mpclce32.exe	87
PID 5064 wrote to memory of 2852	5064	Mcaipa32.exe	88
PID 5064 wrote to memory of 2852	5064	Mcaipa32.exe	88
PID 5064 wrote to memory of 2852	5064	Mcaipa32.exe	88
PID 2852 wrote to memory of 2056	2852	Mfpell32.exe	89
PID 2852 wrote to memory of 2056	2852	Mfpell32.exe	89
PID 2852 wrote to memory of 2056	2852	Mfpell32.exe	89
PID 2056 wrote to memory of 1636	2056	Mohidbkl.exe	90
PID 2056 wrote to memory of 1636	2056	Mohidbkl.exe	90
PID 2056 wrote to memory of 1636	2056	Mohidbkl.exe	90
PID 1636 wrote to memory of 4376	1636	Mcdeeq32.exe	91
PID 1636 wrote to memory of 4376	1636	Mcdeeq32.exe	91
PID 1636 wrote to memory of 4376	1636	Mcdeeq32.exe	91
PID 4376 wrote to memory of 2748	4376	Mfbaalbi.exe	92
PID 4376 wrote to memory of 2748	4376	Mfbaalbi.exe	92
PID 4376 wrote to memory of 2748	4376	Mfbaalbi.exe	92
PID 2748 wrote to memory of 2412	2748	Mlljnf32.exe	93
PID 2748 wrote to memory of 2412	2748	Mlljnf32.exe	93
PID 2748 wrote to memory of 2412	2748	Mlljnf32.exe	93
PID 2412 wrote to memory of 2304	2412	Mokfja32.exe	94
PID 2412 wrote to memory of 2304	2412	Mokfja32.exe	94
PID 2412 wrote to memory of 2304	2412	Mokfja32.exe	94
PID 2304 wrote to memory of 4876	2304	Mhckcgpj.exe	95
PID 2304 wrote to memory of 4876	2304	Mhckcgpj.exe	95
PID 2304 wrote to memory of 4876	2304	Mhckcgpj.exe	95
PID 4876 wrote to memory of 1832	4876	Momcpa32.exe	96
PID 4876 wrote to memory of 1832	4876	Momcpa32.exe	96
PID 4876 wrote to memory of 1832	4876	Momcpa32.exe	96
PID 1832 wrote to memory of 640	1832	Nqmojd32.exe	97
PID 1832 wrote to memory of 640	1832	Nqmojd32.exe	97
PID 1832 wrote to memory of 640	1832	Nqmojd32.exe	97
PID 640 wrote to memory of 3360	640	Nckkfp32.exe	98
PID 640 wrote to memory of 3360	640	Nckkfp32.exe	98
PID 640 wrote to memory of 3360	640	Nckkfp32.exe	98
PID 3360 wrote to memory of 3248	3360	Ncmhko32.exe	99
PID 3360 wrote to memory of 3248	3360	Ncmhko32.exe	99
PID 3360 wrote to memory of 3248	3360	Ncmhko32.exe	99
PID 3248 wrote to memory of 1332	3248	Nijqcf32.exe	100
PID 3248 wrote to memory of 1332	3248	Nijqcf32.exe	100
PID 3248 wrote to memory of 1332	3248	Nijqcf32.exe	100
PID 1332 wrote to memory of 4676	1332	Ncpeaoih.exe	101
PID 1332 wrote to memory of 4676	1332	Ncpeaoih.exe	101
PID 1332 wrote to memory of 4676	1332	Ncpeaoih.exe	101
PID 4676 wrote to memory of 4564	4676	Njjmni32.exe	102
PID 4676 wrote to memory of 4564	4676	Njjmni32.exe	102
PID 4676 wrote to memory of 4564	4676	Njjmni32.exe	102
PID 4564 wrote to memory of 1492	4564	Nofefp32.exe	103
PID 4564 wrote to memory of 1492	4564	Nofefp32.exe	103
PID 4564 wrote to memory of 1492	4564	Nofefp32.exe	103
PID 1492 wrote to memory of 968	1492	Ooibkpmi.exe	104
PID 1492 wrote to memory of 968	1492	Ooibkpmi.exe	104
PID 1492 wrote to memory of 968	1492	Ooibkpmi.exe	104
PID 968 wrote to memory of 324	968	Objkmkjj.exe	105

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04f43cc6be15c60aeb943bbe5bd3973a.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04f43cc6be15c60aeb943bbe5bd3973a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\Mpapnfhg.exe
  C:\Windows\system32\Mpapnfhg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\Mfnhfm32.exe
    C:\Windows\system32\Mfnhfm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\Mpclce32.exe
      C:\Windows\system32\Mpclce32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 240
        36⤵
        Program crash
        
        PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3820 -ip 3820
1⤵
PID:1928

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTNERkY4MUYtMEU1Qy00NzI5LUI3MjMtM0M2OEFCODY5MzVBfSIgdXNlcmlkPSJ7OEJFQTE0RjQtM0NDMy00OUJDLUJEMEUtNTQzOTE3NUQxNUFCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUQzREQyRUItQUNERS00NkNBLTlEMUUtNkE1NjY5NDIyNTkyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NjE1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTE4NzcwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU0NjcxODcxMCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
128KB

MD5
d618254979f463c95606542cd8813148

SHA1
0440c5ddaa3c1571b0915ab31557d34252fa4792

SHA256
243dbebc019d58be66aa5fcc4a07e8a049c02d1533797574815df2533ad732f0

SHA512
555ce12e2d9e5f20c2db54a20bcb3f930952b2490bc6eba5371baf0147e9f39e9038a7aa60f492c5688e672934c365a4a5a3a8bd7372763542e0ca643b3732d0

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
128KB

MD5
d5118ea40962c8962936b97aafa2f495

SHA1
8a14bbcede02ded03c4d263bd53ab51946d5c99f

SHA256
0295620c6ae8aa20cbb3f5f695b4440b633adad870febdb89941bb32dc2bb780

SHA512
15865e4dd5e16725f34c95e3ef685d43fec38bd19d9d6b11864c561ce15919f9454b17349922708ee1aab09b790cbb5612dd22aaa1e031e9285ebff07b36a63f

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
128KB

MD5
a7e90ef1f4a8a295d68e634eff885deb

SHA1
e4b290e1da89db8c5ace1ae47e6300c06803c91e

SHA256
8fd17ad00aa4204d46d1f43a482db7d9e47c20dae246ba22f0f5460f948ed1a6

SHA512
7e98e6ad6bd9bb1abef77b64ddc5de6dc759d29d7666e37ef120f40e5fd55646883949bb12f5a7b44520c21d2f033d9778b80cd20481afa4afbd60b41250b2f0

Download Submit
C:\Windows\SysWOW64\Mfnhfm32.exe

Filesize
128KB

MD5
f4926904f0f736571d525a7283aec15d

SHA1
c06499fab7d16e3c0361aae5304ab27561114146

SHA256
16402164260d80ea7390a28dd1cd881e7ecf0acdd4f4fce8c361ffbb4c3def61

SHA512
53d14de8910a82b2bba4ae48e1b756e4b1ad585e58df71de9e7fbea3742d07369306cdb213a862b935440454f70b6d8ac0bc4437872fafaf2df0153e8131c757

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
128KB

MD5
3d783e353a8dfa58cf169ceb1c99a5b7

SHA1
716b69c5cd6b8deca1d9d033f049fa41d9e5e02a

SHA256
6094dea541a94a607784899fc6ce66ebe4b6337aef72ff927941ab1a44b0fc8c

SHA512
f7f0e23d5e407f7cc52b3dbe4fa7049f2feaa9babd000d5b7cd230602708b1d1bb0e625b85b59d628e575900ff00bef41cfcabc72c10c6911a743881a7771391

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
128KB

MD5
1950a78591ab7f559caf4ab3205b4586

SHA1
d9a347bfc187ad2e3f73695146999314b8f9d0f4

SHA256
6e32c63355bea5838ff68c5716618552d8365cb593b5364f86a1b15832c8d213

SHA512
3e4d781dc2ea524e6d62f8a6bcf719ec86a34fd64e6f8bd9d9bfe71cfbdc3e645c705df4b167d622c08f3fca058bcc6fa9e32c72285b02d86ee4a3eecc03a71b

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
128KB

MD5
02f53ec57cd0dd4e094a953f3905b3af

SHA1
9c720cab8ba018a1310cbb7607501f68f4ffb3ce

SHA256
e1c4a5c05faf5c844ed63260ab2497f1688c88d750fc4eca00fbb5c8caa8234c

SHA512
8f2610fb845c4dc2bd2c7fcbe97ae7271f5b48e232b4ac16a485b217c1c4a24a08ef5917c6225f8c6bddf5ff96e1179456caf0dc08c40e11c610c57d764fcaaf

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
128KB

MD5
ce55fc92f0ea1189b2db5e4b6364f1bc

SHA1
bccb770e0bfc3e5b56075626548caf3550cec931

SHA256
e643ff21d2a975d27062c41ed1a51d119bdb9cd5dc552e13cecb5fd1bd672c79

SHA512
b526e4090564b1ff8f8027faed5891fe05417b57ee4becc13711c978a2197786ebc0e3729a5f49671d5ad0ac7a8e83a853aa5cc6e9c3aeef371d3e6bbc575bb1

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
128KB

MD5
a652719d4f236e277406db61be4501af

SHA1
1de26f1467f3f7da7e2e39827ddcc8ee3eebbbd2

SHA256
ee19c1eefe899e6c067c53f7e184654f5593ce79a6a6dca00dea57bdcc601cc6

SHA512
004b9687ed505a18dae1517dac54194b7efb2541a35cc9878c3b642d3a71ff64e7db770b53557c888e50cec03bff7964ca506fe7f45c274899c433d3622f699b

Download Submit
C:\Windows\SysWOW64\Momcpa32.exe

Filesize
128KB

MD5
be8bb55be35d86fe4eabb1af28f999e0

SHA1
dd92c5da7ccd5534a64dcfc9c4880707eb3773fe

SHA256
410767630dca1de02f52941797301fd889b3df2bf7a2846f28888e26c7f525f8

SHA512
7b02dcf34d754149bdcb710d9c95aa4d137a46377aa41e3f1a249437483665c2af3884953b51fe33a7a48cbf944cfe8414c5e5876fef0e3b6db79a5f59e853fc

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
128KB

MD5
c86d298340527e9e83e587f0ad5281bd

SHA1
510f1b108b2594283ea1cfc8a6f737e392e97422

SHA256
8b139df4cb87847675fd216c4caf083eae2ffe8de54a753b54fb1f5e8b8a7a8d

SHA512
483874df45b238d4581ebd04b83024998378d17bafaca971b8755bb007d086e99e901d21a4a329501a6b792d48f41cfd7bdf677121cc654c4ff39185e19cf63f

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
128KB

MD5
fa0c532a7e15b336e72248b8e94f936f

SHA1
59d675213864d056403aeb384ff1ba7cae4bb3f8

SHA256
09ebe583a74261ed1c07033a2de7e5d68dfa2b91d6548862365b6609a650467c

SHA512
c0721a36bc6dfd1ff7c5ebfc70e9a34921ac13054e191ed39070c2ce1b09fcd4a7228ceee74f0f7ccba35e921707023cbb49a9c3698fac8c940fb7494c4ef3f8

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
128KB

MD5
27caeebbfcc66ec19e187970a74fc4c9

SHA1
4d4bfb8099b1c81cdbc6edc81a1071acba1ea31f

SHA256
66bb1567d00cb87ad819750c0fbcfa0282f634f6b80df39f4116f27c88e949b3

SHA512
b1744560c2a9c315f6facfd3128ce605e836813ee3205dd4056062e7737028745f9a649366e608795aa1907665fa30c176c5b94ac117cd7ab43cd303b82e3873

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
128KB

MD5
d9e8e876fa982a55b453401dde813a96

SHA1
592ee96e072e8e8fb6c4c65efa33c907efbf9111

SHA256
b4992d9c8975628259d0bb4db2ac5ec9088d24bf5b8c1b8edcb2ee2a0689f2f5

SHA512
c992c6109348eb4de521820e9d7b92fb023e58984de3563dfd598d21dd4c8020d4a18bbb8e69343106db5ac4eda400d000c593d66bfe87740f061e0337e99994

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
128KB

MD5
ded11f958cf358f4b58ab4672cbc455c

SHA1
8187699723d9dbda8082c2b7a7947e265c19a0d7

SHA256
9d3ab6e8b90b0bc65f20dca657a06e6887b5c7edc8ff7b888d281f21664a9885

SHA512
dcb7a7b142355cf0263e34739281d9bc009df52efb2d11852e5435ff53de7e429fccdb94a7cab9fbed6aa7fba78a4b7b4d92601b3fa338dce782f1d3f464868f

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
128KB

MD5
856b6ad9c3dad3800e909163801a696c

SHA1
c9a7b660a4a4bc8812a79d49a99f608e63810655

SHA256
962bc6b3dc4268cee0819c213012bc3b8cf15efc265efeec0bae160b3fcdd7fe

SHA512
7ee18ee79e4d11618917c872c334411843aa984a937d802cce928b027dda442acbe0d8699c328b517ea909c928cff4958d6d599584a0ab488552dae45621fefa

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
128KB

MD5
9d6033b3d244aa8f877ea5ef4b4c79a0

SHA1
3bf52d7b1cb371c2fbcb3b0c546c2c37cc52fbb8

SHA256
c007ab1edbc7e1270bb75cfbe8e27084a8bf5ea34b53d5c413f47eb076b8ed81

SHA512
d33a7b9dacf095cfc2a75a2794c6616a805ac3cfa4819d6fbc7c5cb09085fb1ef24bda990c79acc341eece59a24463941d2b49e3ad354c7e0b28308d2cde6a35

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
128KB

MD5
640fa64e0673f1f7c05a9334fad59e9d

SHA1
ac092a37b8c566d2a0bef82e7fb052980cb88833

SHA256
e0ce88935f0e6b8e3c96a4e15252e098ec1ddbe70226f653d90ffe75e7f9d076

SHA512
7c83e301f3c5fa0119440ec1ea24a26e9fbe5867e00594693bfb3b3efe66c1f543a06ca3737ae8df37f25b70eb7594773ab59606bf49f0436bb9689bdfd08be9

Download Submit
C:\Windows\SysWOW64\Nqmojd32.exe

Filesize
128KB

MD5
1268867d55a4eeb281e980ff7fe797bf

SHA1
8c50263d334f2602d9316a7538119b04268fa606

SHA256
d6c9c6ffe084d6d39db3ab944722f23385e791b8f2dfbd3582d3a327169cc0c1

SHA512
41c072aefa307aa3feb82ee4ba21d010b2dc651a8c9be8b612248e9edbcc0ba758cf9b6300ceacc65b54881e0f98db0572f2671d6a1bc1a43dc304a20a64eeaa

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
128KB

MD5
f3bd9de531dd71fd0403e2f0a339ebc8

SHA1
6a3834eef47980dd5aac67bc0ce38e788dbc3292

SHA256
9df9a9b6477e3b2d0db7ebf161039cb71b1806e4a0368f60fbb470963ea7624c

SHA512
bbf1cd60a1dac2141153539adf56c46f32e407213dc6c84f6e88e27857bee89f283edb2df9ad03b9124a8d3e73556ca043ac84d36b7f2ce11b1dbe4008bea567

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
128KB

MD5
aaad859ea9f7691dd4669f25e71fe540

SHA1
bb1264f3473e7d207b606146d47562b7bdecce47

SHA256
389234320b6c6dc200dc5840766a2eb8ba013634c03b2c29b5691b8595f09f39

SHA512
42ef7791a82bd069115780c5b6b4315133d6b644c2329d4139be3e0c81e2df45b8fc38ac38ee069eb785686550c0c4ee5d9d7a3117c37c754d2d1879561b936e

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
128KB

MD5
323c094634a62ffb1dac43b6b32869a4

SHA1
0293c79737e22da6efc5044c513ce09ff59cf4fb

SHA256
51fdbd2618d76776f0c968edf4432de1113fd25eee1ddcc7a92fe5b0f19189e3

SHA512
f3c1b00bfc1ae316f56e92ee5a1d16b3867a1e95688a6d117e04cf9f3ac1a9f970fa80225107c51f77860aaead921da17a7ff0461d8824fa2759586af605d81d

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
128KB

MD5
24cf07229328dedc1fa4e68d9b5fcf9f

SHA1
1c6b3f5e36ad22f73511843762c06f786c1d6c94

SHA256
3a4d6d8f54656c8de41f45265b18628b46aefe13f43711700f6a340869204fc1

SHA512
3c4ec2c945171557cd86d602b95650f8ce6bdd798a755a60d3022eeaf05f82aa9f7c725719570530cf8a3ce84e05bdd487ae42ae14a89f569feb45579a0c4686

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
128KB

MD5
5cafa4ec1dc438d40d2f8491b4718d75

SHA1
e4a90046bd564b1c8ae63ec356d27e71325a73fa

SHA256
e6a62dff3e19d788c1eb8080cfb38ace412cbfb47652fbe07452858dacb45e81

SHA512
33d3d0a38270d5c2eb4f4c136f7a4dfd8e5d0a26fd4ef4165878dbb49c38dad8195554ece14564ec0ef59a72e0dc3c7605ce6ad5ede7d49a0a3a33b103e03870

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
128KB

MD5
51820f169c96b251acea7b99873a8adb

SHA1
edd8d90095875b80da4cf463dcd6806d3ee0d862

SHA256
2af656cb58c44b99745c107ba4f7c9284f8061f0733ef8a3aada450c8a073f55

SHA512
b3b63b0eaddf333da6f66916756288c5337028f404ba8532c2628ef278c824df851302175fb391ae762c5051f598c7034a804149df7d98fca0679fb480cffa07

Download Submit
C:\Windows\SysWOW64\Pbcncibp.exe

Filesize
128KB

MD5
18d4b2ce2dc606b56e2dfdc14d0729f1

SHA1
e8b5163475bfaf43edc70b3b13464174c14f7ddb

SHA256
6d9bc641dc6818c40c067d07afa5a59bf400cf0df2d9cc09c09de3ad0009d481

SHA512
fcae8b75cc48a68b4cab026bb841d50d7201c17c27026000d4ec29745d21dff345b912ab5d152b9ad1a6f5964a16f57c33b12b3c35efa7a08d7df18933d2ab86

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
128KB

MD5
b23b045b9927962b9aad140f9b07574a

SHA1
b4fb3064d9b6eaed9a2044c414f2078304d39ef5

SHA256
b9a2681fa5504b94b87159b122aa897f652e56828821262f1d20ebe20153b2ee

SHA512
89a2227789905cea59c872d38c68b807f7c35216db2235e3eefb6ba26b0650b67cd36fe0e721ac4645ee5501ab382c347ff8cedbac574022250232f1a35ae106

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
128KB

MD5
edfc94282d671f04bb6ec9a16b9f2246

SHA1
0dee0c4bde95978c866abdc922ccf03d6d260732

SHA256
afa0a25f611aae5668a600d7dff9ed5f48f8ff8f44bf6499229fe29e3105963a

SHA512
2ea3244a4df6cd0d75afacd39c7fd04d5cf944958197e13a074e26d8f39bf8cc6bb39af33bcaa9a3524996ee8535c0080e4e2e1a771b3c69e9205b454e5ad1c1

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
128KB

MD5
915fd5b5761e3f545cb2331c172365f6

SHA1
32112354de3b5123c14b980f900223de8b9489f2

SHA256
e2357dffa9b819b4952b4a99d7afe59579bfee858e79474f1b550a6289f23136

SHA512
94306d670c509ad66b4101d5f2022f1eddbb036239aa878ce9a3f1796c7515424163901f743159fa417e54ba1a9c987148aa19d4a4ade7726a08ef9cae82c320

Download Submit
C:\Windows\SysWOW64\Pmkofa32.exe

Filesize
128KB

MD5
c1971b75821b8c8ad7a3fecf57cfe37e

SHA1
2da83bbe076557261cbbe417e0288202c32a1c51

SHA256
912f1ed15d6648e692170a5bf5118fdf81f0ee97235e462ff4b206f0f62c697d

SHA512
015c33996f99c6256de77a614a9ff4e62eef02fe865d0634474ad675d41a86dbca2132de9c20ae61041bca324cf29472b8dc941438dfe48642e42b63404b9483

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
128KB

MD5
f634689ce2f0c22207a710c49a7a32fa

SHA1
41296f6a96d3c0d10800c0372de3537ea07326c7

SHA256
4d9b1fcd1102d42d1575a0d536dfc5cdcf232aee3307377e3c7e31496299b7e1

SHA512
5cfc0d8d515404e070f4408c4c200ea38cdf1403700cde09d90f991f9958ba6e45b37082b34c125ffcb565f0970696936b0e86f38a37e89917d3b5f4012a88dd

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
128KB

MD5
4447cac6983f089d73958ffc9ed83a64

SHA1
68b929b29ca315d605cd2a66d4250465c6229f5f

SHA256
5210199b2abfdf91e55326ef8115d639a1b34a7caa4931a7495a99aac7e9a66b

SHA512
848dffcaaa152d0be1b8f4ca30f29570f14e47e082d4a7792e34d8f3494d4e97c838be32523facd3e5a2e064f968db4168b261befa3fa9adf7e560688d8a871e

Download Submit
memory/272-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/272-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/324-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/324-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3248-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3248-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4560-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads