berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
80s
max time network
174s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/05639c84db366253210163a5c6c5f69b.exe
Size

364KB
MD5

05639c84db366253210163a5c6c5f69b
SHA1

a6eae64366a6c171f10324e164760f8eba5c76d7
SHA256

9c62f841d57be4567a1c0c767d186ec5f33411a61bfaed1dd7b5e0678a59d3a4
SHA512

81bbd81771ec28dcffef0afb9d117677100a468a482b82a082466162c8ed902e5e8a3a28e08827693b05e2834080b1f5e2740b15de03feea881532f06ebe36c0
SSDEEP

6144:ZcxSGuYNh/817qKn0U0KNh/817OfJIRh/817qKn0U0KNh/817:ZOuOhQT0UdhQCfJKhQT0UdhQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	05639c84db366253210163a5c6c5f69b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	05639c84db366253210163a5c6c5f69b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
17	4440	Process not Found

Executes dropped EXE 27 IoCs

pid	Process
2348	Nqaiecjd.exe
1984	Ncpeaoih.exe
2972	Nmhijd32.exe
1120	Ncbafoge.exe
1748	Njljch32.exe
4048	Nmjfodne.exe
4748	Nqfbpb32.exe
3444	Ocdnln32.exe
4300	Ofckhj32.exe
4528	Ofegni32.exe
3024	Ojqcnhkl.exe
1116	Omopjcjp.exe
4328	Oqklkbbi.exe
3028	Ocihgnam.exe
1236	Ofgdcipq.exe
4352	Oifppdpd.exe
1568	Oqmhqapg.exe
2668	Obnehj32.exe
3340	Ojemig32.exe
1720	Opbean32.exe
1068	Pqbala32.exe
3740	Pfepdg32.exe
4600	Pidlqb32.exe
4592	Pmphaaln.exe
4720	Pakdbp32.exe
1532	Pfhmjf32.exe
708	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nmhijd32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Nmjfodne.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Gejqna32.dll	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Nqaiecjd.exe	05639c84db366253210163a5c6c5f69b.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pqbala32.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Ojemig32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Gbhhqamj.dll	05639c84db366253210163a5c6c5f69b.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nmhijd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Jdockf32.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oqmhqapg.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Ofckhj32.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pidlqb32.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Maenpfhk.dll	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Pidlqb32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Jclnjo32.dll	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Ncbafoge.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pidlqb32.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Njljch32.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	05639c84db366253210163a5c6c5f69b.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Ncbafoge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	708	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfepdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjfodne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofegni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omopjcjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhijd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidlqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05639c84db366253210163a5c6c5f69b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqaiecjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2216	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	05639c84db366253210163a5c6c5f69b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	05639c84db366253210163a5c6c5f69b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agolng32.dll"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll"	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	05639c84db366253210163a5c6c5f69b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnjo32.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	05639c84db366253210163a5c6c5f69b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	05639c84db366253210163a5c6c5f69b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2348	3204	05639c84db366253210163a5c6c5f69b.exe	83
PID 3204 wrote to memory of 2348	3204	05639c84db366253210163a5c6c5f69b.exe	83
PID 3204 wrote to memory of 2348	3204	05639c84db366253210163a5c6c5f69b.exe	83
PID 2348 wrote to memory of 1984	2348	Nqaiecjd.exe	84
PID 2348 wrote to memory of 1984	2348	Nqaiecjd.exe	84
PID 2348 wrote to memory of 1984	2348	Nqaiecjd.exe	84
PID 1984 wrote to memory of 2972	1984	Ncpeaoih.exe	85
PID 1984 wrote to memory of 2972	1984	Ncpeaoih.exe	85
PID 1984 wrote to memory of 2972	1984	Ncpeaoih.exe	85
PID 2972 wrote to memory of 1120	2972	Nmhijd32.exe	86
PID 2972 wrote to memory of 1120	2972	Nmhijd32.exe	86
PID 2972 wrote to memory of 1120	2972	Nmhijd32.exe	86
PID 1120 wrote to memory of 1748	1120	Ncbafoge.exe	87
PID 1120 wrote to memory of 1748	1120	Ncbafoge.exe	87
PID 1120 wrote to memory of 1748	1120	Ncbafoge.exe	87
PID 1748 wrote to memory of 4048	1748	Njljch32.exe	88
PID 1748 wrote to memory of 4048	1748	Njljch32.exe	88
PID 1748 wrote to memory of 4048	1748	Njljch32.exe	88
PID 4048 wrote to memory of 4748	4048	Nmjfodne.exe	89
PID 4048 wrote to memory of 4748	4048	Nmjfodne.exe	89
PID 4048 wrote to memory of 4748	4048	Nmjfodne.exe	89
PID 4748 wrote to memory of 3444	4748	Nqfbpb32.exe	90
PID 4748 wrote to memory of 3444	4748	Nqfbpb32.exe	90
PID 4748 wrote to memory of 3444	4748	Nqfbpb32.exe	90
PID 3444 wrote to memory of 4300	3444	Ocdnln32.exe	91
PID 3444 wrote to memory of 4300	3444	Ocdnln32.exe	91
PID 3444 wrote to memory of 4300	3444	Ocdnln32.exe	91
PID 4300 wrote to memory of 4528	4300	Ofckhj32.exe	92
PID 4300 wrote to memory of 4528	4300	Ofckhj32.exe	92
PID 4300 wrote to memory of 4528	4300	Ofckhj32.exe	92
PID 4528 wrote to memory of 3024	4528	Ofegni32.exe	93
PID 4528 wrote to memory of 3024	4528	Ofegni32.exe	93
PID 4528 wrote to memory of 3024	4528	Ofegni32.exe	93
PID 3024 wrote to memory of 1116	3024	Ojqcnhkl.exe	94
PID 3024 wrote to memory of 1116	3024	Ojqcnhkl.exe	94
PID 3024 wrote to memory of 1116	3024	Ojqcnhkl.exe	94
PID 1116 wrote to memory of 4328	1116	Omopjcjp.exe	95
PID 1116 wrote to memory of 4328	1116	Omopjcjp.exe	95
PID 1116 wrote to memory of 4328	1116	Omopjcjp.exe	95
PID 4328 wrote to memory of 3028	4328	Oqklkbbi.exe	96
PID 4328 wrote to memory of 3028	4328	Oqklkbbi.exe	96
PID 4328 wrote to memory of 3028	4328	Oqklkbbi.exe	96
PID 3028 wrote to memory of 1236	3028	Ocihgnam.exe	97
PID 3028 wrote to memory of 1236	3028	Ocihgnam.exe	97
PID 3028 wrote to memory of 1236	3028	Ocihgnam.exe	97
PID 1236 wrote to memory of 4352	1236	Ofgdcipq.exe	98
PID 1236 wrote to memory of 4352	1236	Ofgdcipq.exe	98
PID 1236 wrote to memory of 4352	1236	Ofgdcipq.exe	98
PID 4352 wrote to memory of 1568	4352	Oifppdpd.exe	99
PID 4352 wrote to memory of 1568	4352	Oifppdpd.exe	99
PID 4352 wrote to memory of 1568	4352	Oifppdpd.exe	99
PID 1568 wrote to memory of 2668	1568	Oqmhqapg.exe	100
PID 1568 wrote to memory of 2668	1568	Oqmhqapg.exe	100
PID 1568 wrote to memory of 2668	1568	Oqmhqapg.exe	100
PID 2668 wrote to memory of 3340	2668	Obnehj32.exe	101
PID 2668 wrote to memory of 3340	2668	Obnehj32.exe	101
PID 2668 wrote to memory of 3340	2668	Obnehj32.exe	101
PID 3340 wrote to memory of 1720	3340	Ojemig32.exe	102
PID 3340 wrote to memory of 1720	3340	Ojemig32.exe	102
PID 3340 wrote to memory of 1720	3340	Ojemig32.exe	102
PID 1720 wrote to memory of 1068	1720	Opbean32.exe	103
PID 1720 wrote to memory of 1068	1720	Opbean32.exe	103
PID 1720 wrote to memory of 1068	1720	Opbean32.exe	103
PID 1068 wrote to memory of 3740	1068	Pqbala32.exe	104

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\05639c84db366253210163a5c6c5f69b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\05639c84db366253210163a5c6c5f69b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\Nqaiecjd.exe
  C:\Windows\system32\Nqaiecjd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Ncpeaoih.exe
    C:\Windows\system32\Ncpeaoih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\Nmhijd32.exe
      C:\Windows\system32\Nmhijd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 452
        29⤵
        Program crash
        
        PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 708 -ip 708
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUE4MEJGOTYtMUQyNi00NTU2LThGOEYtOTNBMzQ1Qzk3QzNDfSIgdXNlcmlkPSJ7QjU0NkQ0M0EtNTJGQS00RkIyLTkzRTMtN0YzNjNERkQ0REI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODBFNDBCNTgtMUNGNy00MEU2LUFERTktOUIwREI2OUUxQzYzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDE3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTg5MzQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI1NjkzMjAzOCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
364KB

MD5
05d6f43f1bbd07cdafb8d6941fca3105

SHA1
7a2250d47cb11d8c3935e1c3c7f74ac0759d1805

SHA256
f33af16fb3771873ff1cfc16cd9d697143515829a649d965f668b3e21edb5109

SHA512
9276db958a990406b767cca9031cce525e0a7636b2ce25bafd0216a9963f6930e49d2a6338b30eb62bf0010971e37f173da1775544f46e814f9182042889c3c6

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
364KB

MD5
a04e84ee536a4ed54972e49098f30ebf

SHA1
b95806253a23f89d953b02edc88a1747793c4ba0

SHA256
c380c1fe6039ebc03ff3c87b23bc43f2d7820f9c5e56f702a7b7d586d3de99f6

SHA512
6caf07c31132c9e0a51daf5e7c4cc32135a0ec678d6dd56dafb5a25456961163cb36c2d55b93fe9b7fa795453dd2dc22800ab3916be48e199b3bf2b2fbd5e753

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
364KB

MD5
87c04ccd5515871b90b4397c5af5ade6

SHA1
4aa9976fc5d386eef15a9c59ca2cba5f98961448

SHA256
de150397cd5ee25a7de6f23b18fe02c733e97aa6372a4a929c50469d170319cc

SHA512
46c39aad71f0ce865ae70d27f8d622202a0cec27b64078504c2d52cc1461c759d60bdc0de418516f60bd6410620ad756b384c4596e545f5ea6874cdfb8f971df

Download Submit
C:\Windows\SysWOW64\Nmhijd32.exe

Filesize
364KB

MD5
9bcb172e46559ed97e7f086ebfe029e4

SHA1
78a7a4b0e2f555edcae024919b9242d0df96de80

SHA256
fc6f6e231c93630017c8c7bf380c38293e408a97d7c01c72776179ade3035fc2

SHA512
0192ee2b4afc437c1c7e89521167305330c043e6b33a73c94d86d103ee5fd8aa93c73466318d3026013225c4713771867f0d66c2e77631849cacfe23e193bd6a

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
364KB

MD5
0353735ea2c9b9f117205861953cda6a

SHA1
c910739a8800ad2d60ddd810bfb03315ba7ad230

SHA256
1098296f846f1cf51078aad02c38f0b74ffc44b6ceedf03c7619ed463528ffe1

SHA512
8064fa719b63784bc32c3ad58761c92be4bba09570900cd2c4fb02cb0876904a8006d5fe3a246a15486fbefd831afc88a0b945a377aed2f180f95c188230e950

Download Submit
C:\Windows\SysWOW64\Nqaiecjd.exe

Filesize
364KB

MD5
e5f96d507c152dfa38efadf14bcf8522

SHA1
c3caa7e573a799bf3bfb93e8feda9138959cbeca

SHA256
97e754cb22011c3d2e3bdbbc5ef6f37e97b66a1571d3d233ce57918bd57fcab4

SHA512
3307697682714966c7bd4b56c7faab3bbc8bb6fefd224b594bfefb533dbc8f83e698c3f4e6a7510b2c003d32bd77b210af07f57e870374a7c138ed1a2b4ca080

Download Submit
C:\Windows\SysWOW64\Nqfbpb32.exe

Filesize
364KB

MD5
80eaa54a9d80d4370dc4cb43cbd16db4

SHA1
ef05026be3c02fc832e7d810a36038314492463d

SHA256
d40c86167c4d54d8ee80f992f1d4d18cde6dfd1f109171d277c8cac2985e0f38

SHA512
f08d9012b19d4d1d5854118ceaf120fbfefc77e025b9f89d4b89feb6c3081a5cd83689b12a860b356021bb4cfa4ea04273b53f2a304ea02c54ee19291da64094

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
364KB

MD5
9f5a954319c54d7f0d3adbb6ee733479

SHA1
ad16868bfe93e8b9b2c6c3ad611782868716b3e8

SHA256
0f9fabe44b364abfd0d70c6a59a89bdea6f1c45a79edac048892ea2306f26d9e

SHA512
5a7444ff138dc34e6829df05a31cb54765c50ec6c32e5ac9a4393f46b1e29a803fe2afbf09e59207c69818457ce6251b3a98d5ac72321efbbea60d38f46067bc

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
364KB

MD5
06d62379366be55c2eee4660b8a90533

SHA1
74f7b17057cec79a6186b892e61647f4ead76d4c

SHA256
3e352c603af099836944f3a17a6d7bc0c4c912c4ece0b47f1a586d8a4ed84874

SHA512
b984f6665e1e39e60307cfa784476f89d046ee041f5afc5b0a04e965297e77ada1a05499eb2190caf37db33d32fa8527a06336d86334f3f754dd241ea7e76b22

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
364KB

MD5
69bb68bff93b2165eeb5f37e759e388e

SHA1
1b5aed41b08df9fb6bdf6db721457ec2e5244d47

SHA256
4168442d21d2e5d4046e45d9177466ef8f8e53fb8dad2425ba69eef36472f08f

SHA512
54a8ac18db6a00fd6bd7641af598336e1240ca2da9871045491db87ee586c77e970d5905bba31369ad58b3e6e2454b92199c3f54199d4714656a33594d0124ef

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
364KB

MD5
12fb519f715da8eda778266be359787f

SHA1
b56c04c15f03d1cb363104f076dfa4f792cfae38

SHA256
ebabe35ee805db1de10b8998e249814232b057da769834a53a28af2bad2928de

SHA512
fadff73fa66d1702a2c0664ce35d5a4787128adb7bd1adcdbb19363d4763bdc74b4452c0b4aa376df6441e75c1683ebedb4fec76488cde71bc7f815d7081b3a2

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
364KB

MD5
baf9f2f3db837856ded01d22ff09bec6

SHA1
ae274a671caaf8437a6995051ae194d353692730

SHA256
b4701502d5fbabecfd25b59c65926874a723cf382953df178eb7ed6160fcb6cb

SHA512
f4d268a43d495c1eccf293f316a9fade0eea697be4d87338605907e40c6546c7f19686454a216be595a50dfe879c33be2eb60972c71535a76e49a5f6a8b0fffa

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
364KB

MD5
7b834bdb6280964f2af16e6982f8763f

SHA1
972a4bda9bddcdf06ff3c1af30a5c517ee8d70d9

SHA256
41263c4bb180627fca8a3e5f1f6d4fefe11d2e22521751b1e4df8d2570bf501f

SHA512
c79afc2f4d5107d0e916cb78ecc27d18de8623e14a119f8f0f88977fcb3892f4ec7f10069dd6c10bc3919f710a6bc1c781fc1fcf0b24b6bb248f06e0c5283086

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
364KB

MD5
13cdddaa926a3ca9adcc86c6bf18b7dd

SHA1
c4d81437f09ee4e2fc2e8d81c4410cc7f873c52d

SHA256
d81b36d5d711088cd437e15f1c62b236af01c1e15f3dc04ef94a62580513a34c

SHA512
45ca04ba735e57b124ee7ea7ee1c5a108ddf1a48ef1523266d8cd87fe8bfccbc411e9e799bd88aa549e3fbe29205a477bdf39670d1cf3b452e8d1e79ebcd8a06

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
364KB

MD5
be0ab8ed04c39a618e71bc513bc4d350

SHA1
cb96927d0f54de961a17fd1a462b6f83b1208728

SHA256
968b353c33db868aace572f9f3ab7619e5e1e958b45487ad3a6737f732fc3df7

SHA512
63d0048e393504464246d2abc9cc49f4e6be3cd678af152918c5d7106e3825a54507a43078a49c7e90936f21e3a5edaf33104f2d25edf744620f49e96e293ab6

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
364KB

MD5
341befaaf53ade09448b116bd7646bf1

SHA1
5f46609f84ceafde703e3c9617f63b1dc4ca7a78

SHA256
596255d4a51e6a4bfd7fe3d2e39187136349002811625fcb0e5b7eaec08bf25b

SHA512
7198257fbd6788b1c40bf11b6ec96551461fb379688cc736b670a335df0f243b81dc8cb6084ba60abd8c5d50122bd1a0e4ea13064fb0b4e179ebeb67622e56de

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
364KB

MD5
d981d44ed8eefd49ffdbc695ce743f15

SHA1
861f235c471c18671ca42c616ff4b9a9138d2734

SHA256
5879acee01d45165734350b16fd9bd8e8ed44ce373e0fca08bd138afddcdc004

SHA512
86b2425b1f9e7e09000249bff859bf4754c415c25a10c92437638ea81298a7183b4e0e1ecd52f54757fc432263ea0bfcc9c07922f606288a149f7b38e64bb58b

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
364KB

MD5
b0c1160ceda077bc5f5a3a75ae1917d4

SHA1
a10082bc86a8aa710abcd56fcbace4bd8c2b757c

SHA256
d36004cbadca62a68aed2a94b2d447de58a2261381c1df2085ea94ebe9b65f7b

SHA512
c556203df0076c59d0e58b846632da4aacb775ba756370825625c5af49a3d659c6f790407baa88b3749576edb1c2c0378ab07e7d3cba79ec5644155ab3c38d65

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
364KB

MD5
15adee74b1b3cbb6966aa46c615d3bee

SHA1
381a916d53695aff4a06d328bcdad094fd548da6

SHA256
0fcc49fdfb392e093c99e24d3c39d604ff53cb86bad8c53bcb47da1b966f5eb0

SHA512
d4e904d3b260f4cd939e08f933035905af1f52add96794ec353a4bb4b964c9de9cfef887f1ba43fd237443061fcd9f6bd3dc3e2d7e3c2bca3b96d58bf9887609

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
364KB

MD5
9bfd0e5147f0b33f59eb636e158b586a

SHA1
0e4212603199b19ef8e2d55715a8d9df6cb5c85c

SHA256
be3c19b6576620a0eec497e0c021790e7162d7e2b607b3926d9e69e951ed79d8

SHA512
d8c9cb4618cb27a01c5a4cf36777e0c06218c7121c1cfcf8222ebe13c3de24576503a159c3ccf57de01cac0c9142df7b178b3537d2c9b08ea965db2050a51360

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
364KB

MD5
aa109d660322842e1ef9eb3ff262d032

SHA1
c4e23ad7ad95b50a8fd5c8b9e3a328855d5c74a3

SHA256
f5cbdef1c0aadf78a1d1ef9c950c32c52d56389e424d67d765462728223d92c5

SHA512
73c6a5389b5c66ca17265c7bafb6860c0adc426423ba8211e1fcc7ea43e3b80aab474fec22224a0775ab8f469c904490bd03f69b80c808b1b965a34adb9aeda3

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
364KB

MD5
eb5a32ac4e8ae35df519e4857205c809

SHA1
8acedae3172af3fa0eae784f85f63ae8982e9214

SHA256
3fdc1dcc994888fde2693668e22015461c7dab50a0c2a696a05963d8edef305a

SHA512
ef723f9a82dcdd3484f0165d7b01f043399e6b77e0a4c47b14ce90b2444fc703d884d06fd4c81354d2bceda83949c70336015f521e44abcd434e5c88827969f6

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
364KB

MD5
57c4fcaab4db9763c19ad290f1285557

SHA1
4b72562d843cb7a078cf8e129444338fe24cda56

SHA256
dfaf2169cec92d6abf1e90494f30e6d1b3aebfc4a5bb07ff349d2bb59128a5e3

SHA512
322b527bddb551c6de2d018e5fc68365edafbab0d531e2539728f565bd55d1243b5b4e355eb46eaad82e36d43c474e68d7a4d70dbf12655a26212270a2a1e19e

Download Submit
C:\Windows\SysWOW64\Pidlqb32.exe

Filesize
364KB

MD5
c314fe3bf0872cd5a2241d807585c880

SHA1
f2f7a6fa88b42c7f51ea55eb4df07a2c69d000d3

SHA256
4dd578d99ea2b9a52c31bdca9f7d8c59ac30ebcb1519e633723d2768e51222bf

SHA512
08c0cc8ce5f058ea73bf2e21dfcc2cca1242dcf7260aa8dcd842c020ec2f8291745ef907e946d239d039c221a56d89374f5ba51380ff6b62bbcc43a1b5e7e099

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
364KB

MD5
c84cb145f366cfbe0c376b0e40581f75

SHA1
20a7684719c463bd43308936c118dea80c723aff

SHA256
a22bffd64eb42c540f21851bf5d5944450c12d5d230e5da076345875a25e2ba7

SHA512
73fefbb2f5c8814c7cb788977538c94e9771e0140193ce76428a1174852264f5ff68c3405e95ce90e674b67295304d37a8478aee05d281e0c55a213e4042840b

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
364KB

MD5
e3b4469099d6834002b17186ed582d1b

SHA1
f2bae3bced469bb4dd420640ce27d2eb6ece4150

SHA256
9fd12e56679833fec70b143b575846148e56dec3ab028c24a246976b4b8adcfa

SHA512
e5ddae9baf8021c9d1c417f1a2451aae6c14b35e65f669d29ae343f7e9470ba13c68d6d5d82398a69280fb2102c5ba9595cf35d9bd1828b5b00620db22053fc7

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
364KB

MD5
a2a12e610f159330dbcda5cfeb4068fc

SHA1
22321269d4a2742e5d3e64c23254e89689cbd89d

SHA256
2f8a8c316f56ddf6b37c3d42c0b1681a6e51cec3b789d3b674b85b54ad7f30f9

SHA512
21bf98b1abe70e50bcc4528b8c3ea1a0c8f118f1716804cc6619ee9418d7899b1dfbe077826cae6f1808e505ebbdaae8ddd5b314f9d59bd02ac84a0c2801d376

Download Submit
memory/708-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads