berbew | 39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66add

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Size

368KB
MD5

d19670c134812616d5d1f743d96284a0
SHA1

3c613ef0407b2dbc4e72b959d4efb3063252cb69
SHA256

39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66add
SHA512

5c7da9793f2940088516cc579cb8f71efdf5bcb2b347454c95cb7224018dcd80186a70b7fb6a498ef255e747c18ef410f15d6273b935595f4cf6257840ac8962
SSDEEP

6144:ToN0IlcdcJ/oHeN+uqljd3rKzwN8Jlljd3njPX9ZAk3f:4QYQ4+XjpKXjtjP9Zt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3016	Ldoaklml.exe
2544	Lepncd32.exe
4496	Lmgfda32.exe
4320	Lgokmgjm.exe
116	Lphoelqn.exe
896	Medgncoe.exe
4784	Mmlpoqpg.exe
3688	Mpjlklok.exe
4020	Mgddhf32.exe
4556	Mibpda32.exe
3188	Mlampmdo.exe
1932	Mpoefk32.exe
4984	Mlefklpj.exe
4580	Mnebeogl.exe
2552	Ncbknfed.exe
3424	Nilcjp32.exe
828	Nljofl32.exe
524	Ngpccdlj.exe
4888	Ncfdie32.exe
4040	Nfgmjqop.exe
3928	Nfjjppmm.exe
1268	Ocnjidkf.exe
4904	Opakbi32.exe
2744	Ojjolnaq.exe
4216	Odocigqg.exe
3580	Onhhamgg.exe
2480	Ocdqjceo.exe
1056	Onjegled.exe
2608	Ogbipa32.exe
1956	Pqknig32.exe
4552	Pfhfan32.exe
1680	Pjeoglgc.exe
2888	Pcncpbmd.exe
2676	Pjhlml32.exe
2380	Pqbdjfln.exe
264	Pdmpje32.exe
948	Pjjhbl32.exe
2188	Pcbmka32.exe
4908	Qnhahj32.exe
4372	Qdbiedpa.exe
2596	Qjoankoi.exe
432	Qddfkd32.exe
3044	Qffbbldm.exe
3532	Ampkof32.exe
5040	Acjclpcf.exe
3452	Ajckij32.exe
860	Ambgef32.exe
520	Afjlnk32.exe
1064	Aqppkd32.exe
980	Aeklkchg.exe
3536	Andqdh32.exe
2856	Aeniabfd.exe
3152	Afoeiklb.exe
1236	Aminee32.exe
3508	Aepefb32.exe
2728	Bfabnjjp.exe
4488	Bnhjohkb.exe
1396	Bagflcje.exe
3260	Bcebhoii.exe
4112	Bjokdipf.exe
4632	Bmngqdpj.exe
4052	Bchomn32.exe
1388	Bffkij32.exe
4880	Bjagjhnc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5612	5528	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3016	3288	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe	82
PID 3288 wrote to memory of 3016	3288	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe	82
PID 3288 wrote to memory of 3016	3288	39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe	82
PID 3016 wrote to memory of 2544	3016	Ldoaklml.exe	83
PID 3016 wrote to memory of 2544	3016	Ldoaklml.exe	83
PID 3016 wrote to memory of 2544	3016	Ldoaklml.exe	83
PID 2544 wrote to memory of 4496	2544	Lepncd32.exe	84
PID 2544 wrote to memory of 4496	2544	Lepncd32.exe	84
PID 2544 wrote to memory of 4496	2544	Lepncd32.exe	84
PID 4496 wrote to memory of 4320	4496	Lmgfda32.exe	85
PID 4496 wrote to memory of 4320	4496	Lmgfda32.exe	85
PID 4496 wrote to memory of 4320	4496	Lmgfda32.exe	85
PID 4320 wrote to memory of 116	4320	Lgokmgjm.exe	86
PID 4320 wrote to memory of 116	4320	Lgokmgjm.exe	86
PID 4320 wrote to memory of 116	4320	Lgokmgjm.exe	86
PID 116 wrote to memory of 896	116	Lphoelqn.exe	87
PID 116 wrote to memory of 896	116	Lphoelqn.exe	87
PID 116 wrote to memory of 896	116	Lphoelqn.exe	87
PID 896 wrote to memory of 4784	896	Medgncoe.exe	88
PID 896 wrote to memory of 4784	896	Medgncoe.exe	88
PID 896 wrote to memory of 4784	896	Medgncoe.exe	88
PID 4784 wrote to memory of 3688	4784	Mmlpoqpg.exe	89
PID 4784 wrote to memory of 3688	4784	Mmlpoqpg.exe	89
PID 4784 wrote to memory of 3688	4784	Mmlpoqpg.exe	89
PID 3688 wrote to memory of 4020	3688	Mpjlklok.exe	90
PID 3688 wrote to memory of 4020	3688	Mpjlklok.exe	90
PID 3688 wrote to memory of 4020	3688	Mpjlklok.exe	90
PID 4020 wrote to memory of 4556	4020	Mgddhf32.exe	91
PID 4020 wrote to memory of 4556	4020	Mgddhf32.exe	91
PID 4020 wrote to memory of 4556	4020	Mgddhf32.exe	91
PID 4556 wrote to memory of 3188	4556	Mibpda32.exe	92
PID 4556 wrote to memory of 3188	4556	Mibpda32.exe	92
PID 4556 wrote to memory of 3188	4556	Mibpda32.exe	92
PID 3188 wrote to memory of 1932	3188	Mlampmdo.exe	93
PID 3188 wrote to memory of 1932	3188	Mlampmdo.exe	93
PID 3188 wrote to memory of 1932	3188	Mlampmdo.exe	93
PID 1932 wrote to memory of 4984	1932	Mpoefk32.exe	94
PID 1932 wrote to memory of 4984	1932	Mpoefk32.exe	94
PID 1932 wrote to memory of 4984	1932	Mpoefk32.exe	94
PID 4984 wrote to memory of 4580	4984	Mlefklpj.exe	95
PID 4984 wrote to memory of 4580	4984	Mlefklpj.exe	95
PID 4984 wrote to memory of 4580	4984	Mlefklpj.exe	95
PID 4580 wrote to memory of 2552	4580	Mnebeogl.exe	96
PID 4580 wrote to memory of 2552	4580	Mnebeogl.exe	96
PID 4580 wrote to memory of 2552	4580	Mnebeogl.exe	96
PID 2552 wrote to memory of 3424	2552	Ncbknfed.exe	97
PID 2552 wrote to memory of 3424	2552	Ncbknfed.exe	97
PID 2552 wrote to memory of 3424	2552	Ncbknfed.exe	97
PID 3424 wrote to memory of 828	3424	Nilcjp32.exe	98
PID 3424 wrote to memory of 828	3424	Nilcjp32.exe	98
PID 3424 wrote to memory of 828	3424	Nilcjp32.exe	98
PID 828 wrote to memory of 524	828	Nljofl32.exe	99
PID 828 wrote to memory of 524	828	Nljofl32.exe	99
PID 828 wrote to memory of 524	828	Nljofl32.exe	99
PID 524 wrote to memory of 4888	524	Ngpccdlj.exe	100
PID 524 wrote to memory of 4888	524	Ngpccdlj.exe	100
PID 524 wrote to memory of 4888	524	Ngpccdlj.exe	100
PID 4888 wrote to memory of 4040	4888	Ncfdie32.exe	101
PID 4888 wrote to memory of 4040	4888	Ncfdie32.exe	101
PID 4888 wrote to memory of 4040	4888	Ncfdie32.exe	101
PID 4040 wrote to memory of 3928	4040	Nfgmjqop.exe	102
PID 4040 wrote to memory of 3928	4040	Nfgmjqop.exe	102
PID 4040 wrote to memory of 3928	4040	Nfgmjqop.exe	102
PID 3928 wrote to memory of 1268	3928	Nfjjppmm.exe	103

C:\Users\Admin\AppData\Local\Temp\39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe
"C:\Users\Admin\AppData\Local\Temp\39dda8ab4301e47981d376904d27745f1904a7070dd476d34d8e4e498ef66addN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\Ldoaklml.exe
  C:\Windows\system32\Ldoaklml.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\Lepncd32.exe
    C:\Windows\system32\Lepncd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\Lmgfda32.exe
      C:\Windows\system32\Lmgfda32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        25⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        47⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        66⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        74⤵
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        77⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        78⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        81⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1732
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        87⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        88⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        91⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4016
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        103⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 216
        106⤵
        Program crash
        
        PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5528 -ip 5528
1⤵
PID:5588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
368KB

MD5
658dfe23cc2bb3436e002dccc8b03a60

SHA1
236413c6ba31718f7e9cecd744b08b16f30b246a

SHA256
9c3650e3768df6e4d5e9366f344bb02195595e15bdc7252f0b14ed3a6279f859

SHA512
7948da0fa56f10e4ffb79db3b35b9e60d78926055244aaa5da934160d91540745ea0336e297088da89a33c24f706bf74051afd512b902d5ab3197652af254c75

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
368KB

MD5
2833ef92c80f68811e3456a39d17d8f8

SHA1
26cf9fbd1fedeb0be032f7c26d04e508977def51

SHA256
cf4ae5922b3401d381880e1d125155782a2e5eeec43830447787e6f3b365160e

SHA512
c6a577fd96a85306bcd85256aef392f3ae7d5e0cd517ea2e1821da1d6334b61f35f9977cdb82ae8c08697ebb64a13eeb097ed9a21d072656a6bae3bad4396d35

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
368KB

MD5
d0f053cf4bf870314fb8c9665e86f3f5

SHA1
1e9303230852f52d8f6f992e341ab4ae21fbb00b

SHA256
99a0c3b537f0204564e62be84024402b6917440d60df65ec195682811822dde8

SHA512
2a63270b9ddeb92520644064046ae927f4b2fe7beb83cdb901c1879e5e3b68ff7eae2e749d8a096db5fe9ecae47fcb4e8a059f9c27837c5da1192811ee9f9d34

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
368KB

MD5
92654ac4213fbc3cc1793a4c467c76cf

SHA1
eeaac36be16d4cc3d3920eeb1eab8f98038c7707

SHA256
f45ae2a9d04e7f1ae5db821ce49589e851ec98eb977fce439e7f55433d7001a7

SHA512
0d0527efcc7cf2135d138eb1cc1cbfe7b2d1b638f30ccff41290ba9caa10c454c3d18e20114d5193912ee06e42e4ab33631dc424edc64f045e739e6f3441b865

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
368KB

MD5
905ffbb16c5e6f0eb33a0fb638c944b3

SHA1
8834714daaf76b8ab5645e4d465ea07fb71d8109

SHA256
98102e71cdf393dfbb4d49f1984a9f14cb6e432caaf83e07eade704eb7fadf41

SHA512
d0cf18d141f60762147ee4b30ba4de69b8be631d539f39aea38d592f5077c3c609a3b19f1634b0b040f9a330c7f2ba626278f01a0310b3058e2090d4bbef8bbc

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
128KB

MD5
c989230bb757736f1d69cea09982e17a

SHA1
33b6489969de2b0d9bcd9a7e084a134d9a5ddf94

SHA256
8e2050605e44250871c7042db89684b4bc2fdc72f42eea557226f0646866cedc

SHA512
dc3d2aeec2377986fe6b7b192d94cccb15264948cd7362e62d2e4ada41afabcd68cfd50600d389578efff76e1b06ab4027cf3cffc8fc88dab6f5ee26e79514ef

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
368KB

MD5
26ba15cab9d0f7a11d5a7ae3ed2dbfad

SHA1
cb5a646939b8fb04ba368f402cb2e2b96b7711d7

SHA256
479f8bc957b5f9324820eadff58e89c0d7bff3ddfc4c24f369e9f1454929c8ac

SHA512
4d8cd7408a6dcf5fb42ee61ff6f93d7bb39133a881392f852010dce2de1d642618ca27eedae77503ac3bba50a8e5a5ab516e4d94b23890fc18f1f5a9ef28889d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
368KB

MD5
516e477d412d352faf71edfeb2dffc60

SHA1
5b7cc028a59497295eaee954be1e2a76271ba2a5

SHA256
f81a4315db99e0c2daf88cfb80caec78e56d92ebaed6c3b9472232125da13bcf

SHA512
24fa5ed16b3d1b063193effcb0e958a446c158d2dce84fbc4db1d090fb2f0be2431f3e20f9142accff3c8ae6b8b995d1b767daa8370f25ef6c9af27e961f77ae

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
368KB

MD5
53f755725b522a6ea1ffe37c14e25b95

SHA1
eaf914480cf7c65ea77449ced9dba582d2cb5b71

SHA256
eb692d3368d797e3c1e22fa9d10c7a58984771828eb4201476e7d3e412b3d086

SHA512
abc177048c75d681d937d0c29e3acc4da853a8894988b0eac984e2240f988ee3b6b2fb383405a42677384175ff0dcc7cbb59ed8c4b1f72808c504f5374a7a025

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
368KB

MD5
6d3fe446dc70d94fe9ed5bc767efd2e6

SHA1
ab36d835e28651807ac46f847d09ca9af6e19746

SHA256
ae96bf0938cf13b8c8eaa14425c681a0083ca2e038cf1101afd72760705efae4

SHA512
33013f9dd8308586f07054d2b2ff4a048086c3bc4a4c58f77afbad27cfac32335dc8761f94f6f74555483d13c383d0417a3bf4a73e833468ebeb2dcdce8bd785

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
368KB

MD5
7961783244ca2f8114e6862c096fa79c

SHA1
866eb9cd5d66d39996bb875a3430f865504d7f22

SHA256
f9e759f6953567b37ad22be271da31e35dca427d558b6bae52920d3f81ad6281

SHA512
e91a588aa7000905bd22a2340e0e6292f19f83cbf3e27f50bad57b3f37df2975d5873ae1b02da853fd92d7f4e62c10ce335b6c5f009c32c6164ad4f976b5479e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
368KB

MD5
ebc65113fd222175174bea45b6c00626

SHA1
9fe1229c1f8be10d973b15a5dacff6530219eee8

SHA256
6177e456abda60a8970c99dacdfbf4f6d06d67831f4131fac9fdac50ac2f3617

SHA512
64eadff882a61cc452fd0f171b99dfa33d773fa588d15bdb10e72f4538e10fe7d4878e9c659fc466a5401cb27c84d4ca3aa5f3271b6afeee39d29e5e302f28c7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
368KB

MD5
1c1095fd3ae9c020c8daff605a9e46eb

SHA1
6396380c5dc63b121fadc58a2fee95e55a620538

SHA256
31bfcd6eb9c0f501f493d83ffa0aad6d0ebc235a75efba452259985bdb587076

SHA512
b1a3129ebaac1b993d732fc109cebe05cc6df682589a21b7d40d683d3be5f27130c2c3dd193911da686379a39e50b69824e4febf8f871fdb3a8e94b84ebac6f2

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
128KB

MD5
6a3ef371baae8b740f0729e2990cb752

SHA1
3206992237af35855063e8c62468b0cefc51d428

SHA256
39a7ba3e65733a80c01e26312a4b8628698f97af68dc0d46633030750d076ecd

SHA512
148f03081250d6e6561e96133b843e06e78bc627524e5c2ebb541213964b3210df8325940e4ec215a05d0523c52019861ef8c955838330582efb5a75fa1f49cd

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
368KB

MD5
db94e4ccaa5f680d90c5359eacba3cf9

SHA1
5a7569218b1354e6cf9d94b42a26ea3d05c912cd

SHA256
be7569eee6ceb71d430ac8be0116142f43e81038d3121d5794ceccc1b477ceb2

SHA512
e3ffa85b0be4e758a9e94500eab3b75c2b2878986866a7533b334f68f13a610af8ee71de34ead58a7a9fc3f1227a617fd0b73b359d2724d651c94450eb247c0d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
368KB

MD5
ac1e4e526d6988bd20f97e5bb390fdbc

SHA1
732a5c127be6ec15d8856022c14946a92a974202

SHA256
71996c30fea67cfc5ba88d344814239cf1c590bf3f9741a1a931ebf40e0c3cf8

SHA512
567ed76785cc7d8811f86838c151de7fe59efb7a3bb5ebf840e44990451eceb035dfcc7c17a0f55749a9e4d340119ad4bd58ba96d7b1c3f16dfbdc8eac687ad2

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
368KB

MD5
fadda3a37e7507e2a371df3da7d23003

SHA1
1ecf08ad33476503eeef273900238651eafeb138

SHA256
e4df50df54076f832da05a5d9519a25650e1284668d22cd2de88784c1cfd512f

SHA512
4800f3fb34f726bff9c58e09e77f19f1cdd11699bed57af4569811f680b0dc98bcd39a9d025911e2f199883da35fc8bdc11144393e925651f3a5ffb1d6986678

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
368KB

MD5
20577dab96ee44b416f64f658a3c3519

SHA1
0cbeb8437cc08d87436f4da18702f5df06a162b6

SHA256
35c162a102d3bd479e81e19988d9e9fa8668b6fb11152d1fcca0a1c6bb989469

SHA512
3997a2aa97593b4c8fe4376c24fb672bf6aabe5edf46b58d13745cb3a058986528fb750020d138026eba1ec10a18692f24ae4a1e7a30ccbda5aa6e76d457001e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
368KB

MD5
29d71b800ea83aa1131a3eb0112c4b8a

SHA1
14ce33aacfe515351161d15a3ce5a7a35ce3d14b

SHA256
240bedfab501ee3338868ac720158861a1cd5126c6fc0849a400b4f182adce8d

SHA512
e37eab8d51de2dc2a2336c9327103dbae45899c3dba3c7354a64e7f293fe84153ba788a7456d8ebebc02105dcf4f3102f82f704a722762975a3e8cacc1ea58a2

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
368KB

MD5
c4012aa886a1c37e4984f3d832e00f1d

SHA1
d67002a03cd8812ae3696fde1f8f2bc0a04d3bc3

SHA256
2aceedc37a47c9346c40083900871906e5d8b3a35caa3d57529de70b707a5d32

SHA512
66c87ce79ffc77880068307d02cf2a4245ea7d8b9800a6f9a49b482e522c464835e08cdadc8e5ad7c2b4053f348a7adb4898b344c0546a274298aa4536da4886

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
368KB

MD5
ac88c571237f63927c21c356948309cf

SHA1
92cbbf153b565e321db703b786f98598b1d20a5c

SHA256
3996d0b7c8bb82c858a6a756db763cc28cfd3c70409624385ddda0a4d1eee60d

SHA512
85b5c56b0d8b1524873e27d3d6065b40eb1aa73c95f96a37b833f0a43a81e831a2727e57d68b48aadacd1fc92ef21207bc4795535aedce205d1d59f6d0e8249f

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
368KB

MD5
39327d373d6af2353b0aadd3dd1f4aad

SHA1
db1abe8320626d4318e7b5fa7309536f47513d57

SHA256
55264102bf5fec7fa4b848155738f9d06038352d6120af3ef9943040a942ffae

SHA512
27889e43d95e347d6ff24d425603cc29ec8227cbd98e609221bb96b7e77ae1b37ec66cdf66e9f14719388683b1b744111e931a107d4f51f2955776089b48f5f1

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
368KB

MD5
503f06c572b45c58845bd67f7774b4e5

SHA1
cce87e8827ec4fd9b1c565e07b0f6eb9ad597ed9

SHA256
b3c18ab51f9cf93deec9d993f71bcfbdf3826db0fb7be383526b72a96902ad07

SHA512
85eed6551718970c2dd925f66e5109718a1bdcd5705159bb445ecb66c60a3efad1f3371ebebfa3846c4d96c7d3e59efdd01eea37e780b2abf0ac0d6ddf80d3b0

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
368KB

MD5
19bdea1779cdc3bde6e829bc06f75533

SHA1
0684e702e4a2262664fbafb2f6be4c9bd35e3b50

SHA256
64dcc3023f4b75ce6f313e004363dc1969acb7ee487ca283cb5b226471eeede2

SHA512
e21c4624527a0df7f44346a4835cdbf9a2affe6ec1f10510acb5d2fcc3a336f371f4130ee22cbe7aa229f5965e3430723068340e7171de4021b85056c47b507d

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
368KB

MD5
95ea8df445042560f23bc6ef8bb98578

SHA1
6b23239438d093a6829663a56b0e4ef8608cdc8b

SHA256
4e90a8da95b433d5f521cdd855e47dd2c6ff9913b05801b002c5a2a9d998eda5

SHA512
e5b2823275c8be24d9871d9fe06d16d14c17ec76a2532babd23cfb471a585246880e03b34fa10e0ddb1367772241f6a5255e7e542a988854ed0431a751d633d2

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
368KB

MD5
c73f179e09c6dae3ae7867acedee29ce

SHA1
ab231c41f3ef3c4fd3003df60e66c2b72f403734

SHA256
242351b97ed9b6ec89e7771d3978ae4b9ecf91f40e4f943e97a339065495b419

SHA512
0d40e0f64d5c5dd614e68213e0b485675b86682d970ff32f18eca4ee6c8e88acf998a549a00406e496c891b31f05e671c879a41522f493dfdc3e50e97792def6

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
368KB

MD5
b9904cd2bb7a8ba396bc50e78b2a6583

SHA1
8d9436555c906e8f80c75e969a99b8078f07fa1c

SHA256
d810721cd1bc22fda2dd12bf5f143be9b3c142fcfb85ab6d0cd1154aec234e7e

SHA512
202e6d624f484cd40fa8e0b5b56e0722284dddf80104c048269f3d33c0e256b6108ef15b19c885d5eb65283528fad92bb696c764430e6666088e0062deaf1c49

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
368KB

MD5
ea9bfd6a5d745e2d873048e51084217a

SHA1
dad888622dfc1a010e1a7b349e9be73a8e3b2654

SHA256
6ae41d8c9d9ac9bb641d2c44c2c491bd86243226bfb9ba49e3805e352e0d429a

SHA512
00d80ca041c0f056c85382aac13cbc416760da9810a3a8747e0ee5227081ce9c30676e3c49c059580bee8ff40a13b7ef33d3d1089522e70b59cfa851898c09c2

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
368KB

MD5
536758c9cdcdbfa20e93383884668af1

SHA1
6e2e5fb02e864a33baf6f878609faec08f8efafc

SHA256
71210908d9a1eeddc96aac1572d8a7e84f3e567461b59912a09f007cdc7fdfa9

SHA512
81b44d61b425b6106e6c46b2db74468b5a4a0a0ac15b4406a279f628c2b5a2220129beed90ab755a97416c0de30a1274cfea272725210249cfe36662e0c46546

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
368KB

MD5
f8f6023d7b1a2ae4365b67ef8ca3bbf6

SHA1
5cbeb79154aed03f6978e7d98b9d17b326c1756c

SHA256
2ee7621a3cb6a616d694e0ae4422460c7d1efc625c69699a466326b4e30a65eb

SHA512
cec9d86d106a335955ea39a2ca1bec8f2160288e8ab94c54fbcbe7995718b8c08eeda425a1788d18fa5ade57753fb8801b594eca7fc361d7e71fcfe6855bcc8a

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
368KB

MD5
a6a0508ceb1a27dd756a6ec4b458de65

SHA1
22b67a7502fbcbd2dc29de81bcd4d30afd7eba8d

SHA256
b9bfdcab123c11d6c5b16694751716c8d28d56b402af6a22083cf897529b71b6

SHA512
bb345ff22bf0497ea718a91c9a1717f60140c81dfe6a5d962b3c1bbc7b03eb252f1110953b89ccd7af63523ec8ee885c8e75296d90489caadf0cecedf4eab545

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
368KB

MD5
262bcaeae447de32090a48a5180c0f6a

SHA1
391107c2b8c21120d9c75a0b1881c9fc144445ad

SHA256
7c0f7f49060531301fe49dc38e917685f78e3d347639528b55708165b50a5293

SHA512
9662603cab6ff9ae2ad46d8023383a95dfe4fda173c2e80aa9b3c9cad66fb3d259810e1e4785b1c3667365e2191f29e4f3a2715f0cb60fe138295e6737054ef2

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
368KB

MD5
0b371a5b764fa3f129d54f389c0b4c30

SHA1
c76523abf31392fd25b22ccc94c844e053a7689c

SHA256
990a59d6ce84737bbe7ae16dcfa153b20d8c136e0a8eeac579e3445b4e852f60

SHA512
3140428b7ff6ba35df9b32c5d948de28bd28481ebd036c48b2fd89ce83c2f0b8d7ba37aca8d2e7505a80ef501807fc3443713b50cee7e7a8277a77bb2d6570b5

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
368KB

MD5
ba26ec74236b5968c9bb624a718b5992

SHA1
6f9612b629bd63a981a2a3a72fc8fb840d779fc5

SHA256
37028da109ff2e58cb00a838839abbff8a0d5768b9e3ea5e9a16923463823577

SHA512
40b188997ca44b20a0edabb15491c23d54c05e17b7ff3474bd1ffa091a696c674cf743f17885874223df63c9a09611077a2ecada3344d7d9da6e6df080ca6159

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
368KB

MD5
cc3f46ad31335a1a35e549070564b2b4

SHA1
6d23e5aeff835706505119da810d341365fdf4c7

SHA256
fff7c9a09a743c866ef88c1c77f7599a76b0d4b9985a26c4442b3a66f3cc6b55

SHA512
de1dd275a68b0466e9be1ff46f6697a5eb1069948221c6c476baa126ae08bd1c2ba1145b57501802bc36e79e864d0fabcfbf326e8c7b37927b8109b8a18d7989

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
368KB

MD5
9636422bdba5dce850828f4c21fc41ca

SHA1
05fecb105e6a771c5d5508335f0cdff63d22ea62

SHA256
17d71b8c4ece731c6ac6496b7df6a423f409f528f39a880896722f5dbbe3190b

SHA512
69af6d6de21f8777341394637bb46070c86ef4f850f39249d0f176ce1eace40d047f0ec1bd878016f11f1d25228e4a77d8ed2334b5cbc62c33bd6ecdd1d4e216

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
368KB

MD5
80d36121c86b5977b0e561495f2f5fb3

SHA1
56729171690a06eab605d13cafd6792189ef71dc

SHA256
194ede2caee570182d23ddf367991e38bfa4ad15bf4c2fcb3f38f16c9b756e50

SHA512
d8aa7ec5d051000ebcddc9b275c147379044f78cbe4d53b5b836234f044cb773e7f268040b3b84db7d450ee89285ff90683f4855d2c75b9baf108b1c78b5686d

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
368KB

MD5
b9924f53c79410e024076dc110ce2bbb

SHA1
a9a97318a89ff551871104bb0f4526f8e938ba52

SHA256
3891e55e5f620cc75f413b084dda3c2518f467cc7d2263da8162ce59f8548296

SHA512
45d9d9f232352122d38286221698c3b79feb8ed8405546a72dd7eb5f63d343e7fd7134645ec62a84cb0937f8d677e65dc810206ad0d717f0be05d2728ea37b50

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
368KB

MD5
49d895416615e4818b1a350ca93f31ac

SHA1
5768f05c3e574d19cdf4566a6f0607af867f0900

SHA256
cba5c4880f3875deb281de153d52cac624eb8530a7183cdacc03f4a7e53f3fe3

SHA512
2aed000cbe4e73055c7e94de33d1f8beeb78cdeb6e449834c427085bbc46299c06827b341acfdd0b86c7c849c244279c45cdbd574d705faa1e25187da392f995

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
368KB

MD5
a7aa4683e94b3beb4126688d016402f1

SHA1
7cd171a68c3d1c1d43720dd3750ab6bb7b804baf

SHA256
8020a138eaea57b4610c50edbb40c8354cccb226d8b794271aec2de81ab40e47

SHA512
a1b0ffbbf2e984e90767912575bde4fa98cee43fac57b57624d5d56450cf339c1edd929cbcc8e663e45d9b620b1d890ef018b05583f5f143890977300db95336

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
368KB

MD5
7bcf31984193c7890c7169b197de4239

SHA1
34897b2c0b4263b55cbeb2b103ca2395a36d3660

SHA256
297756fd6d430d6e6142c97057af5157ff249c35a98b3577db56c52a4ba2b1ea

SHA512
890fd77c34507040721cdcd36feaa479e42cb66fc87e9aa1291f039b1f33ebc04b13e4063eddc1a1d7e7b048f571f0296ffb2bdf21a4afc1773d4ee66499439c

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
368KB

MD5
67f8fc414effe47eeec13a1e3a4c7c8f

SHA1
9767f814e0dbba3e2beaa6ecd758bece3aceb3d2

SHA256
503015b5eaac2e4ab703eb2235ae2705163ab2b15c7ad30a899725ad72be7f7c

SHA512
c64c83f8f96d88c34d6ea36cc1354f97efe3cc9ff809720edc7c76de3bb92c33d3a4959ca21cda794d0fdfcf75e1f4cbe55ca7a2d45a55ae6abedf41e5f1a4e0

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
368KB

MD5
eae3f74193190b8eaf693628281ebc01

SHA1
1d4ae0291606c9cfa8eccacc8147760b2421edf6

SHA256
04097b32425696e7258539ff27cdd913de0e6c50f209e6a4622aad16a9bec8e2

SHA512
112a4aaaed8ae71036e82ab2e2559796148e4c53b42a90347b9873a74a8a96e23192f08a31ea36f8bce4bcdca114190ad8d869ace767e01de97dee81d10115b8

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
368KB

MD5
545f25b180dd31a708e04d9267f01e06

SHA1
08283d312f261affea5a7f6d4d1f9879739c4fd7

SHA256
15f1c9845b0bb8d07b7887bbea333294e2e2a2b6d4244a58fcbb3c021cb484be

SHA512
3fb48113fd308ca503ff31705599d5f5fca51d0ea92b7da3731f0abd4b0716c5dcfec8ccd75407ca8e495277dc959987ccd639402e4dad37f58af7a3defa9805

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
368KB

MD5
8d339247ded4ec8bc2637c60bbc03849

SHA1
bc6a7c95505c38bce978446b717c1cf2a97fc784

SHA256
3d6593188ccd6a03a018ee7da0d70f8f031e52e4e996086ec6096079f595b2fa

SHA512
6889b5d478fd41634d6f8ced89c833ec775b9547ecbba7ac3ea40c092df5afd79dd766e5fafe56109a53227f690e4e5027fd472197b6cbf64735af493c1511d8

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
368KB

MD5
07b9b808f6bd0b7722a7f420c6b7caac

SHA1
dd3a4ab22e3aebde45bdf1fddc9ec88838494bf1

SHA256
a2e0a305bbc7fc70d3baa0436e40fde9cd9995d651b785264cb0b75a3a145d11

SHA512
a2a34e01e2a1afb1fe440680bb6114b8c1434cc99d76ef283a36e098a693dead308cea6b592de2081706813d208a460e16a311393a5bec388aad42f3fb40e790

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
368KB

MD5
87f049ad9e919ad08500a712eea10979

SHA1
176a195728b30711765738e7c17f1f06415a983b

SHA256
ad484a9593bd69ca1549a836f4f8fc138a1bb70c8a61461ae547ecf3a2ebd480

SHA512
2c1acbfa67ec4d53d40fcad9052aab401b856c4e697e5988e4d1d8707d26c8e3df4e312f3e5b63c4f7ac4e3932db20d8b498628598dc6def670bbd922643ebad

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
368KB

MD5
b07929034d5120c656c60d17c82c57aa

SHA1
b24e543d92d4581dc05d89d21e697b786149de5a

SHA256
3f5aba7a2f1a46166d88e5abf04d4f18e2deaf3c4346e0ed18559c4db257d7b2

SHA512
f5b9e941bc24fe48f4e15d65f5b39459e5be8209d86d5d5b1ba157b22344fe9b24af7f9e5b30fdc90b265b2d18706522dc62c1f03b7f00969c00f8138ca8b093

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
368KB

MD5
9f072aa59c29646f23b995b3c5e86abf

SHA1
71802df24c3db3275e012f1255459b3ef0e2b5ae

SHA256
5cc29e3e8ba3e7ba3592b464f9c89df7651f9a47152ef4bfe64b052f61b5b7dc

SHA512
63a7686effc04a2ae6e1ecad29398b09374c18e085a8fd87ba39cd6bb379339bb2b700dc1b49720c0cc6db8488785514f106302f890bc463bd758a3c00110420

Download Submit
memory/116-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/116-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/264-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/264-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/520-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/524-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/524-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/828-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/896-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/896-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1680-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1680-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2888-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2888-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3016-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3016-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3152-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3288-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3424-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3424-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3580-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3580-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3688-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3688-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3928-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3928-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4216-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4216-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4496-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4496-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads