berbew | 65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe
Size

81KB
MD5

5af5a718cda039f1a96bfad60fa1fb10
SHA1

169e6d3d107c44e592e44fe0a73e5846016e611f
SHA256

65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19
SHA512

23c6bfed66995263a1e29c18df3d943a20db3b01e1fa564a1ee55068aec52b23acd3aad71cfcade8bdacf9c5bb37027dabef38701dd1d5d86d1c99ede37777eb
SSDEEP

1536:BqFHebDNta2CpDITzK71diFxH07m4LO++/+1m6KadhYxU33HX0L:sFHAJBLTqdi/0/LrCimBaH8UH30L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilphdlqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogopi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1824	Hemmac32.exe
1092	Ilfennic.exe
4984	Inebjihf.exe
3020	Iijfhbhl.exe
1804	Iogopi32.exe
4364	Ieagmcmq.exe
3272	Ilkoim32.exe
3732	Ibegfglj.exe
1872	Iiopca32.exe
4548	Ipihpkkd.exe
2352	Iajdgcab.exe
3540	Ilphdlqh.exe
880	Iehmmb32.exe
5008	Jlbejloe.exe
4528	Jaonbc32.exe
2972	Jppnpjel.exe
3040	Jihbip32.exe
3436	Jpegkj32.exe
4684	Jimldogg.exe
796	Jojdlfeo.exe
2300	Jahqiaeb.exe
3776	Khbiello.exe
2080	Klndfj32.exe
3764	Kefiopki.exe
1328	Kplmliko.exe
2344	Koonge32.exe
2556	Khgbqkhj.exe
436	Khiofk32.exe
2944	Kabcopmg.exe
1396	Kcapicdj.exe
2296	Lohqnd32.exe
1340	Lindkm32.exe
3740	Lllagh32.exe
4384	Ljpaqmgb.exe
3840	Llnnmhfe.exe
3240	Lakfeodm.exe
3820	Lfiokmkc.exe
3672	Loacdc32.exe
3432	Mjggal32.exe
4636	Mpapnfhg.exe
1672	Mablfnne.exe
752	Mhldbh32.exe
4608	Mfpell32.exe
3760	Mpeiie32.exe
2544	Mfbaalbi.exe
980	Mlljnf32.exe
5100	Mbibfm32.exe
3204	Mlofcf32.exe
4880	Nciopppp.exe
3724	Nhegig32.exe
4220	Nmaciefp.exe
2268	Nbnlaldg.exe
4484	Njedbjej.exe
2840	Noblkqca.exe
2008	Nijqcf32.exe
3368	Nodiqp32.exe
2564	Ncpeaoih.exe
4572	Nmhijd32.exe
1928	Nqcejcha.exe
1068	Niojoeel.exe
1152	Nqfbpb32.exe
4840	Ofckhj32.exe
764	Ommceclc.exe
5076	Objkmkjj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lakfeodm.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Mbibfm32.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oophlo32.exe
File opened for modification	C:\Windows\SysWOW64\Ieagmcmq.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Fkaokcqj.dll	Mablfnne.exe
File created	C:\Windows\SysWOW64\Ojgljk32.dll	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nqcejcha.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Hlqeenhm.dll	Kefiopki.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Ilphdlqh.exe	Iajdgcab.exe
File created	C:\Windows\SysWOW64\Lkjaaljm.dll	Jimldogg.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Nmaciefp.exe
File opened for modification	C:\Windows\SysWOW64\Kabcopmg.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lllagh32.exe
File created	C:\Windows\SysWOW64\Kjmgil32.dll	Pqbala32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Jpegkj32.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Objkmkjj.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Nciopppp.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nodiqp32.exe
File opened for modification	C:\Windows\SysWOW64\Iajdgcab.exe	Ipihpkkd.exe
File opened for modification	C:\Windows\SysWOW64\Lohqnd32.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Cknmplfo.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lfiokmkc.exe
File opened for modification	C:\Windows\SysWOW64\Llnnmhfe.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Mablfnne.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Nodiqp32.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Aglmllpq.dll	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Jahqiaeb.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Ppgomnai.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Ilfennic.exe
File opened for modification	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lllagh32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Piapkbeg.exe
File opened for modification	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Njedbjej.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Padnaq32.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Ilkoim32.exe	Ieagmcmq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	1848	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nciopppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfojdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefiopki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mablfnne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbnlaldg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omopjcjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfennic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lindkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbejloe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jihbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgbqkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omalpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemmac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajdgcab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilphdlqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpegkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khiofk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcapicdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oonlfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiopca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jppnpjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimldogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlcjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaonbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojdlfeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koonge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogopi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilphdlqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Khbiello.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iajdgcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglmllpq.dll"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll"	Inebjihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omalpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1824	3748	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe	87
PID 3748 wrote to memory of 1824	3748	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe	87
PID 3748 wrote to memory of 1824	3748	65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe	87
PID 1824 wrote to memory of 1092	1824	Hemmac32.exe	88
PID 1824 wrote to memory of 1092	1824	Hemmac32.exe	88
PID 1824 wrote to memory of 1092	1824	Hemmac32.exe	88
PID 1092 wrote to memory of 4984	1092	Ilfennic.exe	89
PID 1092 wrote to memory of 4984	1092	Ilfennic.exe	89
PID 1092 wrote to memory of 4984	1092	Ilfennic.exe	89
PID 4984 wrote to memory of 3020	4984	Inebjihf.exe	90
PID 4984 wrote to memory of 3020	4984	Inebjihf.exe	90
PID 4984 wrote to memory of 3020	4984	Inebjihf.exe	90
PID 3020 wrote to memory of 1804	3020	Iijfhbhl.exe	91
PID 3020 wrote to memory of 1804	3020	Iijfhbhl.exe	91
PID 3020 wrote to memory of 1804	3020	Iijfhbhl.exe	91
PID 1804 wrote to memory of 4364	1804	Iogopi32.exe	92
PID 1804 wrote to memory of 4364	1804	Iogopi32.exe	92
PID 1804 wrote to memory of 4364	1804	Iogopi32.exe	92
PID 4364 wrote to memory of 3272	4364	Ieagmcmq.exe	93
PID 4364 wrote to memory of 3272	4364	Ieagmcmq.exe	93
PID 4364 wrote to memory of 3272	4364	Ieagmcmq.exe	93
PID 3272 wrote to memory of 3732	3272	Ilkoim32.exe	94
PID 3272 wrote to memory of 3732	3272	Ilkoim32.exe	94
PID 3272 wrote to memory of 3732	3272	Ilkoim32.exe	94
PID 3732 wrote to memory of 1872	3732	Ibegfglj.exe	95
PID 3732 wrote to memory of 1872	3732	Ibegfglj.exe	95
PID 3732 wrote to memory of 1872	3732	Ibegfglj.exe	95
PID 1872 wrote to memory of 4548	1872	Iiopca32.exe	96
PID 1872 wrote to memory of 4548	1872	Iiopca32.exe	96
PID 1872 wrote to memory of 4548	1872	Iiopca32.exe	96
PID 4548 wrote to memory of 2352	4548	Ipihpkkd.exe	97
PID 4548 wrote to memory of 2352	4548	Ipihpkkd.exe	97
PID 4548 wrote to memory of 2352	4548	Ipihpkkd.exe	97
PID 2352 wrote to memory of 3540	2352	Iajdgcab.exe	98
PID 2352 wrote to memory of 3540	2352	Iajdgcab.exe	98
PID 2352 wrote to memory of 3540	2352	Iajdgcab.exe	98
PID 3540 wrote to memory of 880	3540	Ilphdlqh.exe	99
PID 3540 wrote to memory of 880	3540	Ilphdlqh.exe	99
PID 3540 wrote to memory of 880	3540	Ilphdlqh.exe	99
PID 880 wrote to memory of 5008	880	Iehmmb32.exe	100
PID 880 wrote to memory of 5008	880	Iehmmb32.exe	100
PID 880 wrote to memory of 5008	880	Iehmmb32.exe	100
PID 5008 wrote to memory of 4528	5008	Jlbejloe.exe	101
PID 5008 wrote to memory of 4528	5008	Jlbejloe.exe	101
PID 5008 wrote to memory of 4528	5008	Jlbejloe.exe	101
PID 4528 wrote to memory of 2972	4528	Jaonbc32.exe	102
PID 4528 wrote to memory of 2972	4528	Jaonbc32.exe	102
PID 4528 wrote to memory of 2972	4528	Jaonbc32.exe	102
PID 2972 wrote to memory of 3040	2972	Jppnpjel.exe	103
PID 2972 wrote to memory of 3040	2972	Jppnpjel.exe	103
PID 2972 wrote to memory of 3040	2972	Jppnpjel.exe	103
PID 3040 wrote to memory of 3436	3040	Jihbip32.exe	104
PID 3040 wrote to memory of 3436	3040	Jihbip32.exe	104
PID 3040 wrote to memory of 3436	3040	Jihbip32.exe	104
PID 3436 wrote to memory of 4684	3436	Jpegkj32.exe	105
PID 3436 wrote to memory of 4684	3436	Jpegkj32.exe	105
PID 3436 wrote to memory of 4684	3436	Jpegkj32.exe	105
PID 4684 wrote to memory of 796	4684	Jimldogg.exe	106
PID 4684 wrote to memory of 796	4684	Jimldogg.exe	106
PID 4684 wrote to memory of 796	4684	Jimldogg.exe	106
PID 796 wrote to memory of 2300	796	Jojdlfeo.exe	107
PID 796 wrote to memory of 2300	796	Jojdlfeo.exe	107
PID 796 wrote to memory of 2300	796	Jojdlfeo.exe	107
PID 2300 wrote to memory of 3776	2300	Jahqiaeb.exe	108

C:\Users\Admin\AppData\Local\Temp\65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe
"C:\Users\Admin\AppData\Local\Temp\65b8ff16a8145b9556d471b738bdef70ddbfa0f1a217deec60fedca970465f19N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\Hemmac32.exe
  C:\Windows\system32\Hemmac32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Ilfennic.exe
    C:\Windows\system32\Ilfennic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\Inebjihf.exe
      C:\Windows\system32\Inebjihf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        30⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2040
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3992
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 400
        85⤵
        Program crash
        
        PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1848 -ip 1848
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hemmac32.exe

Filesize
81KB

MD5
8614df26e3e8a0de3511f48ff143265a

SHA1
ba2c54cdf29360c30e1bcb1a3cae99b51204f451

SHA256
33459a93731cfe74f5a67701cd613bda53ff8731dfcf24580682961d05147ad0

SHA512
0a077c9744830860b95c61f6ca4bc60dd7b00b4a0c7836ebecc526b7c1e380b8bd0f36179172027a473dc74eea8b65f6a675fe90f150ae1ed92550b4f702161c

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
81KB

MD5
1f2434fe370962b7cf4faaee93eff550

SHA1
fdd6e81b6bef702f57620d00bdf8136439193fea

SHA256
0776dbb22480a640e2f85907dbf40fcf5201a75ae5d3b62ad291c7f258989326

SHA512
7668417edd940b92910d5b9f06dd909f1dc6941971263563739893b3dd331c48de88e53006926f5729cf3d71d2b873538651da6f5de699c8deff03e53cdec519

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
81KB

MD5
dcdd88d3b32199f7d2b501022b3ad1d7

SHA1
f960bf50810865dea05e3f89a60bff8cf51ae1ae

SHA256
c0155c1e2a880f46ee07b0b8cf458d98cb3e85e7380eedaa1e5c759b0e488d99

SHA512
d1e89141acbbafcd9e71fe8346cc4fb63df64e196d1d4c76346702bb958593bf794e4d8ad9918f8b307578ada011f5eec06748bcf2a20f548688f3d1eacfe5c4

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
81KB

MD5
8450168c364025c20c9ccb254e838d18

SHA1
c60a62d31eb65be8fc74bcc9ead5c5b16bc790d6

SHA256
a8f58e6d364f8fbcb0600ae76db0e223f4964731ed604c04bdb7f7f90216bf4d

SHA512
80bc37dd3ebfe98e23c86c0233f60186ff4179b230ffbf48545a46a86fe370e053bbed25240818f27f08deaf071e0f54314d24267b01dc4f342b25d2275b3b6a

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
81KB

MD5
1774e8f247cb02893ed5aa2d81ba4e39

SHA1
f337d1aa949b30cd87e86e743d0407b40865cf93

SHA256
4399097c72be465fcc374a2af9034d598fbbc6345c09d597df3291d48baa5158

SHA512
64294546d41738b298b974785b71aab753ca226461df1e2ba4eeabd70618280448161461bb9e41ca27725c15d0136fa53c074f75729dbd8885d014bd505a6fb2

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
81KB

MD5
74fd3a2e8dc79b701130313ba1d5f90a

SHA1
9a3613b945c95176973bc9c692e948d1c8bc1410

SHA256
405d1e7def5c2ac051e40bd181867a7cc87d14b25d2ee51546e08af1ebb1ad26

SHA512
d5efb904d219c65c9270388e651ce17f41efb3f2acb3d262a2d2bbd0b7c771c88f0361fc776227552cb2c9c0468abcc014a6fb70678e9a61ffdeaface640ea7f

Download Submit
C:\Windows\SysWOW64\Iiopca32.exe

Filesize
81KB

MD5
fbb8e8dab58bbfb4fc5e1d779aeba7de

SHA1
bfe751e9d931c8952c2bd420eed3d95ea100514c

SHA256
a83f7861b1357f6beb4c4b96cefba921de4e78f69bebfd2742b85bb20b6b187a

SHA512
60eaf1934d0be4e2d9dcd02daef05cdf111a7bab25437895f76ba3d294aeb2a9844d226c8b8d867160f9269849049fab195381d601eb002d54c035ebeed7e97b

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
81KB

MD5
d6c08e23ec86b394fac3baa3b69b2e99

SHA1
80917412431da359bde570eaebddd5acc4220863

SHA256
4b8589cd4fc041fa1d840bc71dce567975890b6ada6c04f7ada4314c5341d22a

SHA512
ad78b90d7a1fde82e22a2744f4444bb5803f4c3a3fa19df5ae6688c75417e045eb58f29928b367bc04acb9476ee1f41112ab8e6f0fd3f948c1b322360645034c

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
81KB

MD5
90bb574a402e24aa628fd8729f936db6

SHA1
567d9426ba8b4e4e6788cd385f416f74bfc0bca3

SHA256
59dbf67898a61600055fdfa5993769a357b66c55eb6d3b00b7d565a871f29535

SHA512
20d6f9bb2e0dc0d3d2d0d6c220a67c3f7646c8a71bea0821a8f337633bc50b2f22b4fd6a7d6c340b380746b21a71943b20b2c767d9fe10944cfbb560c2bf74be

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
81KB

MD5
e6a25223f1af055ef17a981ce57204ba

SHA1
d9c002ce5e9bc16d544045b8ebd363d89e35edb6

SHA256
095c7df073c96bb2562ce673aca4474c46804303c08b5890061de479eb04109f

SHA512
dd52bd9eb8e025dddcb07a80cc9ff159696329c2fd1db9adba301b3034ed8dc32a2f503aa72ad83f1ea6ee8803375dabfbf9d9427c925192880e82839ae7c9fa

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
81KB

MD5
6b89cd1a09438e39e0958bcea94ea1c4

SHA1
eb2058b6fb1d069099e6e9e3fc4cd2c9990b6324

SHA256
28828e94e10b77bf42387fa4ebc848535d05e8ca071aa79c7ac5b21ae189529b

SHA512
4d7d3de9434807a419b2bae99766d6e65e9c787dc50ca6394be54c408fe2f4ad28713475fa4f98f68101b240416b440e38b87f3a467df5e9f3ee3f6c5cbd7a0b

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
81KB

MD5
15b58268eed8e03598628f49c52cfb07

SHA1
54d9d19cebeb0ac09ac87fd8631570b4fe372a20

SHA256
0bb24c4c604a3d4bae5af990d35708886bc4f33749ff52e8a0637287df71e055

SHA512
65d5560290587030e01e17741d244bfb8a81bf9cfc6a657900e88ad78c59d71a27a91cadd193c633b95bec82edc059b2b86460e89fa8ca928a7da1e9efe7f444

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
81KB

MD5
adfac58f80bae25f3674ed72987a72d9

SHA1
4bc168981de862241ebc2a0c4188e0f7f3f0dfe9

SHA256
c26df83719a13e3377d665f97bc88ae83e8d1488a0d26716134d62b8cc8bfb83

SHA512
899a763ca75a7d66e0346a58555678a20a53a14eba12d52173f78756a3cb7509f34840ee3796ba502a3934a6339e2ed1652fb936e88ba78e34acb2b9da3348de

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
81KB

MD5
d38a36774cbaa3311747b3ec5c3fd064

SHA1
5d23f2a28e527607ef1dc9588a92f2d344df102c

SHA256
9691f051f65e302c27cf4c7a43f813becf7104b4dec19e5b167acb2d209d5a47

SHA512
0f3b04000a925926eecde5903358acee254484be027b6e8c6a327bbd7aeb442ea4f0c2c68270b45ee11fc352db38c9f864d950bbe233e2e559517395bfb503ee

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
81KB

MD5
bf86053a25387e9a9ab12efa870380cd

SHA1
0433c991b43f14aab080eca3683d12fc20a3be9a

SHA256
daff6b53dfd2ddac8125ea8d88a474e7cbedcc19aa04e1862ceb62dda3e9be21

SHA512
45fe4e22e9a705d33a649f6df1649165efc3ec7e76a1088ae6d32aa7edcbc0c8bc4af6726b56bafd51bbfce571be11cc24291288da73cbcd55ff13a73dd325d6

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
81KB

MD5
30083df853393cdbd37d30a2623024a7

SHA1
78a3140bc9e05e2514366fe2dc63824d965ef07c

SHA256
aeea626c2fb0ecca70e5704e87a5048c8b9cf228158856ab5d3979660e29d3a4

SHA512
142171dad1384e986f6cec4bb8543483931d04aa0559b1f5d192cd1014aa1f8b5a3f1ad9d1c8dae42dca801720d3364fe833be6dd148fa7433a09ee14226aa8b

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
81KB

MD5
bc32223720cdabce2bf4dd817d991c54

SHA1
7cda5259b3ca79f652486b5ad9c2e111c5e1f03c

SHA256
628111b2c0ded2424957888bfa80905a4085157fd319f4f2618828e8b015d4cf

SHA512
09e1c558f172499e6e3cec9f2d656a784ef3733aa34553600f7790d3e243c9ea9640993e8b4a3c1d9fb744043ad1afd44d0775ca5ce371754138baa578b85e79

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
81KB

MD5
aaf9a22a348b14d9669c986b1433f37c

SHA1
52fe93736f9c8a401322c8ba09e4ab75867d2dcb

SHA256
6918a8b39dc6821473f3bd8388a41579b7286c7b29d749d82814e43194c164ec

SHA512
7390e5a0459131705a3e35981bccb6d10c29769160d94076cf095fba156d52efb7e36649fd221baac27c26a9f48ffc31b9b233b1b36c5519998bbd42023d5818

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
81KB

MD5
87027b629ea59fe1173939db5efcb05f

SHA1
cceb2c85494eaaf22345ae16a59cd5aa5fc017a3

SHA256
0e3ea3241f2dd21988e9ac23a392174a5264cb13ba6a4d28ee67a170c2099f78

SHA512
28704a9130aed286c02c7b5324108fb2f9d49ea06ff7b0adcc244b66b843d32aa0e5cc22ec84b5a213bb70b57d54639579b41ac9a84985ddf0e2927537cd5d7c

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
81KB

MD5
b2163bc03f64765eaad06732b31a8ed4

SHA1
b68be42bbf0e1115547b767d19fa4be3611002bb

SHA256
7eb93f0798e7095dfb934e152b1aef286791fbfaea343db9bc0e7482d4de96f9

SHA512
167ca142bfa43fdd51e7c8ca842e1b7c934888a0df657eb0d7da1271dc2276a5c0169945b454910210ccc0c46bd2dfd5b8f44723f9d1042e62211ea18ae113e3

Download Submit
C:\Windows\SysWOW64\Jppnpjel.exe

Filesize
81KB

MD5
4e485b62b2a5ae6697480d79fd5472d7

SHA1
4b900d2b9b4252405a7d83077db7b283a0c02986

SHA256
ceb731f4484d7fba130469bf50cd628dd3a3301d52c0823fb697d5e8c7003f44

SHA512
32608de5fcce5600a5a2f108afe472a0b144e4b988a92c5132e6f8a42c620f3a80f8d932eb0eecd828d819c760175e55f96a1bd0659c35fb32746eb4f34939ab

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
81KB

MD5
b0dd5f7af99cfb8cd503a942536b747e

SHA1
32b652736224a3891bea69c6cef3bc586b9d5662

SHA256
696d07cdf846138dcbac0e1e7215e19a275e070fe48169ff6b1ed523e36101dd

SHA512
e969bc06258c5f228666923edf5306390067f0f520cf4fcd9fd64b3df6579463708d06ff92a16413d0b7c8b11d2ab8550a508164a9ca3e05e3f3d6c5f4b823ed

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
81KB

MD5
52c3c0546af47e9f088d063b8d713f4b

SHA1
7226b74950ca39bf653f517b6cd4e468f6592bb1

SHA256
b1329939059385318f30c658c593d9fd37b240dc1afc558837f4cc582e450029

SHA512
6b75ccb1290fb61fef757557e2d4ea27b81565d9adc98e6c51100dab6aca36a34611054b5d04e16d5c1bf5702f1b492b2078b70984be1e1815647a8627c212cc

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
81KB

MD5
af130db06310bbc1397115ed9844ba7f

SHA1
f1761b6107f71d5c412c2bbf4a7c66f16b235e9c

SHA256
642345fa62fce6a8d0f49d2c3dc51118d10a0cdd140e6f9edd23fc99b0643337

SHA512
66253a12d573bb34d2349c48cae4fbe80fc0707eb4156b9935b21cc613aa0339668ef5deb7eba38b3dd7cfd4932349201cbc7e3b1322278eb55f712254812496

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
81KB

MD5
8cee1535d8c43ca7ef5c62530c9c9681

SHA1
2554456d34e70bbf8fdc42f87b258a5818c702c0

SHA256
b761b28e8eb8e2affeaf0c4fb18e56ee7e8e43c3bd7109e79b15ea8bd26449dd

SHA512
bf19013a3a7131d2762882fdf7e3131537be11ba9682c3b2e9460265883c939db8f0f3ef7b322d37fbb5714d8c10e5435bdb0046c9f8bcc8a823417ab76dfd8c

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
81KB

MD5
3812a6de8c3b7eb6f6652f7b294c43f2

SHA1
9a93e0e7a8996049a64a9ba645d99785c842bc95

SHA256
6e8a11fc7f6aab9ef430ba02a5fd045942bf4acedc4668683014f38b2cce7971

SHA512
5abb42a3326a5a67f92822214b22dbf00cc5e9c2ed6708d4a65d3ef8e028e26689d7c44dfdcef0720f73ee7c40ce6b4aa7d16bff167333983348c685a9b6565c

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
81KB

MD5
005d12729bd39bd1f5ea535b3fac692e

SHA1
72f9ea74d6ee6c6bbed3631d2a4b221e09fc9c44

SHA256
003b779d4623e8db279d860a9e79dd3f8fac21e6f9a0e53392da673bec95d94d

SHA512
7d3f460fc947b295dca6d69cd6bc567271747bd9168b7b5cafebf66f4b4f34941eb343548efa96583d041f9a4c56b5f81e31c1e1531ec83a8f46aa37279a9b90

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
81KB

MD5
4e72d3940aa0141715b2b68149dc2ce2

SHA1
be7690c029b9b8b3ab52f130ad525badafef6302

SHA256
eabeb91238f025acaa4ba9f2deda4eba3fec810e17a456c4b00a35b2fb76951f

SHA512
8714c8fa3e930c5898c54d09728202fd0d402953e3ea16b7ca2adb4538b5967ff53dbc5910303021596e45501d29e62240ff09f8239628f62efb2ab3fe2e181d

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
81KB

MD5
93eb2fa7d8d1ae4e2e6a9ad09a05e49e

SHA1
23723bb6056a1842701e2cd54e3effa062583b25

SHA256
6ea5fe21220eb3b27961c25951327891a06a662e2b0dc6ca28b260d20fa7cd28

SHA512
7a859f9b709a465a430f885df01f68f794aee9f94dd506e7f68741dad3d5bb33aee6835481610894b65533530296de090e0e507e856f2ec357aeb303ec81a376

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
81KB

MD5
560bd077269565ba14382ae0da36d25a

SHA1
129dda434f5b3c3f6b57c3c1752d7b62efd0685d

SHA256
f004b85604833b4fb446959bf92d1847cc02137b4ef4d8fa1e3b3fb71e4844c8

SHA512
7f8f52ef2237f1f53da58ddcc6487e38b488afc4a55d15f70355848986f9fff994ebe5f8dfbe4c9a9d886d1a27d4dfb7ff6e028268794f6b9f7c6a43c57ec31d

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
81KB

MD5
a3bf11da5e249528a6f92bd045cf7ddc

SHA1
79af4f28ae8fc4b504588bc6f88aec02a7f9ad9d

SHA256
2cb7630c46025d29607b717eecb7c4c235badebae5eb1baf9a8933906942a418

SHA512
90dc944b510ef238cc49d1e325d2c8fee90237d945ff1abf06a3506d63310b18cdffdf9a3da51b186cba99a9075ed44f87f50747f938fe49be89923f9a09c879

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
81KB

MD5
d7986873c541992eb86abef0ea538913

SHA1
25138e4c961ed6684b0429c69687815dffe64554

SHA256
4791db44c88b88efeca349ab2d55016e211c9389d04fa74dc0a0ec65f36f730f

SHA512
ff52c997d71261211db58a1d2f50684f4f5690eed8ecc9fcfc65ed43eaa35324a677959134fe2eaf4b37f2033f38fe381339252bb04f3842d55ab2a16eb791e5

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
81KB

MD5
4a00f6cbef84161d551d42370bd12aa1

SHA1
2f59428dfcb6c536df2791e02549fb94e2875206

SHA256
c13e4866984b04bad4d0c67d3e05e09233566d2e66078a3a42b1e47852da495a

SHA512
1c327a797e4a7582311620dac4c846d8f8df23436d91a6840d0656d81969325cdb4a8dcca620a40b45ddd0d76b372ed32c773d59fe246680bc4866b108aef137

Download Submit
C:\Windows\SysWOW64\Mbibfm32.exe

Filesize
81KB

MD5
70c845ece06a7fdc5fe7ea4e58739a7b

SHA1
b64c885ef57c152c2a2016749d353f4989411a71

SHA256
65318c6b21d1e7812ff2e896330ed118274c122911e8e4e71e2b4b8a1d0d3f07

SHA512
622622cf5d4db64fedb45572f195e7754ae01cfe3d4c343f3d76fa1b6885d94731d711f2c3b8849a5d73ae50368f30471f3161771ade9fc5110efdfa6f2ca4db

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
81KB

MD5
ce1728b376c14c57664176ede09582fa

SHA1
15649fcb56ff54f701842ddb2ac52a3b8c9b17bc

SHA256
7523a528f171c1227fc6d969008d5e4aa64772dc6c2bf686d74b35b82554d18b

SHA512
0facda14d9ae3feb26b85f355e7a8e1fc68d47f9e76563b758cdb85276c67d82e545828da0df664806b70e83e7896775bb760d4f8ff289c5cc283c2cb7f687dd

Download Submit
C:\Windows\SysWOW64\Nciopppp.exe

Filesize
81KB

MD5
62bb204d9d887cf1bf4ee5dcd1b1f8e8

SHA1
d24e2bb87bc527b45415a98e4c6379c3b627d9bd

SHA256
fc4f6f7dfee8e88bf4a83aa8a7b767a06d66d83e82f749b6b0a64c20427cdbfb

SHA512
29724f6c73387c558618b2b8c97d4c8553d9264d4a1ab083e4fb686ea14a934e1625e57a3c387d408011edf704a65f9886960ff5fb228a1500166a52a4cb8f56

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
81KB

MD5
de8b2f9ec2633498a98021b41ad63140

SHA1
0d2da706f5774ad3e3be1b2c14348ebe23ca206d

SHA256
8506ef9fbdfb1645a353105a78b1e62869c522e38027f78c3ee01bd11e089318

SHA512
c75f792deaf302353541207e6fa12cd19b4a8373a551248396d2913ab5bc2c0bafa5d7c846fe26a7103548fb821441fdb3a38848d2387afd069bde91eca1aa37

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
81KB

MD5
b94d87cc6c7f1a082c62f233c191f29d

SHA1
eb72f98bbd45d81e350fa7ae96cb0848e0e13a6b

SHA256
c300b98f81545a9399fe9087489371f92be6ae9f2ab6e07a8c4eaa5a901e6835

SHA512
66c87176fa6f960e8bb2b345d3c214d893f2c300971fc398312671965b8cdd46184a7a006cc8302a6ab482812ca4bf125130b57c24a50b5c9954bfa5c9ed65e4

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
81KB

MD5
f749307f2d3ea6183bedbeb7da6a44b0

SHA1
9cdeabdc50fd168b39fb7c5efee0189ccd59b6e3

SHA256
9e63d39f6b2a6b93c02ba219988a75c6d65ff183da93134cb2c867a552199fa9

SHA512
f6b9e60c31944a58f60e3be5f9e995992036ce643f52b4a0243ff5a2f757c2f1c503cc591bba9fb0b2768174d771bc847aac08971f58d5cb1673bbee31ca1dbc

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
81KB

MD5
9a34a6485d52d09d56320158d2514138

SHA1
9365243e83c7be2ab08b32f5eec447a7e0845a30

SHA256
36a2643cd58679097b50c341f70d68971490ffc5401ee99e24d93e675a9ac462

SHA512
6e9bc7d858f7821662a7a378d7fd68f0fe325852607cddf189e86d003dd611c967c12fef47bfcfa92a126de2656bf0c22cab3c5ecfb5ac92bba80e6f9180e821

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
81KB

MD5
41ea3e321509305b5d7a62eba9379e79

SHA1
208812c3482e0a2658ef823f84f70b1ee77701ba

SHA256
673184b537fe98edd1e1a305eedf2854fefeec83dd9a0b8e2d62ed9e13f64395

SHA512
f69e715b1d09bce7eb8b56be4cb190b718f5f4ea945eddb8a48f3ea85e50e457d1f5ddb7a70789305b82477f6548463eab7995808b2d155220e230df18846e31

Download Submit
memory/436-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-623-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-689-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3748-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads