berbew | 8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1

Analysis

max time kernel
94s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Size

337KB
MD5

db011b5286b3c1969d78e6e7578b333a
SHA1

1172c5c0dbbe2f78a6fd4ed9a38700c1fd064ca8
SHA256

8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1
SHA512

00e41ae75c8f6640130bdd0f40973b7418d6f559178935f30449c99a5765f033a311e758623d9ed24a6d14d41719a207334d02a3cb7ca9ab04fdb1e764e61970
SSDEEP

3072:oGLUWibFoqWbOgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:o3bSZbO1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
3512	Lbabgh32.exe
3648	Ldanqkki.exe
1168	Lmiciaaj.exe
1856	Medgncoe.exe
1444	Mchhggno.exe
3960	Mlampmdo.exe
2980	Miemjaci.exe
1076	Mdjagjco.exe
4736	Mlefklpj.exe
1468	Mcpnhfhf.exe
4620	Mnebeogl.exe
636	Nepgjaeg.exe
4964	Ncdgcf32.exe
320	Nlmllkja.exe
4556	Ncfdie32.exe
3584	Npjebj32.exe
2228	Nnneknob.exe
1756	Nggjdc32.exe
4968	Ocnjidkf.exe
872	Ogkcpbam.exe
2584	Ocbddc32.exe
4644	Odapnf32.exe
1008	Ocgmpccl.exe
2284	Pnonbk32.exe
1576	Pjeoglgc.exe
2388	Pfolbmje.exe
4512	Pcbmka32.exe
2080	Qqfmde32.exe
4368	Qnjnnj32.exe
2336	Ajanck32.exe
3600	Ageolo32.exe
3568	Aclpap32.exe
4404	Aqppkd32.exe
4308	Agjhgngj.exe
4860	Andqdh32.exe
1200	Aglemn32.exe
1972	Anfmjhmd.exe
5084	Agoabn32.exe
708	Bebblb32.exe
4752	Bjokdipf.exe
4236	Beeoaapl.exe
4768	Bnmcjg32.exe
4288	Bcjlcn32.exe
4660	Bnpppgdj.exe
640	Bclhhnca.exe
1564	Bnbmefbg.exe
4832	Bcoenmao.exe
376	Cfmajipb.exe
3444	Cabfga32.exe
2444	Cfpnph32.exe
4264	Ceqnmpfo.exe
744	Cfbkeh32.exe
2732	Cagobalc.exe
3528	Cjpckf32.exe
2736	Ceehho32.exe
2628	Cffdpghg.exe
3748	Calhnpgn.exe
776	Djdmffnn.exe
3804	Dmcibama.exe
2680	Dfknkg32.exe
4352	Dmefhako.exe
4412	Dhkjej32.exe
3448	Dodbbdbb.exe
428	Dfpgffpm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	3944	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3512	4928	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe	82
PID 4928 wrote to memory of 3512	4928	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe	82
PID 4928 wrote to memory of 3512	4928	8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe	82
PID 3512 wrote to memory of 3648	3512	Lbabgh32.exe	83
PID 3512 wrote to memory of 3648	3512	Lbabgh32.exe	83
PID 3512 wrote to memory of 3648	3512	Lbabgh32.exe	83
PID 3648 wrote to memory of 1168	3648	Ldanqkki.exe	84
PID 3648 wrote to memory of 1168	3648	Ldanqkki.exe	84
PID 3648 wrote to memory of 1168	3648	Ldanqkki.exe	84
PID 1168 wrote to memory of 1856	1168	Lmiciaaj.exe	85
PID 1168 wrote to memory of 1856	1168	Lmiciaaj.exe	85
PID 1168 wrote to memory of 1856	1168	Lmiciaaj.exe	85
PID 1856 wrote to memory of 1444	1856	Medgncoe.exe	86
PID 1856 wrote to memory of 1444	1856	Medgncoe.exe	86
PID 1856 wrote to memory of 1444	1856	Medgncoe.exe	86
PID 1444 wrote to memory of 3960	1444	Mchhggno.exe	87
PID 1444 wrote to memory of 3960	1444	Mchhggno.exe	87
PID 1444 wrote to memory of 3960	1444	Mchhggno.exe	87
PID 3960 wrote to memory of 2980	3960	Mlampmdo.exe	88
PID 3960 wrote to memory of 2980	3960	Mlampmdo.exe	88
PID 3960 wrote to memory of 2980	3960	Mlampmdo.exe	88
PID 2980 wrote to memory of 1076	2980	Miemjaci.exe	89
PID 2980 wrote to memory of 1076	2980	Miemjaci.exe	89
PID 2980 wrote to memory of 1076	2980	Miemjaci.exe	89
PID 1076 wrote to memory of 4736	1076	Mdjagjco.exe	90
PID 1076 wrote to memory of 4736	1076	Mdjagjco.exe	90
PID 1076 wrote to memory of 4736	1076	Mdjagjco.exe	90
PID 4736 wrote to memory of 1468	4736	Mlefklpj.exe	91
PID 4736 wrote to memory of 1468	4736	Mlefklpj.exe	91
PID 4736 wrote to memory of 1468	4736	Mlefklpj.exe	91
PID 1468 wrote to memory of 4620	1468	Mcpnhfhf.exe	92
PID 1468 wrote to memory of 4620	1468	Mcpnhfhf.exe	92
PID 1468 wrote to memory of 4620	1468	Mcpnhfhf.exe	92
PID 4620 wrote to memory of 636	4620	Mnebeogl.exe	93
PID 4620 wrote to memory of 636	4620	Mnebeogl.exe	93
PID 4620 wrote to memory of 636	4620	Mnebeogl.exe	93
PID 636 wrote to memory of 4964	636	Nepgjaeg.exe	94
PID 636 wrote to memory of 4964	636	Nepgjaeg.exe	94
PID 636 wrote to memory of 4964	636	Nepgjaeg.exe	94
PID 4964 wrote to memory of 320	4964	Ncdgcf32.exe	95
PID 4964 wrote to memory of 320	4964	Ncdgcf32.exe	95
PID 4964 wrote to memory of 320	4964	Ncdgcf32.exe	95
PID 320 wrote to memory of 4556	320	Nlmllkja.exe	96
PID 320 wrote to memory of 4556	320	Nlmllkja.exe	96
PID 320 wrote to memory of 4556	320	Nlmllkja.exe	96
PID 4556 wrote to memory of 3584	4556	Ncfdie32.exe	97
PID 4556 wrote to memory of 3584	4556	Ncfdie32.exe	97
PID 4556 wrote to memory of 3584	4556	Ncfdie32.exe	97
PID 3584 wrote to memory of 2228	3584	Npjebj32.exe	98
PID 3584 wrote to memory of 2228	3584	Npjebj32.exe	98
PID 3584 wrote to memory of 2228	3584	Npjebj32.exe	98
PID 2228 wrote to memory of 1756	2228	Nnneknob.exe	99
PID 2228 wrote to memory of 1756	2228	Nnneknob.exe	99
PID 2228 wrote to memory of 1756	2228	Nnneknob.exe	99
PID 1756 wrote to memory of 4968	1756	Nggjdc32.exe	100
PID 1756 wrote to memory of 4968	1756	Nggjdc32.exe	100
PID 1756 wrote to memory of 4968	1756	Nggjdc32.exe	100
PID 4968 wrote to memory of 872	4968	Ocnjidkf.exe	101
PID 4968 wrote to memory of 872	4968	Ocnjidkf.exe	101
PID 4968 wrote to memory of 872	4968	Ocnjidkf.exe	101
PID 872 wrote to memory of 2584	872	Ogkcpbam.exe	102
PID 872 wrote to memory of 2584	872	Ogkcpbam.exe	102
PID 872 wrote to memory of 2584	872	Ogkcpbam.exe	102
PID 2584 wrote to memory of 4644	2584	Ocbddc32.exe	103

C:\Users\Admin\AppData\Local\Temp\8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe
"C:\Users\Admin\AppData\Local\Temp\8ce6dd41ba6a7f3690268d4c1ebef232f9a56fcaa1a5f75e560c7afe16fc11b1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\Lbabgh32.exe
  C:\Windows\system32\Lbabgh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\Ldanqkki.exe
    C:\Windows\system32\Ldanqkki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\Lmiciaaj.exe
      C:\Windows\system32\Lmiciaaj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 396
        68⤵
        Program crash
        
        PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3944 -ip 3944
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
337KB

MD5
80a056817d2d1c67c5b0a0a28ba74aa6

SHA1
448f7cca908131c4966ca0a0a5ab2e2b964e295b

SHA256
c8639b82515b2fdceaef9af06d2989d2e6777fc8b49a1e8de674a0f7a5315bb8

SHA512
d164f4f8331d61292bc1d3e02c5146ad83216db5c181451601f9d81390ff62a44ac7e03e077e979140703d199b9b7c77eb1d6b1726e4afb33a548216020c0a24

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
337KB

MD5
f3e8fb55373a51bbcd5330c12f0dd30c

SHA1
22a281924c1e0a5115df2f34aae2a8e59be6aeae

SHA256
e22e2b54cad31d89a1a434f7a494b1c10d36e3490d47806eafd28fbf9129109f

SHA512
5b18bbd7378f7a8fcfd797a91cc696ffde19f78d818f3c9958a50212725b92eb06357e2c3e773469e3baa1a37c7fddccb28a6c88785895a3ef65530ca095df31

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
337KB

MD5
02000c0a130aa60146416ab670c60f5f

SHA1
7942b83652276f4202bebc50a23139cc77f77302

SHA256
9c2670bac88582b7b8d23b54504163cef4dc2e643cf075f05661d721e8f6ef2b

SHA512
d78c9ba26a5f772e49b535b3ffdac8f0c2bd3319013a93383e818887148b3c1ffd360fd656171597b4d19f540c0afe9746c86c7caf94dda0a51818d042f092d9

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
337KB

MD5
48aba1e959660b75df31eb6f5c8eaeac

SHA1
dbcadb9b605dee3294b51d165b5ee61f71af102d

SHA256
053293fa2cd0a0d248de69d998437f347699770aca6e7e1b43b43eacca835b44

SHA512
a7670cff80738dfeb77a30812ab34aa595f1170a09a6f77a276d22fb1a577bc1f6078114d1c933bc40c3b4932df3ee0d8d58f74f11e8f927299e036ebba30a22

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
337KB

MD5
49bbb36575c15ed5f7c737bfabe60b86

SHA1
889b83806b7f48c7930e4e2973c5dc748b59a8c7

SHA256
5326cd8701b2522ee5aefecdd1bdfda74befb74e52212e5e877014442c529791

SHA512
4ea3e75801698e24f176d5edeb8b7f9d483ba637125193e0955e60141bba1e7e7307efc0a13fd84049acd9130060d537aaaee24cc8b3bce73b66d02141523119

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
337KB

MD5
878746450da01880fa69e90a3057b65a

SHA1
73b26f22f552ef1390d20309a1bdd075c75b05e9

SHA256
40ffc3b10ce8b78f87f5e0c5c9c902cd413af64dd8baf1d6bc6cba6c661c38c8

SHA512
f8f7a7d8fc9e2d3c66a62c6febfe6852324890104507f29e384b12d866e0943f125f7b7d31f9a27c96d614aa1c1b27e23997846e4b0add7b054daa26a993b022

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
46fe41af9edcee7ebec5989adeeebbcd

SHA1
4706c378483607fff266a1fc1ecb35be2a307ffc

SHA256
609e908e54f4bbd67ae0104dd90f5bd175c093c3c5e2d5f60f64b3f9c66ca3ac

SHA512
45bbc12608bd87901147c8a428bfe844840cff7cb35229bc79e72a9a8a28e21ed9404b588e601108284525cabbdff818d30106f512b3ef6666b1877f7a77400e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
337KB

MD5
8f38fccacb333a3c74cfbc2f487ded52

SHA1
142fa2f85a1130f9ec5503a155ab659ce5d6fa57

SHA256
2e53274d27a51d3fa12fa020d1ad047fd2e9dea72a8a02b5b4128f833a95fb9a

SHA512
db58a0b3b3506b7753a443bc5e21f638bd93509432c786336de23ba773bbb01c03783490eef6d109e81ae28b91d0b02dcf9dac5dc6ba5a8888dc2b8124716566

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
337KB

MD5
07fc10d3896a31f037eb6d6754d6be7d

SHA1
3c83a22e9a3323e5c33cae06aff24fa7807ac8f6

SHA256
8fc05dde7161deee64497ed27b8bf6d74c4eed39ac57761f53c9a343808d27ce

SHA512
ef5a6ae82a8754042c801781fe4fe79a6185550b32597d3a13dcfe45452ee647080790a25a235b9f8e0f28677bf1f5d98ee90e2d0776409ed49564138be74cf5

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
cc3383741f1212fb87ac900f02b20407

SHA1
0703247ea2c4a713ddd88c978aac4062c6b798f5

SHA256
d259661feb5e4be1d40db11de706891396008e97b2ad243ec4264324f651adde

SHA512
e2a4cf6ee951c5e7dda1a64df0bfa7503235db8b76c39916d993eb7658d9a0fe1c8b0d7102b8076f0c7ad8b2a9a2dc89eb46a23fde310598032e68d71eb049cc

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
337KB

MD5
a6f11f8cf49f2b7ad4e8b398419d7f52

SHA1
e77d75e18471be394454cdd865b3defedf018d57

SHA256
b3bf6e85f057ef615f8b0b38260b856e862e1b929528f942b5dfe2ff11740733

SHA512
189604a26e1c745e4f6ca768bb9e388fe069fcd919c3c184d8ebc8bcb34be7ad0244cfba6d2000e3da6fd3f054e49c35229efa964c5af75d6d5e6d1922d70222

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
337KB

MD5
ba920b0bc0ccb209c9730068adb4ff61

SHA1
dd8d0f24b693aefc27ed082521da1b42bcc7ce19

SHA256
d35a1a37592e520be1f41dc556f397b90c218630d0917960f7ba82f314e614d9

SHA512
62e8e768eaabc8ea2a8e76c76d174981572f7182bd39cd753ddc3a9eeaf8b3f2bafa43a4408105a8a78cf01ec657be2dec50d3f743b9922ddcbcfd4098b79edb

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
337KB

MD5
7e6e8e464dde2ebeacb7be43f31a1579

SHA1
c16cc29c072dfbcd883a329fcc337b8f768f2650

SHA256
47ce84e054b77338b5a9cb6928ab523b892720983707c6fe67c8d2f560d67a2d

SHA512
e0cd8ad049fe988843ba523494fdfb950d85c6fa5a38b6fb917204d1ab17b3d650896d8da8665f7ccef78d2c78dffcd4042dc8822549c3337716af0c24c17684

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
337KB

MD5
10ef1b7a8802c94d11963fae7581fcae

SHA1
41016a6227e84dfb12b3efd859ff7d02f3c72f1a

SHA256
78155343c6760f8678d489d0706e85dceb011883772b1c563b1bb7aff7d129e7

SHA512
8c5eba29e375b2b7ae6941a5bf3c977f8dd39290fbf692e96bc94431e1ba3825608c1ffea52473cca7e026d961c4c022965767534000022bc3b51016bf265234

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
337KB

MD5
dd026afb8c12b7c34b7299a2c3baa018

SHA1
bd863d7fd6d1ab77271728cbdcfc61a39c00e201

SHA256
7403ad92f0eefc6133af734ae421e9e8f90894b0ac3d00268c2a9195fe7ab8bb

SHA512
c18fc2074ae926d987a20c6a18f6c3450f13752a82127e9a6e937fcd8edfc338bf2f6f1f320af677fe67dbceeb20779ead9f79a5348ee47c33499c272ae857b4

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
337KB

MD5
d2aeb7db0713ad13ffcf0137b46ce926

SHA1
3605c4f92f69bc239dd3f1bb5ccac82e7a32f464

SHA256
b80675b177cd017d31dddfd2e79b1c423a6fec41f31e0967fd18308027fef977

SHA512
068b76a2eb4735fdd6f0f4ceb34b9cbe01885aefa7ccf3848f1d54619703b9e1b2c7c6f536cc7066c2258e9e2d1bca9130b3afba578878b4411c2c3667afed4d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
337KB

MD5
544cd6915e65f808918ce5aa36252aaa

SHA1
e9ef62a45f19285c3c0b07392068d98724b6311f

SHA256
664efbfe8d4f409e30580f8cc069876e06758cd285d573ff424adfbcf6d2d0cb

SHA512
bad7a55ab1ce4a4fa0a6d4351871364876d587f431cd5e7fb4a2df0a1bd92494be0cb4dc7cb5d4c4c57c9efaddc1590d966f8267a85c60fd7b3b70e210b59d9a

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
337KB

MD5
50cd303b54c7b88d8e40350ffbfeeebe

SHA1
aee609f9f321ad033aa9c98d86b1b130b1cfd930

SHA256
571a1b2170174d671b295484f48244375d0e76fceae0d6fb3d536315393712da

SHA512
db1e36362f8acb142d3d76c83e48b49e698df5fdbec5127d6f23a566aef00d5ce0e537616111a9881f8844d4fccdbf34f6a6d9b660c308d564b78f95af14adfa

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
337KB

MD5
f50721277672b39d8e125c036607de9e

SHA1
e20686081b1c9e61490ad1290d3c888df3c06155

SHA256
8892c52f538686b4b62119ffaf1aacb72ffd99ea5269cb788d591001a756977f

SHA512
6964a601f9d73806023899d007fbaba8bdb83b48d58649ae3c47e285ad2cff4a8b74458a77b3b88f10577a21836f27c85577579519c3a038d097ef23ec8beecc

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
337KB

MD5
5eaecb74ccbe3824f064ae635557e707

SHA1
f5ee91bfa4df51bacbd50bdd73f8c2226c918b1e

SHA256
b0074d44b54829625368602ac35d500221b129e4b5bd5037854a4a92002bcec4

SHA512
d29f8a28b4b223807222c439eb0931819104ceb3aac3aa7fef1150b55ebdd193e22926c2c920fc61e633dbf2826da5bda37d7ba63c70386c92acf5f2946e14f1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
337KB

MD5
f7c879fdf521aad77cf17d12c5c8fa7e

SHA1
f18e3aa5d4dc7894804017eefa29858c8e28f1d8

SHA256
4d4ed21e04d148bcc371252a5114605c18c24cfd7a48e081c977aa784d6bd849

SHA512
e776cb830aa297116030c76d67a08806a96441436c7e0f517b9f9793183d931319a8a1db3d1aa5cd1fda5e1960da6566f9a7a65d4edfac9e2574e22be19ab614

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
337KB

MD5
1a2f8fe0e727cd3ab09fcbaf9094cadd

SHA1
e7bfd513f1379bacd13b2b81afaf4dfad68d4b72

SHA256
8bb41b86b6dda8ce93d6f493678fe1abb1d0c5e71fe334686a05be72f2f090eb

SHA512
e2aea4fbd547dc47995c1e04433d3a2ccef5081a5115027107932082808348f9e0c75930d91d1d6385fd3ce65d0de9d3c1bef324638228e12439f6021b68f69f

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
337KB

MD5
ad36788772911c2ae70c881b95c7194e

SHA1
009f0d7d166de377830eda9a4f4690a000ef29db

SHA256
9a10bde4f53d6ffd7a32b3f9a66c89703123fe0d0ce1555382d6486fe725b5ab

SHA512
7ac876102d620d00e59442c1975310990e835ad6f93327d3b4af8c0c038bd309f8acdf40b102d603a4b4a6d102b413189ab4e4cc035cd364143032a9de70caf1

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
337KB

MD5
4a03b834f0a489f612a3b53d7abff7e7

SHA1
2e587b8872f362ea9041547e908f0faba6793896

SHA256
a24263006d0ffd5a0956e1f41b57ccb4f5a6ea30230e605052524b631069c4a1

SHA512
b9748562933be4c97f56835e2dce59ebca53275021374e385eb6d92e79e81640daded10e2210e0e56c785fc0c09959d9b22452cb28a34e4bf032e88baca65f36

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
337KB

MD5
5745bac4d18a1fe391f1172c18fb5d89

SHA1
20f27dfe3d979d8e157c4c976507d7ebd708b9af

SHA256
42e95a23008d19e1737993a79d4a453becce40fb93e2e0821a34548518690a01

SHA512
6f4eab7d9ec10f7ab6e9ed8b3932ec164f11deb502e9f0ca3ffcfc1e9f85f328826a27de38be78457bafbb500c79d9d3a6a120402d2dbdc16e9aa3ae4c280d5f

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
337KB

MD5
84d4a4385c6ed43573a02a790e252c3a

SHA1
1d360c9eaf54aa42fd330969a4758ffdc70ee6eb

SHA256
1c3fa1b7c8388b5ca99f2ee464c0b5c47959b63bd349b62971d37383161a1c9d

SHA512
9793fa02f9fca8f418ccbcf5d1ac43f30b74fc547e8f94b2b167d408923b8eba3da37288661df2700367d2693683cf2e24e393e3bd3b2b00727535a86d3e6291

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
337KB

MD5
1af1f83351a84a46753a6365dc3f3cad

SHA1
5544dc57c1c86b67a705dda09d76807922a473e8

SHA256
9130b368ebbbb67e4f89c16ecb5b91451c6891cf5629e23fbe6d4540dcffa359

SHA512
117636047c7885b1d1f8a2f62b1f9468319973a6560aa42b5e67deea4804e1b6428f9456d4dceda16a2e124231fc2949c9063f3113cc2131d7e29d01b8c3d878

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
337KB

MD5
a9bd54081ab61d61a4393d4e237cfd0c

SHA1
ddc38605baf9cb11cd0bd7bd1caa568a17856c51

SHA256
5d3f3660e5239a15ba970c17c58a32ac95c9c1faf3e16759765c0fcc4a483ca4

SHA512
aa49b869baa60404f08e9752d87460b868c6218664f668d474d98e39108c00fb473f6f103c3627d8605d43909e2e4cf6840ad710de50881ee381923057a98467

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
337KB

MD5
8c7c70a5c5f0bb6dc6fdc23abb09a011

SHA1
9204e436ad6b1eecf6d2d08e2d09a7ce7df6e056

SHA256
f507b3ac6a8e41a307cd24bc431916f6a97b3909301101a0ec01cc2920347948

SHA512
9e6c492395e0b0fc4540ac36dea431e26f247c42dc94eaf3d41ca19a2476a381228d9d93163460379b26d3edbe43e39512677b26fd49438f70493f1b0da0af59

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
337KB

MD5
7378b14cc0a99e0100350925dfb2bd14

SHA1
66376ae3ef4eef611234bd59ec5e70aa964ef8ad

SHA256
5ad1ed65ad8293837ca9aa155a6c5eeb7bc703f145e9a14cd744011d0a514054

SHA512
286170f78cdba1b0f822e86ef6cda8523d2ec29bf56a904c0d0121f225fdce67c9ac669d1d3f4c028e0eee84e901edab77d6c0772fb221cdd67efb15391dcdad

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
0c89edb882d1c0fc4d6467a3dd1d3e2c

SHA1
a6e741a2803cd0d9ced2cee5e7941744028aa58c

SHA256
59940fce96bb1ef25906769836d49e43b19b0d98f97c1944e1d170c24099cf30

SHA512
95dc9de63fabc86c7e938eb6e8ff3bb021edb7b72c372899272529e884623843fd7068353cd0b1798dae44172983c3e8b506568a14cf9e2cf46aefb785c6e1bd

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
337KB

MD5
ddb273fbe42a919b44186b00441320c3

SHA1
bae044c06623b864f0e35f9d9652911e38ee808b

SHA256
fd071cbfbd8802fbb53756af2d9e23eab0dd3065c38cbcb98d4a9c93ba09b564

SHA512
ea9bc267d288017312fa8fc2572c049a62780644f0098e2f626471a4eab926a9b37d7e54904c9c1fac0a1c1145c58cb070767c4b2a8a864ca5ed434e397e1a45

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
337KB

MD5
4cf09fb072fd7625e7a1f06ba8297359

SHA1
d2520f07a294ffc426d8de7bcf4f30e0e1efcfcb

SHA256
8c083d73ceb87a43eab3b6f9e38341bdebd78942a4b94cf6416cdaf0d9e05d8e

SHA512
c5492ab9bcc835a4e70e5c6f5d69c2040650f71bb8b66c84d8b0db7c61327346c69b832d82c713db348a9f28518063af8804ebd8d873592490ad8947c3b6c71d

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
337KB

MD5
2c222caf843eb4191c6a89f5b12ae4e9

SHA1
ab6ca2f177f6fe608595691e403e95a17290a6f1

SHA256
f07630c35e2346c462104fddcc62cf694820acdac5d8c08e255c7aa20d957532

SHA512
944acb8f2f9acd313328303d485e98167d66d0face5cc04b46b019b95a38e4ed536f93cff2619d54388f3f598e0361d4b2e7c8f86f9a04417f9dc6644c61abe8

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
337KB

MD5
a465fb2646d8110d5b5468aa770529ff

SHA1
168636a2153d8dfb296b550b9dbd7a197d8a6514

SHA256
57ccd7d6bf7543ae52f6a870186edb571305b3d8265cf443b5a7ef2da7c896d7

SHA512
4f7e802f850d89cd5e8b5bc1ebd1a19e5b6635f77bc5f07d82ee511fd5cd959d52acaebba95c7c4928c4dd7fcc9098b830ecd58ea31e7d277039a81ad0de160f

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
337KB

MD5
c0737b3c56bb9864eb2a3ea3b637cba0

SHA1
c7e0adf720349e9e445d90a730ab51e24c652fc3

SHA256
129b2d31b2c9e4bf2d4a8700d29ffa6423a895d9f0aea3b31fbd9f6430217a21

SHA512
366f5b4a87323cdbf015e85e01d32a783d6049c81cbf1d8e68d796dc547ce9cf086880040e4d072707e04034aaa4b325caf3d8b556e035200fc9095f89b7de0b

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
337KB

MD5
7cc70424a7d5b17ad9b334a2de0bb675

SHA1
bd6e4fe7fef6d4ab45c25ea1d4a790561750bf71

SHA256
1d55250c0ec9c8f84ff0561c17976f1284d2ab997ce255388bb420a503c0e410

SHA512
d15d6f46c25a1f7516535d53333265c3084ed4ccd74785d69d3e6b007b09d5b6fd33b34182cbe22fcea7d5846e041b79b38b61f02db2f6c396aa40fce8538761

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
337KB

MD5
d9aaf2b3ea1cbc9224afd62ba981a5ec

SHA1
c00282cd0f53edfffa472b94d28f615a89d7004e

SHA256
4ee4b382c29c915f5866e99449669e7200e14afc2f3bf6b798f237d076b44200

SHA512
4b1f5454249e419fb32bc50ccf478eee8b4ae8101cb0d1a2db1dd1f55debdb06133050a758d170c04e337b66dc94430a5ca182f50d4fff7f0a5790d897a9bbbd

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
337KB

MD5
870999216261fb5daad8dc6ae7a5ae07

SHA1
14a80aca9920b281136ea41d541617453a71ef07

SHA256
77053116feb32658cdd049227d96c24b43f48062d56159c7345791ff033e7543

SHA512
eba7d029c420b02845142ed019eda000900c39c5886de10c7b50357db99417dd551dcc7e4770faa7a0434a0a17f8881475590d8b72b1fb32a4782ddaa63c997b

Download Submit
memory/320-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4928-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads