berbew | ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe
Size

1.5MB
MD5

1453e242ae43c3c71f6abbb61a465390
SHA1

2ce92413dcc773644caee7c1a774d66be44f29d7
SHA256

ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7
SHA512

77c67952662aa4a918ca4201e2009590e05a8a847a4f86b4de5bf87871bf77311d90bc150764a0efe7bf1fed1f5609e4798b6d050670a8586a1ea3ab68fd6a1f
SSDEEP

24576:Q5Mw7fyvzecvHPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWAU:Q5Mw7fyvKcvXbazR0vKLXZ6U

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1588	Kibgmdcn.exe
2780	Lffhfh32.exe
3448	Lmdina32.exe
4948	Ldoaklml.exe
2848	Lgmngglp.exe
3924	Lmgfda32.exe
3880	Lpebpm32.exe
1032	Lbdolh32.exe
4420	Lingibiq.exe
724	Mdckfk32.exe
4464	Medgncoe.exe
1660	Mlopkm32.exe
3348	Mdehlk32.exe
3956	Megdccmb.exe
956	Mmnldp32.exe
412	Mplhql32.exe
5080	Mckemg32.exe
1732	Meiaib32.exe
2624	Mmpijp32.exe
3204	Mpoefk32.exe
1904	Mcmabg32.exe
4648	Migjoaaf.exe
2804	Mlefklpj.exe
3012	Mcpnhfhf.exe
2728	Menjdbgj.exe
4548	Mnebeogl.exe
4012	Ncbknfed.exe
3216	Nepgjaeg.exe
4848	Nngokoej.exe
2368	Nljofl32.exe
3532	Ndaggimg.exe
3648	Ngpccdlj.exe
4944	Njnpppkn.exe
4632	Nlmllkja.exe
4404	Ndcdmikd.exe
3492	Ngbpidjh.exe
4868	Njqmepik.exe
320	Nnlhfn32.exe
2844	Npjebj32.exe
3564	Ncianepl.exe
4952	Njciko32.exe
872	Nlaegk32.exe
2700	Ndhmhh32.exe
2500	Nggjdc32.exe
2336	Njefqo32.exe
3952	Olcbmj32.exe
5096	Odkjng32.exe
4180	Ogifjcdp.exe
2756	Ojgbfocc.exe
4272	Olfobjbg.exe
5116	Odmgcgbi.exe
3396	Ogkcpbam.exe
2716	Ojjolnaq.exe
2696	Olhlhjpd.exe
1424	Odocigqg.exe
3044	Ognpebpj.exe
4384	Onhhamgg.exe
3068	Olkhmi32.exe
4244	Ocdqjceo.exe
1900	Ofcmfodb.exe
2300	Onjegled.exe
3456	Oqhacgdh.exe
4028	Ocgmpccl.exe
3504	Ofeilobp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5408	5316	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1588	4336	ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe	82
PID 4336 wrote to memory of 1588	4336	ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe	82
PID 4336 wrote to memory of 1588	4336	ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe	82
PID 1588 wrote to memory of 2780	1588	Kibgmdcn.exe	83
PID 1588 wrote to memory of 2780	1588	Kibgmdcn.exe	83
PID 1588 wrote to memory of 2780	1588	Kibgmdcn.exe	83
PID 2780 wrote to memory of 3448	2780	Lffhfh32.exe	84
PID 2780 wrote to memory of 3448	2780	Lffhfh32.exe	84
PID 2780 wrote to memory of 3448	2780	Lffhfh32.exe	84
PID 3448 wrote to memory of 4948	3448	Lmdina32.exe	85
PID 3448 wrote to memory of 4948	3448	Lmdina32.exe	85
PID 3448 wrote to memory of 4948	3448	Lmdina32.exe	85
PID 4948 wrote to memory of 2848	4948	Ldoaklml.exe	86
PID 4948 wrote to memory of 2848	4948	Ldoaklml.exe	86
PID 4948 wrote to memory of 2848	4948	Ldoaklml.exe	86
PID 2848 wrote to memory of 3924	2848	Lgmngglp.exe	87
PID 2848 wrote to memory of 3924	2848	Lgmngglp.exe	87
PID 2848 wrote to memory of 3924	2848	Lgmngglp.exe	87
PID 3924 wrote to memory of 3880	3924	Lmgfda32.exe	88
PID 3924 wrote to memory of 3880	3924	Lmgfda32.exe	88
PID 3924 wrote to memory of 3880	3924	Lmgfda32.exe	88
PID 3880 wrote to memory of 1032	3880	Lpebpm32.exe	89
PID 3880 wrote to memory of 1032	3880	Lpebpm32.exe	89
PID 3880 wrote to memory of 1032	3880	Lpebpm32.exe	89
PID 1032 wrote to memory of 4420	1032	Lbdolh32.exe	90
PID 1032 wrote to memory of 4420	1032	Lbdolh32.exe	90
PID 1032 wrote to memory of 4420	1032	Lbdolh32.exe	90
PID 4420 wrote to memory of 724	4420	Lingibiq.exe	91
PID 4420 wrote to memory of 724	4420	Lingibiq.exe	91
PID 4420 wrote to memory of 724	4420	Lingibiq.exe	91
PID 724 wrote to memory of 4464	724	Mdckfk32.exe	92
PID 724 wrote to memory of 4464	724	Mdckfk32.exe	92
PID 724 wrote to memory of 4464	724	Mdckfk32.exe	92
PID 4464 wrote to memory of 1660	4464	Medgncoe.exe	93
PID 4464 wrote to memory of 1660	4464	Medgncoe.exe	93
PID 4464 wrote to memory of 1660	4464	Medgncoe.exe	93
PID 1660 wrote to memory of 3348	1660	Mlopkm32.exe	94
PID 1660 wrote to memory of 3348	1660	Mlopkm32.exe	94
PID 1660 wrote to memory of 3348	1660	Mlopkm32.exe	94
PID 3348 wrote to memory of 3956	3348	Mdehlk32.exe	95
PID 3348 wrote to memory of 3956	3348	Mdehlk32.exe	95
PID 3348 wrote to memory of 3956	3348	Mdehlk32.exe	95
PID 3956 wrote to memory of 956	3956	Megdccmb.exe	96
PID 3956 wrote to memory of 956	3956	Megdccmb.exe	96
PID 3956 wrote to memory of 956	3956	Megdccmb.exe	96
PID 956 wrote to memory of 412	956	Mmnldp32.exe	97
PID 956 wrote to memory of 412	956	Mmnldp32.exe	97
PID 956 wrote to memory of 412	956	Mmnldp32.exe	97
PID 412 wrote to memory of 5080	412	Mplhql32.exe	98
PID 412 wrote to memory of 5080	412	Mplhql32.exe	98
PID 412 wrote to memory of 5080	412	Mplhql32.exe	98
PID 5080 wrote to memory of 1732	5080	Mckemg32.exe	99
PID 5080 wrote to memory of 1732	5080	Mckemg32.exe	99
PID 5080 wrote to memory of 1732	5080	Mckemg32.exe	99
PID 1732 wrote to memory of 2624	1732	Meiaib32.exe	100
PID 1732 wrote to memory of 2624	1732	Meiaib32.exe	100
PID 1732 wrote to memory of 2624	1732	Meiaib32.exe	100
PID 2624 wrote to memory of 3204	2624	Mmpijp32.exe	101
PID 2624 wrote to memory of 3204	2624	Mmpijp32.exe	101
PID 2624 wrote to memory of 3204	2624	Mmpijp32.exe	101
PID 3204 wrote to memory of 1904	3204	Mpoefk32.exe	102
PID 3204 wrote to memory of 1904	3204	Mpoefk32.exe	102
PID 3204 wrote to memory of 1904	3204	Mpoefk32.exe	102
PID 1904 wrote to memory of 4648	1904	Mcmabg32.exe	103

C:\Users\Admin\AppData\Local\Temp\ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe
"C:\Users\Admin\AppData\Local\Temp\ad898744581cc4577a6a73d053ec6a2df7c9cd1c83f320efcbba7a316f18d8f7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\Kibgmdcn.exe
  C:\Windows\system32\Kibgmdcn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\Lffhfh32.exe
    C:\Windows\system32\Lffhfh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Lmdina32.exe
      C:\Windows\system32\Lmdina32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        37⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        55⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        66⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        67⤵
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        70⤵
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        71⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        72⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1200
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2796
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        85⤵
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        86⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        93⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2108
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        98⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        102⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 408
        113⤵
        Program crash
        
        PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316
1⤵
PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
1.5MB

MD5
9725bdcdd876c3370315b48b4d9772ef

SHA1
b8fada5a48dd0e728a1a6c4dd7ece426e76d3fa8

SHA256
03acf15eb7aa0af09db8a763ca39c5c5d138c8c80cf6035ad80bf68c563508fd

SHA512
185d816a66266060b839320d6c1b3cfa4b2fb0198ff382f0ff27a638406f61e1f58d33d9fcc2a62ab245fe812e539291790a8589d6b871379df15581692a5c13

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
1.5MB

MD5
64c7318a87ca7806bfb286d48bce0b4d

SHA1
33114fa6ef4dba581c572c5aa239be34754a1710

SHA256
5f5ea6d45e0cee21c7aaefb653fd20e39dbb01f6d508203d62ce58c33d81c928

SHA512
1427a2ed6c2e98c9aaa2cb29b41e630c68c765a920ec7370d269d86ce386284330cfece08e1bf1bbb90508a2dc07546ca0cfdec122dc027e9eb215a573829efd

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
1.5MB

MD5
df6460b02583d1a60770c50639cd4456

SHA1
05578de1d41db9b1ae509d3403197641a10a746d

SHA256
4d71458bea37cc5b03377824754bbd3d91afb4983efd82d5c97992185fe8f41c

SHA512
ca802f32172c23661f2326e044ae7a067678e8a23b10116fbec597a5b6c497998a9574ea89006cc1046a7c595af731deb466db9bd975cd14cf4cbdb6f756df2a

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
1.5MB

MD5
67d08b15e12cfe3de1d45e16248471dc

SHA1
de04b458b203d6034a5979f13dc362dd90fba4f2

SHA256
65a0b5fe1c0d2fa0d2222e188394bb8b9ea4e782c2563f7f6294047250a87d72

SHA512
948038c86d038e1fc32ba3e453f1ca39066f1796633ce03f3df2e598bb068d49ea7f28258cddf1e601a4d0c0110dc833cb7a96f8016d87e2aa0a620d2980fb54

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
1.5MB

MD5
993e9343ab2d54964883d0bc14ebf54a

SHA1
a3be6a22918f0b59fd0c650da81d3742cb728678

SHA256
7ee91230593a6e96f5c0f4cbf3e611b1facef1386e31c14d23c4b58e2e419f22

SHA512
ea2eee0237a8b1764c6a016de831d883cbcb49a132b3c8aabd75068f5c1b3a8fa4806ae0bc08e6ef1ae1f83436a101875a287081196ee5d40295d2269a3061cf

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
1.5MB

MD5
ed77975573d6eea49a670df0b6080c19

SHA1
cc3a9c9d20a8a0c7a62e89e980248c748342e3eb

SHA256
de126b341db627163b73ab603310ada1eafde13e0d376e9daea24cf24e3ebfda

SHA512
a1220999782bdc4cecfdb523de78e827416264a74d5f8ba4599a5725938676df67b7a8eeec83e0dc8306b0c7dfdf6135f974182d7c74e916d7b9b82abce3a54d

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
1.5MB

MD5
3c1a7c4e59b3191e1c9638d8d7934575

SHA1
2f10225c006796df4ee5854400d65ac69320b2f2

SHA256
ade89dac5ed9b70831c0909cc87ab0c6c492510a6c2af1c8606060689bb0ea4a

SHA512
7fbd58f21936286fd682b1defa9408db536e58f0acaa41c58fd00e8c3c3e6a3097bcaf9828d149c171b1fc2d60cf300976990089d2413169b3fcbc9813ebda04

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
1.5MB

MD5
594fe5a252e8dac11760b44436cd7029

SHA1
2886d1ff54e24da33d51f56fa64cf85a03af18d7

SHA256
cd3e923af82e74b14ab65855032f6bed8090c0b55763164bba9b2d6d04c7cf5b

SHA512
88b0579560e820b0894c0556e1db232be6fd6ed5e8b1e9ed7cbc1f80f754e2e9d6d54139c906a1e255a765561a20599df6287e993b6f88e09153a6bb32a1f52d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
1.5MB

MD5
4fe357db23fc0864a10fab9044908b77

SHA1
a9c146104b5a2660ca09e7b6ee230e40450347d1

SHA256
423f5c01d28a1311e2628f4683b1aaeb5039b4bbe371bd95e43b36ccda3c2002

SHA512
82283e558cfcf6d3979bdbd8f768385ddb75b773083f4b341ec7874a9594bcdf80d1a5eaa3d03d294ba13839e9839d2f1c7634543d7dc899b7a97b0a3a6bf5ad

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.5MB

MD5
b121afc27796d9b6c9e014f3802e68f1

SHA1
65241b9e629d3cd6745fb05f8d77cae9d504e879

SHA256
7a4ecc880b340b4dfd4967554bf2df3a5d6fe81923cf2ccda19512d559649865

SHA512
8deefb7a6b3a7c6c16fd09a807ea287d71f2ee5ce34d48a90e591ab0f3f78b2f639f15d26dd20356eb2bfe006c217255d0099fbc904f2d4ccf34d58c735a10a5

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
1.5MB

MD5
67f550f64e755e7a3f21edbe32adfaa9

SHA1
5fc1a1d8604b9a147176b9da1127ec8a0455c11b

SHA256
10972cde534e443fd5e9f30a9bd0ca45eb8fbfcdbe190a9ef87aa8ae8f327c0e

SHA512
ae7673cdaf4f181c2c4c2368cb7cca92bd451cbd01f88f0f06feeb1cbd600498f8821b9e23513e60dd69b52e488f8d50ec2258098a98e1fe29a12e9d88384a87

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
1.5MB

MD5
efb570aba06454fa433a840961881e12

SHA1
60c06370b6e9f04841868a6c690d457a12070ae6

SHA256
f937b3855ab9c94cb4ca2929b4eace8dc55bcc870577e4eb30354aa2640694bf

SHA512
8e5853bbe7d8af61bface9c372b1f22b07a80febdb575c3cf0126a251f7b151aa928f21f983a06b83aa7483208667b193d2d9b501087d7ba379c04c65122cb7b

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
1.5MB

MD5
9854da83d6fa8122223435eeb5814ada

SHA1
58cf4a6700d7a36acd658a21b4bb4138b1d9c932

SHA256
f520af2fb447aacb532181c376cb300e417cedacc7d0bed7dd8bfa7b37a38fb8

SHA512
0cfa14a2c6fa1d213a2f0f7dd38bd16f7321aee4d676353fa9e705068744c64ad56e7af3b60ae6f3069fc757eaa927940d8cabaf5e005a120eaee6fe18c48b90

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
1.5MB

MD5
fc206642edbb61e590e307fc72ee237e

SHA1
8a4060ae67ee72a3f4407632fd5e9059eb311e84

SHA256
088faba8bb8c491e930814422a31820c621bc78ed9d4242f2c45eec362b830d9

SHA512
aed04c3c8bf08357e92489df14ec81f3d725135a9295e36f1f84ba3cedd50a22724760e170decbf193254fb1349f80501deb6903f574459f921032b214aa0764

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
1.5MB

MD5
e81bc1fa4367d53d12b6ebaec8b8b7f8

SHA1
17ddbc2509be73936e43eb6a35fc76c06b51c0f6

SHA256
398e68feae689a9adce61fdac65303a5f39d9a28ecc9173da1b266c19dc65192

SHA512
9de2af0656339bc5f6be9865196b2bd679f1fdccd9a3f351b9020bf932b5fda2e5eff448d0723b8ade9c3b940cf2f7725c1ae5189e7cf9c0537e59df29d4df2c

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
1.5MB

MD5
99eebf3d3c81bbb072e0ffec8afb16dc

SHA1
ce2a5d030be7d004def466d3f0c6e0ec5889ed13

SHA256
d63d907e121c640b4010f8ea3cc6c80b41e223bdb497fa8e331cce4d383118db

SHA512
66f6b26023a104e9be414c7f4cdb1ea84baa0953dc379cd35701c80479c0b44a9df1f3469175bf0e9b1366b830764996ff9ea07836d7753b9389741241a198b6

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
1.5MB

MD5
673d80b1134e50e2db500efc03af5204

SHA1
51984ffec38ac025706c8f9388f1e671d1937853

SHA256
394171d7c0a8ac4d5d0efa04640561d4ff150347cf2a17a68a03b7732ed1cce2

SHA512
f692309fc1ee430e1b481819842dce52bed595ff76de3cafd31fa475a4b1b2bfd9a7fbc2712106770430ece15488a7db9283f6f99c28df437aa83b91dcf5f4f7

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
1.5MB

MD5
1920a914c7db0eb718a86d333818c64a

SHA1
faf805fcbb67e3ae0bcc2ad0d0e3c587f09efca3

SHA256
7c85a37ca90206688557102b35761659633bcf5c6229ba79d88130e0499eb48d

SHA512
41f226d642b8f08921182b905909bd20ae7a107caeea2bc4e8f591677c98b861b15d580246f3a7d5c5d555327c8120b28e78226b799eb8fa79deacac967237f5

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
1.5MB

MD5
077b4826bd260325726796e8af762bee

SHA1
f3f1fff4a727d38d665cae275fd324e8d209dd2b

SHA256
99bbcf86eb364cfabe88fc9853d1f801b82f048eb893da4b629c51f08d4f6ae0

SHA512
f929a3d849fc49e4d2247317872c08df2e1e6263f135e5303b65c42a3011487490fff5670a1fe5436fd8af3755096213961bd2965631084e4594a2b940bc3cd6

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
1.5MB

MD5
b4003542bc6c25db928c68dda84ddf72

SHA1
9e4f26de218278452a5d46b95b1de279d86b1c86

SHA256
4a496cc12810ad7c8b0e29ffe72ea6a3406e4adb7b4e22ee6f52429be154fd1f

SHA512
40c7c0b081408f66b1ad10a77ecdc667bc0ac57061251098d74f5b6c00f84962d4e19de8ce7102f7efbd7c0a9dd4d50c421d5f093758abd6f97c7ccfcd2bd58d

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
1.5MB

MD5
36831080690d0537080be00650f22aac

SHA1
dda3fd1dc407bcab5003b4c632cdc5349a471100

SHA256
1c3fe877552732d56826573d1e701346b7426b26d3bc00af877da92387ab1441

SHA512
6c7d56c1ace9c25cc29fd662b072a2f5ba85ad44e2ace679056fa2a837f1db428a31fa31c05b26f13f05fd3796a28e496b5fd1d8eaf747e965d63c08cb18924b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
1.5MB

MD5
ba80659afe3474b7cc5b0722cdeee58a

SHA1
35ca8dcc7330412877f3531d74df6c63ab02f156

SHA256
67fa63c0de32d7e7519762655f756cc856f87e535b48a87d032fc02fca38064f

SHA512
b06cc800e2643a6b9686bc1eb087a6c679161f810f21ef1eff252b35ac3497b614d4488e3867ea4ee0a82d672d4658f9a7221fb164981941936d94552e40aff0

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
1.5MB

MD5
6515ce5af032c73bfe1f14925b480695

SHA1
3e7664b937371ad707204001671615f4f97ce209

SHA256
350c7c4e9dfbe1d55b411cae655e581726b258f2dfc80f833888dc7337d9a884

SHA512
c9b00bd5bd254c7bb660813579e4b32f5816b0aae454412701ff467831566348e2533dee134d251569ab888606f6735ecec047be2ff292d656f37fbb35762b29

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
1.5MB

MD5
8eb45728266b5dddd2946cde3247d26f

SHA1
220a6189fd8cff7511944ddf3586446a6d986eac

SHA256
47b065daa47bcafb996cb80afa0286d39c06004a1ddbaf65ce48ac3ac3a335b1

SHA512
15ea73264382ba3cbc811082a56998922889ad8ecee6059797647eca5675ee627193f3ea2716fb92daf9693459069daa5510e4485530dc6c5d6c0c5fd124b66c

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
1.5MB

MD5
e4927b2ffb7f793760817af88933ad11

SHA1
13a1b9ad98f672166e449738cff0705b2e41e5e1

SHA256
92a71d186ef9e9ac643c09cfebe96c20f040b2a9c861dba754616cbe787bc903

SHA512
596c3ff484695e1ae2b9ccafe5c7a98558653458f4513a245de913eab29fe3b1bb06af670a99073d135265f16a42c09cd15c6c476ef93aef43c46e33ad0dd291

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
1.5MB

MD5
6c8ad8e86487380263fb0242f54c9ff2

SHA1
a4e6c176e420e8974c36814704ad2402ebec7765

SHA256
91b3750253a4f9f1c8619cbb813365c5a45e8fc5bc986877be28f80c35a912a9

SHA512
b6169715ac5d8545a277348224ba560c81b572aff052076ca76fbb4e143d240aca588beeb5e766ebe73bd968a7f6e12738b017d76680b59f81c7dc30fbc02332

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
1.5MB

MD5
90adffebdc3658558f2330f1676cc2e5

SHA1
0d3cb73db49f3ae95b615f5e9d262ae0afdf51ac

SHA256
653c5c35ad27d9f50bdcf7cc321567065b5a4b6824011ccf61057072a6c5364c

SHA512
b9bcbe22e1939e5029fe81c3c4a9a3d08b3d7b91bb4e46ea3682b4d1b87b02490cb461d25082812cdba9bf1f444c09d74cc75d1e034197b84cadab5e6c44f4a4

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
1.5MB

MD5
54fa3d1e7348dc3bf09a0ee62c52aa48

SHA1
9b781692a0f94caffd497d05b6fcc89aee56675d

SHA256
c86af7db33b163179a6e12be14da9108ddf78b58184d2ea9e0a6be9dfad93140

SHA512
6db63a0012ab2222d8460678906430948e25b17c844a50ddc77cf09a72dac0c982606627511c3682eaec70c23088d80c8c5e70a689103756dd357e811c522632

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
1.5MB

MD5
9387d2c9000acb930a6570e976bad65c

SHA1
39b17d23a8c1d4e107935047298b1d3955be898e

SHA256
b1e21946540afa90f487a3782201d1d2019728efb62b072dc8b1f52f94ef89dd

SHA512
8fe99a89ef4f99ff233747c1365c986db344c6db633993393d08717bec822f50dec28819d58e9260ff112a4a485d447ade03b44bc6ccc5ed42ca9b976321df41

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
1.5MB

MD5
22e0c678b5323d3bfe01c91702e9d532

SHA1
aa98b7046a94e35fe03016423d3058123d8c5975

SHA256
191ab9951375e2df84339942451c0cb68e1e184cb9db83580152f86d3340ea75

SHA512
8169dc495572a7f307ea40c23a3a548b0a5871d37e438dec59f81dc3c1e0314f4c448f72fb209f51ca33c4b3e96e35d62f5d770da6675cb7bde3c70706b6d478

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
1.5MB

MD5
16fdc5d7d277bcc91e8dcf3b5c6d879f

SHA1
14087eae5985a2c4569c5f8705e1aa39c8aff9b5

SHA256
52bc2aa488e429a8428655788f8c20b672e2014bf267c80504230ba6d946553d

SHA512
723e648f2d08740c824a350087317bc3598bfb90b24069a8d3d017235d251c86008361fa192af459bb8e980cce449f3abfcfe6ee901d2df7d07e947dbcabd72f

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
1.5MB

MD5
d4dbbf7b40bfdfa122bbaddbee62abd7

SHA1
4b9db08e1dbf7fbda2861d706081280c67f07b73

SHA256
9e060bcc4e9c932cb034783f28beff68ba362214a973ca0ee681719969a13c57

SHA512
fac8bd287e29bfc175ba7a65adb67a6f84833eb9c2fb26fc7cda920003b3df0da235f01f0855467ae7c9c3a5b33bd704eab1ce21cfef388f324f7c2b66fb7713

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
1.5MB

MD5
8bb2a020926e8bac0b3cd651de335b17

SHA1
cbaede31789a399e3dc5853664e86b5f7b3f32fd

SHA256
4f15e0d97caaa5eec2fc3c035ab10fe09eb5aa973c53b09b052aced612d811d5

SHA512
5260dc8371167ffd93953d83526b8e1d61f3d78f094ed1a66d845114a5d7b9855ab56b861bece2906c24b90dafe225d3b809c222058355e1d6d4d1e790e1019c

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
1.5MB

MD5
7c4016387d0ed6023918c1408334cd70

SHA1
5e15d8c8db0c4d4819e4e3ab43105b4bc89da7c8

SHA256
c9bc4edf874e799827608d8396f6474e772b8bf06fea4d55edcf84034f326c14

SHA512
dc34164217caf138bd80508f609242cb8a6ad6af14680806e719635d325d48cb558b7596fd63cb8c6addcb7b86460ab6ccf92849a9b3c4cc77c94761fb3386f4

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
1.5MB

MD5
33c0a21db836e559326d46b13cf7e386

SHA1
8a4fa8d335472fa53420aa485122f572efd060ce

SHA256
384027c59c1af4182b1296bdd7529e587dbe93bfc8cc93eb15ba2b14c4729898

SHA512
5e351a5348b9937e8044d7fbb2f22f8b1053ff7e93691afa69e64bea8dfd9ea1cc60e9e4dc14352e272b13ba00a234c65ed09eea8681a22be680afde9d60e4e9

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
1.5MB

MD5
acab69a892251d8792a57fb69b122544

SHA1
a64fec00c2e406c0269a1fa93e82227e48a8d62f

SHA256
323a9c4fe107dad20de8e8312603ffa0912d3c90e6d1443740e10afee5098bdd

SHA512
6b26195057a2f94a8b6ef3d2c63319a703a96d6012252aa1d642a0cfde13b417dba50a7e4e530da81067807baff373a68812a93e8b45bf3fd1f9249e6126cce5

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
1.5MB

MD5
929e25e5499dff50b2ac6cb6f7ef4e47

SHA1
3cccc94bf61a59e6c875a9437d542ff12fb697b3

SHA256
9888df9df91432cb58f385cf06e2921e1ef7e08776e90924ed32311ff31ba64c

SHA512
f1612b1ad943bee0e1a82d452cd14ac855e4317376f327d035170a9d082140e903cc043c481c75235c6c34b6042c8c0753faa5376d554dff061bcf79122597d4

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
1.5MB

MD5
849763e9e3ec61a3a80a33833a888518

SHA1
8a120694fea94c7b19c09e50154d7d52f100857c

SHA256
d1275267a8bb18e543d8f8259e605945fc1dbcf2c120f7423dafbac854a20c2f

SHA512
8cf91c806efce433db1fad662c1183226d86080ce068a0f2cbc61a044e35f346472b1c3b7290b12b6b2c4d8b834f314ea01e10a86112189c108fdd224e7c86c9

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
1.5MB

MD5
e6c100674cf525d1a0d8ebb78c042f30

SHA1
6d06734ddf22b9658ec3f517eaeb54019065788e

SHA256
14cabdc5351b6635f6635bd15fef947c96547de4f1424a3c7863bad1a4905319

SHA512
db9f1a135fc6d855f6011df19a2ebb08cc6085d81805cca98228acc895201c75493c57f8164676fd1995c1853434e09f7931a0a5a891d2bbd57aa72e671d92dc

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
1.5MB

MD5
5c34b369ab7762466c734ffe58cd0f14

SHA1
313253fe4df555e23d0bbfcceb67581b2733e85e

SHA256
e17e43837aeaa23f0ed0c47a9078aafb4700360ff30c319586dd66fd452e13f8

SHA512
5ad71cc47bb4514433356093c5208f4530584538c21e751026bb957be49215d6417e883706d39dd9ba40a7bac98002205bb091104e333d184648bed52a9a3390

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
1.5MB

MD5
71e7a6496c7a404e1f445d9ea21e3fe9

SHA1
f200f2e5d0b502d3a9c3f82730cd679801b84797

SHA256
ca84d5f3da897c064d2c0b7227e11e2bbe4efceec77878b7f379d3acd7af98c4

SHA512
6a2f307eec6393bfd59346e59c0f092e1cc1c8e16d508bb3b5a8129a3f66dd479271306a438ffa4478c5c7ea5c6dc3e9c612f8fdaef48a713a5b2ed74dd15c59

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
1.5MB

MD5
e48fd4d164a6fdf8b4ab9fad95c68ddc

SHA1
8324f3012d08476c3a86b7047cfeb802e6decc53

SHA256
eb60d81708a593e3f7ce9f2fd03bbd8786782d16ea0eb9d9c16ae73bdafa6037

SHA512
bfc82f0ee5776a6ded2fc7b3ad38cc41d82f6f1b71ed6be485afccc454d853107eafde09cac32d1b32c28cc377a1d10c6ba09964524db672fe6b59a0c7166397

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
1.5MB

MD5
9d3c466aa4e2165f317cdf7640bc3c2e

SHA1
f17d6169d0044e87a7140491f1aa0622372e1b28

SHA256
d7690f554732e0511d3f4f3af8dd564906da5b69a455af80a8478fec495fe915

SHA512
949a83de8537890db45c3223d0f578de7f245dae2551c8d382cd85754030dcb5b8b47c1f1435678052c01bf16db57110eb8e3ff64292615970bbe6380bc05ec0

Download Submit
memory/232-499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/320-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/724-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/904-547-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/956-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1288-487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-511-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-523-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-445-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-572-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2624-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-565-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2728-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2780-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2780-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-541-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-517-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-451-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-584-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3504-463-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3564-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-457-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-481-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-475-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4180-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-469-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4336-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4420-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-505-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4460-534-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-529-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-493-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4952-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads