berbew | be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00

Analysis

max time kernel
93s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Size

276KB
MD5

ad35e6fd75daff89c91f9f25f1509320
SHA1

c13f687147209c4df42f6d3b2718832760e3d4d0
SHA256

be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00
SHA512

08ab7209e555306146769d00fc5cb4d0e204c39074ab3d46ec429621568c3c6c81f0ef838340588c36d76acda2e97738fb5edd6bc5c9a0f199d547f2b97f931b
SSDEEP

3072:W3W9Hsg2msS3NS0PNgozeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDrM8d7w:WG95sStFgozdZMGXF5ahdt3rM8d7TtLa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfjbn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpdankjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Naegmabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omfnnnhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmqkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomcpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckmpicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfjmake.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piohgbng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpboinpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jecnnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maoalb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maoalb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bikcbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbmkfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbmkfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckmpicl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpniokan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Addhcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lophacfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdpnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncipjieo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qemomb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qemomb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnnlboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lajkbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Albjnplq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbcaome.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnemfa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imhqbkbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnemfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odflmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpdankjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhdpnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naegmabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpniokan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Addhcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjlemlnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdefnjkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iomcpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onamle32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfjmake.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpboinpd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bikcbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckhdg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
2660	Gpmjcg32.exe
2828	Gmqkml32.exe
2696	Hjlemlnk.exe
2520	Hdefnjkj.exe
2904	Hnbcaome.exe
424	Imhqbkbm.exe
936	Iomcpe32.exe
3048	Jnemfa32.exe
1952	Jecnnk32.exe
2152	Kckhdg32.exe
1324	Kfnnlboi.exe
1200	Lajkbp32.exe
592	Lophacfl.exe
2336	Lpdankjg.exe
2864	Mhdpnm32.exe
1980	Maoalb32.exe
1012	Npfjbn32.exe
844	Naegmabc.exe
1156	Ncipjieo.exe
1852	Nckmpicl.exe
832	Omfnnnhj.exe
2456	Odflmp32.exe
1936	Onamle32.exe
2052	Pmfjmake.exe
1732	Piohgbng.exe
2068	Piadma32.exe
2636	Qpniokan.exe
2752	Qemomb32.exe
2348	Addhcn32.exe
2556	Afeaei32.exe
2908	Albjnplq.exe
1728	Bpboinpd.exe
1544	Bikcbc32.exe
2124	Bojipjcj.exe
2012	Bggjjlnb.exe
1144	Ckecpjdh.exe
2020	Ccqhdmbc.exe
1336	Cfaqfh32.exe
776	Djafaf32.exe
932	Dbmkfh32.exe
2172	Dnckki32.exe
3004	Dkjhjm32.exe
1620	Dklepmal.exe
968	Egcfdn32.exe
2260	Eqkjmcmq.exe
1516	Eifobe32.exe
1276	Ejfllhao.exe
2088	Ebappk32.exe
884	Elieipej.exe
2652	Eebibf32.exe
2728	Fnjnkkbk.exe
2536	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
2660	Gpmjcg32.exe
2660	Gpmjcg32.exe
2828	Gmqkml32.exe
2828	Gmqkml32.exe
2696	Hjlemlnk.exe
2696	Hjlemlnk.exe
2520	Hdefnjkj.exe
2520	Hdefnjkj.exe
2904	Hnbcaome.exe
2904	Hnbcaome.exe
424	Imhqbkbm.exe
424	Imhqbkbm.exe
936	Iomcpe32.exe
936	Iomcpe32.exe
3048	Jnemfa32.exe
3048	Jnemfa32.exe
1952	Jecnnk32.exe
1952	Jecnnk32.exe
2152	Kckhdg32.exe
2152	Kckhdg32.exe
1324	Kfnnlboi.exe
1324	Kfnnlboi.exe
1200	Lajkbp32.exe
1200	Lajkbp32.exe
592	Lophacfl.exe
592	Lophacfl.exe
2336	Lpdankjg.exe
2336	Lpdankjg.exe
2864	Mhdpnm32.exe
2864	Mhdpnm32.exe
1980	Maoalb32.exe
1980	Maoalb32.exe
1012	Npfjbn32.exe
1012	Npfjbn32.exe
844	Naegmabc.exe
844	Naegmabc.exe
1156	Ncipjieo.exe
1156	Ncipjieo.exe
1852	Nckmpicl.exe
1852	Nckmpicl.exe
832	Omfnnnhj.exe
832	Omfnnnhj.exe
2456	Odflmp32.exe
2456	Odflmp32.exe
1936	Onamle32.exe
1936	Onamle32.exe
2052	Pmfjmake.exe
2052	Pmfjmake.exe
1732	Piohgbng.exe
1732	Piohgbng.exe
2068	Piadma32.exe
2068	Piadma32.exe
2636	Qpniokan.exe
2636	Qpniokan.exe
2752	Qemomb32.exe
2752	Qemomb32.exe
2348	Addhcn32.exe
2348	Addhcn32.exe
2556	Afeaei32.exe
2556	Afeaei32.exe
2908	Albjnplq.exe
2908	Albjnplq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipbolili.dll	Pmfjmake.exe
File created	C:\Windows\SysWOW64\Bojipjcj.exe	Bikcbc32.exe
File created	C:\Windows\SysWOW64\Jnbppmob.dll	Djafaf32.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Odlkfk32.dll	Eebibf32.exe
File created	C:\Windows\SysWOW64\Hllgegfe.dll	Jecnnk32.exe
File created	C:\Windows\SysWOW64\Lmglihnc.dll	Naegmabc.exe
File opened for modification	C:\Windows\SysWOW64\Cfaqfh32.exe	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Djafaf32.exe	Cfaqfh32.exe
File opened for modification	C:\Windows\SysWOW64\Dklepmal.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Egcfdn32.exe	Dklepmal.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Maflig32.dll	Iomcpe32.exe
File created	C:\Windows\SysWOW64\Eeebeabe.dll	Lajkbp32.exe
File created	C:\Windows\SysWOW64\Ogcgmi32.dll	Lophacfl.exe
File created	C:\Windows\SysWOW64\Pmfjmake.exe	Onamle32.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Fngpfnqg.dll	Hnbcaome.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Bekmeeno.dll	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
File created	C:\Windows\SysWOW64\Noggch32.dll	Mhdpnm32.exe
File created	C:\Windows\SysWOW64\Cfaqfh32.exe	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Hnbcaome.exe	Hdefnjkj.exe
File created	C:\Windows\SysWOW64\Npfjbn32.exe	Maoalb32.exe
File created	C:\Windows\SysWOW64\Albjnplq.exe	Afeaei32.exe
File opened for modification	C:\Windows\SysWOW64\Bikcbc32.exe	Bpboinpd.exe
File opened for modification	C:\Windows\SysWOW64\Dnckki32.exe	Dbmkfh32.exe
File created	C:\Windows\SysWOW64\Mnmcojmg.dll	Elieipej.exe
File created	C:\Windows\SysWOW64\Kfnnlboi.exe	Kckhdg32.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	Bggjjlnb.exe
File opened for modification	C:\Windows\SysWOW64\Ejfllhao.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Gpmjcg32.exe	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
File created	C:\Windows\SysWOW64\Imhqbkbm.exe	Hnbcaome.exe
File opened for modification	C:\Windows\SysWOW64\Lajkbp32.exe	Kfnnlboi.exe
File created	C:\Windows\SysWOW64\Hkagib32.dll	Odflmp32.exe
File opened for modification	C:\Windows\SysWOW64\Bojipjcj.exe	Bikcbc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dnckki32.exe
File created	C:\Windows\SysWOW64\Cpokpklp.dll	Dklepmal.exe
File created	C:\Windows\SysWOW64\Hjlemlnk.exe	Gmqkml32.exe
File created	C:\Windows\SysWOW64\Naegmabc.exe	Npfjbn32.exe
File opened for modification	C:\Windows\SysWOW64\Omfnnnhj.exe	Nckmpicl.exe
File created	C:\Windows\SysWOW64\Ndfkbpjk.dll	Qemomb32.exe
File created	C:\Windows\SysWOW64\Bikcbc32.exe	Bpboinpd.exe
File created	C:\Windows\SysWOW64\Khqplf32.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Gmqkml32.exe	Gpmjcg32.exe
File created	C:\Windows\SysWOW64\Eojkndbh.dll	Hjlemlnk.exe
File created	C:\Windows\SysWOW64\Hnbcaome.exe	Hdefnjkj.exe
File opened for modification	C:\Windows\SysWOW64\Jecnnk32.exe	Jnemfa32.exe
File created	C:\Windows\SysWOW64\Piohgbng.exe	Pmfjmake.exe
File opened for modification	C:\Windows\SysWOW64\Eebibf32.exe	Elieipej.exe
File opened for modification	C:\Windows\SysWOW64\Hdefnjkj.exe	Hjlemlnk.exe
File created	C:\Windows\SysWOW64\Oengjm32.dll	Jnemfa32.exe
File created	C:\Windows\SysWOW64\Mhdpnm32.exe	Lpdankjg.exe
File created	C:\Windows\SysWOW64\Ijjkhlkg.dll	Lpdankjg.exe
File created	C:\Windows\SysWOW64\Qemomb32.exe	Qpniokan.exe
File opened for modification	C:\Windows\SysWOW64\Bpboinpd.exe	Albjnplq.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Ckecpjdh.exe
File opened for modification	C:\Windows\SysWOW64\Kckhdg32.exe	Jecnnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncipjieo.exe	Naegmabc.exe
File created	C:\Windows\SysWOW64\Onamle32.exe	Odflmp32.exe
File created	C:\Windows\SysWOW64\Afiganaa.dll	Onamle32.exe
File opened for modification	C:\Windows\SysWOW64\Qpniokan.exe	Piadma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	2536	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odflmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lophacfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naegmabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnemfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpdankjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imhqbkbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnnlboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikcbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmqkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jecnnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoalb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albjnplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmkfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdefnjkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnbcaome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajkbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdpnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfjbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckmpicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfjmake.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfaqfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpmjcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piadma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Addhcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bojipjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egcfdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomcpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piohgbng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjlemlnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpniokan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncipjieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onamle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpboinpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggjjlnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckhdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeaei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfnnnhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qemomb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpboinpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpniokan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oengjm32.dll"	Jnemfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Albjnplq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekmeeno.dll"	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncipjieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckmpicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpdhegcc.dll"	Piohgbng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piadma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afeaei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iomcpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfjbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omfnnnhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qemomb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lajkbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbmkfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfaqfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egcfdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckmpicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhdpnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Naegmabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djafaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njecbced.dll"	Hdefnjkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcgmi32.dll"	Lophacfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfjbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qemomb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmcojmg.dll"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jecnnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lophacfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcmlh32.dll"	Gpmjcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endjeihi.dll"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmqkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnbcaome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgihifq.dll"	Qpniokan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maoalb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpdankjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophppo32.dll"	Bpboinpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfagoln.dll"	Kfnnlboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odflmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2660	2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe	30
PID 2120 wrote to memory of 2660	2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe	30
PID 2120 wrote to memory of 2660	2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe	30
PID 2120 wrote to memory of 2660	2120	be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe	30
PID 2660 wrote to memory of 2828	2660	Gpmjcg32.exe	31
PID 2660 wrote to memory of 2828	2660	Gpmjcg32.exe	31
PID 2660 wrote to memory of 2828	2660	Gpmjcg32.exe	31
PID 2660 wrote to memory of 2828	2660	Gpmjcg32.exe	31
PID 2828 wrote to memory of 2696	2828	Gmqkml32.exe	32
PID 2828 wrote to memory of 2696	2828	Gmqkml32.exe	32
PID 2828 wrote to memory of 2696	2828	Gmqkml32.exe	32
PID 2828 wrote to memory of 2696	2828	Gmqkml32.exe	32
PID 2696 wrote to memory of 2520	2696	Hjlemlnk.exe	33
PID 2696 wrote to memory of 2520	2696	Hjlemlnk.exe	33
PID 2696 wrote to memory of 2520	2696	Hjlemlnk.exe	33
PID 2696 wrote to memory of 2520	2696	Hjlemlnk.exe	33
PID 2520 wrote to memory of 2904	2520	Hdefnjkj.exe	34
PID 2520 wrote to memory of 2904	2520	Hdefnjkj.exe	34
PID 2520 wrote to memory of 2904	2520	Hdefnjkj.exe	34
PID 2520 wrote to memory of 2904	2520	Hdefnjkj.exe	34
PID 2904 wrote to memory of 424	2904	Hnbcaome.exe	35
PID 2904 wrote to memory of 424	2904	Hnbcaome.exe	35
PID 2904 wrote to memory of 424	2904	Hnbcaome.exe	35
PID 2904 wrote to memory of 424	2904	Hnbcaome.exe	35
PID 424 wrote to memory of 936	424	Imhqbkbm.exe	36
PID 424 wrote to memory of 936	424	Imhqbkbm.exe	36
PID 424 wrote to memory of 936	424	Imhqbkbm.exe	36
PID 424 wrote to memory of 936	424	Imhqbkbm.exe	36
PID 936 wrote to memory of 3048	936	Iomcpe32.exe	37
PID 936 wrote to memory of 3048	936	Iomcpe32.exe	37
PID 936 wrote to memory of 3048	936	Iomcpe32.exe	37
PID 936 wrote to memory of 3048	936	Iomcpe32.exe	37
PID 3048 wrote to memory of 1952	3048	Jnemfa32.exe	38
PID 3048 wrote to memory of 1952	3048	Jnemfa32.exe	38
PID 3048 wrote to memory of 1952	3048	Jnemfa32.exe	38
PID 3048 wrote to memory of 1952	3048	Jnemfa32.exe	38
PID 1952 wrote to memory of 2152	1952	Jecnnk32.exe	39
PID 1952 wrote to memory of 2152	1952	Jecnnk32.exe	39
PID 1952 wrote to memory of 2152	1952	Jecnnk32.exe	39
PID 1952 wrote to memory of 2152	1952	Jecnnk32.exe	39
PID 2152 wrote to memory of 1324	2152	Kckhdg32.exe	40
PID 2152 wrote to memory of 1324	2152	Kckhdg32.exe	40
PID 2152 wrote to memory of 1324	2152	Kckhdg32.exe	40
PID 2152 wrote to memory of 1324	2152	Kckhdg32.exe	40
PID 1324 wrote to memory of 1200	1324	Kfnnlboi.exe	41
PID 1324 wrote to memory of 1200	1324	Kfnnlboi.exe	41
PID 1324 wrote to memory of 1200	1324	Kfnnlboi.exe	41
PID 1324 wrote to memory of 1200	1324	Kfnnlboi.exe	41
PID 1200 wrote to memory of 592	1200	Lajkbp32.exe	42
PID 1200 wrote to memory of 592	1200	Lajkbp32.exe	42
PID 1200 wrote to memory of 592	1200	Lajkbp32.exe	42
PID 1200 wrote to memory of 592	1200	Lajkbp32.exe	42
PID 592 wrote to memory of 2336	592	Lophacfl.exe	43
PID 592 wrote to memory of 2336	592	Lophacfl.exe	43
PID 592 wrote to memory of 2336	592	Lophacfl.exe	43
PID 592 wrote to memory of 2336	592	Lophacfl.exe	43
PID 2336 wrote to memory of 2864	2336	Lpdankjg.exe	44
PID 2336 wrote to memory of 2864	2336	Lpdankjg.exe	44
PID 2336 wrote to memory of 2864	2336	Lpdankjg.exe	44
PID 2336 wrote to memory of 2864	2336	Lpdankjg.exe	44
PID 2864 wrote to memory of 1980	2864	Mhdpnm32.exe	45
PID 2864 wrote to memory of 1980	2864	Mhdpnm32.exe	45
PID 2864 wrote to memory of 1980	2864	Mhdpnm32.exe	45
PID 2864 wrote to memory of 1980	2864	Mhdpnm32.exe	45

C:\Users\Admin\AppData\Local\Temp\be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe
"C:\Users\Admin\AppData\Local\Temp\be6c5dab6d81a094ea979731c612a3135ca27aed6207289f087ca7170239aa00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\Gpmjcg32.exe
  C:\Windows\system32\Gpmjcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\Gmqkml32.exe
    C:\Windows\system32\Gmqkml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Hjlemlnk.exe
      C:\Windows\system32\Hjlemlnk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Hdefnjkj.exe
        
        C:\Windows\system32\Hdefnjkj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\Hnbcaome.exe
        
        C:\Windows\system32\Hnbcaome.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Imhqbkbm.exe
        
        C:\Windows\system32\Imhqbkbm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Iomcpe32.exe
        
        C:\Windows\system32\Iomcpe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Jnemfa32.exe
        
        C:\Windows\system32\Jnemfa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Jecnnk32.exe
        
        C:\Windows\system32\Jecnnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Kckhdg32.exe
        
        C:\Windows\system32\Kckhdg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Kfnnlboi.exe
        
        C:\Windows\system32\Kfnnlboi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Lajkbp32.exe
        
        C:\Windows\system32\Lajkbp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Lophacfl.exe
        
        C:\Windows\system32\Lophacfl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Lpdankjg.exe
        
        C:\Windows\system32\Lpdankjg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Mhdpnm32.exe
        
        C:\Windows\system32\Mhdpnm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Maoalb32.exe
        
        C:\Windows\system32\Maoalb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Npfjbn32.exe
        
        C:\Windows\system32\Npfjbn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Naegmabc.exe
        
        C:\Windows\system32\Naegmabc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Ncipjieo.exe
        
        C:\Windows\system32\Ncipjieo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Nckmpicl.exe
        
        C:\Windows\system32\Nckmpicl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Omfnnnhj.exe
        
        C:\Windows\system32\Omfnnnhj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Odflmp32.exe
        
        C:\Windows\system32\Odflmp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Onamle32.exe
        
        C:\Windows\system32\Onamle32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Pmfjmake.exe
        
        C:\Windows\system32\Pmfjmake.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Piohgbng.exe
        
        C:\Windows\system32\Piohgbng.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Piadma32.exe
        
        C:\Windows\system32\Piadma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Qpniokan.exe
        
        C:\Windows\system32\Qpniokan.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Qemomb32.exe
        
        C:\Windows\system32\Qemomb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Addhcn32.exe
        
        C:\Windows\system32\Addhcn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Afeaei32.exe
        
        C:\Windows\system32\Afeaei32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Albjnplq.exe
        
        C:\Windows\system32\Albjnplq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bpboinpd.exe
        
        C:\Windows\system32\Bpboinpd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bikcbc32.exe
        
        C:\Windows\system32\Bikcbc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Bojipjcj.exe
        
        C:\Windows\system32\Bojipjcj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cfaqfh32.exe
        
        C:\Windows\system32\Cfaqfh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Dbmkfh32.exe
        
        C:\Windows\system32\Dbmkfh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Egcfdn32.exe
        
        C:\Windows\system32\Egcfdn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 140
        54⤵
        Program crash
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Addhcn32.exe

Filesize
276KB

MD5
48ec36949a570ce49695e102accfc5d3

SHA1
011823c899757bf40395a4463d9da5f9d8013e8b

SHA256
6ed229c9a5ce2f447ade1b83c8b7aef626e8e6e8f2d2e3636a59b7b826f2ecb2

SHA512
cf91e9ab4146f2c314debd81daca0733f4464d6fd9bb2eb83ca66531927fd955067709bb8ef1f7cda734c9383f3e6cfa67cd3243ef900f4eb86860ea73010cea

Download Submit
C:\Windows\SysWOW64\Afeaei32.exe

Filesize
276KB

MD5
348f987c266cf3b305d45327466b2419

SHA1
6866b30d4237a198b649e443397a4e0ae6cb3739

SHA256
824a81d70433058b3a38196cad0f935fca1d11521ab3c2088b67f957ca903ccb

SHA512
39b7d93cff0d96fe9c46cf2a7d03320e94c8c15e191eb59509aae9c0163da3b41ab0239ca4b1e5c0cfe163e9c31ea38299109149520fb486efe16f3886aa59fb

Download Submit
C:\Windows\SysWOW64\Albjnplq.exe

Filesize
276KB

MD5
6566c4c1769922e699b3a18a0dbab255

SHA1
6cd4cbcaf6114d7b7d577660a0aadf59ad313dba

SHA256
5fd23785c119de3492715f897f62671cb63adba53fb3bc66b15866573d88ad03

SHA512
649f26e60e5b5447f8603915391c3641843b34209c3b92510a233980f56a36a467c823debc0db2775410cf238080b58f8f4f193a78931641d1234ceea0a907d0

Download Submit
C:\Windows\SysWOW64\Bggjjlnb.exe

Filesize
276KB

MD5
ccb6850f12cbd6e21126a56c850bea20

SHA1
5b382cfae8da234d555404f49e205814cf89e896

SHA256
0a27721a55c8c1d2c9730dbf9c01e0ba2796c48f021ebed6b3d6da8b1431c31d

SHA512
ba29c87850370efcdfa8b9bacb986702ffabe0de801ec0d63c38d182eef2f929ae75e087eae0cf3584dbeef685584cbba6f1b77a5a114c976319464558f5bd26

Download Submit
C:\Windows\SysWOW64\Bikcbc32.exe

Filesize
276KB

MD5
6b53c304052b247d230678863997cccc

SHA1
a165da5871ecac2633cab7cd7b195b5576f3bd3f

SHA256
216cfa0838e6eee5b3c1546c3b56c5a36bb3fe286836f03ae568e967b5146a42

SHA512
5d5eb1b9ca045e79f6fdb58b8c3f98bfe64400f9a77495c0e4bd0422a860cc99cb6bb657f6a048f242bbdefdbbdb9fd411d00c9a82c9a6f0ee03974e3af7a45b

Download Submit
C:\Windows\SysWOW64\Bojipjcj.exe

Filesize
276KB

MD5
4f0450533d8ddc9387b1a894896a99a8

SHA1
51db60dfa4c96c44892f74738386fab928d5fd9a

SHA256
114c1999ecdbad9bc271a69d0ea4aadbc624f7c18b8432a20ebaac722da1cba2

SHA512
86899fdcc162fe6d0ae13930705d5164de39dd662206d0f764a928632d26e4f97d75d585a78161e27e4d3024748bede5d01f33af49da1be3d786493dc5b21da9

Download Submit
C:\Windows\SysWOW64\Bpboinpd.exe

Filesize
276KB

MD5
743fcf76efac515f458fed33b9b9b2a0

SHA1
99f32527f67100bda59e39dbdc1ff1a40ff36efb

SHA256
2da6c38535cc0e2e7c75e7719867f6f812c364796e572076c78179bfeb715d5f

SHA512
20fe53692887650b0cca4896b47cc5940475563f53872ebcf3462f45062a3c014f5c82a3bec114d90083922ecddb2600c6d6edb5c676745bc8aa1ee6841a2bfc

Download Submit
C:\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
276KB

MD5
2f431de4b159304178c1106e59c94f0a

SHA1
68170c15203b94a322849ea294161b959ce9e2eb

SHA256
f2632e64e94edd8e3c7a26ebeeed09bc07b17c50211b9b99c5bf8b715215cf5a

SHA512
fc847f75a8b60e5ba1607dcaf946b6924b43db1c1ad7162af6d68a37d8ef1763ca9fd3260c25a316af784d96ff6f0638ae6c1286a64340004a17652ce71d5957

Download Submit
C:\Windows\SysWOW64\Cfaqfh32.exe

Filesize
276KB

MD5
190aca9d17339373ac771a24a0407a78

SHA1
c256ebbfe49a98a1e8fd81fb2bc02c9da5d75fe0

SHA256
d6a206aa3e6dc92c8751b879cec270bbb48edaf94dacd0176f1cabfee92dc88a

SHA512
4e771bf4b1f1e17fc218de1a6fc1c60a9c4f1c38db48a696da0880c97e425340ed05ac0cf21cb37cf01af510f970fb8cbec90579feca07cb138d7d1b849fdf0d

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
276KB

MD5
de0c639aaf442ee92d327f7f16dbd803

SHA1
b6db5acdc81873570d162538080592a0ac78d666

SHA256
017da397364754359d4fd5ff8cab568f3e6531a19c6ba37d854cfda25b4fba60

SHA512
6c5cb6e164176d61dd799d41e516ecabbcf373273eee4f06c17c42f3bbf66853bfaae4589bebe4697f080861b3d2c51550a45a31f0d27440bf90e7aadafc21de

Download Submit
C:\Windows\SysWOW64\Dbmkfh32.exe

Filesize
276KB

MD5
e1b133bdf68a861490fc022ef97eca91

SHA1
7f82f94f8d2eebd82d46adcc7d4cdb5ac181122f

SHA256
8281d707d5db6243703fba0177884b92a87151986f0036482df36f424c0004b7

SHA512
c186377752a8724043d84f3601eedb1c11083ed343632eb285f71997467c42b99784ece246cbcf416f0571c27d704373a4a1a800866b2879ad53e32dad228217

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
276KB

MD5
6e238a7ebdfaca54afecfa72d845e85a

SHA1
e33b98b12a362c6b46351ac4c779d0162eaa2890

SHA256
3f4547bb873f6d81a3e9452086e2a3609dbc0aa880e6d66d5dc7201add33b477

SHA512
c67f0e8302c6383cb0bb5a5fd44d13e0abd0ed01c73977433b4a31cd4e5db9e5f8ef76e7aa64ce06ca2e494cdc6f9e183bef4638a60451606b9f80ad02739b23

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
276KB

MD5
b2d3b3d99065b06e7d30fbf8d0f663cf

SHA1
d3e70fb57cce21a915adf0c120a3ee7bfce064c0

SHA256
ff3e49d7c2b262dc74560f18d75b2c974a81eba7fd3012c16f94a375e1437d76

SHA512
b45fe08350822fbc8f528caf72fbc41dd73aa31c9e83d330ce46b7e707419233c93c73a233a10e2aa60363994ce3c2a7f5f0d7844aca0f0f7d924002f6f16f1c

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
276KB

MD5
cf4b34c84e7dee49ce44e1880eab7d57

SHA1
ec989a26abc9ab793d94ba763429dcf9f5d10577

SHA256
8f7a927e06fb6494741c335d5d3ad02670ab777c770cc45f9115e33e989e1ff1

SHA512
d97fe9925ee2f39d7b5f06d4e0ef55eeb7d41985c37ea35a4142e6a85891732c92b38cb7046632cdbc7a34f25a0fcd582f11f3190a19e19a3034830d256c6b69

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
276KB

MD5
b22f52d9f4cbc521947a4e291712a59c

SHA1
23bf349e0a0fe106cebab0f6e55d8ca159657e85

SHA256
93eec44478fa7776ee048f08c738312bd6a3215585f8cf84978b704c8695c2bf

SHA512
bd2a73117f8d068cd0aefcd5fd7ca3c76b9c55e519ebfc49575738f43fe58e8855ec20ba93b1d3ddd8020d03591133b9814d798a4326f2e749a3bc89c232d976

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
276KB

MD5
68e6561bc5cf530ae9a9e91dbf37bf82

SHA1
09f3bce0c8fe965c399a9c947f908cd624368713

SHA256
2e23c6c10ee0d83b9c62fc34454f2f7e75e465fb8889c6bb6ca617313185ea95

SHA512
35cea167ff8737a5b3ed45ed03723290bdfc700bd36d28c0c7261f42d28ce69387425f35c29e068e5d5b4d465cc3e734ed37546a3db04d8e782c328f80cd7dc1

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
276KB

MD5
7b22db8d946e9004e8d847d4da895b05

SHA1
3acb81f68d76d87445e3ca72fd1ad824fded18de

SHA256
73e6b1a06d4dbdeed5e8fef56641125ea592506073790fab258db724ebeec1ef

SHA512
c7f855f165b72f5a43cc3aeb0a05f01a6289f14f708f41b201a16a8de7dd1253b7a07ecc0b91c93c5d9e170e5bff4bb47d807da07b923021e2d485cb2f771b09

Download Submit
C:\Windows\SysWOW64\Egcfdn32.exe

Filesize
276KB

MD5
d4e120e979d2d58595e4565c3379cd95

SHA1
4988be6a0fcaa221a5c4b213eef05047509adc8d

SHA256
ced1191f9390116614e5819501053e666d1436785d9336a2b35e46b579c65092

SHA512
3cb7e3cd86a1a2904cafae6ded152f3ccbb759db3189ff8d78458629f10e8e05bfcf253edc559b73a97e939e706939a4c2780a7701cbaab45bbe745ac0c25dac

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
276KB

MD5
29794d4e480d15554110af82fd33dcac

SHA1
2565376cc7a6bdcad387a036419a98fc7c2d8f7c

SHA256
f0d0b42992c8cc71e23b4dc067e1d742ec61b9feb64e79b994c694fb351dddfe

SHA512
690d949c094d8d9dda4672fd787eab4cd901fa889cc9e441bf95143de95f37726437e5273c9c4df69e03e8ca348d161d698b2c550e87f97492fed81ef3bf5e21

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
276KB

MD5
4332d8932c3037ad0d36701fbea251ed

SHA1
c9e8ec415a061d27cc1977f195df9838596025c2

SHA256
888126c7f1380d56f7c021bb3a979e9438f75b8da3f319831867e81c8729ad96

SHA512
0d4a3e18c418f324409fdcf11aa737dd8dece14a19a30453635b1bd741676a3311dd2e2fc185d0c8192f83882fb2db3f7a6c5d7bf1597d64b6c2119b95d4521c

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
276KB

MD5
20002d0d9ada31f01f2f9fd66617e6ae

SHA1
edbe6c7bdfd3e442be1673a54e3013077b0e7517

SHA256
ae6e135adcb1f18649faca228012b987513e09b675eb2414fadbe3293345d8f0

SHA512
67d08e056585aea2ced35523d9dd6151106360b80b3fd9db47d105f65e79bf9428fbabcc6b48b2245bccc9e29ecd55ab2fff5ababb565c856dbe523adad9c070

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
276KB

MD5
fb7a71bd1fd07dfb30eff7d702e1d285

SHA1
b1abbcd01454909b4d610236d51f95286b5f6592

SHA256
136a0afcb4d6e638cd32e8dc05979b30534762b3cf52425ed9a826938f9cfc34

SHA512
eb833bd1091634ffbdfbf59b48706f7075b9b0ad2e04eda24b7842f835702b2d697003afea3a1afd454be20385ba44d5398ea817ee8117aadfd8cd89e58a54a0

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
276KB

MD5
83a7849ec588db9b2544c0ed304bd051

SHA1
6068093b998af4ac579fc38a0eba943e9d77d8f7

SHA256
21ba443b9720f5beb49659fcb626ad9a617f98df2ca35e925da134f404e7d4a8

SHA512
032aaefc9a0bc57588776fefebe6470aa7ad27b33b88f07ca61dd229cb034f7029344d49312c63fbff4aef23cb68b139a0ffe9439ce9d09b6fe2c2d2bd50cda9

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
276KB

MD5
ae444892b9f54a765c2c692ca05d867e

SHA1
91ee5e80f4bb2991b736322f48d946879d423d11

SHA256
9be28b0b0fa2141a401faa068126e464ba0577ea6b9ad334a568d0c9a7f81be5

SHA512
763e03becbcfcaec7b6fe55ff4fe3431d005e759eac093a6f4a45c8e5cb024eb81e5bd56a4ea389d048f1fced6d75dbc7cad2f287f71f450873b42d76cf13592

Download Submit
C:\Windows\SysWOW64\Gmqkml32.exe

Filesize
276KB

MD5
5c7c0fb98fcd69a5c28c298fad48495b

SHA1
ceb90f327492b9700afec5baa4f2872fbdf00eb9

SHA256
0b799d05a22b42bfecc05096620ee75f4704ca146f39aead6b8186b5d2c56344

SHA512
e9da2b9f020cacf9474bd2219c6635decd638716af066ce42a56fb4c02ada01dffe8be68d5294c700db1cc322a8d7a302e3dd21babd6c9c43fc871f2f861e9ff

Download Submit
C:\Windows\SysWOW64\Imhqbkbm.exe

Filesize
276KB

MD5
a743f3bf42a4783754269a525a9640a5

SHA1
c95a48def03e63dfe7ffb9105b65c863db83a604

SHA256
200900266a59468d6087bfdb22b81a5e3135601188b488b4414332feda55c8f2

SHA512
bc0040d12df1a4e977b7a5a6ac38ee3b8b53ba66235ef53ad16000509839cfccd4ecece6f5ad0244b60474df053af6ff6b08195ac9b1a7812507b793bedcf116

Download Submit
C:\Windows\SysWOW64\Naegmabc.exe

Filesize
276KB

MD5
05d72f23ebdbc1f83cf901a80c79d0de

SHA1
4ea67a34b257e4b876519c32be0f3187ce864eb2

SHA256
3869f3be002993cb7509d5e62999b1dcc36fae22ecbf940126c8a5e6eb7f0e3d

SHA512
aae09344815161e9cc766770b9d052e7be3f42c2f74400532d1b920a13e8ea162fcc7bfa11432acb7a91e6b79c331a03c0a460f8cefecea17581602584e8c8e9

Download Submit
C:\Windows\SysWOW64\Ncipjieo.exe

Filesize
276KB

MD5
1a1ce3fccb0cd70c47a1b429391d2cb7

SHA1
4bbef5446c24c6508a95cf464b96346e76a6effb

SHA256
263c6973557a1a00bc5b428928ee062dbaac00617bd01295c09b71a37da112ca

SHA512
b40f0c2d4e62d8a1fcff17abcf7e0a6d0ac5d3ea7e03697d0f394f113f6554d7ed79356467f1f4ec1118b63d918e330768dc17c0cc6594cc395c03db0185d5f6

Download Submit
C:\Windows\SysWOW64\Nckmpicl.exe

Filesize
276KB

MD5
46c5cb29356e52d5073efe955f55d146

SHA1
1af540d18c0a41a1f26d7633fcc6c2bb815a1ce0

SHA256
f19f68f9fa9ba064d0e3d996d7f4c7b7ad170131f96cb8870414d819237552cc

SHA512
ea5d9964d68fa91267cab85b4b9de8c63bc1053a7373f00e0223c6852b267b977a5cbd661f6458307da4caa39da84323a6578373260cfe9a356be7cdf00c81f1

Download Submit
C:\Windows\SysWOW64\Njecbced.dll

Filesize
7KB

MD5
b57704ad8ec001359bb35dfbdafcbeb9

SHA1
767d33c5566834e51052525835e5ec7864b0cb36

SHA256
78a30629a2cd6a23778d1219693068d3e6135d0a9d0a89fa105938d3f80537fd

SHA512
7282e9789dc61fea9dceda6c65f1e3badf03b464e3194cd4d256e718db82f34196df6d2eca7d50d7b6b423d7c8f86dbe1a26528a94ea73f17ecc646a307c67f6

Download Submit
C:\Windows\SysWOW64\Npfjbn32.exe

Filesize
276KB

MD5
1718d3d56ba86b62b6237f296fc50e52

SHA1
e76981df931e59dd4b2893d559924b06422596b7

SHA256
bcef9c0215cf715e26081b7dbdb36850373fc8a6963a0ab2a766047dd35f0c42

SHA512
c909597f5a08fd585c9576f776908f852d4880a263329fde7c84fdd488821c1e18635b75a89f7f858938d02ea990605049c70b77d3834245624bb422b191a5dc

Download Submit
C:\Windows\SysWOW64\Odflmp32.exe

Filesize
276KB

MD5
15ef5874d3e2355a8498606ad990ccfc

SHA1
5be2696bb6b488360c0904c0da8eaf4e27ae611b

SHA256
c4e9e221e2081b2a0454f2eb459f0b3d6664cedafea224142836f28a6aaf31a0

SHA512
7552d44525a4b7870deeef52f5df28757bcc490aaf13157f115cf738e8b6b23d096b269425934d66a25a1086c3f5b110b9fd5efe9f2f10ed6dab3d85c55f14cc

Download Submit
C:\Windows\SysWOW64\Omfnnnhj.exe

Filesize
276KB

MD5
7890d69df6510e88ebd2827b7ca2dbf5

SHA1
23a46fd68ad1ee591459be4cfab397166692d17d

SHA256
a67ef483316cae99463df936464ae42d86f3ca1c6913e08c3b6745397d9cd13a

SHA512
24085dcc579db0d53a3772db64ff388d933bd308821327873e093005ff1dcea443b3a1f4b9716073f1b4079cc0ee673f95409a5f3851e45f57132a8f198ba7a9

Download Submit
C:\Windows\SysWOW64\Onamle32.exe

Filesize
276KB

MD5
ad8ca8622b29b6ef8c30bb8a1b149ba1

SHA1
f74263795ad88bc1ee422685536eb6ea20e62446

SHA256
58a08c5db5e74dd91ee23fb54e24e5cd49c522fb368485ad315c85907778c826

SHA512
3c946aa414f3a714278cb0729d444eb8273749f4beeabd94c7bf4cc450c6f5616b83f3606f81517825718d10fa178c351598724b2b7b41fe1d89efee18f44a3b

Download Submit
C:\Windows\SysWOW64\Piadma32.exe

Filesize
276KB

MD5
0e1483b83c61bcceb46e7d135461cdcd

SHA1
ed7e4a557380455c5d999b72802d9815cc9b1b16

SHA256
1171b9496a60a46d888d09ad2fa7096d58ade24144db1f05de8a88832d97ef6c

SHA512
1c80848ebca7902dfa5c646d91ef7e33bb82b84630485b63cb5d86cd75b6f5eb2c7b147a05c76383b24f676cca340186a268f3f558d4adeaf795ab90d85214cc

Download Submit
C:\Windows\SysWOW64\Piohgbng.exe

Filesize
276KB

MD5
935ce254824b665f57db7026450a4923

SHA1
793d1bf016321412f3dbb27ab4e10d0c63d0da76

SHA256
22b495c14d6bb0b37ab3dbc27c5faf9e307a8a0b8d64fb1e1cdc7e20fd5c190e

SHA512
baadf16494e08b74578f663f0664d072471fb9ac2e25f8b1707942b17de6e75c8eace71480784e12f5b611c97a4e25bb0d07c426c0a93f8cfcd0c77e88ca86fa

Download Submit
C:\Windows\SysWOW64\Pmfjmake.exe

Filesize
276KB

MD5
912337f86de480b43cb1b712caa32c24

SHA1
5de19c5dc25cc73a23dae49e941a145d25a01e2a

SHA256
a0af2ff5846ba14b52518837bfecb1137d63936e93e869eb6f79af92601d9ee0

SHA512
91776f4ed405bdcda0bf837098248bbd32c3bcad0956f328a72da147012eb28f327250c7e7b9e574ae90e9b6407a4fbf7f68f1de3970c9105be359149e94ca5d

Download Submit
C:\Windows\SysWOW64\Qemomb32.exe

Filesize
276KB

MD5
8820472cfa847208e2539033561c4ec6

SHA1
482d62c6d8d58e6f829239acc7abc8ffb494a742

SHA256
3ab505bdc990cd0bf10cf9a148932f65ca721b9de9ba06c9b13e1a7c12fc8c25

SHA512
967450f032d96bf2e980657f9125f30949264db59ae5a75331d76a7adbde35dc192b1d27e6e0bb78af40b9131662ac6c807d3da62089c28179c3bd269159b296

Download Submit
C:\Windows\SysWOW64\Qpniokan.exe

Filesize
276KB

MD5
60712cf06f1153420499f07eb01a9195

SHA1
a46a966a04502b6f460c929036f4c7e5a2e37268

SHA256
d813e4b3e3e1d73bee2c577de8e04bf63df2b35fb4d273757cb3d0231789d99f

SHA512
5753a58efe668b32c54cbc8a3251128ec6330b1d22aca3a18ef5c35aec156006c596f1363006e66e16e412dc1296613814807d7a483e6b5b35a90643c0773370

Download Submit
\Windows\SysWOW64\Gpmjcg32.exe

Filesize
276KB

MD5
1c0a6cdbf0ef6c85ec5cc87b02a9d3a5

SHA1
724cf40bc12fdd2fc361b049c23b60f034c4d779

SHA256
1cf73990546aa463dcfe3c580e7eff600f9bd592ee9c889115265ee9cc7ac393

SHA512
d0d0274859a7d3f5ea3fbf636701f98ada4552fdf57bbf919f726687e8305d818ed17a4ff9de5443cc4ca3e62cc711a6c7a25d3a9448ae44253b2dd2e10e4a94

Download Submit
\Windows\SysWOW64\Hdefnjkj.exe

Filesize
276KB

MD5
b56f38ebd97a05940d9145c5353531c5

SHA1
772ed0635fac7aab6ad63b2f688a15d8edcdbee7

SHA256
3321cb909ef76442b1e5c0fe6986d00ef2edf849efc5a9e325c375a1438397cc

SHA512
8ccfb77ea6394ebc367e5648209e471f77199f510eeabf9c43b72d433769ea5f3225047fb1bc43933e92b9a1b2886d4847bc4d7401a7a1ba5618c79236598ec4

Download Submit
\Windows\SysWOW64\Hjlemlnk.exe

Filesize
276KB

MD5
7cb9a34c87d16598d88e77f830a9a746

SHA1
5abb8764e26c7d09a67370d95920ad7f8614cb88

SHA256
e431919035b396c3517d472785e7b259bd8f35fd69e14f93d2b68f08fa942c63

SHA512
7b2c4d4dc34e9b60ac1ed2d09c8e71ed94c060d828154c1bbaee741aefe53f99b46fa12895afa88af1f083ae842d9de178003ed56efdece930c020a22e2919b4

Download Submit
\Windows\SysWOW64\Hnbcaome.exe

Filesize
276KB

MD5
b1972c540d32048ad4e00e4cbe426610

SHA1
e77daf1526288b7184973eddacc63b0752325e4e

SHA256
e3e1181393f9a4db83a5059eb753ca89ba7f077a4aa3a11406998b410d132d03

SHA512
06bb61c7329944778ab36cb0f88ec19902ab1ffa2e268923c6b3723de97ec8b50b23a63279dec2d18877982760000e46f71a38f6fdf27f70434d8f0dab838385

Download Submit
\Windows\SysWOW64\Iomcpe32.exe

Filesize
276KB

MD5
d44373a08b79d69e619a0cdbc8df2901

SHA1
7bfdfdf6ebc4f4397f068339906b13f37553a7a4

SHA256
263a2b5dee797028e73af1669411cf0ffb7deecaac33be3430bdfd2c965c07f0

SHA512
f2aeaf916c5d877cab0ed934655cd4f272cccd9a498213f7f8395c1c62a83e581c745b94cca7972a6e43cd9879fbb6665c8b4b2b497a6435a0054b3c41895a7a

Download Submit
\Windows\SysWOW64\Jecnnk32.exe

Filesize
276KB

MD5
ad5ef08e948c04f876fec11511abaf48

SHA1
5e6c775195a0685f354cdbb160af54ba3770c45f

SHA256
a2d4ec9a26ff9ee2782cc1a37bd933bcbf3196938c070025bd3471c340018621

SHA512
efbff8adeb8ec7e5cfbd7875713080821817137284d3321f5a6fa5262fe801f362170b0c7c62c78b98164ab52e12ef3e4b9436ad6c798edc29e688d0f21dcd2e

Download Submit
\Windows\SysWOW64\Jnemfa32.exe

Filesize
276KB

MD5
8e5efc0d12c6d9544dce36296f23b8f2

SHA1
7f071d6a70f2c31dfd4f2c40a4464ce31b88e82c

SHA256
80d8b29eb8515c4a7d59e428947c8028f7b089d7879cd0f5934bbe75184eeab2

SHA512
122adee59a756404fe884d21bfff8fc70abf9a2bf98ca30b5847c51cba8bf140122e2e5be58603d9266d7dfba77a70d1178426d956cc3eb46fffff0d9d4253b1

Download Submit
\Windows\SysWOW64\Kckhdg32.exe

Filesize
276KB

MD5
a3af45d3e13e71d1c0189b8673706c38

SHA1
503fc12a867ed00d451a5bfcfe610115dfcf0dbd

SHA256
161554867fd43c87f8b280271f1a66254800fe8f6e07e5dd06931acb1d004ec2

SHA512
9021a8b0d694ee244e5183daf6a69a2b3f4f66b79358e35a60ff75eded87c1a7533dc96b2b5c4ae124d2aa909ec1fdd333958b7b4471b13f182c41b1ac1b56cb

Download Submit
\Windows\SysWOW64\Kfnnlboi.exe

Filesize
276KB

MD5
96b4a67b97612119be8874e60ffe6e04

SHA1
29fa7b7bccba6cc639d2853e284de01d1eafbfc5

SHA256
de501195c53f0c82615f4d22a80b410d6332c3024fed2d919df1fac4ee883897

SHA512
aad3b7ef63b41e2c80b4203d2bc8d723f9c4414e6a5131f90042de3fb29a0b5279770f531f2af4c1c069a071784a62338def67f3f6b3b633dd1e32769d5a5cf6

Download Submit
\Windows\SysWOW64\Lajkbp32.exe

Filesize
276KB

MD5
8a3e54343404f8e4f9803f0ed10d08d2

SHA1
d64dccb69dfd75e5d56570e7a92c32014b1c640e

SHA256
9b5ba9091c28d723cfd5ef3dd0237a823175a83d62214ff5d7370a4bfab8d2ac

SHA512
201dccdccb330c692bebe86c6a8a6d5dd02733207a8144cec21cac52cc5d1690109fc037edd35e101d9179624f4d55efcc2f976d18b041764473013f68e299e7

Download Submit
\Windows\SysWOW64\Lophacfl.exe

Filesize
276KB

MD5
699dcd206c8449ca6efb79cd7290bb00

SHA1
e412adedf4192efe7875d7ac1fddd435923e307b

SHA256
b0382a3858181a30917afe45439908a1ebf709c9e5c0a56830848003133119d9

SHA512
e5a79b2e510f93a6295964cdb61d367ed0c9093b6041dc9ef58917ca5e7f5e76e8c4c0aa9d75cc77c6c9294867b0aa6fb380866d6d50edccede920cef2ae4008

Download Submit
\Windows\SysWOW64\Lpdankjg.exe

Filesize
276KB

MD5
28f45ab56417e6d44d77af603814da29

SHA1
a227bd1ecd849518df653e10ece117170958613b

SHA256
739d06b82fb8903fe494e6b2dfda891e82fe61916442ee09a05f55f7ffb0a97e

SHA512
5fd81ccdd660286de3d3d36f7e0503082f599ca03d1cb6f7bf714f75ab1bfb75caf5663b7f9c18daaabfa1821f0c139af4c636fc1d647a9a4b63bdaf6c2a5e19

Download Submit
\Windows\SysWOW64\Maoalb32.exe

Filesize
276KB

MD5
0f62ca5f8c8281018851e6289deeacbc

SHA1
9ca7938481240641c34435d78b4a79106e392a3c

SHA256
ef00a483528c417c30367ddb255da208839cc6054a857902652f294922408975

SHA512
6b1afff952152cf0385c05053595542da1f1399e07218e15c0a6afde2f0c108c4d4b746309e7a1909c945cf95a1942c4ff64ff5663898e952ef5b7785884b28f

Download Submit
\Windows\SysWOW64\Mhdpnm32.exe

Filesize
276KB

MD5
b97c3c9b5ec0bad0e558ede4ccad4942

SHA1
147fb4d332027207b9b8c26d034509dc1b50e794

SHA256
d5c3ad2df6aae2db726e3dbff8f3893c3e86d8b09deb977174eff302873eadf4

SHA512
201df3c60c5135cf451b1bf699bc655d323a8b5dea6c6e8bece1a491587e402873c1ba20529bfcc4b9434fb5d63800892c35fea3e08e30caa143e63dbb5186de

Download Submit
memory/424-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-414-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/424-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-187-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/776-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-479-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/832-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-274-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/844-242-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/932-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-422-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/936-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-233-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1144-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-443-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1144-444-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1156-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-170-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1324-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-157-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1336-468-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1336-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-316-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1732-312-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1852-264-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1852-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-296-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1936-294-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1952-457-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1952-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-130-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1980-226-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1980-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-431-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2012-433-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2012-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-454-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2020-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-455-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-306-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-302-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2052-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-327-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2068-323-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2120-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-340-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2120-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-341-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2120-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2120-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2124-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-419-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2152-475-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2152-143-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2152-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-199-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2336-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-364-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-362-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2456-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-284-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2520-387-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2520-62-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2520-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-371-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2636-339-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2636-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-26-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2696-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-49-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2752-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-36-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/2828-361-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/2864-214-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2904-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-81-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2904-80-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2904-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-398-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2908-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-385-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2908-386-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/3048-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-116-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3048-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads