berbew | 6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2

Analysis

max time kernel
78s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Size

337KB
MD5

45d3ea33dfaa87ec4644d596a050a350
SHA1

858914de8d65d06cabe801f06b9fb8f3ed4477ca
SHA256

6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2
SHA512

44a9c9632b558650dc174c757e92a267558a5bddc5b2ab057554523ef5410d0cae68540d64993264a0ca89591eea205757d9ccbcbd57b90c612ac7cc66b6a553
SSDEEP

3072:M78Io1oEVgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:TIo6EV1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibqqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obmnna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkndhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nedhjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olbfagca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnaiol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgjnhaco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplimbka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opglafab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqklqhpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mimgeigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibqqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obmnna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnkffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnaiol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkndhabp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qndkpmkm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 50 IoCs

pid	Process
288	Lhnkffeo.exe
2316	Mkndhabp.exe
2332	Mqklqhpg.exe
2188	Mnaiol32.exe
2892	Mgjnhaco.exe
2780	Mimgeigj.exe
2688	Nedhjj32.exe
2504	Nibqqh32.exe
2824	Nplimbka.exe
3064	Nmfbpk32.exe
2896	Nhlgmd32.exe
2512	Opglafab.exe
2364	Olpilg32.exe
624	Olbfagca.exe
2404	Obmnna32.exe
672	Pljlbf32.exe
1692	Pmkhjncg.exe
692	Pkaehb32.exe
1520	Pdjjag32.exe
1736	Pghfnc32.exe
2268	Pkcbnanl.exe
2264	Qgjccb32.exe
1644	Qndkpmkm.exe
876	Qdncmgbj.exe
2348	Alihaioe.exe
2340	Apgagg32.exe
2244	Akabgebj.exe
2388	Afffenbp.exe
2852	Ahebaiac.exe
2416	Ahgofi32.exe
2696	Aoagccfn.exe
1700	Adnpkjde.exe
3016	Bmlael32.exe
308	Bfdenafn.exe
3048	Bnknoogp.exe
2996	Bgcbhd32.exe
2956	Bbmcibjp.exe
2056	Coacbfii.exe
536	Ccmpce32.exe
1144	Cnfqccna.exe
952	Cbblda32.exe
900	Cpfmmf32.exe
1732	Cgaaah32.exe
1744	Cchbgi32.exe
2216	Clojhf32.exe
1620	Calcpm32.exe
568	Ccjoli32.exe
2260	Cfhkhd32.exe
1688	Dnpciaef.exe
1940	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
288	Lhnkffeo.exe
288	Lhnkffeo.exe
2316	Mkndhabp.exe
2316	Mkndhabp.exe
2332	Mqklqhpg.exe
2332	Mqklqhpg.exe
2188	Mnaiol32.exe
2188	Mnaiol32.exe
2892	Mgjnhaco.exe
2892	Mgjnhaco.exe
2780	Mimgeigj.exe
2780	Mimgeigj.exe
2688	Nedhjj32.exe
2688	Nedhjj32.exe
2504	Nibqqh32.exe
2504	Nibqqh32.exe
2824	Nplimbka.exe
2824	Nplimbka.exe
3064	Nmfbpk32.exe
3064	Nmfbpk32.exe
2896	Nhlgmd32.exe
2896	Nhlgmd32.exe
2512	Opglafab.exe
2512	Opglafab.exe
2364	Olpilg32.exe
2364	Olpilg32.exe
624	Olbfagca.exe
624	Olbfagca.exe
2404	Obmnna32.exe
2404	Obmnna32.exe
672	Pljlbf32.exe
672	Pljlbf32.exe
1692	Pmkhjncg.exe
1692	Pmkhjncg.exe
692	Pkaehb32.exe
692	Pkaehb32.exe
1520	Pdjjag32.exe
1520	Pdjjag32.exe
1736	Pghfnc32.exe
1736	Pghfnc32.exe
2268	Pkcbnanl.exe
2268	Pkcbnanl.exe
2264	Qgjccb32.exe
2264	Qgjccb32.exe
1644	Qndkpmkm.exe
1644	Qndkpmkm.exe
876	Qdncmgbj.exe
876	Qdncmgbj.exe
1580	Allefimb.exe
1580	Allefimb.exe
2340	Apgagg32.exe
2340	Apgagg32.exe
2244	Akabgebj.exe
2244	Akabgebj.exe
2388	Afffenbp.exe
2388	Afffenbp.exe
2852	Ahebaiac.exe
2852	Ahebaiac.exe
2416	Ahgofi32.exe
2416	Ahgofi32.exe
2696	Aoagccfn.exe
2696	Aoagccfn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Nedhjj32.exe	Mimgeigj.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmkhjncg.exe	Pljlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkaehb32.exe	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Lhnkffeo.exe	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
File opened for modification	C:\Windows\SysWOW64\Mnaiol32.exe	Mqklqhpg.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Ddaafojo.dll	Olpilg32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Qgjccb32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ieocod32.dll	Nplimbka.exe
File created	C:\Windows\SysWOW64\Akafaiao.dll	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Nibqqh32.exe	Nedhjj32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Mimgeigj.exe	Mgjnhaco.exe
File opened for modification	C:\Windows\SysWOW64\Obmnna32.exe	Olbfagca.exe
File created	C:\Windows\SysWOW64\Nlcgpm32.dll	Mkndhabp.exe
File created	C:\Windows\SysWOW64\Cfnmapnj.dll	Mgjnhaco.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Lhnkffeo.exe	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
File created	C:\Windows\SysWOW64\Mkndhabp.exe	Lhnkffeo.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Gfdkid32.dll	Nibqqh32.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Olbfagca.exe	Olpilg32.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Mqklqhpg.exe	Mkndhabp.exe
File created	C:\Windows\SysWOW64\Mnaiol32.exe	Mqklqhpg.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qgjccb32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Olpilg32.exe	Opglafab.exe
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Nhlgmd32.exe	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Alihaioe.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Afffenbp.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Jeoggjip.dll	Lhnkffeo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2588	1940	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mimgeigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplimbka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nedhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olbfagca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibqqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfbpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkndhabp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjnhaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqklqhpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olpilg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obmnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnkffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnaiol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnaiol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nedhjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll"	Opglafab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkndhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll"	Mnaiol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll"	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgjnhaco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mimgeigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibqqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cbblda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 288	1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe	31
PID 1488 wrote to memory of 288	1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe	31
PID 1488 wrote to memory of 288	1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe	31
PID 1488 wrote to memory of 288	1488	6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe	31
PID 288 wrote to memory of 2316	288	Lhnkffeo.exe	32
PID 288 wrote to memory of 2316	288	Lhnkffeo.exe	32
PID 288 wrote to memory of 2316	288	Lhnkffeo.exe	32
PID 288 wrote to memory of 2316	288	Lhnkffeo.exe	32
PID 2316 wrote to memory of 2332	2316	Mkndhabp.exe	33
PID 2316 wrote to memory of 2332	2316	Mkndhabp.exe	33
PID 2316 wrote to memory of 2332	2316	Mkndhabp.exe	33
PID 2316 wrote to memory of 2332	2316	Mkndhabp.exe	33
PID 2332 wrote to memory of 2188	2332	Mqklqhpg.exe	34
PID 2332 wrote to memory of 2188	2332	Mqklqhpg.exe	34
PID 2332 wrote to memory of 2188	2332	Mqklqhpg.exe	34
PID 2332 wrote to memory of 2188	2332	Mqklqhpg.exe	34
PID 2188 wrote to memory of 2892	2188	Mnaiol32.exe	35
PID 2188 wrote to memory of 2892	2188	Mnaiol32.exe	35
PID 2188 wrote to memory of 2892	2188	Mnaiol32.exe	35
PID 2188 wrote to memory of 2892	2188	Mnaiol32.exe	35
PID 2892 wrote to memory of 2780	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 2780	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 2780	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 2780	2892	Mgjnhaco.exe	36
PID 2780 wrote to memory of 2688	2780	Mimgeigj.exe	37
PID 2780 wrote to memory of 2688	2780	Mimgeigj.exe	37
PID 2780 wrote to memory of 2688	2780	Mimgeigj.exe	37
PID 2780 wrote to memory of 2688	2780	Mimgeigj.exe	37
PID 2688 wrote to memory of 2504	2688	Nedhjj32.exe	38
PID 2688 wrote to memory of 2504	2688	Nedhjj32.exe	38
PID 2688 wrote to memory of 2504	2688	Nedhjj32.exe	38
PID 2688 wrote to memory of 2504	2688	Nedhjj32.exe	38
PID 2504 wrote to memory of 2824	2504	Nibqqh32.exe	39
PID 2504 wrote to memory of 2824	2504	Nibqqh32.exe	39
PID 2504 wrote to memory of 2824	2504	Nibqqh32.exe	39
PID 2504 wrote to memory of 2824	2504	Nibqqh32.exe	39
PID 2824 wrote to memory of 3064	2824	Nplimbka.exe	40
PID 2824 wrote to memory of 3064	2824	Nplimbka.exe	40
PID 2824 wrote to memory of 3064	2824	Nplimbka.exe	40
PID 2824 wrote to memory of 3064	2824	Nplimbka.exe	40
PID 3064 wrote to memory of 2896	3064	Nmfbpk32.exe	41
PID 3064 wrote to memory of 2896	3064	Nmfbpk32.exe	41
PID 3064 wrote to memory of 2896	3064	Nmfbpk32.exe	41
PID 3064 wrote to memory of 2896	3064	Nmfbpk32.exe	41
PID 2896 wrote to memory of 2512	2896	Nhlgmd32.exe	42
PID 2896 wrote to memory of 2512	2896	Nhlgmd32.exe	42
PID 2896 wrote to memory of 2512	2896	Nhlgmd32.exe	42
PID 2896 wrote to memory of 2512	2896	Nhlgmd32.exe	42
PID 2512 wrote to memory of 2364	2512	Opglafab.exe	43
PID 2512 wrote to memory of 2364	2512	Opglafab.exe	43
PID 2512 wrote to memory of 2364	2512	Opglafab.exe	43
PID 2512 wrote to memory of 2364	2512	Opglafab.exe	43
PID 2364 wrote to memory of 624	2364	Olpilg32.exe	44
PID 2364 wrote to memory of 624	2364	Olpilg32.exe	44
PID 2364 wrote to memory of 624	2364	Olpilg32.exe	44
PID 2364 wrote to memory of 624	2364	Olpilg32.exe	44
PID 624 wrote to memory of 2404	624	Olbfagca.exe	45
PID 624 wrote to memory of 2404	624	Olbfagca.exe	45
PID 624 wrote to memory of 2404	624	Olbfagca.exe	45
PID 624 wrote to memory of 2404	624	Olbfagca.exe	45
PID 2404 wrote to memory of 672	2404	Obmnna32.exe	46
PID 2404 wrote to memory of 672	2404	Obmnna32.exe	46
PID 2404 wrote to memory of 672	2404	Obmnna32.exe	46
PID 2404 wrote to memory of 672	2404	Obmnna32.exe	46

C:\Users\Admin\AppData\Local\Temp\6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe
"C:\Users\Admin\AppData\Local\Temp\6458461b844a760717c8bf6cb5198b622c97e7a3fcfa933858999b5ed26300f2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Lhnkffeo.exe
  C:\Windows\system32\Lhnkffeo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\Mkndhabp.exe
    C:\Windows\system32\Mkndhabp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Mqklqhpg.exe
      C:\Windows\system32\Mqklqhpg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\Mnaiol32.exe
        
        C:\Windows\system32\Mnaiol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\Mgjnhaco.exe
        
        C:\Windows\system32\Mgjnhaco.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mimgeigj.exe
        
        C:\Windows\system32\Mimgeigj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Nedhjj32.exe
        
        C:\Windows\system32\Nedhjj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Nibqqh32.exe
        
        C:\Windows\system32\Nibqqh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Nplimbka.exe
        
        C:\Windows\system32\Nplimbka.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Nmfbpk32.exe
        
        C:\Windows\system32\Nmfbpk32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nhlgmd32.exe
        
        C:\Windows\system32\Nhlgmd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Olpilg32.exe
        
        C:\Windows\system32\Olpilg32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Olbfagca.exe
        
        C:\Windows\system32\Olbfagca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Obmnna32.exe
        
        C:\Windows\system32\Obmnna32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 144
        53⤵
        Program crash
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
337KB

MD5
38199fbd114401cdcfd8d54a720d06ce

SHA1
f2232da721761a647e17c824d480f165c85546f3

SHA256
e28956cec768ef35ed008b08be0fc76ec34015c83f041e130979c7d93f9eab82

SHA512
b3338441490858defedfe724db5dae163a29314372786cfd5540da9612d39c57ce3bb8c6e714191c150b288c0a80751f87c66e6eaabd277de85391dc2f2de8c1

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
337KB

MD5
24524de6d5d16874cbf5c48112854c15

SHA1
ef5084b4d2f0617e857abdd95f459a6ba07413a5

SHA256
73201ae68d076a62a0241b3be04ca44a257596a8d4d07307f32bad4796c016f7

SHA512
275efdd976fd9f757071af8fcbb5c36d87c22f44f6c8f5f91ab9f0978356ade06037502d03171b5bec343dcaae77bf2f56901a8f07f5fe5f33b195ebf09a77cb

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
337KB

MD5
946ca624ab8bd7e811f98f27e57c03d4

SHA1
615acd02d298955a9829e403cec5cb0513487d22

SHA256
fa328948612565c2794a5ccf5fead56d28d9256053ccf1b1a3c695cd44b402ef

SHA512
105e30af199aaff65ba97ca91d6b5fd0b00d57f1f92c5d283483c73c5c0c68a10cf0adba869209cee152f8662cd89e1c24a4b1e07b9e5b050255fb745b70b9aa

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
337KB

MD5
12c81519b28e67f927a6e6382864218c

SHA1
fcc866eacaf85ecc5573a2d6182e709ef88acfcc

SHA256
55ff55ae74c75476fbb8a558ccbd2a3e3bfb8e07bccba624540a8a5a0254d0df

SHA512
1a55f05de9e2103564440b9f939735e5685ab33d0019e0a605b1142f0b8f33cee20986e0ad3a96342ae34ba8de661bcf465380d9a476ae9fc3120ae80b3423ec

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
337KB

MD5
3e8e030346f4a38b4b9b9b648109028e

SHA1
23e82aa0f0c344894935b6e64ceddfd6ab07fc85

SHA256
fc80fa2259eabcb78b3d7006d433a9ae9c55c4742732a15ff6ced866d5407226

SHA512
8dc6e1b9a08f9cd42330e1e69c8345094a25b9ef888b857dca1af26a34523c4aab6d0c0d0762411b2085bda1486f8ec86f5944e879f49c09fc61fdd5af2c9b14

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
337KB

MD5
b030cc1a24626289ee9a0cfd39f40847

SHA1
abd40420bac68d8887da0d50d9af64897fd9f908

SHA256
fa27f451df6265de4d52374966b34a3c647045d67f9b3d1e220cc0002bc37b56

SHA512
9e73898c5b2293f57aecc4a1863c14ee9709279f4e6c6b7e0531b55e34658b8a34d7eaf1ea594d74d288323b3e93692513c2528036e505cb413840a791d588b8

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
337KB

MD5
2ab6bea14ba775905892958da17cfc60

SHA1
0776847d5e26e903060434496147781b2ca0d1af

SHA256
8f3b3202caddee38fe386bf99ff749fd8186a37e2cdf21cb9ff6d0599d1d1259

SHA512
d188c0efecd56ea94bb1a04446dea4def374f7850516836a6b22a5d7e9ed9ca50df6802c9f2b5c695ce5b1e470e64b981043c4a9cb7b067bc929f7053bf4f045

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
337KB

MD5
e62f2a3a1cbdcd7d84c9794574f3c036

SHA1
c4544310ffd400029442c634d3e88a03a557a7c6

SHA256
31a63e1afe0c300481f86d693cce9c26943cbd17118d9515f3722433dd6a36c7

SHA512
0f227c1ae7e94f2d3d110b2777b0e64bb588624f1726d8691c0d8d2fe97970c9317cc2babaf49ecf7601f0aa19d9b606bdbf66965730751c27de973fa40104ce

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
337KB

MD5
2a8e4e0b27175b8bce70446b89a6deb2

SHA1
295acb6f42fc0dea156e5d3f86b1a681939003cb

SHA256
a90c287c7bc2ace33b1e5ec68c33dc5f0b50d9fa187fd5a1d6304d6c821fe6ce

SHA512
2f5845227fae123a1fb6be20fd2d7128458c712cf3e61c2de15e9d1e02896a9b1934417fd4150bce374bf7eff56226c76c2f21c9e0bafb3f6d0d0531ada822be

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
337KB

MD5
62e693dbe569eae715b70bce23e5658c

SHA1
b2afb678ee40a216d989d6a38f8741b046d804ab

SHA256
4d00073d6c4e4c808a215079c8e6c8e1cde61e1269ec88ef0d43b56762adf9d0

SHA512
25890ea68ec3c5084b6f3c71ca2b845e46e8a46fc7e908d776b7e37f70a5dc6d91ef9e819b5977b17b667719e09fc2afe8e1f1dc6cbcc7d7e99c273881f31459

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
337KB

MD5
60453c46ba11e81b3953ff96e9ba994f

SHA1
da2652f64c69f3d85bce61c302a32bef36b2235a

SHA256
e1ad2240fea6341c8f68e56e415c7713d7510f1d49fabe7049fc76c18c9cc1db

SHA512
c9a8b7009ab1dfc816f2c01729732b3d3b91cc5083a1d91fe90ec46b305d4c5f4fbb69ab965edda57cb805909fab402ddb78b17186faa936ca818f07155dec0d

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
337KB

MD5
fc4acd794c0e15d3b9167b665af86dd7

SHA1
040bf8ef98c641ce77a8e157d1c5be9bf5409308

SHA256
3aa8c5c46647251d00d4364b23bbb68d0528e8c43b9ab1f6a86163334f4e5230

SHA512
b885ba5f4ab27850b2575d4a016e7048e41ef0510defc32531f684e3a4d073cb75cfa89f30d585bc7972db0a6d6d7204e2550e37946283fff079975eb4404682

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
337KB

MD5
42fa20241f1172c5ba0533c3355bdf90

SHA1
8e37c36057c4a9d4fb013f4b4c61f6ab4b87962c

SHA256
2c4bef5fb511e50a234589645fd0d4d38d6933d339e0083869db5af0a57b0625

SHA512
df312bb2e2ff7ba307c9b1e074e45697132d77fd11613f9cfc412db33692d4aed68fa371dbc3e3f8fd7e687592274fdcfd088fff2fe4ab7c35ef91f6865ada32

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
337KB

MD5
ec567afbe74336efefcc0bfa7d548032

SHA1
c341a3764fe243bb7752eb7c483b57ef3c42fb78

SHA256
7856041adaf6884f4ff03eb7ae6a6e021dccf195d77a3b88d0101db978d79eb1

SHA512
d45f6396c0b21ef83d4bf886271e5aea7d00773dcef16151e7d1fd77fe4aea02587b5b94dec548746ea21e4667b4af0a2499e6d75983a73a54208509517347d0

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
337KB

MD5
58dcad8a9c1bb6c758192f43fc5a32cb

SHA1
2f7650578fd232290f326ea6e98db7cf95e60abf

SHA256
3a6cd6f601dd3375056abe089a95b8adc6a8b14a0b8919e3ba09775080bc1429

SHA512
61e9a840caf0f05986411dd3634f949e68be713b0125b2bcb0c4eaf5021a8acc6f0b648e95a3573c679455d5274b5d9a600be525a55e04d60dccf28cfd500921

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
337KB

MD5
a99a1ce13a37ebcbd6282eb820186b24

SHA1
c76195c7b63f67b5361bb7654b20180f1a54782d

SHA256
b560bf64161714a22266d2015c203ee0dece965eccc46ad56e14cf8d0108db12

SHA512
9848d7feb799d82cedeaae9feec3e86253581eafd0897e88c2592c212b1c5fb73ea3bb5d647f5ffc8b0e55ed26f97d0c81944c13e391c0273776c39d584040db

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
337KB

MD5
a4fab38162c26209781d1cb9177f8a81

SHA1
494dd73c829d7fff2dcf389d38ddd956595cf64e

SHA256
997f374770560d5792ff686807633ff8c79a8d75303d641f0b2501b3630ffc1e

SHA512
6cc1a8bb5524d6c30ac2477e25372c6fb283144ed14e65ead1e4047bf62e7de3958502be23ac3e12cc0ece4ea9f79a89fab76b413e55c0855c37b8e05350e22f

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
337KB

MD5
b002585a7fb0a9c5ccc2adb79c89f509

SHA1
e99facf9a18aa31920f0a76455615de52afe0746

SHA256
cbafb2a91af00218f16ac71bef6a39b59f70878ae50947a5dbf4698e0c724b1b

SHA512
aaa95c32ce5727a5b21adab076895a2cc55cef0fb3054df1692339a3d5da55217d4c0188e1fbda16c47a1af2bb92c86744ae8279a4dc3f900211d1d8627d2ecf

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
337KB

MD5
791fab62b96392b7fc7b477c59a21dfb

SHA1
020d46365dd5e2948bdb2b438d9aa85c5488bf84

SHA256
5da6a52e4b5b66a27d0dfe098b7b722f109a7551283b5b683b62f3c5fd8af4a4

SHA512
7c32a650f3e00cb5c2a28249506cbb09ac3e6f39cc74f8a6830922ab0ea3362777427c03978881d6c4bf0e1804ad7c5dfa6544c667ce29a06bb28b5076d3f66c

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
337KB

MD5
d32dcd0ab0a9f7905a566d51b719f687

SHA1
523e88dc9f6a294890e6fcf04ce30fc205944aeb

SHA256
983f4a04199e04aab79c4c32e363463da99d1258384e53f73d23efd6aeb68532

SHA512
01b9913e6754c6d01005b71cf2502e281289bbb73a90d2e38941d6aae81cff0ffbb2d2b0596fba2fc9eb53214350dabedf161a726e5374c933d69e0c97d60d6e

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
337KB

MD5
05d2fe50b2b80aeec04469d1b4720d60

SHA1
1be680a62cbb33472b42d080de13a1c74862853a

SHA256
63bd76c3aee8a4c709e657d37de346ac1187d1b4d9b8edd7f9508d51607c17a0

SHA512
1108528d2082b38a70bec592abf5d1d50d4630c99107d199071e657a65bd11faef27a0e2d54b298e5698332bbfc5944030041c136914e1200b3a2d1338243241

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
337KB

MD5
a94a7b88237dc7e44e1da47f3e52e0d8

SHA1
27b7e6186696727e091ce4d8a6620fbd341ffa0b

SHA256
5454c9a2ada4e2608b82be312a93a95cbf98b774e1425ba7326ad23e9881dec4

SHA512
1ef75c7aed41d08ce9b11be20336011ff3d52f77b353b19d5751d0af9da7f008105a7a8cd0612a741fd6b62d27052ce74b5e6c84d707fdcf7000c87c543006bb

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
337KB

MD5
fb8f99c57b0e7f2a8f292f8dcbac49f2

SHA1
5d0397aeb35abab5e1b28ab599bbfcf9f12801cc

SHA256
4c7f11f1bef91caed6c6dc5aa5dadaf4f76fa0e243100a0207129b76abde4a02

SHA512
23ab2a70339f095db7873f831777c5e3d5614926e2de5eda12e00722c0cf2116df63e95a98adb9773d549a8a51066d0fcd16ae807758d6357bef6df60744f709

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
337KB

MD5
730863bf37fe291c8bd8ed89485419f1

SHA1
0ee4f914e1deea16a280785693aee1a1e3276ebb

SHA256
1814e552475dcb673837e5f2482f432d8d93d2cbb26140d71af5589abc832c26

SHA512
eca71a1e8ba7cd79fe7ebe71d939eaf1a2b0a81e02ebc8f18263cb668f9a5b3101fa3e9fc65d4cf2932f368e44b4aba80b5151747844a34c748280b89036223c

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
337KB

MD5
4683ae29e95aae3a1c32562708675146

SHA1
a5274f97ad497a3f3a4378587beb6c01f430cc33

SHA256
f19b4b20e17b5c7873cb91787d33103c5df2b913fc24f50887fa29a09ecdab9d

SHA512
be70595c1dcc9ec3b8381007f321428cfa17cb463d29408bec1a06e867c55f5d1f1aa723ac86f79d145e2e827da97dd7f3730a6191cf481ad758c0b26eae0b14

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
337KB

MD5
2163177d825dbac5539fa24ec17cc395

SHA1
0e883345037080ad8cca0a9e512f0148d48d8a3b

SHA256
ecb1a5baaec329e5761f509d6c1f40ad286ba419c00fdf8087539522d7c87c45

SHA512
7165e32401ee169b7b21babbee2cfb0dc0165d9816c651a0b3d12be7c88d213b13e94cd0652a3f2a6c6b371be588d7762cfe7a6655fc2a4259d90797720f0139

Download Submit
C:\Windows\SysWOW64\Lhnkffeo.exe

Filesize
337KB

MD5
2d84a3e8cf9c0bd877dab20427ddfeab

SHA1
866301d1fd4ddf5abf5696c7160cf0f9e7b29ef3

SHA256
3acdde685d50bbdbc539d4c94535ec1b01981d72ace77feaca655a21018a19cd

SHA512
1bfda3929931ac9468d471c8a85c7358a20a97cec99f55ba1241e07259a40b2bdddd056057933a2ea73bdb6a210ee5f161afcb819434aacb6c7f42b837868814

Download Submit
C:\Windows\SysWOW64\Mgjnhaco.exe

Filesize
337KB

MD5
3e6de27e5ebe186584fb0fd084d042af

SHA1
e195c7b4aa7b6ad908294fd6785a7fba31edd748

SHA256
e995bdf46be029a44a2df8517367fb4627ff9d63c219bdea6ff3e31fead0d9c0

SHA512
19ad6019bd0c48564fb3ae60adf37010806312b479aec7cbf7e8e80d18585d08b4d637aab9267b2e9a450e746bf1237ba9619344e3bc1afeb007b7e2962633dc

Download Submit
C:\Windows\SysWOW64\Mkndhabp.exe

Filesize
337KB

MD5
a10b124b5523ff8ebc6f18768242c138

SHA1
0ca4a31865fd57f8482c6672b4075d6c55cabe4e

SHA256
973e88885a2b7d4b37eaf5f01d099836ef226c30e2b2e0ed7134fb5d26858fa0

SHA512
74d4d50aa22ee044c2614cca0b72207d267a0f16d4d30a763b96e98921e2ad009eaa6558d1ff6e81011d5c54d1f6495db38b9f4f0f2165a475ce6a579745a8ae

Download Submit
C:\Windows\SysWOW64\Mqklqhpg.exe

Filesize
337KB

MD5
e9f01b40f859876d938a964a8e6fba23

SHA1
cc9a7f00fb655a0d7e011b81931466f214f460af

SHA256
5e84a28949a7d35087c6b31ba76615e59a800ec6e5b1dc4223c23661af67d5d8

SHA512
946fc2ba3f699b423b093c1801607e07e88f4595efbd859806a4f91984f5aea0c0c3892ebf37ce77c0dcafc1e9eafb79a1df2588488571006bc84c70440269b5

Download Submit
C:\Windows\SysWOW64\Nhlgmd32.exe

Filesize
337KB

MD5
eb2ce439695d370a94216fbdd0529add

SHA1
a861788425751a42c5f643b8517783096630c233

SHA256
37ddd6ea226f27e3b7733737a0d9d017047fa444f444308b91f1e334ae9a0f8e

SHA512
2eeb6d068148bc239d17dbf8ef2f7754add2555d4e15ab3af2e03d50597bd41e076a677dcff69cbb03ff81b210e00e057b6aa6cb3e071d21e3556aeb91101d36

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
337KB

MD5
8f1ab6c371bb4dc3916165d43e748d15

SHA1
cf8f567f7007f9f47fd5a7199097b786ce603ed4

SHA256
fcf92bc8e165cd77809ec7a4cf81103dcaab235c86ef9c38feeeae3861e4a1e8

SHA512
67f996f6ce6aa9ff20301674353d4bf93b7678baa970c29e67b866c5edb456852290d7080a2725ca9a9058796d263077892832f48d6d49e97e54c01ea61ddfbc

Download Submit
C:\Windows\SysWOW64\Obmnna32.exe

Filesize
337KB

MD5
529675edb68ae8c267f12841d80070fe

SHA1
9060f919b18f51794d328d071f31281238af836b

SHA256
6dfc46b8076dce3d76b92883093605f40d521c744b33e9011623121750e7e0bf

SHA512
00d273901208bad2ef1622be2c2e13066af1251a74f9f2429a9f6a70b3426e82c735f3e7cdf8f74e0b57efc2348c7e82ac25ee61a84daa2f09eea692009386a3

Download Submit
C:\Windows\SysWOW64\Opglafab.exe

Filesize
337KB

MD5
bd88ab547daa737ae908fa08b45e98d1

SHA1
a996d4abe21b0468504818ae755b0311d1e55d04

SHA256
db720c2183c7ab659c16f2c58132098da1c38bfd83ea494cf900862f25240d30

SHA512
b59a2bd9519cd1629918a3781fb8f7feac3dc1ac9296a755d34f3387c0370c11df9efb81698588aa56ce0ad3a25a84aa8b06aa7ce0202ac57f1b16ec67cb118c

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
337KB

MD5
602fdb8fd67a441d1fedfac3765f635b

SHA1
1449418f7b2f981d726c0fe26f8c6702c77d6062

SHA256
ea6549f976a0848aeb9444fe0e878f26cb5eaa960dcaef9a2d81d383581d309e

SHA512
30fc4865a72aa2d3304c81bed15f48a3d0d4439eecdaa685dd96506b703145ba29a3ff897d4648d8952798df5cfcbf60bf80f3b8d919460156e4124c1397d02a

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
337KB

MD5
dd2498e7e29ea5676196f17b26b48fde

SHA1
8eb7232b4401058ed64d35af512f752e4fc5850d

SHA256
39fedb2e2f7a5769c48025c050662b832facc041fa3683c5662baaee1e1e2cb3

SHA512
d3915d6428bad32996af16004c9256ae30c2e9e6367c7e7e902ea10545e74f1f6cd20bdde529b573951d0b902be63b5072719ea6b76c66b00592e024a5a86439

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
337KB

MD5
5389755672cead63076efdd2efd30781

SHA1
ccc1832b92445f2cb9e5ec57db9cdc34e217d5b0

SHA256
e02e0d02bfbe6f69fbc911d1e2bd05f0f0e8aa297aa9e36cd995609dfdb76694

SHA512
6afe2f140e10b0cf7b000c1ec333f8c8f44f7495ddc255f6cbb68ac2ec24d5886d23edffbff24261bd613f9fc125e9c0a2bb667f2652c3d5ee93d478e8e3e20a

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
337KB

MD5
7012475dc7c8b3c98d602776abd165eb

SHA1
a5afa66be21be9adbbb35b823839e0a59baf6cd9

SHA256
90c42350435ebc70691d4120bddd785e07bb4a58bea13ea4844c4feaab9cbbaa

SHA512
ef1a68e92f8b228738cd14da0b4bcfd741dadf7a9c5854364b1fbd09ae2c270e78bee7f26fe8c3ff19110d6f1c7a2215e4d24f5f4b1aaf327a94ce615fde7ef7

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
337KB

MD5
3d15fb0f68e14a11de49a4d9e7a3ac21

SHA1
8cf2c10751c86ab5067d1044fbd16cbf965b3f7d

SHA256
8043a66694f66b4e46fce2985ce5efe6aa7f6de7328a2a9ed9f816a7baa346df

SHA512
0f31777a4fcd99b48bf3d8f8df08ba7b2543bcbc41b73faf33d14199e3e39a90338752f9609ae68814e495487d9ac4976c243d4de78db42c62db3e66513e677d

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
337KB

MD5
1568fcee4537ef25bf86284604dcb7e4

SHA1
856027d9bf9e5d548ccc710242fc0226bf3e0ffc

SHA256
bd52f4185167ccba632491d2c0dfe1df60e1da7fd51a95c56c2d1648d5cbb0bb

SHA512
92bc511825850db8bbb480246ab0b425bd4daffda0a5113c1f97b6b6e1f05138cf16265ba05db836a8260f5e689553aa4bc8c92c53002aa5c7f2c814af6487ce

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
337KB

MD5
c78091bb0331fc8671ece48b06f34a77

SHA1
11a4a8da3de8189f127fe407558615871f88f0ac

SHA256
838dde5b17d0fc7a9752870e90d8aa1f0839d4c937e9738662892a8dac7d67e5

SHA512
85980b9d8537059a7d35c7c1b1980169359efd3667283d262338c4baeedbed69be02ba46415e914932bc7a8ef7d106a0c2fc8d28665d3f7ec9deb578364fc50d

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
337KB

MD5
d431203355f1d05012c0571ddab92199

SHA1
c2a588f9d6894be75e016b3efc839dc3d205af21

SHA256
34a57d86c2138dceef92c25db87b28459cf6a33faaff2d501e5d7700f20b2497

SHA512
fe5dd7d94f76a57f1baf5cfa7758b968c7a0fed3be11e5d7d24285b63354040c7d233fea017f09881b51c87396b78031f961b3a5e20bb5170f78d26eb891ad96

Download Submit
\Windows\SysWOW64\Mimgeigj.exe

Filesize
337KB

MD5
ccfd4393119e2890f736f20b5c3e286d

SHA1
53da6d9aeeb2b089b8cbb183e7349053a20b0490

SHA256
148b958f1534e9fa0da696abd57d708eb9ecfc47c75c23bf98d1d766fb45984e

SHA512
43090ae093ccf7049b7df8109c4b1599076ed5f8c33468b4747360c23382ff2c2e336ba9295dda006cca2ece81385318e231b1ed4fcd3413b854fcacaec87c23

Download Submit
\Windows\SysWOW64\Mnaiol32.exe

Filesize
337KB

MD5
e64bba59ad2f17ca63f8fb5bdd24a474

SHA1
5becfb785380e61070306d1f03f0f12147dd166e

SHA256
b073d9b6352ee9e8671b021acda2a80004d0cd04430b4ba1063906f032d75957

SHA512
2b6ffe38d23cf9c1ee73ec1007716f6ca46ac04557f99cc91840c0f03958f71b8ac04af0ee647d4712c23c91fc33f5052c54a282deb0ab1453c84fbbfdbc81bf

Download Submit
\Windows\SysWOW64\Nedhjj32.exe

Filesize
337KB

MD5
82d9f0f162a045f357ca5657d4727297

SHA1
8458c42f9cc756e2197e3ac83eefefaaaca1907f

SHA256
82deda293953f57338b44e2dbd56f793bf66843bb21d227309fb19dbebf4ce88

SHA512
f52ef08b9ba0e3062112d47a86dc96ed5f452ec00d65b03bc36cbd45ec5dff9818886ced561a0f412bc93b1c30b0f605a622753aad2823805932195d9ad56c34

Download Submit
\Windows\SysWOW64\Nibqqh32.exe

Filesize
337KB

MD5
b1c596a6ca5cc0b6185d6d3d450caf61

SHA1
a2564b11d18066382c2f1246e1c9110176c75ead

SHA256
925ac1774e4f9366f70b364abe59db8aa7f5b055d22d7a57ede06a3840806af7

SHA512
b4e91869889e27b26a2461d9b8d2aad9849288474442846d8227f7ca17d32ec82dfd6f6f1d1482410bdb66e1237764163492e14f65a70a1c551bbf436e6a2e20

Download Submit
\Windows\SysWOW64\Nmfbpk32.exe

Filesize
337KB

MD5
f1c901591dae5848cac0b9c7a9ae16ab

SHA1
624f309db5ea5da73169f1a2274b49fd8855d527

SHA256
b0f7e441011e0e4f7ceb05eeed23ef9ce7f5c1313d4338ad88c53fd66993342d

SHA512
c0d95ba9c8dde7756bac474f3d1a2e0d81f88e16ac8094b0442cea3f804f05e66b8059e403a565b0d28f256e757780ac7c435d35999d82c7c173d106657c1bd7

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
337KB

MD5
6192e06256cf488460bfd40c6f3f6c8f

SHA1
04f28b44f236610bdfd9ec1b92e33eb8d80615f7

SHA256
72c291f699e2e756366dccce9100ad89c40f2a51c436c9bc5a26e10f644bd7f4

SHA512
6852c7d95fb9a4e24253b790d5821062931a7156787dd629312da16164fbaccc6dbd6e87eaffb31f7b072d0a7ec0047ec3e115f6cf5cdf31a314382576ecf06f

Download Submit
\Windows\SysWOW64\Olpilg32.exe

Filesize
337KB

MD5
ae752c58b82bd85474582fdd198788a1

SHA1
758975ebf7e89e546ceed8c355eeeabafaa337d4

SHA256
9e86878c1c1e44b99dc95154e1f5776374259f33e64f2debb3fa70d395529aa6

SHA512
23798098dcc919f506c28179cc1093a1aa6760e2c4fe103f6e1f406c5417046fe051c0a37227fccb09ff68858466d8e385e969ee4f21fb25167a56ea657b9cd7

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
337KB

MD5
3e0f4b4ea60a065d2d005c927e2b8587

SHA1
1ee9bac5959abf85c3025075b88b16e5c0d1bcf2

SHA256
e6e07bf96617350c2d2378965687d7f65e094f2cbfdff7ece80ce1bb4453085d

SHA512
ae541efe677ac4b557a697bd192e4be7394e0018217b3ee96841f1594b7c541b4a72ad121531c869fc272ff7596623476938bc97f93e02036bede8db1c290d92

Download Submit
memory/288-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-27-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/288-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-415-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/536-472-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/536-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/876-303-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/900-502-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/900-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-479-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1144-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-11-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1488-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1488-376-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1520-252-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1520-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-316-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1580-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-317-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1644-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-293-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1692-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-230-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-262-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1736-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-453-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2056-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-457-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2188-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-339-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2244-338-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2244-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-284-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2264-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-282-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2268-272-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2268-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-416-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-324-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2340-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2340-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-633-0x00000000775F0000-0x00000000776EA000-memory.dmp

Filesize
1000KB

Download
memory/2348-632-0x00000000776F0000-0x000000007780F000-memory.dmp

Filesize
1.1MB

Download
memory/2348-306-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2364-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2388-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-349-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-212-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-368-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2416-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-383-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2780-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-480-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2824-129-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2824-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-357-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2852-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-361-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2892-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-81-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2892-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-159-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2896-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-499-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2896-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads