berbew | 42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/10/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
Size

96KB
MD5

52c1905ef2f7d054576cfb7047ba1a43
SHA1

8b341900ff6005cc4045b7e6cfc3e7fae6515a9f
SHA256

42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a
SHA512

db7d4bc1acaf0d67ba57320bcb62b4318ab274460606508a60c23f6d6d05d8a2f165fd071aa48efca43c38ddd256830a0e18aa5a835f892a7232c1c0c24cee9b
SSDEEP

1536:OPC9yQatqLtqlwRfJvv5b+Zjxtt2Lu7RZObZUUWaegPYA:OPQzawLtHv5O+uClUUWae

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbqbioeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngcnpkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lldhldpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfebcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mknohpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlhnfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciiccbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebbgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blklfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfemdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chickknc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkbgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkpgh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgchckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgchckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfebcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnmhajo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picdejbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbqliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqamaeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pppihdha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbqbioeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmppm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbknb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgdpnqfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnmhajo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkbgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaffja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opkpme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcfpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmolkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpmhgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mknohpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkmkgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcffi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mognco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncndnlq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpkhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pembpkfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpmljan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blklfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggcnbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mognco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlhnfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncndnlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcffi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pembpkfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peooek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjomoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbhco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbhco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nokdnail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpkhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciiccbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccinnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebbgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaffja32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001c846-436.dat	family_bruteratel

Executes dropped EXE 49 IoCs

pid	Process
2920	Lmolkg32.exe
2908	Lpmhgc32.exe
2464	Lggpdmap.exe
1576	Lldhldpg.exe
2832	Mlfebcnd.exe
2740	Mognco32.exe
1640	Mknohpqj.exe
1048	Mgdpnqfn.exe
924	Mkbhco32.exe
640	Ncnmhajo.exe
3024	Nqamaeii.exe
2980	Nlhnfg32.exe
2128	Nkmkgc32.exe
2208	Nokdnail.exe
1280	Ngfhbd32.exe
1796	Odjikh32.exe
2172	Oncndnlq.exe
3064	Oqcffi32.exe
2636	Ofqonp32.exe
1748	Omjgkjof.exe
1868	Ogpkhb32.exe
1564	Opkpme32.exe
1468	Picdejbg.exe
2404	Pciiccbm.exe
696	Pppihdha.exe
2788	Pbqbioeb.exe
2540	Peooek32.exe
2836	Pngcnpkg.exe
2696	Pmmppm32.exe
2712	Adkbgf32.exe
1808	Amcfpl32.exe
580	Abbknb32.exe
2956	Alkpgh32.exe
2680	Ahbqliap.exe
2964	Aajedn32.exe
1624	Bgijbede.exe
2468	Bkgchckl.exe
2364	Bgndnd32.exe
2632	Blklfk32.exe
1372	Bjomoo32.exe
1084	Cfemdp32.exe
1864	Ccinnd32.exe
2088	Ckebbgoj.exe
2000	Chickknc.exe
1152	Fdpmljan.exe
332	Gifhkpgk.exe
896	Gaffja32.exe
2940	Ggcnbh32.exe
1720	Gmmgobfd.exe

Loads dropped DLL 64 IoCs

pid	Process
1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
2920	Lmolkg32.exe
2920	Lmolkg32.exe
2908	Lpmhgc32.exe
2908	Lpmhgc32.exe
2464	Lggpdmap.exe
2464	Lggpdmap.exe
1576	Lldhldpg.exe
1576	Lldhldpg.exe
2832	Mlfebcnd.exe
2832	Mlfebcnd.exe
2740	Mognco32.exe
2740	Mognco32.exe
1640	Mknohpqj.exe
1640	Mknohpqj.exe
1048	Mgdpnqfn.exe
1048	Mgdpnqfn.exe
924	Mkbhco32.exe
924	Mkbhco32.exe
640	Ncnmhajo.exe
640	Ncnmhajo.exe
3024	Nqamaeii.exe
3024	Nqamaeii.exe
2980	Nlhnfg32.exe
2980	Nlhnfg32.exe
2128	Nkmkgc32.exe
2128	Nkmkgc32.exe
2208	Nokdnail.exe
2208	Nokdnail.exe
1280	Ngfhbd32.exe
1280	Ngfhbd32.exe
1796	Odjikh32.exe
1796	Odjikh32.exe
2172	Oncndnlq.exe
2172	Oncndnlq.exe
3064	Oqcffi32.exe
3064	Oqcffi32.exe
2636	Ofqonp32.exe
2636	Ofqonp32.exe
1748	Omjgkjof.exe
1748	Omjgkjof.exe
1868	Ogpkhb32.exe
1868	Ogpkhb32.exe
1564	Opkpme32.exe
1564	Opkpme32.exe
1468	Picdejbg.exe
1468	Picdejbg.exe
2404	Pciiccbm.exe
2404	Pciiccbm.exe
2792	Pembpkfi.exe
2792	Pembpkfi.exe
2788	Pbqbioeb.exe
2788	Pbqbioeb.exe
2540	Peooek32.exe
2540	Peooek32.exe
2836	Pngcnpkg.exe
2836	Pngcnpkg.exe
2696	Pmmppm32.exe
2696	Pmmppm32.exe
2712	Adkbgf32.exe
2712	Adkbgf32.exe
1808	Amcfpl32.exe
1808	Amcfpl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlfebcnd.exe	Lldhldpg.exe
File opened for modification	C:\Windows\SysWOW64\Mknohpqj.exe	Mognco32.exe
File created	C:\Windows\SysWOW64\Opjdhb32.dll	Pmmppm32.exe
File created	C:\Windows\SysWOW64\Lpmhgc32.exe	Lmolkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfemdp32.exe	Bjomoo32.exe
File created	C:\Windows\SysWOW64\Fdpmljan.exe	Chickknc.exe
File created	C:\Windows\SysWOW64\Ihbgmc32.dll	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
File created	C:\Windows\SysWOW64\Mknohpqj.exe	Mognco32.exe
File opened for modification	C:\Windows\SysWOW64\Ncnmhajo.exe	Mkbhco32.exe
File opened for modification	C:\Windows\SysWOW64\Nqamaeii.exe	Ncnmhajo.exe
File opened for modification	C:\Windows\SysWOW64\Ngfhbd32.exe	Nokdnail.exe
File created	C:\Windows\SysWOW64\Adkbiook.dll	Peooek32.exe
File opened for modification	C:\Windows\SysWOW64\Blklfk32.exe	Bgndnd32.exe
File created	C:\Windows\SysWOW64\Nqamaeii.exe	Ncnmhajo.exe
File opened for modification	C:\Windows\SysWOW64\Ofqonp32.exe	Oqcffi32.exe
File opened for modification	C:\Windows\SysWOW64\Abbknb32.exe	Amcfpl32.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Ggcnbh32.exe
File created	C:\Windows\SysWOW64\Dijbqion.dll	Pembpkfi.exe
File created	C:\Windows\SysWOW64\Chickknc.exe	Ckebbgoj.exe
File opened for modification	C:\Windows\SysWOW64\Mlfebcnd.exe	Lldhldpg.exe
File created	C:\Windows\SysWOW64\Pciiccbm.exe	Picdejbg.exe
File opened for modification	C:\Windows\SysWOW64\Fdpmljan.exe	Chickknc.exe
File opened for modification	C:\Windows\SysWOW64\Ogpkhb32.exe	Omjgkjof.exe
File opened for modification	C:\Windows\SysWOW64\Alkpgh32.exe	Abbknb32.exe
File created	C:\Windows\SysWOW64\Fcohglnm.dll	Lpmhgc32.exe
File created	C:\Windows\SysWOW64\Oqcffi32.exe	Oncndnlq.exe
File created	C:\Windows\SysWOW64\Mdekjmob.dll	Pngcnpkg.exe
File created	C:\Windows\SysWOW64\Jakoae32.dll	Bgijbede.exe
File created	C:\Windows\SysWOW64\Ncffihci.dll	Mlfebcnd.exe
File created	C:\Windows\SysWOW64\Fodbcjid.dll	Picdejbg.exe
File created	C:\Windows\SysWOW64\Fkecpl32.dll	Adkbgf32.exe
File created	C:\Windows\SysWOW64\Bqqclmpe.dll	Abbknb32.exe
File created	C:\Windows\SysWOW64\Lqicio32.dll	Cfemdp32.exe
File created	C:\Windows\SysWOW64\Lmolkg32.exe	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
File opened for modification	C:\Windows\SysWOW64\Mgdpnqfn.exe	Mknohpqj.exe
File opened for modification	C:\Windows\SysWOW64\Nokdnail.exe	Nkmkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Odjikh32.exe	Ngfhbd32.exe
File created	C:\Windows\SysWOW64\Ogphdb32.dll	Ngfhbd32.exe
File opened for modification	C:\Windows\SysWOW64\Amcfpl32.exe	Adkbgf32.exe
File created	C:\Windows\SysWOW64\Lgaahp32.dll	Gaffja32.exe
File created	C:\Windows\SysWOW64\Mognco32.exe	Mlfebcnd.exe
File created	C:\Windows\SysWOW64\Ofqonp32.exe	Oqcffi32.exe
File opened for modification	C:\Windows\SysWOW64\Omjgkjof.exe	Ofqonp32.exe
File opened for modification	C:\Windows\SysWOW64\Pbqbioeb.exe	Pembpkfi.exe
File created	C:\Windows\SysWOW64\Qigefa32.dll	Bjomoo32.exe
File created	C:\Windows\SysWOW64\Aajedn32.exe	Ahbqliap.exe
File opened for modification	C:\Windows\SysWOW64\Ggcnbh32.exe	Gaffja32.exe
File created	C:\Windows\SysWOW64\Blbfiq32.dll	Lmolkg32.exe
File created	C:\Windows\SysWOW64\Nlhnfg32.exe	Nqamaeii.exe
File created	C:\Windows\SysWOW64\Omjgkjof.exe	Ofqonp32.exe
File opened for modification	C:\Windows\SysWOW64\Picdejbg.exe	Opkpme32.exe
File created	C:\Windows\SysWOW64\Amcfpl32.exe	Adkbgf32.exe
File created	C:\Windows\SysWOW64\Aijolhib.dll	Alkpgh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbhco32.exe	Mgdpnqfn.exe
File opened for modification	C:\Windows\SysWOW64\Oqcffi32.exe	Oncndnlq.exe
File created	C:\Windows\SysWOW64\Hgnoehoj.dll	Ahbqliap.exe
File opened for modification	C:\Windows\SysWOW64\Ckebbgoj.exe	Ccinnd32.exe
File created	C:\Windows\SysWOW64\Iiogbn32.dll	Fdpmljan.exe
File opened for modification	C:\Windows\SysWOW64\Bgijbede.exe	Aajedn32.exe
File created	C:\Windows\SysWOW64\Gifhkpgk.exe	Fdpmljan.exe
File created	C:\Windows\SysWOW64\Nokdnail.exe	Nkmkgc32.exe
File created	C:\Windows\SysWOW64\Ngfhbd32.exe	Nokdnail.exe
File created	C:\Windows\SysWOW64\Memchb32.dll	Nokdnail.exe
File created	C:\Windows\SysWOW64\Odjikh32.exe	Ngfhbd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	1720	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmolkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkbgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfemdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opkpme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkpgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgijbede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccinnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbqliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggcnbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggpdmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mknohpqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkbhco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpkhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pembpkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcfpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngcnpkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgndnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnmhajo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nokdnail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfhbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqonp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picdejbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbqbioeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blklfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpmljan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omjgkjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpmhgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgdpnqfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqamaeii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncndnlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajedn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgchckl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfebcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhnfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmkgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciiccbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peooek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmppm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjomoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chickknc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaffja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifhkpgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lldhldpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mognco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcffi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pppihdha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebbgoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lldhldpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncndnlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peooek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlbpigi.dll"	Ckebbgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcfpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijolhib.dll"	Alkpgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mognco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieeidi32.dll"	Mknohpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfhbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pciiccbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmppm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcffi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbqliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqicio32.dll"	Cfemdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggjlfl32.dll"	Chickknc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhofjehd.dll"	Ncnmhajo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkmkgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqcffi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pembpkfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfebcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mognco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nokdnail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogphdb32.dll"	Ngfhbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgijbede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blklfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggpdmap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imahgj32.dll"	Lldhldpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngcnpkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjomoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chickknc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgaahp32.dll"	Gaffja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlhnfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnkma32.dll"	Ogpkhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdekjmob.dll"	Pngcnpkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egedlo32.dll"	Bkgchckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncffihci.dll"	Mlfebcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkecpl32.dll"	Adkbgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakoae32.dll"	Bgijbede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcfmdigd.dll"	Nkmkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Picdejbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijbqion.dll"	Pembpkfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngcnpkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccinnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebbgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbhco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meoiij32.dll"	Odjikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkpjknd.dll"	Opkpme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodbcjid.dll"	Picdejbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qigefa32.dll"	Bjomoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgndnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkmkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omjgkjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Picdejbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmdopge.dll"	Pppihdha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjkn32.dll"	Amcfpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohglnm.dll"	Lpmhgc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2920	1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe	29
PID 1996 wrote to memory of 2920	1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe	29
PID 1996 wrote to memory of 2920	1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe	29
PID 1996 wrote to memory of 2920	1996	42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe	29
PID 2920 wrote to memory of 2908	2920	Lmolkg32.exe	30
PID 2920 wrote to memory of 2908	2920	Lmolkg32.exe	30
PID 2920 wrote to memory of 2908	2920	Lmolkg32.exe	30
PID 2920 wrote to memory of 2908	2920	Lmolkg32.exe	30
PID 2908 wrote to memory of 2464	2908	Lpmhgc32.exe	31
PID 2908 wrote to memory of 2464	2908	Lpmhgc32.exe	31
PID 2908 wrote to memory of 2464	2908	Lpmhgc32.exe	31
PID 2908 wrote to memory of 2464	2908	Lpmhgc32.exe	31
PID 2464 wrote to memory of 1576	2464	Lggpdmap.exe	32
PID 2464 wrote to memory of 1576	2464	Lggpdmap.exe	32
PID 2464 wrote to memory of 1576	2464	Lggpdmap.exe	32
PID 2464 wrote to memory of 1576	2464	Lggpdmap.exe	32
PID 1576 wrote to memory of 2832	1576	Lldhldpg.exe	33
PID 1576 wrote to memory of 2832	1576	Lldhldpg.exe	33
PID 1576 wrote to memory of 2832	1576	Lldhldpg.exe	33
PID 1576 wrote to memory of 2832	1576	Lldhldpg.exe	33
PID 2832 wrote to memory of 2740	2832	Mlfebcnd.exe	34
PID 2832 wrote to memory of 2740	2832	Mlfebcnd.exe	34
PID 2832 wrote to memory of 2740	2832	Mlfebcnd.exe	34
PID 2832 wrote to memory of 2740	2832	Mlfebcnd.exe	34
PID 2740 wrote to memory of 1640	2740	Mognco32.exe	35
PID 2740 wrote to memory of 1640	2740	Mognco32.exe	35
PID 2740 wrote to memory of 1640	2740	Mognco32.exe	35
PID 2740 wrote to memory of 1640	2740	Mognco32.exe	35
PID 1640 wrote to memory of 1048	1640	Mknohpqj.exe	36
PID 1640 wrote to memory of 1048	1640	Mknohpqj.exe	36
PID 1640 wrote to memory of 1048	1640	Mknohpqj.exe	36
PID 1640 wrote to memory of 1048	1640	Mknohpqj.exe	36
PID 1048 wrote to memory of 924	1048	Mgdpnqfn.exe	37
PID 1048 wrote to memory of 924	1048	Mgdpnqfn.exe	37
PID 1048 wrote to memory of 924	1048	Mgdpnqfn.exe	37
PID 1048 wrote to memory of 924	1048	Mgdpnqfn.exe	37
PID 924 wrote to memory of 640	924	Mkbhco32.exe	38
PID 924 wrote to memory of 640	924	Mkbhco32.exe	38
PID 924 wrote to memory of 640	924	Mkbhco32.exe	38
PID 924 wrote to memory of 640	924	Mkbhco32.exe	38
PID 640 wrote to memory of 3024	640	Ncnmhajo.exe	39
PID 640 wrote to memory of 3024	640	Ncnmhajo.exe	39
PID 640 wrote to memory of 3024	640	Ncnmhajo.exe	39
PID 640 wrote to memory of 3024	640	Ncnmhajo.exe	39
PID 3024 wrote to memory of 2980	3024	Nqamaeii.exe	40
PID 3024 wrote to memory of 2980	3024	Nqamaeii.exe	40
PID 3024 wrote to memory of 2980	3024	Nqamaeii.exe	40
PID 3024 wrote to memory of 2980	3024	Nqamaeii.exe	40
PID 2980 wrote to memory of 2128	2980	Nlhnfg32.exe	41
PID 2980 wrote to memory of 2128	2980	Nlhnfg32.exe	41
PID 2980 wrote to memory of 2128	2980	Nlhnfg32.exe	41
PID 2980 wrote to memory of 2128	2980	Nlhnfg32.exe	41
PID 2128 wrote to memory of 2208	2128	Nkmkgc32.exe	42
PID 2128 wrote to memory of 2208	2128	Nkmkgc32.exe	42
PID 2128 wrote to memory of 2208	2128	Nkmkgc32.exe	42
PID 2128 wrote to memory of 2208	2128	Nkmkgc32.exe	42
PID 2208 wrote to memory of 1280	2208	Nokdnail.exe	43
PID 2208 wrote to memory of 1280	2208	Nokdnail.exe	43
PID 2208 wrote to memory of 1280	2208	Nokdnail.exe	43
PID 2208 wrote to memory of 1280	2208	Nokdnail.exe	43
PID 1280 wrote to memory of 1796	1280	Ngfhbd32.exe	44
PID 1280 wrote to memory of 1796	1280	Ngfhbd32.exe	44
PID 1280 wrote to memory of 1796	1280	Ngfhbd32.exe	44
PID 1280 wrote to memory of 1796	1280	Ngfhbd32.exe	44

C:\Users\Admin\AppData\Local\Temp\42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe
"C:\Users\Admin\AppData\Local\Temp\42aff9d138011fd658f20dabd7ea709cad3ef49128c44b53e9d45a330a16259a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\Lmolkg32.exe
  C:\Windows\system32\Lmolkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Lpmhgc32.exe
    C:\Windows\system32\Lpmhgc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Lggpdmap.exe
      C:\Windows\system32\Lggpdmap.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\Lldhldpg.exe
        
        C:\Windows\system32\Lldhldpg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Mlfebcnd.exe
        
        C:\Windows\system32\Mlfebcnd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Mognco32.exe
        
        C:\Windows\system32\Mognco32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Mknohpqj.exe
        
        C:\Windows\system32\Mknohpqj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mgdpnqfn.exe
        
        C:\Windows\system32\Mgdpnqfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Mkbhco32.exe
        
        C:\Windows\system32\Mkbhco32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Ncnmhajo.exe
        
        C:\Windows\system32\Ncnmhajo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Nqamaeii.exe
        
        C:\Windows\system32\Nqamaeii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Nlhnfg32.exe
        
        C:\Windows\system32\Nlhnfg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Nkmkgc32.exe
        
        C:\Windows\system32\Nkmkgc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Nokdnail.exe
        
        C:\Windows\system32\Nokdnail.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ngfhbd32.exe
        
        C:\Windows\system32\Ngfhbd32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Odjikh32.exe
        
        C:\Windows\system32\Odjikh32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Oncndnlq.exe
        
        C:\Windows\system32\Oncndnlq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Oqcffi32.exe
        
        C:\Windows\system32\Oqcffi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ofqonp32.exe
        
        C:\Windows\system32\Ofqonp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Omjgkjof.exe
        
        C:\Windows\system32\Omjgkjof.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ogpkhb32.exe
        
        C:\Windows\system32\Ogpkhb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Opkpme32.exe
        
        C:\Windows\system32\Opkpme32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Picdejbg.exe
        
        C:\Windows\system32\Picdejbg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Pciiccbm.exe
        
        C:\Windows\system32\Pciiccbm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Pppihdha.exe
        
        C:\Windows\system32\Pppihdha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Pembpkfi.exe
        
        C:\Windows\system32\Pembpkfi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pbqbioeb.exe
        
        C:\Windows\system32\Pbqbioeb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Peooek32.exe
        
        C:\Windows\system32\Peooek32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Pngcnpkg.exe
        
        C:\Windows\system32\Pngcnpkg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Pmmppm32.exe
        
        C:\Windows\system32\Pmmppm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Adkbgf32.exe
        
        C:\Windows\system32\Adkbgf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Amcfpl32.exe
        
        C:\Windows\system32\Amcfpl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Abbknb32.exe
        
        C:\Windows\system32\Abbknb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Alkpgh32.exe
        
        C:\Windows\system32\Alkpgh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ahbqliap.exe
        
        C:\Windows\system32\Ahbqliap.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Aajedn32.exe
        
        C:\Windows\system32\Aajedn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bgijbede.exe
        
        C:\Windows\system32\Bgijbede.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bkgchckl.exe
        
        C:\Windows\system32\Bkgchckl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bgndnd32.exe
        
        C:\Windows\system32\Bgndnd32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Blklfk32.exe
        
        C:\Windows\system32\Blklfk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Bjomoo32.exe
        
        C:\Windows\system32\Bjomoo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Cfemdp32.exe
        
        C:\Windows\system32\Cfemdp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ccinnd32.exe
        
        C:\Windows\system32\Ccinnd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ckebbgoj.exe
        
        C:\Windows\system32\Ckebbgoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Chickknc.exe
        
        C:\Windows\system32\Chickknc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Fdpmljan.exe
        
        C:\Windows\system32\Fdpmljan.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Gifhkpgk.exe
        
        C:\Windows\system32\Gifhkpgk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\Gaffja32.exe
        
        C:\Windows\system32\Gaffja32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ggcnbh32.exe
        
        C:\Windows\system32\Ggcnbh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 140
        52⤵
        Program crash
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajedn32.exe

Filesize
96KB

MD5
522d696d743b75f2e599db6b63c3afda

SHA1
6b3519b0e58e0f6f78342c8366f9b436d87c0830

SHA256
00d8577dd425dcba03f10bfca0d42753ceb2c3b2d00b6477e294889d3c2d7916

SHA512
f4f31b887488ad4bd5d9dfca377297771428a08706be9087d66e2ab9899ec03d993065119c678dba03736c641af944baaa770e40ab2adb2ab8b5ae748453c20e

Download Submit
C:\Windows\SysWOW64\Abbknb32.exe

Filesize
96KB

MD5
ef2194b91a1a8d882f486a96e918a4b5

SHA1
e603edd74231541e760b7c59166936bdf2936a7b

SHA256
e95efea41826285434aeffd89515cbc5abd554acaf5f432a26cbd9ff2b5471b5

SHA512
a1623de50f2db205538db004be0326f4a308dddf6692dabe6090be3106d274b298df4e5695989169add6cd37860c847cdb1c68ab31d7d2eb3d939ef443539758

Download Submit
C:\Windows\SysWOW64\Adkbgf32.exe

Filesize
96KB

MD5
31f81556727fc009d5419541c3f6bf32

SHA1
9bd8bce17613804b30bd0eaf28404255f80b41ae

SHA256
fa7371955508dc32403c2c68fe03b75d8bd3a39c796e028c6fdc47cfd490cb18

SHA512
0de2e8ba376ad784d120a02e87eb4ff6454cb94cd7141c99abfe095fa98584f504b29880a03d9565ef90e14d3c45eca27935cf0ea3a44cdd932e72097ecc7b63

Download Submit
C:\Windows\SysWOW64\Ahbqliap.exe

Filesize
96KB

MD5
59a13306f8673da2b8e0249794f8de1c

SHA1
154b84ae1025441937c3fd9f922fa0bfd28bb9c6

SHA256
fc2f061f20738d2095f75382da18374cd62567f92fe9b46579aefa4af5945861

SHA512
18158cc7478ed84f5b2653902a9a684abcdba8b8401707054290a8b516c573cb1773ad47e4f6c75ce52b85a26f0acb418401087bbd639998a5186e23a753acbe

Download Submit
C:\Windows\SysWOW64\Alkpgh32.exe

Filesize
96KB

MD5
8ab2b0259ed2c7963c1f57c0df511349

SHA1
3d6f8dec9bbffd2bd4bc6828a3b3df6b3ba711c5

SHA256
99b0f581e8cfc6a2a366b6480de090d61c6f57b2069c4f5e591061f8b83c76ca

SHA512
7ce6ba58ed594cd1904f97268b3eb35cc1f904396ceede24cd5329941c747ed3f0445b3ff581ed6b89a7a0062c671c967b42a9984f418cb910b9ed1b619fe4d2

Download Submit
C:\Windows\SysWOW64\Amcfpl32.exe

Filesize
96KB

MD5
26de6ed56be8edb9a0896a645b5ace7a

SHA1
a527d617dff4cdaa06fffcd672217eb9eec834bd

SHA256
013b839476c514a3b42b1744f7cf63da47ba4fff4bd9d1b25588d70995da05c5

SHA512
92382d3aed2225fb0dc03ab81294d531314c1fd10b042f8cba3127a90088a528442673125bc0127cf4ccbb9aa9cf35e57fa0e82cab224436148f13309ce0eab5

Download Submit
C:\Windows\SysWOW64\Bgijbede.exe

Filesize
96KB

MD5
84481bbedfaaf06191369f275fe945f8

SHA1
746cc63aeeae74ee38b0706aa62c4ce4aafd0c48

SHA256
22771b1a020aeb67346a6b6a4433affd73faaec2eefec0c11494d01fcbee1a2c

SHA512
77ec6a0f436c7996dd11a521af067e0f183c869a1fa1d61661aed7b760064511f3effbd9ce1687320b2ab4d0ba37271bf74cfab1e10c11d1cb3c37c4d87bbe02

Download Submit
C:\Windows\SysWOW64\Bgndnd32.exe

Filesize
96KB

MD5
ce9fb267fc462a363c56f7606beaa6c8

SHA1
2d56c9233c9916bc8779adda688ec800ae825b3b

SHA256
3b279d6ee68863e4df3ccb239e8538a6ee34ef5b27eb851ebcd2d00b0e9a89c6

SHA512
db3e02dd018fa25df75d214a3371b71696b68b4542e4b3fd88d82bfe80ea7c7e4a95a66adc6fb146e34906eb8f7fa31318dff84434d3f0f9e6b70acfc4547043

Download Submit
C:\Windows\SysWOW64\Bjomoo32.exe

Filesize
96KB

MD5
4f998da3c299a649b25008e11b85887c

SHA1
87e63f566a3e6d516c0502983d5df947b3c15013

SHA256
73bb8dea92cc6cadc8f159b50b8cc11a32a04c0822eca51e7e4d60e545833e71

SHA512
0cb5296dee795eb514cd6a61381377e4f66dbcda22e78317b5608ef22609215c0b5eb92ac01ed89a11b15f456e494f34cc656a538cfcad2a03b7a6eec2f8208d

Download Submit
C:\Windows\SysWOW64\Bkgchckl.exe

Filesize
96KB

MD5
08c8db4e3fc89917cbc34c76958f0df4

SHA1
6d4ce111029b9c23b06366cb94b099b8f63c8013

SHA256
687794d97ede9623c83b5a6c6ef138c6fd92e362035b6df87cf3e456efaab8fd

SHA512
401892bb878021b02c2851d0412f34737921bc3ad2c93bbeee6f6bc3a5f6c40a283e0ffa67c43a7c3d35d6e98ec06fb7136bc41ddccb2cec381a78b45bee7243

Download Submit
C:\Windows\SysWOW64\Blklfk32.exe

Filesize
96KB

MD5
36974ca32a8270e78d5abd6575970ec9

SHA1
c7401fdfff82b4718e7e50e3a6e1b2ac3622f18e

SHA256
2066a781aef1fda255365a32a15921532bc977ddf4039ec72d9a3c4461c3457a

SHA512
197be6d05bbcdeb472794f1d5b7c8a06573fcf2a81d5b1e0850b4e5e723a747262013143ecc53df355b7e48474ed9e010bd5f91dad3fc02074cbbdb6ae2e2469

Download Submit
C:\Windows\SysWOW64\Ccinnd32.exe

Filesize
96KB

MD5
1ee9881ab6b83e861bf9079380c4e41a

SHA1
868c81cc26965b30f82ad97c1d658cbd13bbf266

SHA256
ffb513626c5a562f3050c9e29e3e5b43081b35d018924cdfa1cbef03c8c1c71e

SHA512
14fe90b7da45fe9311a1298ae85ea5294e65afdffa1c03c164a6b0c4ed116212170dbeefa3eaa2ab77feca3cf5cfed114b00f2db1e82add5abddb5c0ed55776f

Download Submit
C:\Windows\SysWOW64\Cfemdp32.exe

Filesize
96KB

MD5
39ac6df4e4257be9da110e8e4be21601

SHA1
b9d2721c0a3f8798d938d5ea2bd6e5770a489f63

SHA256
fbeb703d211edc3757d04d500102283fc6f336dead4ddb69b16ced3be382019a

SHA512
09ee1e753f9ac51852bdd99a3c7ec8051f69b8602f5ee9e4ea4543f57bc5786765924c4922bd548e7980ab8b317fb4dc463dd66cf1cabe110b5ea8498a89ad1a

Download Submit
C:\Windows\SysWOW64\Chickknc.exe

Filesize
96KB

MD5
6dcc8cf4e9646081b69e40855aaf9cbc

SHA1
928da04d3aac5b9a02aae2464314901b9f186ea0

SHA256
98c53552e0084db30c78a53a59d2014b3af947fdf0334de1cf36d3e00ca3873b

SHA512
273b57b5b1f85f289aad3a38c6a08975cd3b9d1e4a7500c8fee6faab0fca661517e8d33c47a138bd7e86e7f46e9135cc0ece6f254fed69a7caebcc0becdf57b9

Download Submit
C:\Windows\SysWOW64\Ckebbgoj.exe

Filesize
96KB

MD5
6826edfc3a0d498ab6b19f8693e0badd

SHA1
9158e6efe7014203cd6a607aab219592c3e293c4

SHA256
98ebf28c5991d66300eb6254676ff700d5fdb8866abf8f02e182a2eee3c15535

SHA512
4641feab23787f4814aef1734eb055b818ba7d059a3838bf708ff1c383ab3b11d325e3d11633df0ca63d39cfa9579cb775e5732b7fab437830fefc67199df0aa

Download Submit
C:\Windows\SysWOW64\Fdpmljan.exe

Filesize
96KB

MD5
6087d3f87d6f3da4aacb8e9d2473c8bc

SHA1
9f4d8c8ac5b6b0cd9b4c21f07b8f46b472cfe179

SHA256
ca554ff9ec02dd855bc1fd546e1a06ef1e2b04b5d15f99db2b244497c80acfe6

SHA512
f957f5a7d352a06af695fe2d2fe21037fb4bae1121e438314eb8125ac34f45f677c1508673084bd0998de90883c2928c735996c63ae7fcee82258acf81dda192

Download Submit
C:\Windows\SysWOW64\Gaffja32.exe

Filesize
96KB

MD5
af90aa2fd804ae359133aa2a78b8fdc1

SHA1
4f3330e01ad3fa7aef7b5c42efe373ee537489b6

SHA256
82ba8e5edd4366e708cb92743a9ae657cb626e4bbfa7dda1f119e337374e5760

SHA512
601f5d4a94e8f0c9d31cc8271f38c14e69262cfddc1e3b15679e9ce24228877fca232ae8db31361cdc8581149ffe8dde2eb2356954ad5ceaa071bc2a4bc1b3df

Download Submit
C:\Windows\SysWOW64\Ggcnbh32.exe

Filesize
96KB

MD5
b91413c183622569a1390ac1e3f3f891

SHA1
1a7dd824ab1b771422439839b291cf9bfd560c0e

SHA256
bfffda0c31956167643b7e42436696e1c78cec253839ac8aec008b41cf0b2962

SHA512
cfc232fc0b31b4f9b0f10d88703c067441fa109e7a1d888fcd58d081ceec27c940d78459b74ba99be88f1056e3e074a785b4f680d8e885e4bce94836d217f0df

Download Submit
C:\Windows\SysWOW64\Gifhkpgk.exe

Filesize
96KB

MD5
aba3320aae636502d1275e1f76b022c4

SHA1
6342450151ef1d250fd40765f8f228246e61a358

SHA256
21afde804b56e72a810a9a5b9cc38aae60137f2b2a52ae67acbb3d05452793b6

SHA512
1b6d27ebc23f1a1eb1d7cbc6f0942f7740bd6c9377ebddf010c801df17223b0251d73e56ba13865546e57f230c173b3ac44c14b349512c8f1304d631702d9020

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
96KB

MD5
0db677a46a356227d29c602fdc599497

SHA1
589c8edbc3df3542b43cec742004e85214707ccb

SHA256
fa9e0abee57863503848dabde54b6d7523a1b16edfe943b9a6c8d567a3bc9cdd

SHA512
da43c2b370a3b6f4d00b796ab008c6708c81289931171c66dd89e22f26de2770fbd97bee5fc968fa5426a0c969b35f9bdc5c844156ad03c3cbe01c9524e05a31

Download Submit
C:\Windows\SysWOW64\Lldhldpg.exe

Filesize
96KB

MD5
2814bebd46081f35c8903ac4e1ef669f

SHA1
0582328296d822ca2340a89037b48abd3348ddd7

SHA256
e9bb3765694bec86afc1a747977375fa9a4583231c2d7d6382f7401a99c4c204

SHA512
747c9558f959ff22a33f097cdae4a4dfde895d2e9307bc3e7a2ec61af62c7204d5631443d163129369ef8955592e45dff3fb013d568ef2ec6d09a9c609cbd88a

Download Submit
C:\Windows\SysWOW64\Lpmhgc32.exe

Filesize
96KB

MD5
d09748ce57c98b85f9cd35b442320a94

SHA1
3756a538fb8fe636c81dc03eb7f4304ce413493d

SHA256
eab0c4c8772907c9cbedc0335f2950d7d84ca8160e3c9f4c3c06143105165adc

SHA512
5983b99465b4d9e73efc3bc800eb037e83bd3214b971aacfa0a6c29b862737817aceff68801a61e9d337a0dc976a39b6dfffc3936e72b2222e75a765b27c98fe

Download Submit
C:\Windows\SysWOW64\Mkbhco32.exe

Filesize
96KB

MD5
a0877ff595f8a2cf6f9339eb030ad5bf

SHA1
150e840e6490a39648d065949752f2ae5615cd04

SHA256
999e0e903811fb0b8d065019d09b17f3533bbc10eb2bdb8f04527a0af420d7a1

SHA512
6b1f1b0b37b9b1324982dc22de83781166336ba12b47a522b43c3c261cf71996c9153245c334de031c61ee43fa5e7c49346bcabd9a39f9e2f41410340e57aa61

Download Submit
C:\Windows\SysWOW64\Mlfebcnd.exe

Filesize
96KB

MD5
06b3c251941fb3d2f0d3c1d92f4347de

SHA1
bea5b96ffb888b4a5a8cc75766ba3d196b22ba0e

SHA256
8ec113c65f38f7001917e9d5087be7287769d9a9d06d579cc2c1a557be8d602a

SHA512
4d0614f07f72f4290cc808cb4f57664351e772a324a80793fe7ed0dabb0fc869a53bd3d0c5e169699ab2694b9e51cc95e618eb4edff7cd1ff49aca4c7ca2e058

Download Submit
C:\Windows\SysWOW64\Mognco32.exe

Filesize
96KB

MD5
64743a853eb706f372801793cb00b15c

SHA1
a84b207d79ce48f8c70409960fcd6286798faf26

SHA256
e4a08c7e579fcde02bdf4794c690eaf3edce2245ef7f487af4c2b559c8deed0a

SHA512
bb000498402acd473c99afe3c3bb8d00a5278a8d6c0bcafd28530c96b4081aaca39ca472d7b287dfd5c85bf870888255408680f01281710876166b92b15e8056

Download Submit
C:\Windows\SysWOW64\Ncnmhajo.exe

Filesize
96KB

MD5
d121aaec438bffdecb51550f21d460d9

SHA1
34bf82a780daead9d2246e179d2f63ac84089a3d

SHA256
2dc1c0e89363375accfeeedf6c4de943576a042102f765aca313673e8c4d0344

SHA512
e80c39caa3674cef754b0f02b71a9da41d4748f425ea28a7e3083c4c9722ec46029d8c7186847c5b629651ebc9a1ce0130af0fdd0a7157289810b9651603fa6f

Download Submit
C:\Windows\SysWOW64\Nokdnail.exe

Filesize
96KB

MD5
9046c5de26f32f7960bc11d1ba6a907d

SHA1
fc33e928fadd36e7fd811ad04fd862e1235136f6

SHA256
980a153b2e0fba51b204ed15f94d51c3d3641a7d264f73ae747d74401cadbc55

SHA512
e3535dfeee337b76e5bb759740d4c93c9737c6e6707ce54179d94ad9f97e84fdbf5f5e9e13f483e84815b64fd05450e0ca926d1eb6cfcc3abe750147991923b7

Download Submit
C:\Windows\SysWOW64\Nqamaeii.exe

Filesize
96KB

MD5
9637f90cc024d3bbd2776862fdb546af

SHA1
01fbd62f4d4e20ff7113c04ecf74dc55396021d6

SHA256
2a583e54306e3a5a722d7dce347bd14b13bfc3cd9bf4e4c8f51152441e1eb5e0

SHA512
8eee5ffd4fd4f2a9dede9be26456f6ed251eb96d7627b2deed23e810d5425da13bb863140c1ddc578cae1a2dc9325d5d39fa4fc36d0722b3104fecbb4e788832

Download Submit
C:\Windows\SysWOW64\Ofqonp32.exe

Filesize
96KB

MD5
1c853b13a3db3243e648704729f85e7e

SHA1
b3ff0aa3da0cb7a88da42fa1c0b6906487b494c0

SHA256
fd775811baa929a38c6836e865ab2809db2fac6f28ed6c1aab8be0264686fc5a

SHA512
076c0016c3a51800cc333944d2beffd48cd12d474b217aec3c41b48c1a15705674ae9642c72633cf795d58228d6c5f0b568b7aa570b695f4e001ba8ef69902f6

Download Submit
C:\Windows\SysWOW64\Ogpkhb32.exe

Filesize
96KB

MD5
ab27632fc83b9a7a730156a0673f8552

SHA1
c05cfe41599147afcec558c094344f6fe8a9df98

SHA256
fc17619b52adfe9fe8d406d0aa740be23c822615523f84531d78961a0590a276

SHA512
1c5e71ff5ba163f0fc60a6e96ac38299eeac783ac6a809aeb7333fafc65e8753c5231626c931518ad218e78ab5d9e709619a8975455fbb34504fb3d99c811bb9

Download Submit
C:\Windows\SysWOW64\Omjgkjof.exe

Filesize
96KB

MD5
d4b24c7f281d9cb2611d07bb2eca282b

SHA1
0865563430fff89e9376cc670b0cb21eba57d1e1

SHA256
c32a01d2d153064ef426ede8938cf3cdfa9242468b03c48f931580051291780b

SHA512
8a87194633bc2a028b11e201e728e35d2337caabf3c6eec35914bff3c015f17d078a571e9aa2db4084aa79bee887be0f75b8d472d317f9fdd76a7d607ebb4f50

Download Submit
C:\Windows\SysWOW64\Oncndnlq.exe

Filesize
96KB

MD5
2f3ed6bffe2370e70c21bc527dfc27aa

SHA1
5638b841d99fbb7979e7d8f99a6a57b5f1d43edb

SHA256
ba7b9796fb83c7012b3e576c96d2d287073dac7c8cb848ba47ad55774983e753

SHA512
ae3fa24b969a0ae79c4c395ba1c30f9bdae9b8ebe5bafd1af39fa10c35ae621196a687e13b7acbdef4e27f1e4e7a0fb40687d0af022b4a59421e1ce172cc2fb3

Download Submit
C:\Windows\SysWOW64\Opkpme32.exe

Filesize
96KB

MD5
0d0b29ba4062aab9393956d4ad0907e6

SHA1
15de33beb4ad8ac8a19f4e650e8aa441d86ac21c

SHA256
817d96cb93939eda0b7b85694b4f0c907ce39f2d05638c8718e968f68daa70e3

SHA512
e712c8fd573533a5b72c9e77846279c8babf6c78f652ffa3597adf71601aa6634955ac5fce4d8029b5d7b62b039a7159260db526221a6189361323027523f0b9

Download Submit
C:\Windows\SysWOW64\Oqcffi32.exe

Filesize
96KB

MD5
f13a9891f2a12a31ec6089901fcb0ea0

SHA1
1ac343b7d8d341615cc3525990289d75c58efb4f

SHA256
91d9292bda09f87018bd5026d505866a6075998de48dcf23c649bdcf39fc5d76

SHA512
d6acfc541f1a4b8abd3fbf90d50764c9b232b0b461935d7e8876cef322147c0813dbb3431f39c1bb8be9e98e989cb14d28b7188bce78b0839dd7ece7ab79e3aa

Download Submit
C:\Windows\SysWOW64\Pbqbioeb.exe

Filesize
96KB

MD5
6e73a77c1a9bd0cd55977c08baaf26bb

SHA1
23a575cb7381c82a6b2b556cc2a2d6c2921d97f7

SHA256
5c3474674d8aadfbb4172cf0e1e4bd7b416f1e533f1efc23703424f97d561faa

SHA512
b88ff24bb864c05ff4d8014b4b47187af60b7c94c7c829d85807aca05fb48fcd63c0fab8a2f8f771dcdab7a1eea25e0ed1c863b2bf1599386e0054626cbd7464

Download Submit
C:\Windows\SysWOW64\Pciiccbm.exe

Filesize
96KB

MD5
ed87021feff6110aad3a2d7ecb9e23a4

SHA1
b502d964810a45092a75c9e6dcd5f0545aa969a7

SHA256
c7d9f99b25646c1fa05f72bef24bf2de9b0885060415e2492ed2c095d0dde50b

SHA512
78dae17481717c68a30809bae1256a14487f5a4462e9bcd29d0986d6da924210ed619950a8cc1bcbcb1c0a5e1693f2382ed5bf02ea937028b94e2df33f1c9ff3

Download Submit
C:\Windows\SysWOW64\Peooek32.exe

Filesize
96KB

MD5
3b735f56cef48a76be79206d9b3e6867

SHA1
d8a255d75a48e11fb9f7bc299f7e61672eabf231

SHA256
5c124768400052f84f4f61ad033f035d7a54dc0065a331b11081858a8c15b157

SHA512
91b2ee31213242e52f4379682cb25add8902d2ab4bb637496141e8ee2e201f0891070865ecedaa9b09677554f204bd29eb5aa2544cc4bc393b88fd2e7e6352b1

Download Submit
C:\Windows\SysWOW64\Picdejbg.exe

Filesize
96KB

MD5
f7b4ef2591ac3d28ab20fdfe5cbe7342

SHA1
5f94c7a288bc55791811cb0cd8139d6edca07e95

SHA256
1daf5536765b4ea48f674273756aa4b02a5965f6819d974ab12d1a1fe6831603

SHA512
7d6b2d93eda2ce7a61d388e72b55be9753f4bb9b8979b41a1b13b03e618ec623c46e51b9abc6956227c031e2af3c74b64668ac5f43eb48cc26d077ba9ee7098f

Download Submit
C:\Windows\SysWOW64\Pmmppm32.exe

Filesize
96KB

MD5
01b581905fb76691512f26be6e9aa0c5

SHA1
6ddaf52f2089abf7e28a421b82324bbe0a0119f0

SHA256
02bede18ca034ebdabb02ddd724c5f1f5aa5089e2be754bd3db1540791d7a955

SHA512
0232d543c5e5469bb9de059fb19d87cd7f09798973a869479080346ad8a785121752551a8b933fcf131e1d96991cc270a446a26c7ab886afba67047cf2f25b9d

Download Submit
C:\Windows\SysWOW64\Pngcnpkg.exe

Filesize
96KB

MD5
574c9eca26d7e74a55c2372b3462454b

SHA1
ab61e339796b2d00f4098eb60fa36aa3da573f16

SHA256
d3988c9e4f8bd98263d66095b77871d2b6365243f3cff33dc822058e36c1782e

SHA512
79f36157ecee9a82f448816b79d45a808f17634eb9aa4a58682e7b5b9b3a35cb5613926bc9088f245280132946b798e8d21c030aa7de82956e0181b6f7430988

Download Submit
C:\Windows\SysWOW64\Pppihdha.exe

Filesize
96KB

MD5
6440344a5905a6b014e832bbc02b107c

SHA1
4773bb823bfb5527bf242dc9fa8912cab4466e4c

SHA256
2bf4a931cb9f2e16c0f3e3ebd1c59d6967f5baada48b9297c9bb136564e7a4bc

SHA512
4cb399b54cd008e95a860f7870ff51406100d6c1e2f0d1b7ef84958a7f27e28574dc282779dcee991991258663c7f04b83115d4b059075628c43b2b46440b2c4

Download Submit
\Windows\SysWOW64\Lggpdmap.exe

Filesize
96KB

MD5
b9ce9c864055340a5063cb098f3e0a22

SHA1
f6fcacef558a711703c2016e59f06af4d1cfbd93

SHA256
f9da8fb5036c5bf0c0781c79c1ca7c87f3b533fc25c97d1619728d8efd62156f

SHA512
8fe91e45d1e2dea8511444d1c96594b408056cd76634ab0cce2b9bbb9101927db70af5fb8e575df8465434027e44291e62631b7c3aebee8573c84f2f0dae7d71

Download Submit
\Windows\SysWOW64\Lmolkg32.exe

Filesize
96KB

MD5
3357929fe004dc79e9e26014bef4a204

SHA1
de71518031631d88e05f87e3c168a363460f6cd6

SHA256
578229b4f97cd781dddacab2ba46d45bcc64a8d33875275f80496fc4e3c56d02

SHA512
23b8b59f50fd9562858b95a4bde3b3bfa6c9cd6ab7e1e58f1dfc717c7f733b28251c78c50e351a0e98108ff7e83e407f1fe9d7915b042459db3be92219478c38

Download Submit
\Windows\SysWOW64\Mgdpnqfn.exe

Filesize
96KB

MD5
23f7d0cab21654f97214ab6b51ceefe3

SHA1
16abfcea9fcfc7dcd01fb2f5ee0034b342ece31b

SHA256
b571cb37fc23e5d9eb1e8a6cb616a6ad3f595e381b1de4eaed6560ec17ab2d71

SHA512
e4078cfb7dbfa4921a59f870204efe2434758d867548a27c6dc8f755db72d7fb011fc615a50ec61d4dac98efe0baf25c4348f35edc7af4173574b3c8d3643ce5

Download Submit
\Windows\SysWOW64\Mknohpqj.exe

Filesize
96KB

MD5
cbd596ae62415ec17a30c805ccea9eeb

SHA1
e923a33435c2fab02b631c37718d812207b0b4c1

SHA256
eff67039fd68446528dc24d6655421bef88c8d148e5619e64dca7c479ffb73cb

SHA512
a1c92e56963dd33f8f0acc706ca339ba47f59e2f0e38f0707cdf90fdda609b49b0f478d26e2b0ec8dec8ad1ee4fcd19d7c1aa82c05142cff65f95cb9dffea626

Download Submit
\Windows\SysWOW64\Ngfhbd32.exe

Filesize
96KB

MD5
67c8634be12c4f766e66ca08caf91b70

SHA1
299fabfb87f512e48b407ceb879533bcc0f270fd

SHA256
a69c5920bc64e3fcc6e431439843f66d01c724027454e02ae990ef59f7184b02

SHA512
b1994764f61c37d520e42a6773895dd82e30092dce858539b12dbf73e8aedef9d8b7bd1b913313dc054ae5a401ddacf5687b75bef90660bd5112eedce848e8b0

Download Submit
\Windows\SysWOW64\Nkmkgc32.exe

Filesize
96KB

MD5
fcf27fea61e3100fe43c0731cdba8789

SHA1
8fde2f27bd406cb7df7a2dc4cbe0fc7831eda115

SHA256
4de88d20bc82debb55594ebb8db9b8754269fce61633b709af7b2a56afb6af95

SHA512
95fb64b3b94e49e577a45d403abd8b56f2f908a617772459820d271e3bfe9056f64bb523a5952f811f44b212eb240f15fc7972913db85cda316040f6fa47651d

Download Submit
\Windows\SysWOW64\Nlhnfg32.exe

Filesize
96KB

MD5
9951d9121ce35eb3f9b954960f67f66a

SHA1
c436042de3a8677aa53fd3c08b16554760a76ac6

SHA256
15acaba04ab517c6203295c3e7d1c3f66ac5726f0895b41a0ea76628eb8425d6

SHA512
c69539bf2338ffc637ff9b6dd004b70bcd0a77906d56cf663f4aecba1ee4b0c903abb675b79b632b685bf5f6f73d2d35fc9b2c4c00710533d41f4093ca0f5809

Download Submit
\Windows\SysWOW64\Odjikh32.exe

Filesize
96KB

MD5
52b2f1c32b070a3e5ff7abe716fff079

SHA1
120317b641847a6b57fe82bddf276bc133cc16a7

SHA256
3fd9d46e65cd03ed9ff96de200e726ea8118c1283b7561fb163838fd35decc9c

SHA512
86586d1ea5db76b92785030da2ababe101e73d2ead225ffc6ac84e59cccac0635569d97f73a8185fdff73db482b667e4bd982f65c5770121992c45f6611433ac

Download Submit
memory/332-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-142-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/640-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-311-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/696-312-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/696-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-115-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1084-492-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1084-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-494-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1280-212-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1280-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-217-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1372-481-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1372-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-297-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1468-298-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1564-284-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1564-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-288-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1576-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-62-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1576-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-103-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1640-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-266-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1748-265-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1796-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-225-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1808-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-277-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/1868-273-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/1996-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-324-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1996-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1996-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2000-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-184-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2172-234-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2208-198-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2208-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-460-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2364-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-305-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2404-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-309-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2404-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-449-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2468-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-345-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2632-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-253-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2680-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-415-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2696-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-377-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2740-95-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2740-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-89-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2788-335-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2788-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-331-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-322-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-321-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-384-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2832-76-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2832-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-353-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2836-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-39-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2908-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-425-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2980-467-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2980-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-169-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2980-174-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3024-155-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/3024-160-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/3024-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-247-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3064-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads