berbew | 2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73f

Analysis

max time kernel
109s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2024, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe
Size

163KB
MD5

ff5abc78603bded5d226a4a06a07c120
SHA1

27b14914afcdeb11d6bdc18906b2d8b3159e6e17
SHA256

2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73f
SHA512

8cf1c1d19f8044d9170905697ad344be6ad555da76e5d21787cddc807090909a335d7ed924d28c4d707a468bbfa1836873ba740514438995f1cd16e15e66e68b
SSDEEP

1536:P5fp2Vt2r1PPj6+x0ClexEvcPpRjHClProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:BPr6+eOe/HjHCltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnnii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomclbho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppphipgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdepfjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqnceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abajahfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcmcddng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmmdoppe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdeaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfblcgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakmen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkhbnlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjbnbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmoab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcccdfqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihdkgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcihco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhgkdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nokfgbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbjmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcclkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baiqpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capgpnbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjemfhgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfdemopq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooalga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcdgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdepfjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdncliaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgdmjpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdeaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfdncm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfipcpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnhofj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adiqjlcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplfog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niqnjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfblcgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qadnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paoebbol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cipepo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacmhma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ladpaakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfdemopq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajalaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipepo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcqgnfbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfiogn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjqckikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcocpdfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlqjoiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcjbkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcpphib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adiqjlcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhihii32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 64 IoCs

pid	Process
4552	Kpbjbk32.exe
2732	Kcqgnfbe.exe
232	Kpdghkao.exe
3756	Kcccdfqb.exe
4824	Kimlqp32.exe
2140	Kpgdmjpl.exe
1100	Khbibm32.exe
4128	Lchmoe32.exe
1240	Lhdegl32.exe
1724	Lonndfba.exe
216	Llbnmk32.exe
1044	Laoffa32.exe
3624	Lhioblgo.exe
2920	Lcocpdfe.exe
4428	Ljiklonb.exe
4968	Lpbcii32.exe
4472	Ladpaakm.exe
2956	Ljkhbnlo.exe
2020	Lpepoh32.exe
1568	Mcclkd32.exe
4868	Mjmdgn32.exe
336	Mpgmdhai.exe
4308	Mcfipcpm.exe
448	Mfdemopq.exe
3752	Mhbaijod.exe
1064	Mlnnii32.exe
3004	Momjed32.exe
4600	Mchffcnj.exe
3220	Mbkfap32.exe
4036	Mjbnbm32.exe
3012	Mlqjoiek.exe
808	Mplfog32.exe
920	Mcjbkc32.exe
3908	Mfiogn32.exe
936	Mhgkdj32.exe
3820	Mqnceg32.exe
1716	Mcmoab32.exe
4816	Mfkkmn32.exe
4344	Mhihii32.exe
4032	Nqqpjgio.exe
3984	Njidcl32.exe
3412	Ncailbfp.exe
4704	Nfpehmec.exe
3996	Nqeiefei.exe
4368	Ncdeaa32.exe
1644	Niqnjh32.exe
2688	Nokfgbja.exe
3176	Nfdncm32.exe
1472	Nomclbho.exe
1812	Njbgik32.exe
3856	Niegehno.exe
1252	Ooopbb32.exe
4860	Oihdkgll.exe
4660	Ooalga32.exe
5100	Obphcm32.exe
2024	Omemqfbc.exe
4588	Oodimaaf.exe
2324	Ojimjjal.exe
1152	Oilmfg32.exe
3448	Opfebqpd.exe
5040	Ojljpi32.exe
1796	Oqfblcgf.exe
4632	Ocdnhofj.exe
4652	Ofbjdken.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jmkjjl32.dll	Mhihii32.exe
File created	C:\Windows\SysWOW64\Gmbpqc32.dll	Nokfgbja.exe
File opened for modification	C:\Windows\SysWOW64\Oodimaaf.exe	Omemqfbc.exe
File opened for modification	C:\Windows\SysWOW64\Pjqckikd.exe	Pfegjjck.exe
File opened for modification	C:\Windows\SysWOW64\Nqeiefei.exe	Nfpehmec.exe
File created	C:\Windows\SysWOW64\Fcbpnlmn.dll	Ncdeaa32.exe
File created	C:\Windows\SysWOW64\Abcgghde.exe	Apekklea.exe
File created	C:\Windows\SysWOW64\Pnhflm32.dll	Dmpjlm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmlme32.exe	Bbedlg32.exe
File created	C:\Windows\SysWOW64\Bnlono32.dll	Ciioopad.exe
File created	C:\Windows\SysWOW64\Jakhal32.dll	Ofbjdken.exe
File opened for modification	C:\Windows\SysWOW64\Pmfegc32.exe	Ppbeno32.exe
File created	C:\Windows\SysWOW64\Appapm32.exe	Aificcbj.exe
File created	C:\Windows\SysWOW64\Aapnip32.exe	Afjjlg32.exe
File created	C:\Windows\SysWOW64\Dghodhbp.dll	Lcocpdfe.exe
File created	C:\Windows\SysWOW64\Pmopgdjh.exe	Pjqckikd.exe
File opened for modification	C:\Windows\SysWOW64\Baiqpo32.exe	Bmmdoppe.exe
File created	C:\Windows\SysWOW64\Lhdegl32.exe	Lchmoe32.exe
File created	C:\Windows\SysWOW64\Lpbcii32.exe	Ljiklonb.exe
File created	C:\Windows\SysWOW64\Mbkfap32.exe	Mchffcnj.exe
File created	C:\Windows\SysWOW64\Nokfgbja.exe	Niqnjh32.exe
File created	C:\Windows\SysWOW64\Kffchbjn.dll	Mcfipcpm.exe
File created	C:\Windows\SysWOW64\Pcigff32.dll	Abcgghde.exe
File created	C:\Windows\SysWOW64\Cdncliaj.exe	Capgpnbf.exe
File created	C:\Windows\SysWOW64\Cpgefj32.dll	2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe
File opened for modification	C:\Windows\SysWOW64\Kimlqp32.exe	Kcccdfqb.exe
File created	C:\Windows\SysWOW64\Lcocpdfe.exe	Lhioblgo.exe
File created	C:\Windows\SysWOW64\Ladpaakm.exe	Lpbcii32.exe
File created	C:\Windows\SysWOW64\Cfplpc32.dll	Ooalga32.exe
File created	C:\Windows\SysWOW64\Ojljpi32.exe	Opfebqpd.exe
File opened for modification	C:\Windows\SysWOW64\Qbekejqe.exe	Qadnna32.exe
File created	C:\Windows\SysWOW64\Liielgja.dll	Khbibm32.exe
File created	C:\Windows\SysWOW64\Dooenm32.dll	Nfpehmec.exe
File opened for modification	C:\Windows\SysWOW64\Ooopbb32.exe	Niegehno.exe
File created	C:\Windows\SysWOW64\Balijopc.dll	Ooopbb32.exe
File opened for modification	C:\Windows\SysWOW64\Mbkfap32.exe	Mchffcnj.exe
File opened for modification	C:\Windows\SysWOW64\Qadnna32.exe	Qimfmdjd.exe
File opened for modification	C:\Windows\SysWOW64\Bifbjqcg.exe	Bakmen32.exe
File created	C:\Windows\SysWOW64\Cikkeppa.exe	Ckhkic32.exe
File opened for modification	C:\Windows\SysWOW64\Ppbeno32.exe	Paoebbol.exe
File opened for modification	C:\Windows\SysWOW64\Amfooafm.exe	Ajhbbegj.exe
File created	C:\Windows\SysWOW64\Pnbodpej.dll	Amfooafm.exe
File created	C:\Windows\SysWOW64\Ogneqhig.dll	Bbedlg32.exe
File opened for modification	C:\Windows\SysWOW64\Kcqgnfbe.exe	Kpbjbk32.exe
File created	C:\Windows\SysWOW64\Lpepoh32.exe	Ljkhbnlo.exe
File opened for modification	C:\Windows\SysWOW64\Mjbnbm32.exe	Mbkfap32.exe
File created	C:\Windows\SysWOW64\Fiflofgh.dll	Mlqjoiek.exe
File opened for modification	C:\Windows\SysWOW64\Ddolcgch.exe	Dpacmhma.exe
File created	C:\Windows\SysWOW64\Pgeclkie.dll	Cgolnd32.exe
File created	C:\Windows\SysWOW64\Fmejibbn.dll	Dkanob32.exe
File opened for modification	C:\Windows\SysWOW64\Lchmoe32.exe	Khbibm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdeaa32.exe	Nqeiefei.exe
File created	C:\Windows\SysWOW64\Lhjfgd32.dll	Aapnip32.exe
File created	C:\Windows\SysWOW64\Ckoega32.dll	Apekklea.exe
File opened for modification	C:\Windows\SysWOW64\Pfegjjck.exe	Pqhobced.exe
File created	C:\Windows\SysWOW64\Nndmfpai.dll	Qjlcfgag.exe
File created	C:\Windows\SysWOW64\Kcqgnfbe.exe	Kpbjbk32.exe
File created	C:\Windows\SysWOW64\Mcfipcpm.exe	Mpgmdhai.exe
File created	C:\Windows\SysWOW64\Ajfjgohg.dll	Momjed32.exe
File created	C:\Windows\SysWOW64\Nfpehmec.exe	Ncailbfp.exe
File created	C:\Windows\SysWOW64\Nflpljfk.dll	Pcihco32.exe
File created	C:\Windows\SysWOW64\Lemgdggn.dll	Lpepoh32.exe
File created	C:\Windows\SysWOW64\Mhbaijod.exe	Mfdemopq.exe
File created	C:\Windows\SysWOW64\Capgpnbf.exe	Ciioopad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5816	5664	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpggpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baiqpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpbcii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajalaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppbeno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgdelfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfiogn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niqnjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojimjjal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpdghkao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncailbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmopgdjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmmdoppe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhioblgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgkdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niegehno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhbaijod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcmcddng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfipcpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdclgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paoebbol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhbbegj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljiklonb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchffcnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjemfhgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgolnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqckikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjlcfgag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abajahfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkfap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aapnip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfooafm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oilmfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbnmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcocpdfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihdkgll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omemqfbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakmen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbjmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momjed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qadnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdepfjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdeaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojljpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajoplgod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomclbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfegjjck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcpphib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgdeicjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhihii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnhofj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhobced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjbkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiaphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amohnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjjlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgghde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimlqp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfdemopq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njidcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncailbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niqnjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omemqfbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojimjjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcgghde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfblcgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfegjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhbbegj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkanob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iochne32.dll"	Mplfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqinhobc.dll"	Mcjbkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amohnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjjlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbjmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcidobif.dll"	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccfqg32.dll"	Ckhkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmidnd32.dll"	Cipepo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfickg32.dll"	Mcmoab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcgghde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpggpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciioopad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffchbjn.dll"	Mcfipcpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdaego32.dll"	Njidcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niegehno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakhal32.dll"	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfegjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfooafm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpdghkao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfjgohg.dll"	Momjed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhihii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooopbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmopgdjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmpjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjfqklj.dll"	Lchmoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcclkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchffcnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfkkmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmaacp32.dll"	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppbeno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acgdelfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adiqjlcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ladpaakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooalga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbcmna32.dll"	Oodimaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakmen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhmai32.dll"	Kcccdfqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgfbied.dll"	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiaphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljiklonb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjbnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooalga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbaak32.dll"	Ojimjjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoodla32.dll"	Laoffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhioblgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abajahfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdeaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njbgik32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4552	2180	2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe	84
PID 2180 wrote to memory of 4552	2180	2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe	84
PID 2180 wrote to memory of 4552	2180	2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe	84
PID 4552 wrote to memory of 2732	4552	Kpbjbk32.exe	85
PID 4552 wrote to memory of 2732	4552	Kpbjbk32.exe	85
PID 4552 wrote to memory of 2732	4552	Kpbjbk32.exe	85
PID 2732 wrote to memory of 232	2732	Kcqgnfbe.exe	86
PID 2732 wrote to memory of 232	2732	Kcqgnfbe.exe	86
PID 2732 wrote to memory of 232	2732	Kcqgnfbe.exe	86
PID 232 wrote to memory of 3756	232	Kpdghkao.exe	87
PID 232 wrote to memory of 3756	232	Kpdghkao.exe	87
PID 232 wrote to memory of 3756	232	Kpdghkao.exe	87
PID 3756 wrote to memory of 4824	3756	Kcccdfqb.exe	88
PID 3756 wrote to memory of 4824	3756	Kcccdfqb.exe	88
PID 3756 wrote to memory of 4824	3756	Kcccdfqb.exe	88
PID 4824 wrote to memory of 2140	4824	Kimlqp32.exe	89
PID 4824 wrote to memory of 2140	4824	Kimlqp32.exe	89
PID 4824 wrote to memory of 2140	4824	Kimlqp32.exe	89
PID 2140 wrote to memory of 1100	2140	Kpgdmjpl.exe	90
PID 2140 wrote to memory of 1100	2140	Kpgdmjpl.exe	90
PID 2140 wrote to memory of 1100	2140	Kpgdmjpl.exe	90
PID 1100 wrote to memory of 4128	1100	Khbibm32.exe	91
PID 1100 wrote to memory of 4128	1100	Khbibm32.exe	91
PID 1100 wrote to memory of 4128	1100	Khbibm32.exe	91
PID 4128 wrote to memory of 1240	4128	Lchmoe32.exe	92
PID 4128 wrote to memory of 1240	4128	Lchmoe32.exe	92
PID 4128 wrote to memory of 1240	4128	Lchmoe32.exe	92
PID 1240 wrote to memory of 1724	1240	Lhdegl32.exe	93
PID 1240 wrote to memory of 1724	1240	Lhdegl32.exe	93
PID 1240 wrote to memory of 1724	1240	Lhdegl32.exe	93
PID 1724 wrote to memory of 216	1724	Lonndfba.exe	94
PID 1724 wrote to memory of 216	1724	Lonndfba.exe	94
PID 1724 wrote to memory of 216	1724	Lonndfba.exe	94
PID 216 wrote to memory of 1044	216	Llbnmk32.exe	95
PID 216 wrote to memory of 1044	216	Llbnmk32.exe	95
PID 216 wrote to memory of 1044	216	Llbnmk32.exe	95
PID 1044 wrote to memory of 3624	1044	Laoffa32.exe	96
PID 1044 wrote to memory of 3624	1044	Laoffa32.exe	96
PID 1044 wrote to memory of 3624	1044	Laoffa32.exe	96
PID 3624 wrote to memory of 2920	3624	Lhioblgo.exe	97
PID 3624 wrote to memory of 2920	3624	Lhioblgo.exe	97
PID 3624 wrote to memory of 2920	3624	Lhioblgo.exe	97
PID 2920 wrote to memory of 4428	2920	Lcocpdfe.exe	98
PID 2920 wrote to memory of 4428	2920	Lcocpdfe.exe	98
PID 2920 wrote to memory of 4428	2920	Lcocpdfe.exe	98
PID 4428 wrote to memory of 4968	4428	Ljiklonb.exe	99
PID 4428 wrote to memory of 4968	4428	Ljiklonb.exe	99
PID 4428 wrote to memory of 4968	4428	Ljiklonb.exe	99
PID 4968 wrote to memory of 4472	4968	Lpbcii32.exe	100
PID 4968 wrote to memory of 4472	4968	Lpbcii32.exe	100
PID 4968 wrote to memory of 4472	4968	Lpbcii32.exe	100
PID 4472 wrote to memory of 2956	4472	Ladpaakm.exe	101
PID 4472 wrote to memory of 2956	4472	Ladpaakm.exe	101
PID 4472 wrote to memory of 2956	4472	Ladpaakm.exe	101
PID 2956 wrote to memory of 2020	2956	Ljkhbnlo.exe	102
PID 2956 wrote to memory of 2020	2956	Ljkhbnlo.exe	102
PID 2956 wrote to memory of 2020	2956	Ljkhbnlo.exe	102
PID 2020 wrote to memory of 1568	2020	Lpepoh32.exe	103
PID 2020 wrote to memory of 1568	2020	Lpepoh32.exe	103
PID 2020 wrote to memory of 1568	2020	Lpepoh32.exe	103
PID 1568 wrote to memory of 4868	1568	Mcclkd32.exe	104
PID 1568 wrote to memory of 4868	1568	Mcclkd32.exe	104
PID 1568 wrote to memory of 4868	1568	Mcclkd32.exe	104
PID 4868 wrote to memory of 336	4868	Mjmdgn32.exe	105

C:\Users\Admin\AppData\Local\Temp\2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe
"C:\Users\Admin\AppData\Local\Temp\2c03c66ef1bc12dee5fa01952bbd196e38edeb3b4f4c945d917fae5dd9ced73fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\Kpbjbk32.exe
  C:\Windows\system32\Kpbjbk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\Kcqgnfbe.exe
    C:\Windows\system32\Kcqgnfbe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Kpdghkao.exe
      C:\Windows\system32\Kpdghkao.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\Kcccdfqb.exe
        
        C:\Windows\system32\Kcccdfqb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\SysWOW64\Kimlqp32.exe
        
        C:\Windows\system32\Kimlqp32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kpgdmjpl.exe
        
        C:\Windows\system32\Kpgdmjpl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Khbibm32.exe
        
        C:\Windows\system32\Khbibm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Lchmoe32.exe
        
        C:\Windows\system32\Lchmoe32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Lhdegl32.exe
        
        C:\Windows\system32\Lhdegl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Lonndfba.exe
        
        C:\Windows\system32\Lonndfba.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Llbnmk32.exe
        
        C:\Windows\system32\Llbnmk32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Laoffa32.exe
        
        C:\Windows\system32\Laoffa32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Lcocpdfe.exe
        
        C:\Windows\system32\Lcocpdfe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ljiklonb.exe
        
        C:\Windows\system32\Ljiklonb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Lpbcii32.exe
        
        C:\Windows\system32\Lpbcii32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ladpaakm.exe
        
        C:\Windows\system32\Ladpaakm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ljkhbnlo.exe
        
        C:\Windows\system32\Ljkhbnlo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Lpepoh32.exe
        
        C:\Windows\system32\Lpepoh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Mcclkd32.exe
        
        C:\Windows\system32\Mcclkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Mjmdgn32.exe
        
        C:\Windows\system32\Mjmdgn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mpgmdhai.exe
        
        C:\Windows\system32\Mpgmdhai.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Mcfipcpm.exe
        
        C:\Windows\system32\Mcfipcpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Mfdemopq.exe
        
        C:\Windows\system32\Mfdemopq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Mhbaijod.exe
        
        C:\Windows\system32\Mhbaijod.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Mlnnii32.exe
        
        C:\Windows\system32\Mlnnii32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Momjed32.exe
        
        C:\Windows\system32\Momjed32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mchffcnj.exe
        
        C:\Windows\system32\Mchffcnj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Mjbnbm32.exe
        
        C:\Windows\system32\Mjbnbm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mlqjoiek.exe
        
        C:\Windows\system32\Mlqjoiek.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Mplfog32.exe
        
        C:\Windows\system32\Mplfog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Mcjbkc32.exe
        
        C:\Windows\system32\Mcjbkc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Mfiogn32.exe
        
        C:\Windows\system32\Mfiogn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Mhgkdj32.exe
        
        C:\Windows\system32\Mhgkdj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Mqnceg32.exe
        
        C:\Windows\system32\Mqnceg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Mcmoab32.exe
        
        C:\Windows\system32\Mcmoab32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Mfkkmn32.exe
        
        C:\Windows\system32\Mfkkmn32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Mhihii32.exe
        
        C:\Windows\system32\Mhihii32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        41⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Njidcl32.exe
        
        C:\Windows\system32\Njidcl32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ncailbfp.exe
        
        C:\Windows\system32\Ncailbfp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nqeiefei.exe
        
        C:\Windows\system32\Nqeiefei.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ncdeaa32.exe
        
        C:\Windows\system32\Ncdeaa32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Niqnjh32.exe
        
        C:\Windows\system32\Niqnjh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nokfgbja.exe
        
        C:\Windows\system32\Nokfgbja.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Nfdncm32.exe
        
        C:\Windows\system32\Nfdncm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Njbgik32.exe
        
        C:\Windows\system32\Njbgik32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Oihdkgll.exe
        
        C:\Windows\system32\Oihdkgll.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Ooalga32.exe
        
        C:\Windows\system32\Ooalga32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Obphcm32.exe
        
        C:\Windows\system32\Obphcm32.exe
        56⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Omemqfbc.exe
        
        C:\Windows\system32\Omemqfbc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ojimjjal.exe
        
        C:\Windows\system32\Ojimjjal.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Oqfblcgf.exe
        
        C:\Windows\system32\Oqfblcgf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Pqhobced.exe
        
        C:\Windows\system32\Pqhobced.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Pfegjjck.exe
        
        C:\Windows\system32\Pfegjjck.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Pmopgdjh.exe
        
        C:\Windows\system32\Pmopgdjh.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Pcihco32.exe
        
        C:\Windows\system32\Pcihco32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Pjcpphib.exe
        
        C:\Windows\system32\Pjcpphib.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Ppphipgi.exe
        
        C:\Windows\system32\Ppphipgi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1432
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Paoebbol.exe
        
        C:\Windows\system32\Paoebbol.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Pmfegc32.exe
        
        C:\Windows\system32\Pmfegc32.exe
        76⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Ppdbdo32.exe
        
        C:\Windows\system32\Ppdbdo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Qimfmdjd.exe
        
        C:\Windows\system32\Qimfmdjd.exe
        78⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        80⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\Qjlcfgag.exe
        
        C:\Windows\system32\Qjlcfgag.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4124
        
        C:\Windows\SysWOW64\Ajoplgod.exe
        
        C:\Windows\system32\Ajoplgod.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Aiaphc32.exe
        
        C:\Windows\system32\Aiaphc32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Acgdelfe.exe
        
        C:\Windows\system32\Acgdelfe.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Ajalaf32.exe
        
        C:\Windows\system32\Ajalaf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Amohnb32.exe
        
        C:\Windows\system32\Amohnb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Adiqjlcb.exe
        
        C:\Windows\system32\Adiqjlcb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Aificcbj.exe
        
        C:\Windows\system32\Aificcbj.exe
        89⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Appapm32.exe
        
        C:\Windows\system32\Appapm32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Aapnip32.exe
        
        C:\Windows\system32\Aapnip32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Abajahfg.exe
        
        C:\Windows\system32\Abajahfg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Amfooafm.exe
        
        C:\Windows\system32\Amfooafm.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Apekklea.exe
        
        C:\Windows\system32\Apekklea.exe
        96⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Abcgghde.exe
        
        C:\Windows\system32\Abcgghde.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Bpggpl32.exe
        
        C:\Windows\system32\Bpggpl32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bbedlg32.exe
        
        C:\Windows\system32\Bbedlg32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Bjmlme32.exe
        
        C:\Windows\system32\Bjmlme32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        105⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Bifbjqcg.exe
        
        C:\Windows\system32\Bifbjqcg.exe
        107⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        108⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ciioopad.exe
        
        C:\Windows\system32\Ciioopad.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Capgpnbf.exe
        
        C:\Windows\system32\Capgpnbf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Ckhkic32.exe
        
        C:\Windows\system32\Ckhkic32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cikkeppa.exe
        
        C:\Windows\system32\Cikkeppa.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Cadpkm32.exe
        
        C:\Windows\system32\Cadpkm32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Cipepo32.exe
        
        C:\Windows\system32\Cipepo32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Dcmcddng.exe
        
        C:\Windows\system32\Dcmcddng.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Dpacmhma.exe
        
        C:\Windows\system32\Dpacmhma.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Ddolcgch.exe
        
        C:\Windows\system32\Ddolcgch.exe
        124⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 400
        125⤵
        Program crash
        
        PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5664 -ip 5664
1⤵
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgolnd32.exe

Filesize
163KB

MD5
0f0ff587334cd529c55bae63a7fd8a36

SHA1
b16f40fe388d911257699eed3722378c1d8959f5

SHA256
70baf1e9dfd997e6a4f34332cc6ff1005c841514f40ad38311f8fc1277e37d28

SHA512
aa118aa75a89062da6ac2a2e8caaa3838442d9ced51656f7ecaee9fc73d696c8979a12871df140b050cd330f94e8b12128397e7edca594772464499bf1e759df

Download Submit
C:\Windows\SysWOW64\Cmnnfn32.exe

Filesize
163KB

MD5
dad1dbc16e5617ff9b4ddefa9c5f512c

SHA1
1845ba58178aa2d0c0159f70948f2f9239f47317

SHA256
1ac57835462525748f8648608df72989076a0f99f7737a5097d1612503dee303

SHA512
22cd5d40a091109d7da3c4005507a643ea27eb5f2d016a8d603d98cb197842bbdea5c0d855e1ad92b7cc197aa72dd776423f0e3f9128ae6998f18ffb0c3f2380

Download Submit
C:\Windows\SysWOW64\Ddolcgch.exe

Filesize
163KB

MD5
1d8f50caac16c88adcefe62be72e9b25

SHA1
495416a19c95615205b2334d178a0c76d0ab26e8

SHA256
cdf632807a47fc31e137ced58a0ba0cfa8c3b12ee8955bc01c0572e6553e060e

SHA512
0dc46c1c19db4475a028f369a56801d863a35119d60c8c4e37cf070e29f6eaee8b6efb41e4d6a03c7cf7cef57ed646e7fcfec16da8c1dcec6b5195a1f11b3712

Download Submit
C:\Windows\SysWOW64\Dmpjlm32.exe

Filesize
163KB

MD5
6b5b2ff939622036f65f320f622d8759

SHA1
3bdcd536d781aba071ccdfb3d3d6a9ed596d8c07

SHA256
94691a4883073a861cd8960284b9b4b073901a3dc267a8444abcda6d077709f3

SHA512
b2f1495be47e87bafd150daf99795c5926cd90245068eb7072f6a90635a7a4a5f192de6a17e076fd4161cdc7d73ca43cd5412530190597bca741a38877df516b

Download Submit
C:\Windows\SysWOW64\Kcccdfqb.exe

Filesize
163KB

MD5
b4127a8b1a70ee1d89cb0f35d417696a

SHA1
11a9507a0924be646f8fee084e85b5be11f677d5

SHA256
19feeec0e46d5a8a9431a5950a9c8d05afc96e9c64c2ce727001ef0e0801da94

SHA512
f5ee4395791bcf524c29c850f8ec38e2ccdea44e566cc59418d9ca5ee1135f8064ccd7ff69d07c62c7026e502b5bb6d248cdf9308434ce72f4193e9e8a56ea81

Download Submit
C:\Windows\SysWOW64\Kcqgnfbe.exe

Filesize
163KB

MD5
39a3973e62416abc16dd0efdba87199f

SHA1
661670ccbd358f99a0b3bff732a7fe4777e6bd91

SHA256
bd83be6776063cc010a51ea596713fac0706e54cb1331699480ade9d53eed18d

SHA512
c83ca0f22afb02b1c8faf554409d493ea9eb066db394e8c71e62fc457e883fe75c4050e0e2f5427b3f76b696a459eee192ff73dc41063828b6ef323a48519a50

Download Submit
C:\Windows\SysWOW64\Khbibm32.exe

Filesize
163KB

MD5
c521c659c9b1c1a75f2eb7b64a3974f8

SHA1
396b9491f4ec2532382e637016d633b026dc1719

SHA256
4db87e3835a2550fea3af06a5b8b7fc1531a3927f242f45ac7bb0f4c6ece282c

SHA512
cd2d20dce30dab1de3257ae05efc1f87467a3329b10b409d79ae435656ce71e538894ef4632788853fe63846e2fcd0f8d1c9815fbfa1fab276b358e1b4f3417a

Download Submit
C:\Windows\SysWOW64\Kimlqp32.exe

Filesize
163KB

MD5
e3b7a6c99dfb2979e338ee59faba21d7

SHA1
90d0b4081a17992d22b32801cfd3d01956ff5928

SHA256
8be46a309845fa35070329726ee31ece392ee1022876a4769cb0ae655ed3b86f

SHA512
bbe99d1a8a9aeade7f7e30e45e2a273107b098dd05f67dfcdb2bcaee59f98bae7e33f00fef54356a440fd20bcc74387d4994f5a62f467cad66d4c14f058c570a

Download Submit
C:\Windows\SysWOW64\Kpbjbk32.exe

Filesize
163KB

MD5
b07c4965ada9e3ff4620cb1c7790b9c9

SHA1
2c92112480237e5d2ea64fea37161500c879c098

SHA256
6fc16c5a7feeeb85b02fb897ef637988832209ee607a2944eea12d24912d9cfd

SHA512
83e402c2768c577d127c0d8f1a51f382eb0bdf814b7dfd54e4d9084d6959ae8355357d3db5bb8680e7d44533a3cb141c85d4cc7d7fc47e46afd4cef53c750dc1

Download Submit
C:\Windows\SysWOW64\Kpdghkao.exe

Filesize
163KB

MD5
cbdc7a5e399fd9ad72ef19b192e5f57b

SHA1
79f378d468456cb3547600116753e44e31229631

SHA256
aac3e4d8fa6e2862ed0bcac51f10c821fc95858c5cc90b616e2c1ca950845069

SHA512
72f9e95af34c3a5e6f810c65e5085d912b5a848b55a39f4687bbf0f499fb41921eaa407502c7c48bba15c7efef8fab45898a0cd687ef0c443e540fcb4374824f

Download Submit
C:\Windows\SysWOW64\Kpgdmjpl.exe

Filesize
163KB

MD5
4fcbe13a74563987d103ade33de787d3

SHA1
c3f3d07fa86ac68dbdef37b05add64f0ad9bf9dd

SHA256
09c3e3c0ca1dbed4fc038e10f3af086b19f4fe79ae061a3bcf1046ca730846f8

SHA512
0e0580d1c289600eb3fcf42f8dc1734fccfbc2becb62c07f086339bc6589ab4cfb709474cdaf6bdbb79ed479b4fe73197d5afe3e88121fee0089cc1cb9d3625f

Download Submit
C:\Windows\SysWOW64\Ladpaakm.exe

Filesize
163KB

MD5
43e340f028c90ac57b079360b73066d6

SHA1
1f8ff4853961348bc468008c132aed893d3d0d52

SHA256
112564c09a8a913442772eecfc8930731165e4e02ee267ba32031c64404b9167

SHA512
37131cbfd77979aea1253457a761e2706c4e33f8e9adb59e20ba109d66ef0133218882aef15f1af659fb03a3d96f4188fc050b7cfd7e3e4e56520d4ae76033b0

Download Submit
C:\Windows\SysWOW64\Laoffa32.exe

Filesize
163KB

MD5
fa810af06b65a7ee651d46b404a13585

SHA1
3d5d6c36b451df11d0a7b1aaa438ed17a87599ad

SHA256
f2318bee4f91de8a891d15234ff6d1101a8761c360ccaa5643cf6a809ecc26b4

SHA512
43feac04c62fb8b98e72ee6dfcb4f06958d5b6ea9e7ef35137c25d0c965ddd89e65407c358ecedfb875f39132a7f2f6ce16dd3a84431fef5d510be0d3632edbe

Download Submit
C:\Windows\SysWOW64\Lchmoe32.exe

Filesize
163KB

MD5
0e0eff760b9e20ec162b35c1bcf32ba4

SHA1
dd780f60a46434157b91c24fea211faf5dc0e566

SHA256
ec35233f9e551e5affa6bb630e73ac4c312a5ff56824e689242723da8a1d3308

SHA512
899b8d0bce5a4b5b72575041f1a83c26d994776c46b58cf34656945fe4f5015f0d535c23558a93a489d61b05c2547b3b9f97f20b4226ee3f67c3b720c6fbf908

Download Submit
C:\Windows\SysWOW64\Lcocpdfe.exe

Filesize
163KB

MD5
fda11663e7f648ee8c6f48aa1757871e

SHA1
8de33b1ededa47378c4cdbc5522ce56f120b49d0

SHA256
4f7c9617e736e3f4b8cf433b4667fc49db80f37ce54abc27a1b4a74d64da4191

SHA512
0002d393fec9bf1ada1d2577e83b2c14b37d468b4780cfb5bfe2dc4ba4fc4810214162448413be2c42467280fcd7016a4faae2cf692184a0cd41024230e5e68f

Download Submit
C:\Windows\SysWOW64\Lhdegl32.exe

Filesize
163KB

MD5
8558508620633d738ce1993bcfeac946

SHA1
1bdca27bcc52ff95e947593724aaf5331fee34bf

SHA256
aea4e71797f35a27fd83293e2169eaeb4e3f5e5dd3b090c8c367d8564c8db813

SHA512
f2afab169e918e9bf69853254391a395e195eeae46963a362b951751242ec70716af0141c56b859b3b1cd0cf1cfa4c4b05854362cd671ec3b3936331351ddc9a

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
163KB

MD5
c41a42e02269ccdd254d558a6aa6fa58

SHA1
dac2208ddcf4ad720e37667ae2c4f27cc3f9d387

SHA256
9e7c9a7c355f2120dba5d6177ef751e9093aaf14eb9fd84553975be141c040b3

SHA512
e5499d661fa6677054b6200d1e943c11e0bdc778b4247e5888edb2d71f5b4e7b9571ae95088e88fec47db63236ae2e3103dd4743e65d4f922e8958b9d4ce9a4b

Download Submit
C:\Windows\SysWOW64\Ljiklonb.exe

Filesize
163KB

MD5
f1a8e159a0443c87befc402b873c575e

SHA1
beae5368fcca4e91f242bece964575ed200ffed5

SHA256
028500cf1f4ba8b889449d86751b4f7677b307b6a895c825f2335ff392d55dbb

SHA512
92a663861c0858f2d12533a8ef88617d1f200fb7c9a391baffa7a6bf76259b3c793a7c231fb59086927b078c50932a8dee64e291ac99166dc5179de24c46bd0d

Download Submit
C:\Windows\SysWOW64\Ljkhbnlo.exe

Filesize
163KB

MD5
895d570f8b0f644fd003e656f7a7e120

SHA1
d5f2c5d40b85aadadefd399218ddbebd6263e6e4

SHA256
6f271895f9d1f7e6072ae9467594166ab0edec3aac1a56eae7eccde994cf57a2

SHA512
530bc71d19b850cefcd7d8376680e76c0fe37227ba22c518c7963bf5f6e6c20edfe0190532ab4f96eb9e267fc6dc6c407760288d6c4509aa62799e8f978d7dc1

Download Submit
C:\Windows\SysWOW64\Llbnmk32.exe

Filesize
163KB

MD5
f75ea318f46d2f7d54ebf511c9d43f6d

SHA1
6bda760952de7f58b6cec57af4be633ff981b7e8

SHA256
ceaac58be5ba9d60fbc4c788e780b5903f4b45c0dc265aa3300eb573c9984ba1

SHA512
ecfc023bd90403ab399b1deb2446c71dcc8e3d60277c75c97134d5856122d017ad36ff9fbdc44fdc2cc3424a97dd075de1196437f4f60e440285cc7b08ef2f97

Download Submit
C:\Windows\SysWOW64\Lonndfba.exe

Filesize
163KB

MD5
f7d1c0d242691093ee660b07165a8094

SHA1
897fad3aaca24f01140d50354c51eb0233eb840c

SHA256
5071833def4084c502b01cc012c7bd978344238635d9af43f959e62160c98310

SHA512
f2c17b353270bd4ab74afc2f7a3c40cee11a77a3d96ac6327e28cd19de008f1ce69494fa1e1812936203e62a346eeb1df923d0ad8678826ca002574d656ff0da

Download Submit
C:\Windows\SysWOW64\Lpbcii32.exe

Filesize
163KB

MD5
bab4d4a2b86eeaf1a49f9f06b176dce7

SHA1
af69b37d294e34004891e763b01a464d19461f9b

SHA256
9f1e7baf6a5522070e4719153599986b14f016063dd004c323730b630e9b6032

SHA512
6d4393767ba8882b856b6cbe98398a07a21ceae0f41b8b54ddf5cce17024cee0a94a8796d87fc64f2e66801a76c9ab58ef606d685ba10b523cc65a4ca445ffb3

Download Submit
C:\Windows\SysWOW64\Lpepoh32.exe

Filesize
163KB

MD5
83857733ddf5d1e3d9414bb6a114611f

SHA1
9d0eb6d5bac99b4ba717f64a9bad6b4865016c50

SHA256
a056e60bfcdc3e94a4a60e401a355ce008483e54cd4169c04f416ddf9085fcfb

SHA512
9f0a4293ff1681ca1f93243a1a40998ff39206d73aa61ea926279668e296d71056428a8d563108491ccdd65ae26d1edbdc64f412dcd0962114cd9b99040c4f71

Download Submit
C:\Windows\SysWOW64\Mbkfap32.exe

Filesize
163KB

MD5
cd826744395a1afed6596846189aa4a2

SHA1
bd3893845464fd50c1ecfab24099f863ccfddefe

SHA256
58a3dc4e5780a409267caa2b42870183986a8a3286544fa3a8b048417207e674

SHA512
9de593ee7f75ac678c4c0feb8079def5e7b24d54b9286d991cc0ce88f80bacb22589ef8a41f982da5c16b96b91d6e61ad11898708f0a16f03bd3059135aae970

Download Submit
C:\Windows\SysWOW64\Mcclkd32.exe

Filesize
163KB

MD5
f1bea757b211766a2d001668bb759242

SHA1
8d2a0929f1411fe9bf2ce61f81414e92cf084a12

SHA256
f21f1a181abbee838595fa459fbfee404a893c59ce0ae632eee4cef599a368a7

SHA512
2bf153b2a7799b0288dc2070b6ac96f8c660d99ffcdb2d58ce7e4a7bd7df5db370a9613de5cb5787b295b5d0d04c2e6eda3edb752e8dd2b2661e01172c22975f

Download Submit
C:\Windows\SysWOW64\Mcfipcpm.exe

Filesize
163KB

MD5
46a0f23ec17dc6a740f59abfbb1a8777

SHA1
170d4b38f9546fb889d0302a33e2247b2c41d4be

SHA256
5b483d56d9518df24d8dcd93a490995aa70887ec30c7cc6302a5e9b5baf286dc

SHA512
615ebafb8aa115bba78814452cd91e2404ec472a869c6288cb1e107cafd855d204a60b7e174c37bd70f072ae6a4da3f22a4c8b9a9b28de80a9c716dbdee8b0bb

Download Submit
C:\Windows\SysWOW64\Mchffcnj.exe

Filesize
163KB

MD5
685abea7367b1dc4f554f2d01bd77e03

SHA1
1f1b264e324bd8030fb092f34c369f24e088a669

SHA256
0240257d42fdee9df287903855127ce3ff7d2c3e0338648f49a233518a128a83

SHA512
01174d8642f350fcd67ad670c64cbd1b1fb1d28d0c02670514263cad6cc81049d22bf335d2d740c22b146b9728a58bd64b936f32474bbce5131d7fa2bb1ab90a

Download Submit
C:\Windows\SysWOW64\Mfdemopq.exe

Filesize
163KB

MD5
0d985b52d2a0c316fc5f32a63d183384

SHA1
77397b00dd93c69f9d8fc440c9bccaffb0127a23

SHA256
9a04b8a99471e6bd39da38dd8ed3a8894d97ee93a5d1dd488e3f37fca7960bcb

SHA512
7b1cb6e23dd1096a80211a1ae7e73ba0242d89b77e3491f8a2d9d6e26d679eeec4fec6891d540c515e75b62b88cd1ca7eb7fd660ee9672129a8d1ff1586e2faa

Download Submit
C:\Windows\SysWOW64\Mhbaijod.exe

Filesize
163KB

MD5
09178b2849bb45d129f29c80f8d6ec21

SHA1
1eb1920452e2d3c758a8b9cb5bcc18bb432a51ca

SHA256
db555b8dd4f3c1172b205288b8ec7a6691349c6ede5c8039025f60060326f071

SHA512
7abb1591489eb5f87769081896558f90a46e6fc7f24a9c6c5e514ffd49dea7d4f7a8a042f9d026cc8acf9bf88c790180be2bcafcf9139bf632a159f735e3b0f3

Download Submit
C:\Windows\SysWOW64\Mjbnbm32.exe

Filesize
163KB

MD5
71d25dfa454ab37b9b6f33028c85aafd

SHA1
50f5e04faac566f3c354590504d8685e87bbb026

SHA256
ce6af28dae2472d786db1f907d65f4907084078ab0b6108add74b1a77568f019

SHA512
61cf53595cb61e8f9b356ab4399533849439ec380668cf2adf2cc2d65063a584771a0b6f82a037092c3bb4e97dd4b24a435e1a0b0195579d569a7226f2fee350

Download Submit
C:\Windows\SysWOW64\Mjmdgn32.exe

Filesize
163KB

MD5
26a16fce01c47d91d62d96b4b904260f

SHA1
55e0d67d0424e14b92b10b93bb3260f9b6049618

SHA256
953a72159d0a45ef17525afc84f4427551f2996f41c8d88f59d16553650f5ae2

SHA512
c70b687e72e1bd1f31a1a18156bf22a9bbf6632785a5128c492d8c21f2a1a3757a0b4845b43ee7532a34bf48325f07334b67ad266bb18c593c26fc1e5ffb2584

Download Submit
C:\Windows\SysWOW64\Mlnnii32.exe

Filesize
163KB

MD5
9d7f073a793a0704f3fb18a4fe61bbe0

SHA1
6272196eee1847e16cb71b256dcc05a62de7ca20

SHA256
d395dd2d4e786bd3357a35e2f8b212c4962cfebfb965c025aceefa219793bf7e

SHA512
73f63ff4cde3c1cd7fe01b10cf801595106df73f608edbc268ac3d587a129bf0370a945e9140b6c8416f7ffac4f567e2932a3a2027cd021c1e971e6c318c708f

Download Submit
C:\Windows\SysWOW64\Mlqjoiek.exe

Filesize
163KB

MD5
2ffee7dea82cd36bae47a7cd95e01598

SHA1
0ac648bf75eeaaf645e97b3e888cda6c6c7a89f1

SHA256
b2205933660d08614e2f4fb7c1ca89c25392947304d86570bd193c8efe9ae264

SHA512
fe4d9d9d81d8b077225ca4cf268cbc7d990840f1d9104ba104f92139685bf6ae69a431b8da5ff1f2b3e34854026b10de811ce439b4f280ac0628ad25b817a8ec

Download Submit
C:\Windows\SysWOW64\Momjed32.exe

Filesize
163KB

MD5
f4675bd7a7de25c037e357465d53321b

SHA1
4991d4095c03898dacb0ccfbb1cf896403c32f78

SHA256
a663db92f4a2fd33f25c59bba32d7ee73e4cbc70747a736186c2662381965ad9

SHA512
6ab7fe5edad621c7265ad3b72cb625b13686833c17eb8bf34a4eac0c1d248a1ea7b52fbe63dd7d7e1c4914c5e579c50191fe12e2aedcba7b98b526992ead7fc2

Download Submit
C:\Windows\SysWOW64\Mpgmdhai.exe

Filesize
163KB

MD5
31a3ee3bd0b46473ad2f8b29b4850841

SHA1
65fb2c661352c27d5b45d34207908f18e116e7be

SHA256
e73c8b5bf0f1626619342550676ddf62a87b0aa3544f7a63332e1392919b5aff

SHA512
658816f12a390ae8469c89a2055eb76d38b1c048cef98a6a4db6c0695c2b2c79cd814b6f845bd354cb295806ccfba7b924e07a325da767e11feb60016dd0407f

Download Submit
C:\Windows\SysWOW64\Mplfog32.exe

Filesize
163KB

MD5
cb4276ad18f9d852aed834b43c7ee87f

SHA1
3dfb1cf47d47d48c7ad27c093c5ffb6eb6d51c34

SHA256
2767510b8cbe1bf448d5ec1de9e8f024b7c7874a6a8b5e06153e7986ffec4410

SHA512
5aeb2d58bed54461dd91e9f8f6546c75d6297bd8e4d02fad5ac5e50b590e828ff54aaef5aad9ba8aa587301ec178fb5810fdc4f08dbf8c6a9d8d5d96917f5a55

Download Submit
C:\Windows\SysWOW64\Niegehno.exe

Filesize
163KB

MD5
865c4b5301db69918344549b06eaeaaa

SHA1
9f23e810995142dba443fa0aa32b4eaebbcab0cc

SHA256
ed86e8ca3ad08fac47ced1b8ffc4fe03504712595feaaa720bc7564ea1d15665

SHA512
bf1e9a974e5351de8b727ac2963d6d6de4f8a2913f89dac7761300aa87f344bf0d50ae7a136c2424249ef8e2c11685d88c46d0430fba2bc940485c99d6fa0df5

Download Submit
C:\Windows\SysWOW64\Nomclbho.exe

Filesize
163KB

MD5
fea2c6957ede293eb4d7aa9ae78c5076

SHA1
c1a8e3789db08774507c2c25fb5fe3d44be5079d

SHA256
0c38d0da9d82e78a59e27e93a2619637fadb39d0d38c33287773c933f191c454

SHA512
6b612a34070d8e66574c7ebf7229495581a1d4059bcdd1d0aedc84b79a2f2675dbee8f3a66f008281ba35df846f57d9a5e84b49af3faaac7699e97c8f280877e

Download Submit
C:\Windows\SysWOW64\Opfebqpd.exe

Filesize
163KB

MD5
83b43074e81d636359db598cfe8948be

SHA1
2d808318f59e825c6f1ade684a8db0cc72e9117c

SHA256
7b4a977ffb38316e72d780d942d34b2a3c7cb574faf27c6363ff496470ae13f3

SHA512
b48b6dbd2e3b711319d9d88471ac26a9f2e4f7e5f19109ed181fb3247393b4436344a0f36ab149f940b7e843daa645c5926f1f2dc71a5a3ff1dcbce6aa4320df

Download Submit
C:\Windows\SysWOW64\Ppbeno32.exe

Filesize
163KB

MD5
b40dc16decc1a1eb3f3e4e5895529254

SHA1
b1b41b73df2ea3c1d939f68b99d710a0c9a7684a

SHA256
47c82c114f6db823279deda3b18fdeea710b6bce3611c19767c090806684b7b3

SHA512
bd3d412842f5da65e8d179397944e4300271ddb2433f24d6dd2bd30e6ccb35432f484b15740ce2001b1a3f447cf326610820fe6e3de8eb63142e590253e67a2d

Download Submit
memory/64-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/216-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-645-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/408-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/980-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1016-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1064-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-671-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-896-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1240-684-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1240-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-166-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-873-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-590-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1724-1032-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1724-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1796-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-955-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-665-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2180-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-619-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2444-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-632-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-548-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-620-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2920-118-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3004-284-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3064-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3252-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3756-655-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3756-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3856-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4036-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4124-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-677-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4200-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4384-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4396-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-126-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-142-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-626-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-613-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4632-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4652-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4704-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-658-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-949-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4868-1013-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4968-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5040-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-869-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-602-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5184-633-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5252-639-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5332-646-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5436-664-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5568-682-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads