berbew | dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe
Size

186KB
MD5

bf54d8c71f913b15ef2417acd9f2c738
SHA1

62676eea79c9526b6b6ef5c83494497eff89ae3b
SHA256

dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614
SHA512

f76c3750eaf771a26190ef7dec561b6568b5416877592cee4d147680fa208c57fd59971d26d6561b70e62954b44064a322d8349a014135e38a753e81898cfd6f
SSDEEP

3072:GyDc6vHdem5OqNFv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vGT:GyDz5O4F+Jk/4AcgHuvg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3964	Ldoaklml.exe
940	Lgmngglp.exe
5108	Likjcbkc.exe
2588	Lbdolh32.exe
2376	Lingibiq.exe
4912	Mdckfk32.exe
4056	Mbfkbhpa.exe
1496	Mmlpoqpg.exe
2248	Mpjlklok.exe
100	Megdccmb.exe
5036	Mlampmdo.exe
4444	Mckemg32.exe
3400	Miemjaci.exe
4528	Mgimcebb.exe
8	Mlefklpj.exe
112	Mdmnlj32.exe
4584	Menjdbgj.exe
4496	Mlhbal32.exe
4992	Npcoakfp.exe
3004	Nilcjp32.exe
1968	Npfkgjdn.exe
4060	Ndaggimg.exe
3308	Nebdoa32.exe
5084	Nphhmj32.exe
4760	Neeqea32.exe
3180	Npjebj32.exe
2332	Nfgmjqop.exe
2668	Nlaegk32.exe
3948	Nggjdc32.exe
1220	Olcbmj32.exe
4416	Odkjng32.exe
1224	Ogifjcdp.exe
3036	Olfobjbg.exe
2800	Odmgcgbi.exe
3412	Ofnckp32.exe
4776	Oneklm32.exe
544	Odocigqg.exe
1708	Ognpebpj.exe
208	Ojllan32.exe
1432	Olkhmi32.exe
3944	Ocdqjceo.exe
556	Ofcmfodb.exe
2108	Onjegled.exe
1972	Oqhacgdh.exe
2380	Ocgmpccl.exe
2912	Ofeilobp.exe
3404	Pnlaml32.exe
4048	Pqknig32.exe
2304	Pcijeb32.exe
1520	Pjcbbmif.exe
2492	Pdifoehl.exe
2116	Pggbkagp.exe
2920	Pjeoglgc.exe
5104	Pqpgdfnp.exe
2584	Pgioqq32.exe
4976	Pjhlml32.exe
2224	Pdmpje32.exe
4836	Pgllfp32.exe
3996	Pjjhbl32.exe
1900	Pqdqof32.exe
4748	Pcbmka32.exe
2608	Pjmehkqk.exe
4784	Qmkadgpo.exe
3164	Qceiaa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5720	5588	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3964	2292	dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe	83
PID 2292 wrote to memory of 3964	2292	dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe	83
PID 2292 wrote to memory of 3964	2292	dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe	83
PID 3964 wrote to memory of 940	3964	Ldoaklml.exe	84
PID 3964 wrote to memory of 940	3964	Ldoaklml.exe	84
PID 3964 wrote to memory of 940	3964	Ldoaklml.exe	84
PID 940 wrote to memory of 5108	940	Lgmngglp.exe	85
PID 940 wrote to memory of 5108	940	Lgmngglp.exe	85
PID 940 wrote to memory of 5108	940	Lgmngglp.exe	85
PID 5108 wrote to memory of 2588	5108	Likjcbkc.exe	86
PID 5108 wrote to memory of 2588	5108	Likjcbkc.exe	86
PID 5108 wrote to memory of 2588	5108	Likjcbkc.exe	86
PID 2588 wrote to memory of 2376	2588	Lbdolh32.exe	87
PID 2588 wrote to memory of 2376	2588	Lbdolh32.exe	87
PID 2588 wrote to memory of 2376	2588	Lbdolh32.exe	87
PID 2376 wrote to memory of 4912	2376	Lingibiq.exe	88
PID 2376 wrote to memory of 4912	2376	Lingibiq.exe	88
PID 2376 wrote to memory of 4912	2376	Lingibiq.exe	88
PID 4912 wrote to memory of 4056	4912	Mdckfk32.exe	90
PID 4912 wrote to memory of 4056	4912	Mdckfk32.exe	90
PID 4912 wrote to memory of 4056	4912	Mdckfk32.exe	90
PID 4056 wrote to memory of 1496	4056	Mbfkbhpa.exe	91
PID 4056 wrote to memory of 1496	4056	Mbfkbhpa.exe	91
PID 4056 wrote to memory of 1496	4056	Mbfkbhpa.exe	91
PID 1496 wrote to memory of 2248	1496	Mmlpoqpg.exe	92
PID 1496 wrote to memory of 2248	1496	Mmlpoqpg.exe	92
PID 1496 wrote to memory of 2248	1496	Mmlpoqpg.exe	92
PID 2248 wrote to memory of 100	2248	Mpjlklok.exe	93
PID 2248 wrote to memory of 100	2248	Mpjlklok.exe	93
PID 2248 wrote to memory of 100	2248	Mpjlklok.exe	93
PID 100 wrote to memory of 5036	100	Megdccmb.exe	95
PID 100 wrote to memory of 5036	100	Megdccmb.exe	95
PID 100 wrote to memory of 5036	100	Megdccmb.exe	95
PID 5036 wrote to memory of 4444	5036	Mlampmdo.exe	96
PID 5036 wrote to memory of 4444	5036	Mlampmdo.exe	96
PID 5036 wrote to memory of 4444	5036	Mlampmdo.exe	96
PID 4444 wrote to memory of 3400	4444	Mckemg32.exe	97
PID 4444 wrote to memory of 3400	4444	Mckemg32.exe	97
PID 4444 wrote to memory of 3400	4444	Mckemg32.exe	97
PID 3400 wrote to memory of 4528	3400	Miemjaci.exe	98
PID 3400 wrote to memory of 4528	3400	Miemjaci.exe	98
PID 3400 wrote to memory of 4528	3400	Miemjaci.exe	98
PID 4528 wrote to memory of 8	4528	Mgimcebb.exe	100
PID 4528 wrote to memory of 8	4528	Mgimcebb.exe	100
PID 4528 wrote to memory of 8	4528	Mgimcebb.exe	100
PID 8 wrote to memory of 112	8	Mlefklpj.exe	101
PID 8 wrote to memory of 112	8	Mlefklpj.exe	101
PID 8 wrote to memory of 112	8	Mlefklpj.exe	101
PID 112 wrote to memory of 4584	112	Mdmnlj32.exe	102
PID 112 wrote to memory of 4584	112	Mdmnlj32.exe	102
PID 112 wrote to memory of 4584	112	Mdmnlj32.exe	102
PID 4584 wrote to memory of 4496	4584	Menjdbgj.exe	103
PID 4584 wrote to memory of 4496	4584	Menjdbgj.exe	103
PID 4584 wrote to memory of 4496	4584	Menjdbgj.exe	103
PID 4496 wrote to memory of 4992	4496	Mlhbal32.exe	104
PID 4496 wrote to memory of 4992	4496	Mlhbal32.exe	104
PID 4496 wrote to memory of 4992	4496	Mlhbal32.exe	104
PID 4992 wrote to memory of 3004	4992	Npcoakfp.exe	105
PID 4992 wrote to memory of 3004	4992	Npcoakfp.exe	105
PID 4992 wrote to memory of 3004	4992	Npcoakfp.exe	105
PID 3004 wrote to memory of 1968	3004	Nilcjp32.exe	106
PID 3004 wrote to memory of 1968	3004	Nilcjp32.exe	106
PID 3004 wrote to memory of 1968	3004	Nilcjp32.exe	106
PID 1968 wrote to memory of 4060	1968	Npfkgjdn.exe	107

C:\Users\Admin\AppData\Local\Temp\dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe
"C:\Users\Admin\AppData\Local\Temp\dd961c941c36e4595d0792ceb6545ec0a83e202cbb39a96697ba4838c77f9614.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\Ldoaklml.exe
  C:\Windows\system32\Ldoaklml.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\SysWOW64\Lgmngglp.exe
    C:\Windows\system32\Lgmngglp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\Likjcbkc.exe
      C:\Windows\system32\Likjcbkc.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        37⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        44⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        60⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        75⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        77⤵
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        78⤵
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        80⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        86⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        87⤵
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4076
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        93⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        100⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        108⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        118⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 396
        124⤵
        Program crash
        
        PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5588 -ip 5588
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
186KB

MD5
bff5b067b0d83e6b11bda44110fcc25c

SHA1
11cb4a4871cbcbe85a4c5aaab8762c869d61f479

SHA256
b89c2225408472f95f84c24dc7a45ff33f1b1aa798a9908662f1f76d550dd034

SHA512
99664dba79bdf505c9870b50c27c2da3a43d79e3312807736fa05415212cca11efeac0fa55991b53502f66ef2f47d71e2b749e4458c42f2746a133675ac1f134

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
186KB

MD5
2a3e8c6094218a66c8e90e8c5faa605c

SHA1
78fbf05255380f7434be3fd0c0dc752466662aef

SHA256
e913869db7e59a34aabdbe615f02d67339b5f7f6ae8a0cac07fe5563782a4452

SHA512
38f71c27b14c1ee1ed5227036a8351d39d75182cafd61bdd1922d5acf4881f67236cf7802eb99b308353ce17811d4587ed963307690c76ad61c0a69a6918030d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
186KB

MD5
1f9f11a98d128e10b14e142fa0e0bea8

SHA1
713dc0aa433e0df532c35e5c0254ed1e0368e515

SHA256
3a1ca5b881dc7581c048101771374c2c641224eef9f7da6e7a770baf65a3042e

SHA512
f06dcf7a76d3065c5e027fa761689c27492bef98959e4005f627dd3708de8c5428b72081e146ab9037b13d46d796f10f5da06474d422532299ce005267d03eb6

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
186KB

MD5
f52a661421d44579a6612dd76ba47918

SHA1
3abe84ce53f0987d4b8d137a6312095ea8cc2d3f

SHA256
5f568449477647ca554c122f1f4fcc086658c8a9407e3d190307b459c6b75074

SHA512
1be2b36a899d81b3500156bfd4c911ec5cd9981612de771c90ba3d61c21608756d11d9ce568ff96cb949ed1ad19db8d55255e1d9289319980b9930e27c9b2623

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
186KB

MD5
ea5e4e2db835e6f05acac987fb918622

SHA1
74a35d6ef94b6fcc9cd7a25f0f74214731d4e1de

SHA256
e96ffdc96c71913a85bc31adb0e7cee03477049c1abb9662aa1f9a8b77c6a022

SHA512
196c20687771430162d22f7d610a07b60dc43da0e14d8b746182d3c74af6a905529d1b59bf121137de5e858a44ee2bc58245efd6c14e95aa019c0d7e3bc3dd56

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
186KB

MD5
3421cc4904d187ce4cc5ea78ff6dc9bb

SHA1
fef5c1c5d5fc5010f94105cd4216167a6857b093

SHA256
da852b5651931d0fba8b30c2337731894cb007634124ac97aed01f6a496c518e

SHA512
9038abc69b7e7e6414df2b8c0e542ddab98507dc2a8d75d325738140c87bccc8ebd52ae149ee6030e1b5032f442ecf6b8fc6395ad349de96c7ba663d4575c288

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
186KB

MD5
3a554631ea95a2c61a0488413b5443be

SHA1
5dd758fd7c7f8c50de21e747e40c8adf12e00144

SHA256
cb6912d8b2f64168a98fdc0198e2d9ff9810aaf5fbf934ab7a12a4efba378c94

SHA512
55a17812089b4f10fe0fdc022402d3a4397700dab9c06a28efceee5f0c2a299769b68dd26453518fa95e5e072bbf580f8d27a938f0a9dde6345f27df0cf8ed66

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
186KB

MD5
336d910ab8e17c9f7538a077e8822161

SHA1
b7eafb511a5edcfdd50ae61b47f0ca9e17d96b72

SHA256
b6cef05f5fb310fef6523b01717d539c9813588d01431c4266cb638d346a3e39

SHA512
a17a81339c487b48b3e76d23c542f7c3f59710c16b8a64a26852772708677a3540c600b23c18320bfd91f1fafd80bd7c3eb3dac8012f3d5f62e4bdda3d40a4ce

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
186KB

MD5
7571541b52e9eaa8f477dcca2e34cdbe

SHA1
945b9702c37ad7ba2047e8fe0d0c2f9704daa80b

SHA256
06bd3606084676576c2d1aedb592f1dfc3efd8f1bccf16908f07a613b6d3a221

SHA512
17d549e37b4a624092fe30fc64c9136cd5d4ffa3b9ee602f776b9c04c02d52423f3b3538f3a4c226f0b0c3f16d911f5dbda4085ab07b967168b4f9e25f11f434

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
186KB

MD5
e662122a20265f438e371306cf8c90ed

SHA1
49b1b897c2dc38b7c5ac0573089ba48465b2f39d

SHA256
82fae65cd2ad6f8d39168231a8521e817b25fcc3c98a36eebc65a7a8d2dc2f42

SHA512
209b6e44e4e93a1f7047bdd9b5e8c867f5d5490c0c5d4df4d7cbb45049e38231bd75c9164b46029496154b54717ba1383130abe1af2a29f7f1b43885a6d9e7e6

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
186KB

MD5
3fbb1fb452b152de80d4a7b7f7ce4868

SHA1
eabf2626a0c863b7acbdc0d3c3eede0a62beed30

SHA256
8a761cdc68ce9ce15ce8264c7a7023f55841820318f1deddbf9f4cbaecfcd7dc

SHA512
9f65d8afbfc3e744570ae77af299c8cfacbf910be796a85ecff31c2efd024b0d0ce6986b11f0105bfea076b8cf01fef55852b2196bf648fd0617dd0ce92a1251

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
186KB

MD5
af64761165591a19ec00acdbdc608c72

SHA1
c3bfcac83e4232cf473acb694aabc3062d9e7379

SHA256
d95818645d4ba996a4fdc3def112ae2e16520167cc4f08745795ff3e42bb7f7c

SHA512
ba64a4ffc9ade07f80251254299bee6a934afc11670ce59e15dd2577f89669decc1679eeef717222d61d9c8fe70a99bc705ccf80d19615ccef7b9d6ea5429082

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
186KB

MD5
a31994c8a08a1f94d4059d69de5d850f

SHA1
abb22753d6be27ce6eb1bb2035d9cd41086df6d6

SHA256
b5ff563132f6c286c0c8852ab23896e03c8abb0cb7fdd1d1aad3b9920c67b4a9

SHA512
117bcce45f4cf247e98c7a224239d96d721ffe4241ceb24ff5d91bbde75f83ba681c45008553fd8af476c87bc0fa7c14c1eb38ebbc750937e2456aaec2cd5b16

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
186KB

MD5
432a699cc070504b0ff96a9d488fb46b

SHA1
00fb9d682d9a89fe1dbc118a29d692a09ffc0bbe

SHA256
39dbafefd949f7760ee773901513b4eac84aa44cf58d84c0a14e53c6041b3557

SHA512
838196db6c3f69a574ab2d87fd2514550c75de32873d9d728b655e8327e2f8af43b71323f19e17a54ba8c63648023f4acea4b1a45c0a8aa70d605d4bc89fd6da

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
186KB

MD5
22ead3dab4b610fe6c1102d9a849a9b3

SHA1
b1b7c87d5235524885a599fa38d1808a447e5a2a

SHA256
9f9529896d82b9cfd7be365d76349642811ba84c233b178ae72b7b720b7f1500

SHA512
f44ff06b9f035034670453fbdb60dd0cb3529c61f691cf80317853aa413c9f94ac233018b5fe155530c7a2633a7e57f61c9d2d5efe98f60724e964c57514fa00

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
186KB

MD5
9f8d444a5a26a0160bdbf61b2e9c3dec

SHA1
6f1b6c9709d1625c79038c80396ec7cf866b3fb4

SHA256
dd315da329793d8a2e6032e01ececdc497897bbd9166000369a60e36e881675a

SHA512
5e0ede958b39d91b2b637c3203a296858ae7a662389de8ce65003d969c63678bc6704ea248540863736b31499c7715ce03f6da1f4c3b938b87e50927c3c24012

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
186KB

MD5
45ed36a11c0a89dbbaae6e1078a7d958

SHA1
26f621578d5773b2a9296df38432d5ee524d16e7

SHA256
991222d06fe39ec8f5264fb8c3805ba444c841054c14a94a347e62349f97cacf

SHA512
e2592d67f20b6a91e81e74da0d6e5a774530eb6ef598a695558efc32df08bb9845e43f56aefe7f05aa88e31333b93882f714535a4e3aa831d6f08bd3e39c094b

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
186KB

MD5
c5755610f5fcfbc8513b9c5406262388

SHA1
b92a0f268ccabdb15eccf88cf85b57910da036f9

SHA256
934f32c6ec8787895b9e43eeaedcfc7e38ae90d6f0ab1315b98b10f740f75092

SHA512
52f9ff64d78e33015ff9ba2157df4ae6306d656c42254eaaa3e9966740c0507f0224b5286111cc515f33198a18b141d66893c8a0482b6c4b87ce38bf33ec2b3f

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
186KB

MD5
8a0549a31f5b21feb3c2c951ddf6bc40

SHA1
478e6500f73089fbf847ef7948502db5e9e2a1bb

SHA256
9d874920106793b9b73d254fd7ee2c5dccef2b7dedf8c17f91c39f6a671154e2

SHA512
b5266b20c58afddff05c1c7360c668d92509eb13f767d8b598b28f8bf672eefb0244692eee6625b78c87ec61267b4156bb7fdce3c441462cd056e104287330d6

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
186KB

MD5
28df68f5dccae8d722b0c756a8102b2c

SHA1
4b47974a3565bf615cd1cd938c5f0c468d2a753e

SHA256
91b3011308cd44d5282fb7a4651511072e6082f5835353e2aaa5148a6b691e3a

SHA512
56f803b249cc275c80d1b1b5ee79826f289598e8933bca7a550c046c072c8f2a4d1c2ba76a1a1e39015aff4adda1a44d1e37f5219ae6245ebfd1994deaefc2e9

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
186KB

MD5
91d45c391d35a05659991cf2e8d2778a

SHA1
b3f194cb60b4b9b350650a09db8cb009fdc1b067

SHA256
dd91227da91cf29be260e4a19ee4e33be88b00fa139ed24dbd4e0ac82322d3ce

SHA512
55499f1f2e05b702905e4a096557515de7881d7289d62bdbf4d0fd7201d9c0b8d6dec2c2dcfa7fa7be33313a3d7245686773a186933381a49892324eef070769

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
186KB

MD5
71116becf763f2d1c0c37de9805afd89

SHA1
d7c8fe2736af46a2a53b0bb8b5e5c797f9d7f418

SHA256
8abb908fe4898355053a13fe73286358fb43b979ded57174a94ff4b5db064fa2

SHA512
f6251c92802eeaea548ba2deec4e40132b976cade69250e91ea9de3eb440c8044f8235ff2f9ad89394d24fab746c410b6274782ca47cd5b51ec66a472d88ca5e

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
186KB

MD5
f335da3a1afd1c31500de9b8c5d42aa7

SHA1
f40f6ef35dcc84a6a9f5f02cebbee85e56052251

SHA256
4a3ce5332d3d9625aa8b09b530af845c4771104b92aa58941dc9f394e1631e75

SHA512
29ad1ca7f54370f81cc4249b6908ec3e22b8e09b9859795072bb7641a6f01c47773f5d02dd70f3e4edda2f551ecca38b929cdf64ed7668c00e91131e8de67542

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
186KB

MD5
7f105cbf40dd1f3976f649ba88f944f8

SHA1
efdb6eac09320ce1c8ddb03c3e21853943e6cfbc

SHA256
852cb9475071cb5c2478455b8bd0314164bec3bb80b4351d5c3fa1de83a05d77

SHA512
660c44f7a559bb79bcb6c8978fbdd9b20b08bd6778f52abee89d49c455b4d5bf7c7bb17810f397126b755dcbc674de924c3fd93f173ac00a01e07e051c4f3ebb

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
186KB

MD5
a65d5e4ff9a675417c721138a23ff2d2

SHA1
b367db667afbc38a56dc5606175cc5b19ede777c

SHA256
632c5c7521c0d4eeb85229ec76f1a9afa1a80fc6d2ee585f8022ee0da7c84961

SHA512
b140f457bcec6f63a9d749b6f5bb67a89c2ba6cb336551fb52dd182cc6d2e968020c1dc6076b1d61206e659a3dad4bc656594bc6c6723db283065a2716c95830

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
186KB

MD5
0d53945ff41f3dc51199f5cd9ce9b9a9

SHA1
00071d154ddade1349548a0715dafad74fd4a992

SHA256
f84c4528c79b0ebd2c900473a9f1c0dcf4487ae87e9bdfbb4082eafdd2f0db58

SHA512
c12b521708b4f426aa48d21de56b5cc8ab5733ccf70068894a496800bd2cd45b4cb7954330d990def2307963644cd3996944789c7d16989cac240f6eaaa260dd

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
186KB

MD5
a0a9a0fd3505b6c71818f56e23c6b70d

SHA1
51c46e1828512def07191dd97159e9d6cc4e19c7

SHA256
43629cf955f979c6a01b528b79e58a89c6a034996d3028071d6606e24e0f467e

SHA512
653abcab5dfb7cd8442a42fd482bb32644d1e983df8b67752b93db32554d30a93715f90a2fdbf8a2c2cc85568f6340d165dcc251e507b4f91a4080217d955c5d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
186KB

MD5
aa844b18f055e5253702f5788abd72e7

SHA1
5fec9af9f051ddc409577dc0d584eab6477818b6

SHA256
645c8a63e4e844ab1297089fe499500ffbe06b6129989b111dd56caf443500b8

SHA512
49f7510477ea28d38b4f9e1fe55dbaad5c4c59f31f8356cccdab9a99cd80f01bd73668f7c8ff99c3a6e832bc77a489c4da2d05fefd1c60906ca4d95ea0b51c3a

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
186KB

MD5
b74556518fca0ddd28160e6c5e9d7021

SHA1
77941d6a2e831f2e5150ade3a3e892a0983fc830

SHA256
87783e7d036173691f494f1acc3922a97a8fe2fbc73d4b8d7454aa0a80704dcb

SHA512
9120e75d7dd0f6a0d7c579f8a9e4bc78b34b24e2d4a6e13e6260e698bf1d8d9d8f28ad3a967cc2365b7fbcc24fb9fdd49c6006ef3a6a66cfc3f73bc1bbafa98c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
186KB

MD5
d1d07bba3459b3545c15efa40d5771e4

SHA1
db3a08503037500d6a1e405bf0a5b3ab7a394db3

SHA256
09c27b91825addff5c962c04c85a62b1c56b05e2dc74182bcb164170842f972d

SHA512
722ed1562667c9287a52aa8df39d705fbde628de0069884a9a237e648e40b884f66e64861274c65098eb47b9cfa715b02768179880d211ca5b5f67072d82b201

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
186KB

MD5
cf3fb152bf0b92ffe8d415c288beb5ef

SHA1
27d92f271e9084bd69f8807ea5d6a37042c9ef62

SHA256
d9ed58b6182b108ba924956facf534bfcdac56de7a24250532a50a9861e98e9d

SHA512
ebdb5fab30b5aaee5706f98bca4ce4b19a326cc0df67a16a96094cf9cefc01165d01b0a0d7c9cd869fd738d14fe7453d17d1c65d711877dc7d55821783aaad2e

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
186KB

MD5
73d54d0f7dc8fe2df8e8774e4e279cd2

SHA1
652e7c163c2b576ea59a522e03ffc1df5f741edc

SHA256
c5ff27976d3ada4d406a8e440d463c2a9bbe4aa7f8a5669a8bc3ed73d6f4955c

SHA512
91491eaf5d3538130f9ec3cbecf5c12cfc46178583db8e59ec32f9e108f95055226477eda997e870fe6ae6fe51c2754eb5d11a19eafd31c5aec8757e65e9eb56

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
186KB

MD5
c36b2552040a88795cd2ed6ff42fb99d

SHA1
8f08bd51bbcf9f9227d53c19250dda8305d62a5c

SHA256
7733072a50d1a4c73d8599f35cf64423b69fe120fab270e5ce75570c144f1cbb

SHA512
42f2e7fb66b4dd0c0f1440c43e3ad82e2c60dd6a5f3d8159d1165eee2c82c22315ad877c8fde61da806aa56813d39ea8a177fee476aabb1c3ff36c7675abe087

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
186KB

MD5
03475a14b8ef744acb8c4bdac79c8e89

SHA1
7ca132589d87a02ffbf241ccc0a4faf3f1319bd3

SHA256
a26a773dfba8fb414a98bfa05c9e70ffc5c1369da41b23c693f0ca8d62155ddd

SHA512
c632b63febe09f11a3d9fd2148cdc3bd7a0001a81ae39390ba6c893d677fcaee127a8db129f8025fb7cf58484c13a0bd4b9d189d20d2bb30688ae567d0c64e99

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
186KB

MD5
3bbd725ed69d13766902ebf98dc915b3

SHA1
51083bb127a8dfb1f14b7265d69195b4a609f9ad

SHA256
e5afdea1a3125d0a920eb5283d0a130940933f1bb48a532f23565d0da47dbcec

SHA512
ee9c2d0166ad3f2b8000e2d6522c865a780d05911c1bfd4a1516a48965d53d8a7227ca6a9ea6aa5772e22699fce0341fb86ea98f669d134330965d713a98a717

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
186KB

MD5
b5d0c0b9f3796326ccee1fc750c3d9a6

SHA1
63ce3558e1ad5977106887eb0eb23de741be2779

SHA256
ff14444ed39c95bec458a1dd25b1ca027e02d2c15e55b166410d45e03613e746

SHA512
f7581135ad2c9ca1e1f43462ba6e8c2ee65f9bcc42e95999fff4ebb213bf92b735f1dff005dd0456c7874271bd4bca6af99f57c6b0756fda772dd4a6cdc232cb

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
186KB

MD5
b18b29a5a186325b7d1dce5fe676b09f

SHA1
cb42db1099f21ce1f89a0346434ce14686cc6c88

SHA256
db51b3bb6834d712ac8cee0c73248bfa81ba935e436e56afe8de1c266d545dfd

SHA512
4e6918984279cee5116caea0ab18fa6957c21ffc87a61d102c7f44e7a918751e3ab397fe9e71c14351856d14fd1394fa530995d3e507c6e8c075507c7c58307e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
186KB

MD5
d231999848703db8fdaa68d7434117fb

SHA1
ef4a80d3983815befbddeb7561d3d4fd7b16702f

SHA256
b764973ccb0a02454ee9224289306f7e06b6b7e630c02bdf441d6ef6fefcfb8f

SHA512
e07bcb6ce044dd7789e78360f4fcc809e28ca4858991e17673fc7aeed002c245b0c1c5c042ac949a92401975e6737803a92d99d321e5768edf4b902833c9c8a6

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
186KB

MD5
607c467419f6c836669a9aeb4f89fcb0

SHA1
69c35c510687e86577c87110c2ae35c2faaadf66

SHA256
956c9ebc4fbdd279b4db971282d6e6301c1cbc4259ff1baa9f69a921a23182fc

SHA512
f908a0fb264a5f38636167bf0a67228c0611be806615778bda25c3c8035cb30b14d7494111adae63077ab8750bc54da5c01de29f7d6414b08841e60d6982c499

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
186KB

MD5
66cae6524131f09d4b6de02790a42efc

SHA1
57ef2a8310c9b51481c6372619b0369c56bb553c

SHA256
ca1e3bd9223c57f112d39efeba40804b1079bde46c228be12051980d082301a3

SHA512
106fe57007ec062ff04955bc78b2930a598cf94b2933d678da209266f567be2dc947700122212f2d30f72ce2c98924d118f349b1d5da8f958ee4e73403383d61

Download Submit
memory/8-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2292-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5952-860-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads