berbew | fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe
Size

62KB
MD5

78c15d94ada4dbbafbf08e965599a7c0
SHA1

86fc7f148859411a0dd973d4818cc348c3c244bc
SHA256

fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6
SHA512

abd7c6ab1bc4488135827fd08db0da74cb079d867aa9664ee556b40e434be83044ece29fd42a5c264230958867977d3b5b49663a8ff389456ce7eaa81ae5eabe
SSDEEP

768:sT1suLok2UGn0NNzlD1AZIlZ21paVhQPA6YwJP/1H5daQXdnhxENcJEl5y6O:smuLGBABTAespWsA6bLyive8CyV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3584	Kmdqgd32.exe
1536	Kbaipkbi.exe
4804	Kmfmmcbo.exe
2224	Kdqejn32.exe
2096	Kfoafi32.exe
3088	Klljnp32.exe
2692	Kfankifm.exe
2256	Kipkhdeq.exe
4336	Kpjcdn32.exe
516	Kbhoqj32.exe
1872	Kplpjn32.exe
2360	Leihbeib.exe
1756	Lpnlpnih.exe
2552	Ligqhc32.exe
3528	Lboeaifi.exe
2028	Lenamdem.exe
3444	Lbabgh32.exe
736	Lljfpnjg.exe
1332	Lbdolh32.exe
2064	Lllcen32.exe
3952	Mgagbf32.exe
4552	Mlopkm32.exe
3848	Mgddhf32.exe
4540	Mlampmdo.exe
1104	Mckemg32.exe
4520	Meiaib32.exe
3368	Mdjagjco.exe
2172	Melnob32.exe
3384	Menjdbgj.exe
2884	Npcoakfp.exe
3688	Nepgjaeg.exe
2956	Ncdgcf32.exe
3792	Ngpccdlj.exe
1156	Ngbpidjh.exe
2644	Npjebj32.exe
3880	Njciko32.exe
4648	Ndhmhh32.exe
4452	Nggjdc32.exe
2508	Odkjng32.exe
1100	Ojgbfocc.exe
4240	Ocpgod32.exe
1060	Ojjolnaq.exe
2216	Opdghh32.exe
3908	Ojllan32.exe
1796	Ocdqjceo.exe
4100	Onjegled.exe
4048	Ogbipa32.exe
3936	Ojaelm32.exe
1848	Pcijeb32.exe
3484	Pnonbk32.exe
3840	Pclgkb32.exe
3988	Pfjcgn32.exe
696	Pqpgdfnp.exe
1956	Pflplnlg.exe
5036	Pjhlml32.exe
4796	Pqbdjfln.exe
1616	Pnfdcjkg.exe
1248	Pfaigm32.exe
4704	Qnhahj32.exe
688	Qqfmde32.exe
4776	Qnjnnj32.exe
4268	Qddfkd32.exe
4204	Ajanck32.exe
916	Ampkof32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Ligqhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kmdqgd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5860	5600	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3584	2304	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe	83
PID 2304 wrote to memory of 3584	2304	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe	83
PID 2304 wrote to memory of 3584	2304	fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe	83
PID 3584 wrote to memory of 1536	3584	Kmdqgd32.exe	84
PID 3584 wrote to memory of 1536	3584	Kmdqgd32.exe	84
PID 3584 wrote to memory of 1536	3584	Kmdqgd32.exe	84
PID 1536 wrote to memory of 4804	1536	Kbaipkbi.exe	85
PID 1536 wrote to memory of 4804	1536	Kbaipkbi.exe	85
PID 1536 wrote to memory of 4804	1536	Kbaipkbi.exe	85
PID 4804 wrote to memory of 2224	4804	Kmfmmcbo.exe	86
PID 4804 wrote to memory of 2224	4804	Kmfmmcbo.exe	86
PID 4804 wrote to memory of 2224	4804	Kmfmmcbo.exe	86
PID 2224 wrote to memory of 2096	2224	Kdqejn32.exe	87
PID 2224 wrote to memory of 2096	2224	Kdqejn32.exe	87
PID 2224 wrote to memory of 2096	2224	Kdqejn32.exe	87
PID 2096 wrote to memory of 3088	2096	Kfoafi32.exe	89
PID 2096 wrote to memory of 3088	2096	Kfoafi32.exe	89
PID 2096 wrote to memory of 3088	2096	Kfoafi32.exe	89
PID 3088 wrote to memory of 2692	3088	Klljnp32.exe	90
PID 3088 wrote to memory of 2692	3088	Klljnp32.exe	90
PID 3088 wrote to memory of 2692	3088	Klljnp32.exe	90
PID 2692 wrote to memory of 2256	2692	Kfankifm.exe	91
PID 2692 wrote to memory of 2256	2692	Kfankifm.exe	91
PID 2692 wrote to memory of 2256	2692	Kfankifm.exe	91
PID 2256 wrote to memory of 4336	2256	Kipkhdeq.exe	92
PID 2256 wrote to memory of 4336	2256	Kipkhdeq.exe	92
PID 2256 wrote to memory of 4336	2256	Kipkhdeq.exe	92
PID 4336 wrote to memory of 516	4336	Kpjcdn32.exe	93
PID 4336 wrote to memory of 516	4336	Kpjcdn32.exe	93
PID 4336 wrote to memory of 516	4336	Kpjcdn32.exe	93
PID 516 wrote to memory of 1872	516	Kbhoqj32.exe	94
PID 516 wrote to memory of 1872	516	Kbhoqj32.exe	94
PID 516 wrote to memory of 1872	516	Kbhoqj32.exe	94
PID 1872 wrote to memory of 2360	1872	Kplpjn32.exe	96
PID 1872 wrote to memory of 2360	1872	Kplpjn32.exe	96
PID 1872 wrote to memory of 2360	1872	Kplpjn32.exe	96
PID 2360 wrote to memory of 1756	2360	Leihbeib.exe	97
PID 2360 wrote to memory of 1756	2360	Leihbeib.exe	97
PID 2360 wrote to memory of 1756	2360	Leihbeib.exe	97
PID 1756 wrote to memory of 2552	1756	Lpnlpnih.exe	98
PID 1756 wrote to memory of 2552	1756	Lpnlpnih.exe	98
PID 1756 wrote to memory of 2552	1756	Lpnlpnih.exe	98
PID 2552 wrote to memory of 3528	2552	Ligqhc32.exe	99
PID 2552 wrote to memory of 3528	2552	Ligqhc32.exe	99
PID 2552 wrote to memory of 3528	2552	Ligqhc32.exe	99
PID 3528 wrote to memory of 2028	3528	Lboeaifi.exe	101
PID 3528 wrote to memory of 2028	3528	Lboeaifi.exe	101
PID 3528 wrote to memory of 2028	3528	Lboeaifi.exe	101
PID 2028 wrote to memory of 3444	2028	Lenamdem.exe	102
PID 2028 wrote to memory of 3444	2028	Lenamdem.exe	102
PID 2028 wrote to memory of 3444	2028	Lenamdem.exe	102
PID 3444 wrote to memory of 736	3444	Lbabgh32.exe	103
PID 3444 wrote to memory of 736	3444	Lbabgh32.exe	103
PID 3444 wrote to memory of 736	3444	Lbabgh32.exe	103
PID 736 wrote to memory of 1332	736	Lljfpnjg.exe	104
PID 736 wrote to memory of 1332	736	Lljfpnjg.exe	104
PID 736 wrote to memory of 1332	736	Lljfpnjg.exe	104
PID 1332 wrote to memory of 2064	1332	Lbdolh32.exe	105
PID 1332 wrote to memory of 2064	1332	Lbdolh32.exe	105
PID 1332 wrote to memory of 2064	1332	Lbdolh32.exe	105
PID 2064 wrote to memory of 3952	2064	Lllcen32.exe	106
PID 2064 wrote to memory of 3952	2064	Lllcen32.exe	106
PID 2064 wrote to memory of 3952	2064	Lllcen32.exe	106
PID 3952 wrote to memory of 4552	3952	Mgagbf32.exe	107

C:\Users\Admin\AppData\Local\Temp\fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe
"C:\Users\Admin\AppData\Local\Temp\fefe16d97a24d65437436d87e1df790bba1d0f89b5bcaaf13a028fe143d8e6e6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\Kmdqgd32.exe
  C:\Windows\system32\Kmdqgd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\Kbaipkbi.exe
    C:\Windows\system32\Kbaipkbi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\Kmfmmcbo.exe
      C:\Windows\system32\Kmfmmcbo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        23⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        31⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        44⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        48⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        58⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2772
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3500
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        90⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        91⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        100⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        112⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 396
        116⤵
        Program crash
        
        PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5600 -ip 5600
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
62KB

MD5
9eb4181d43524a5348366ffd58e940b9

SHA1
65466a2c0cfd8a80c9eaaa5bbfb557676fd82af1

SHA256
f3d61f83d64f944541a6d3969d1ee4aa3397be678e92d81d71d8c92ba9b533b4

SHA512
e54db0260e2106651116248a05bcac69fdd8067175baaa2c1e4faf22ce0ea25c8ef890c0f972396d8c1f0fac426be335de679bd6c092f83234aa89e5f9feb243

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
62KB

MD5
c58a9a3af7724018b5c030421e8448a7

SHA1
e69f4c63df1e5613f54aef201c7990ae0ed29ab1

SHA256
50e2e5545fdd813acb409dbab1af7018146cce4960b49dfa1436d709eec1c740

SHA512
0483c285dfd36c5fb0a641b783bd9a882958255234a7661ae730404bfa7ec7d9068169a4559778c2675823df46199bd238d92efe9849affe279c8c22361e3630

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
62KB

MD5
e0cc07a0f699c17d74740772289b3bec

SHA1
5f64470485c39dd9ef252378d1d3ad3c5159f7e4

SHA256
24bf3995aba8d44ba016f9fe638f57d1f21f2c4eb24bced0606409c42aea76ed

SHA512
bc77280263dc52a9dd248755eabcabb451b5166cd193b0ec8f0303d9f4ef7478e1249e4bbbf3dff14f57bebf3d4860027a9d23e4d4a4655f51335cc3251ee67e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
62KB

MD5
bd12aad1f620b994e5a76d0376feb6f9

SHA1
8db1df5e571e80a0b781460d89f556a0da1fc5ec

SHA256
6cc0226b18dc86b15a49485cf6a67ce2d018874e040ded921d8d85a63cdd257a

SHA512
768ffa735d688427b681a1c2cf3b0a2852282e07189a58338a4460648d84ea6e5cadc66d575fd70f26644d1699c83ccce1e3bf282e0ff9f282a1cc3804e116ae

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
62KB

MD5
94f61db18bf22857310206c990fcaedd

SHA1
43d09072658d14c1ef1f081e518fb48486759449

SHA256
d57fe15a7c42b89c6f0016087ec2f285fedd118fa5536d9044f025f23283133a

SHA512
a6d98f0b6b7ef4f9620205977195dbd8504f3c3f514d59fbd0deef040668331aceb4e1aa732df6d82a6527baec3fa376f1b5c4bdbf6516427054d5d3c726d6a6

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
62KB

MD5
ad1a5807dcd5f33254d4b66251db7de1

SHA1
752caeaf2b16a6c08f0e878db35235caabf87715

SHA256
ac3ea8774ed666b2aadc6ac89a48efd91248a3997fc67377852e09c991070cef

SHA512
7a4035eb5937bfd6bba8afc74e21cd6f710e467914460e58402ace6b3dc5f8ccbcdacb6a5423508a95fe20e46e24e6d555d39dd0e34421ffd05413b389ad58b6

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
62KB

MD5
42919d678431aa721b03a9ff7d405392

SHA1
175927341437e06fd0823530722c6c4a8b52be3b

SHA256
be9cd0aa6457a614f382d0a7e52fb577c2f8b38fc6cc045ad7877a4d94fa1f2a

SHA512
1595b81951ccb5e5cafa805947cb5e429cdd1e498ef20b4f314c40e419b952322f2bd302154449f2607e532c854ffb1f0b5525b234764bdf1a9c030559637a58

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
62KB

MD5
3f3dfd48fb9c666b012e5f122829331c

SHA1
98c1dbd720e6e15a9899f9ad54cb43be565d7a37

SHA256
d379b9ee0e5c6886ab6edac45d19bfb0fa225e82255491decb876dbb30caca3d

SHA512
643d999b42f39c526445814fb93cc421dede2c31a304c8f985c3e551efb560171dc484629f531779bcfb699745b6c12512a43c283ddc48c36767818f85f4677b

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
62KB

MD5
cba7404180c39b035869311df6f405ac

SHA1
d4c4a4e7ee6d448321514390d0d0598f2cab3081

SHA256
67187ac29d7308072ae63a764396f43d4b2fdaf4104b1066931ecbf2e37b0a22

SHA512
07723dd1a8323ffaef4455a6df741f64181f6748980ba7b85205d0dbca55c19f1eead436be7017d3c69a1ea3310797a65095f6d08a7ca40bc979f6b4089b14e2

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
62KB

MD5
24ebbd50b19b8d7e9b92934d8e6bace4

SHA1
42d2930b396a3d059d13369911f2a5510236562f

SHA256
bedeadd145f10828fe3ce023a540dc862b080564ba3fcf741eaa99d72f454644

SHA512
415ea0cd5ca921d8635902f283ba7aad86724431c1d0f2d63da810f9bf0ad666a02b62880875175bd411014e87ded450029a2b30f8fab64b20dfaf85c4f2b828

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
62KB

MD5
1eb7c5fbbecb53574776be8b623d7794

SHA1
7b68e9886efa57e3df5aee8903be2b3c51c51577

SHA256
8ca675239841002692d8ee370e85c761c2f99fb5392bf9ee437fae2112437b59

SHA512
455bb0a4b261024ee612b27680e27f08ce63b2fdb7704843c046a0a6db33b03f2d5d521ec9425f2f40515f6e6c187a7d7e623f05408c195eb0e57fe612a50774

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
62KB

MD5
74ea20e0249fa06a9a2408ac43a062ec

SHA1
34f4c36c2eb234a4f4c89f02c8725c1a55db1b9b

SHA256
d9eac3c21260c261acddd6f24465ff812c8f4826ea70889833ddf5f5e55c9638

SHA512
24f08089432f7dc622d9744cf8a49249d89e41c5ef1f8e63b1e44e4eac3e98a0733738448994544c0541bb329f1078ad36b38888aabf7698b43c724045199b97

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
62KB

MD5
2e00d1d8ae5e07e1299d27081d31298e

SHA1
fb3afe9489700322948176ba6110728b3130bd12

SHA256
ec97cbb54a803dc6fdf231262430784737a857a4949a60d5c8d176f76d5f9098

SHA512
0cfc154fd5929a89cf3e237255dec89fad7d8670f130230f4472bfc366c9bd4749cfb063d888d8a74c724e0bc929d11ef973a35422b356d43ab881581f9ef504

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
62KB

MD5
c072658654927166e52649397ade719f

SHA1
453d355804b80757994a241d99460aabfb0fa8f9

SHA256
52f46acd2ca058aab0781ed4dff4e34a5afa35db82b4bc5762975250e5279dff

SHA512
d56e968ed012bde179db0e345830f9aa5a4c7ba71776cee29376fe77ef0e4e452b8e2faa4c4178136df63cb9783daa2a03812d995c358ea3da87ee45c9ea6194

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
62KB

MD5
c970c22919df2de41e1b10cd47dc4b71

SHA1
0ee6bb5a5cd0acb97d54c5748ea311a8ab9ae87e

SHA256
29d88f55db2da34f25ba6ff38e1637497e3813fc20fded6e6d10160a60fa6b98

SHA512
d5f90aaabd1eaa16f70d0f94207a5eb1eea25275cd530f44878799dfca0ff0a371ad67d1854cff5e051bfc28edcc1fa14f37beef9da26d38389b6618079be6c4

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
62KB

MD5
19363503b50383ba6b49012d8750b0d5

SHA1
f4d40c8dd177440b2ab4bbbbaaa208634f231859

SHA256
6020faa386b0cc7af983e79fa483b65996aa495d709632f1236001a1914367c9

SHA512
f677a0db65cea95505e6caf1d6f898090786ab4e37b47e6368e034c4fc8d66b57aac9c10241681c6b41198839c89d194c8cdf0e2d58595369d1ef3c2040beee5

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
62KB

MD5
332181f99bffafd69533f930ac3a7edd

SHA1
2c903a5bb65def047ddd3678586bce8378bfab2e

SHA256
6570e5769efb59d103fffae496a0dac4e9a1225de86494b40eae182b21c8097c

SHA512
cad8fdb7865589cc090f58e9f57998b0efa3bfa80b3eca28ee6771d0ffb6d52e3fcf0fed83393a025b13b966e5c52ba9c9381c7f54488c9fb2a9a49609e3e8ae

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
62KB

MD5
f89bdca900f67b0ad01fcd06ae6f3235

SHA1
08f4b62ef2e5cb4ba3a1b637c625a1f8dca58cf0

SHA256
e3a53217e7a3acc245369774a5260d9f0ea44bf2ba02246c4b0a5fd48c84bd49

SHA512
13fb58cab222eed31de5e3c61c7be8b9839f9a97ce31ca280880cd362a3b93060a3a95b09edec1cd3dbe5f2aab95d13710456d3f0748f8b5ad96c733d0bc013e

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
62KB

MD5
5ec746c5655c916f2060b1a3e07002d5

SHA1
9d9a24b834dea85d7ddc78690a3e4c11ee0b17f0

SHA256
6cc1a6a3c97204209f1462311dd3710a0c7646d5216e1a134aeac38aacf1fe6d

SHA512
17b1d737169061f95f65033073734dd14b1ba7578f0905fe25811bf2c7cfb98f410bd6e9c718afed934b5866cb07be0f414736e3e14b1f484e0c20da40fba8a5

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
62KB

MD5
8b83059a34c82b3d18fe2598ded179f2

SHA1
184058183f5d2667a3c94188ba3b6b03c228ba68

SHA256
8d0d0f05fa00fcce90bef586e03c2f3da532ce5221cd6a9654d0277af484a6e2

SHA512
f68f3756cbf59bb91aef641ba5bc5f52b39ac815c3fdfeb35916ae4ae70c7ea2f6ca9a0502016fedc981a22b6046fbdc080f29d39d8bb77ca93bd1bf7761e863

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
62KB

MD5
3d50d2e539886c4bae7e3d4d886867ed

SHA1
e878234452fc8edd1b83e8bfc109a6f86c448bfb

SHA256
348e4d6cc21fe04e43e2a8a9985e7d9a562d22047e5042b8ee8f70a59e5eafc3

SHA512
ac83bb961fcef02911dffced61dba0d15c5b3a2480905b1e847cb0321c2216612fe8c38936a6547c3899cec24b61968e7bb94680bda74662fc1d38fa35edf843

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
62KB

MD5
a8927adfef64449b386d3639bac9948e

SHA1
f5e17f13a7e604dd59ad488a4d959f43b79454bb

SHA256
82c5ff6ec6375f98d68b02ff0e7b1bb4286c4c6b560a756c3d9f9f1336877bd3

SHA512
005332c4a421c34896a12ed9b88a8be089301894cdd5da6b26910c2c9d0f326cc5adcae1e3bdea1e838ef477995af529a828fcb81f90b93b0a36bd37eda8c9b2

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
62KB

MD5
3b74588fddba3d0370863c1f668739fb

SHA1
5163222ab438a780d571eba5542ad90e01bb93bf

SHA256
069c20c1541bd7040a92f6190626cf70a61b343a79890b6c6d4d488f43265e84

SHA512
805e08ec3d147e477d72a51d3409641a22492bc248c888d102900015979e291564d5c59b8cf68e541b134d60977ad23ee695b5c410e5090242ce8872a9c2c65d

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
62KB

MD5
0c0157a45dc2f68f8c92d1eb2e5a6c00

SHA1
37fb53270024b72ee04719b99b5f8410da7f0809

SHA256
16a18c8b4c5e57030794c3808715fb02b05c31019cffaeeb2c9d644124b7e5f7

SHA512
3a2f43007bd7ee22489d77c2a4d77f125f16d2b9ae78a0c113427c32bd26348eacb3438331ea20ba5db49184372cf180bb542e6ce16cb24b454f902e11374f47

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
62KB

MD5
28612a0009691a2e2d5f0b72313df8a9

SHA1
3eb91d4d35bfdaaa5a7dcfe0381be728f61f6154

SHA256
395582a08d20a3f9a5fc10b3dede4e9bf1ab28f854c20fbb15c57c40f740c11d

SHA512
8c82cdb96ea4f0b6558ec52cff33da4a58a68c100f12a4cbba7e16b67e4de6f3cad4254596ebf7f9f2666e3c7e053bd9a7c64ba2b6b79623e6f71fe8a84de532

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
62KB

MD5
87a3e39025678c95acb7a767e0eba2ff

SHA1
43620fa2057168e84d991e5fa535861091a28ac7

SHA256
816dcc891b51dfdc9f95dda46b0ccd2fb1bed5582400dffd5c9601d3fbcc56ae

SHA512
00271bdc5e44d7c603141606116f24543eb2e65a267cdabb5b5a4feaa7ea71428a2c42b4f40bb593891f108071bb49848f40856c8564da7293f8ba8c6b0225be

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
62KB

MD5
fd8891e0f69544f6fd3343f4c0830255

SHA1
454cc7b6a57ab5f702b963a4323585e7f29dc3a3

SHA256
c120115daec45932f0f9c4c8c969a8cda1a8dca90a89181b5146393a0ceeaf96

SHA512
47e43ce7d60891ab5b15c79dbdba445c1bad9fac8f90c58949e3029918fc748aa03d4d4f00a997d22ce7c50e892543d7e2937244f296fc9fbddc07c68de5c6cf

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
62KB

MD5
8b56756153aa5f7d13be420fadfef761

SHA1
da4dfc0a0de65f6012e312cb9285b767f9c42e04

SHA256
c22ed6fef09fb0cdaa744d9e267707c0fa326e98d1dc4defb25142a1467c7baf

SHA512
a0c6a056a6f8c96fca032ff57600b190a179b9f9b8dd67163973b4ab05b54dcf1b181372413f5651c38bf1ecccc6361d95ddc60f358d4b78b4f03045d510e801

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
62KB

MD5
77729131e978ea23c8f3f0d06455e6c8

SHA1
b2edfbba26164887c9f7f0215b6cd813fbde9e7e

SHA256
36d51ec2d7e77b3d7468b9c0a6c25a52e05db4c6c9b1b2ef09d488c0458cedbf

SHA512
4805ee9cb2fa802e587598c6feda89b126525c502f8966b9288386be4b5e07f3978a921be2515a58fea3f13a2c537c06cee12a91028328f13a04dc08a89f7011

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
62KB

MD5
4f9c810bc0b0e465a6ed8d78a7875ba3

SHA1
c48c1dcaf6c80d9e20a69f28d2841f7a0f289b00

SHA256
be19040f0b4bd811a09cd3be5ed458b303b5c9ed47135948ebb13d4db49ca213

SHA512
c3f6cda92a73f71fcf0cbe1c198743162099ae150e14c71ef34ce443b82d1705271cb01c1803e41daf8b689188f0e5e4895cadc17522e642cd4e946a22743e85

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
62KB

MD5
990c5a96afdbc293920a1cd00a90de9b

SHA1
3afc30c069e289fb17d025b8de6df3d178799f7e

SHA256
79fa6925428ee9bfc12ae4d5038f9e4343d6e693c1b341ccaa0ccab5e99c98bc

SHA512
6c6b12c3d59051aed8412db3f5090e42e25f227eae50d570301316d7ea090a5e97bc4a5d8f9c04a79b962767c1e4d56619e6490da8f355d24ac53c42a5d41f1c

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
62KB

MD5
d1fc5138a27c5140763f22137f405fc7

SHA1
b140c0a90658ebd4ace71f0dc9f05c64a2453173

SHA256
95aef7fe5c0a3db884c873a5fe0166835f1e75d4794c06d1d7d236e4af15b461

SHA512
ac95e7c89be6869d59732d0f77604037d5e288a04731ba67986aa44e27b42d14dd3696bb484f2deaa4c4ecd4cf8d7b22b6ff03b0a80830289eb0f50776bee8a1

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
62KB

MD5
daad1c4fe00578e882062f85f0948f36

SHA1
3b8bf8f2a9b4f44ef4ac514e11f951cba9cc610a

SHA256
8589766656be28571f28ecc73edff9ea81856f57276220069915df79204d58fc

SHA512
bce916815a397151c8977d02710984f46bea0f23e66571f74ddc13c31e1c18e23c37e6c628f7986f536d84cee04f716becf435e2bb381714b8f846909e44b88d

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
62KB

MD5
e2fe6ab3deeb12aaba33591fe88c75c2

SHA1
62e8a7203a391dae12f508482c60d916caceb5f3

SHA256
33fe81446e9bff81c59d3b140ee979837778083278a77168ce397b53c795893e

SHA512
d397d161e74d623903baf36bbcf49274797ea55993e6a4481a15f017ff9b8c1fbdfe906f68c159ad2c6bec1faafb4eedf367d365d82d69336c901d7adca11a2b

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
62KB

MD5
5455e5d1fa11808bbd27e10a05ac963c

SHA1
40e16a4275933cc15b3192dea22c46bfddc9954b

SHA256
af20240cbc46a99cfd469ce9ee90f115b7c4061de82bc7b366b96b600a7d96bc

SHA512
f9fa939aae79f7b2167ea421c27d2e14ecf12ce029c5819a704ef7e44375f3790b13c6d916313676f87f632503319d1699837d5c1b523e0856052a091a83f210

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
62KB

MD5
7c4213cac374149b80b55162dd602b6d

SHA1
16dbc6c88543898bb003b8068b5335c089518b14

SHA256
45f49622ded23fc7e98e4d11735e89909fa728accdbdfd88dcb76c0d933723b5

SHA512
e5cde61c353dfe04f4b6b35523ed18075a41a04fbfc018434c8f243a87e852c76364ceea2c5ecfbe283c0fc918822443f343c372966f2ea863159285b547f765

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
62KB

MD5
5a2d7f3b632d6704a0d9079b3f161466

SHA1
ca35dbb3df4e25bcd7bf23bd8a35fd3165bf7e3d

SHA256
2b4850d926d131a2905771725d0145efa148e54878b322ea4dcea0f94ad0a927

SHA512
a18bd8e949881c0e2aef5be5376abbe15f348f861a86b743976a58f14aaa384848d02d26f92e11b4da49abede1ca7f76a0bca54ff00069cd58dc528be2e22ac0

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
62KB

MD5
04b109a7a88219942db64ed775747c9b

SHA1
07ddf93fd7a5a65cf63d48842682dfa88d99dc8c

SHA256
42f083f654b1ea5383cf45bdcefd004b2d726f6fa85690e2130c07625ea22235

SHA512
f45d5bbfa3c0401e6b04cf120203246e38a2a3013aa99047bde366fc39b40d2a952a5a156d0a3813ab1720163f7c31a74de92e0a6ab59e70cea166d9882839ce

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
62KB

MD5
9faebbdd530f1c740d9b17d25692b39e

SHA1
710fc8996a1566342aca27161024c01c2bdd1a27

SHA256
40d96229bad32e51d5053199123b792a9475eb4913f10b58a047a7afbc63e334

SHA512
20869527cfaafed15f6bb65d3c375fac7daa4f3bc7e7a233d963731aa76ab26306860fc9fbee72c4ed2e92719867cdb1e947efb4987f3ba95788c479117d2ced

Download Submit
memory/516-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/516-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/696-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/736-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/736-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1060-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1060-416-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-402-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1104-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1104-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1536-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1536-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-197-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-368-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1848-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2064-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2064-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2096-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2096-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2216-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2216-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2360-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-100-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2508-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2508-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2644-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2644-367-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2692-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2692-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3368-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3384-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3384-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3444-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3444-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3484-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3528-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3528-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3584-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3584-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3688-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3688-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3840-410-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3848-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3848-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-307-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3908-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3936-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3952-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3952-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3988-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4048-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4100-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-409-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4520-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4540-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4540-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4648-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4648-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4804-107-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4804-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads