berbew | 0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Size

368KB
MD5

53e52bbebfc01e1609d2f3a3c12b4920
SHA1

a59cb52e755782b87d61f21a88e937fd95532c06
SHA256

0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737
SHA512

08db4ef37f8c7114a60a3f231da1087f607426b2c52e4e0f3a956bf7799aae2522d83aa13f32bea3a3818e153bce1fc495d6030af1a1453f0d282d923db54a4c
SSDEEP

6144:xXg6Lanwaug8kdpSpYnGhlOcJVBQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwH3:xXg6Lanwaug8kdpSpYnGhlOcJD/+zrWT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfobbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbfbgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqlhdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdmmdnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbfbgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdniqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hapicp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapicp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdildlie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hanlnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdniqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipgbjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jqgoiokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jabbhcfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hipkdnmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefhhbef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jofbag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfobbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilncom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
3060	Gdniqh32.exe
2616	Gfobbc32.exe
2752	Hbfbgd32.exe
2596	Hipkdnmf.exe
2500	Hdildlie.exe
1612	Hanlnp32.exe
792	Hapicp32.exe
884	Hgmalg32.exe
2948	Igonafba.exe
1772	Ipgbjl32.exe
1992	Ilncom32.exe
1844	Iefhhbef.exe
2548	Ijdqna32.exe
1576	Idnaoohk.exe
2100	Jabbhcfe.exe
2856	Jofbag32.exe
2112	Jqgoiokm.exe
2320	Jjbpgd32.exe
1204	Jqlhdo32.exe
1072	Jjdmmdnh.exe
2816	Jcmafj32.exe
316	Kjfjbdle.exe
1228	Kjifhc32.exe
624	Kkjcplpa.exe
2384	Kbdklf32.exe
1076	Kohkfj32.exe
2688	Kkolkk32.exe
2592	Kaldcb32.exe
2492	Kbkameaf.exe
2632	Lclnemgd.exe
2108	Leljop32.exe
608	Lfmffhde.exe
1296	Labkdack.exe
2956	Linphc32.exe
2216	Lccdel32.exe
2024	Liplnc32.exe
1940	Lpjdjmfp.exe
2444	Libicbma.exe
340	Meijhc32.exe
2052	Mhhfdo32.exe
468	Migbnb32.exe
2884	Mlfojn32.exe
2308	Modkfi32.exe
1484	Mdacop32.exe
1852	Mmihhelk.exe
1784	Mdcpdp32.exe
1920	Moidahcn.exe
1440	Magqncba.exe
2260	Ngdifkpi.exe
2676	Nckjkl32.exe
2832	Niebhf32.exe
2572	Ndjfeo32.exe
536	Nigome32.exe
592	Nlekia32.exe
2916	Ngkogj32.exe
1548	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
3060	Gdniqh32.exe
3060	Gdniqh32.exe
2616	Gfobbc32.exe
2616	Gfobbc32.exe
2752	Hbfbgd32.exe
2752	Hbfbgd32.exe
2596	Hipkdnmf.exe
2596	Hipkdnmf.exe
2500	Hdildlie.exe
2500	Hdildlie.exe
1612	Hanlnp32.exe
1612	Hanlnp32.exe
792	Hapicp32.exe
792	Hapicp32.exe
884	Hgmalg32.exe
884	Hgmalg32.exe
2948	Igonafba.exe
2948	Igonafba.exe
1772	Ipgbjl32.exe
1772	Ipgbjl32.exe
1992	Ilncom32.exe
1992	Ilncom32.exe
1844	Iefhhbef.exe
1844	Iefhhbef.exe
2548	Ijdqna32.exe
2548	Ijdqna32.exe
1576	Idnaoohk.exe
1576	Idnaoohk.exe
2100	Jabbhcfe.exe
2100	Jabbhcfe.exe
2856	Jofbag32.exe
2856	Jofbag32.exe
2112	Jqgoiokm.exe
2112	Jqgoiokm.exe
2320	Jjbpgd32.exe
2320	Jjbpgd32.exe
1204	Jqlhdo32.exe
1204	Jqlhdo32.exe
1072	Jjdmmdnh.exe
1072	Jjdmmdnh.exe
2816	Jcmafj32.exe
2816	Jcmafj32.exe
316	Kjfjbdle.exe
316	Kjfjbdle.exe
1228	Kjifhc32.exe
1228	Kjifhc32.exe
624	Kkjcplpa.exe
624	Kkjcplpa.exe
2384	Kbdklf32.exe
2384	Kbdklf32.exe
1076	Kohkfj32.exe
1076	Kohkfj32.exe
2688	Kkolkk32.exe
2688	Kkolkk32.exe
2592	Kaldcb32.exe
2592	Kaldcb32.exe
2492	Kbkameaf.exe
2492	Kbkameaf.exe
2632	Lclnemgd.exe
2632	Lclnemgd.exe
2108	Leljop32.exe
2108	Leljop32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mncfoa32.dll	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
File created	C:\Windows\SysWOW64\Iefhhbef.exe	Ilncom32.exe
File created	C:\Windows\SysWOW64\Bdlhejlj.dll	Jabbhcfe.exe
File created	C:\Windows\SysWOW64\Fpcqjacl.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Kkolkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kkolkk32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Jcmafj32.exe	Jjdmmdnh.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ilncom32.exe	Ipgbjl32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Mfbnag32.dll	Hbfbgd32.exe
File created	C:\Windows\SysWOW64\Dkqahbgm.dll	Ijdqna32.exe
File created	C:\Windows\SysWOW64\Epecke32.dll	Jjdmmdnh.exe
File opened for modification	C:\Windows\SysWOW64\Kjfjbdle.exe	Jcmafj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkolkk32.exe	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Leljop32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Moidahcn.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Gdniqh32.exe	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
File created	C:\Windows\SysWOW64\Ipgbjl32.exe	Igonafba.exe
File opened for modification	C:\Windows\SysWOW64\Jabbhcfe.exe	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Linphc32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Nmmhnm32.dll	Hdildlie.exe
File opened for modification	C:\Windows\SysWOW64\Jjbpgd32.exe	Jqgoiokm.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Hcpbee32.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Bdpoifde.dll	Jjbpgd32.exe
File created	C:\Windows\SysWOW64\Liplnc32.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Jjdmmdnh.exe	Jqlhdo32.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kkolkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Liplnc32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Hbfbgd32.exe	Gfobbc32.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdklf32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Aepjgc32.dll	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Idnaoohk.exe	Ijdqna32.exe
File opened for modification	C:\Windows\SysWOW64\Jjdmmdnh.exe	Jqlhdo32.exe
File created	C:\Windows\SysWOW64\Pghhkllb.dll	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Leljop32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Ijdqna32.exe	Iefhhbef.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Jmamaoln.dll	Gfobbc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
912	1548	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hanlnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefhhbef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjifhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkolkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igonafba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idnaoohk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqlhdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jofbag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaldcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijdqna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kohkfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabbhcfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfobbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdildlie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdniqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hapicp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgbjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmafj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbdklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjbpgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leljop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkdack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgmalg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqgoiokm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdmmdnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjcplpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfbgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilncom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hipkdnmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll"	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll"	Hbfbgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jofbag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll"	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdniqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbfbgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll"	Ilncom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll"	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll"	Jqlhdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll"	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilncom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdqna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll"	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhbld32.dll"	Gdniqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jabbhcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Moidahcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3060	2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe	28
PID 2708 wrote to memory of 3060	2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe	28
PID 2708 wrote to memory of 3060	2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe	28
PID 2708 wrote to memory of 3060	2708	0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe	28
PID 3060 wrote to memory of 2616	3060	Gdniqh32.exe	29
PID 3060 wrote to memory of 2616	3060	Gdniqh32.exe	29
PID 3060 wrote to memory of 2616	3060	Gdniqh32.exe	29
PID 3060 wrote to memory of 2616	3060	Gdniqh32.exe	29
PID 2616 wrote to memory of 2752	2616	Gfobbc32.exe	30
PID 2616 wrote to memory of 2752	2616	Gfobbc32.exe	30
PID 2616 wrote to memory of 2752	2616	Gfobbc32.exe	30
PID 2616 wrote to memory of 2752	2616	Gfobbc32.exe	30
PID 2752 wrote to memory of 2596	2752	Hbfbgd32.exe	31
PID 2752 wrote to memory of 2596	2752	Hbfbgd32.exe	31
PID 2752 wrote to memory of 2596	2752	Hbfbgd32.exe	31
PID 2752 wrote to memory of 2596	2752	Hbfbgd32.exe	31
PID 2596 wrote to memory of 2500	2596	Hipkdnmf.exe	32
PID 2596 wrote to memory of 2500	2596	Hipkdnmf.exe	32
PID 2596 wrote to memory of 2500	2596	Hipkdnmf.exe	32
PID 2596 wrote to memory of 2500	2596	Hipkdnmf.exe	32
PID 2500 wrote to memory of 1612	2500	Hdildlie.exe	33
PID 2500 wrote to memory of 1612	2500	Hdildlie.exe	33
PID 2500 wrote to memory of 1612	2500	Hdildlie.exe	33
PID 2500 wrote to memory of 1612	2500	Hdildlie.exe	33
PID 1612 wrote to memory of 792	1612	Hanlnp32.exe	34
PID 1612 wrote to memory of 792	1612	Hanlnp32.exe	34
PID 1612 wrote to memory of 792	1612	Hanlnp32.exe	34
PID 1612 wrote to memory of 792	1612	Hanlnp32.exe	34
PID 792 wrote to memory of 884	792	Hapicp32.exe	35
PID 792 wrote to memory of 884	792	Hapicp32.exe	35
PID 792 wrote to memory of 884	792	Hapicp32.exe	35
PID 792 wrote to memory of 884	792	Hapicp32.exe	35
PID 884 wrote to memory of 2948	884	Hgmalg32.exe	36
PID 884 wrote to memory of 2948	884	Hgmalg32.exe	36
PID 884 wrote to memory of 2948	884	Hgmalg32.exe	36
PID 884 wrote to memory of 2948	884	Hgmalg32.exe	36
PID 2948 wrote to memory of 1772	2948	Igonafba.exe	37
PID 2948 wrote to memory of 1772	2948	Igonafba.exe	37
PID 2948 wrote to memory of 1772	2948	Igonafba.exe	37
PID 2948 wrote to memory of 1772	2948	Igonafba.exe	37
PID 1772 wrote to memory of 1992	1772	Ipgbjl32.exe	38
PID 1772 wrote to memory of 1992	1772	Ipgbjl32.exe	38
PID 1772 wrote to memory of 1992	1772	Ipgbjl32.exe	38
PID 1772 wrote to memory of 1992	1772	Ipgbjl32.exe	38
PID 1992 wrote to memory of 1844	1992	Ilncom32.exe	39
PID 1992 wrote to memory of 1844	1992	Ilncom32.exe	39
PID 1992 wrote to memory of 1844	1992	Ilncom32.exe	39
PID 1992 wrote to memory of 1844	1992	Ilncom32.exe	39
PID 1844 wrote to memory of 2548	1844	Iefhhbef.exe	40
PID 1844 wrote to memory of 2548	1844	Iefhhbef.exe	40
PID 1844 wrote to memory of 2548	1844	Iefhhbef.exe	40
PID 1844 wrote to memory of 2548	1844	Iefhhbef.exe	40
PID 2548 wrote to memory of 1576	2548	Ijdqna32.exe	41
PID 2548 wrote to memory of 1576	2548	Ijdqna32.exe	41
PID 2548 wrote to memory of 1576	2548	Ijdqna32.exe	41
PID 2548 wrote to memory of 1576	2548	Ijdqna32.exe	41
PID 1576 wrote to memory of 2100	1576	Idnaoohk.exe	42
PID 1576 wrote to memory of 2100	1576	Idnaoohk.exe	42
PID 1576 wrote to memory of 2100	1576	Idnaoohk.exe	42
PID 1576 wrote to memory of 2100	1576	Idnaoohk.exe	42
PID 2100 wrote to memory of 2856	2100	Jabbhcfe.exe	43
PID 2100 wrote to memory of 2856	2100	Jabbhcfe.exe	43
PID 2100 wrote to memory of 2856	2100	Jabbhcfe.exe	43
PID 2100 wrote to memory of 2856	2100	Jabbhcfe.exe	43

C:\Users\Admin\AppData\Local\Temp\0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe
"C:\Users\Admin\AppData\Local\Temp\0b2288e1906a855c54e629e696dd9f8cc1a112aa6fb1851325504d56308d5737.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Gdniqh32.exe
  C:\Windows\system32\Gdniqh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Gfobbc32.exe
    C:\Windows\system32\Gfobbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Hbfbgd32.exe
      C:\Windows\system32\Hbfbgd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Hipkdnmf.exe
        
        C:\Windows\system32\Hipkdnmf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Hdildlie.exe
        
        C:\Windows\system32\Hdildlie.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Hanlnp32.exe
        
        C:\Windows\system32\Hanlnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hapicp32.exe
        
        C:\Windows\system32\Hapicp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Hgmalg32.exe
        
        C:\Windows\system32\Hgmalg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Igonafba.exe
        
        C:\Windows\system32\Igonafba.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ipgbjl32.exe
        
        C:\Windows\system32\Ipgbjl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ilncom32.exe
        
        C:\Windows\system32\Ilncom32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Iefhhbef.exe
        
        C:\Windows\system32\Iefhhbef.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ijdqna32.exe
        
        C:\Windows\system32\Ijdqna32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Idnaoohk.exe
        
        C:\Windows\system32\Idnaoohk.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Jabbhcfe.exe
        
        C:\Windows\system32\Jabbhcfe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Jofbag32.exe
        
        C:\Windows\system32\Jofbag32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Jqgoiokm.exe
        
        C:\Windows\system32\Jqgoiokm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Jjbpgd32.exe
        
        C:\Windows\system32\Jjbpgd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Jqlhdo32.exe
        
        C:\Windows\system32\Jqlhdo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Jjdmmdnh.exe
        
        C:\Windows\system32\Jjdmmdnh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Jcmafj32.exe
        
        C:\Windows\system32\Jcmafj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Kjfjbdle.exe
        
        C:\Windows\system32\Kjfjbdle.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Kjifhc32.exe
        
        C:\Windows\system32\Kjifhc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Kkolkk32.exe
        
        C:\Windows\system32\Kkolkk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\Labkdack.exe
        
        C:\Windows\system32\Labkdack.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Linphc32.exe
        
        C:\Windows\system32\Linphc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 140
        59⤵
        Program crash
        
        PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gdniqh32.exe

Filesize
368KB

MD5
7fa49d6c255c9ff7de94a89c1381b2e8

SHA1
05b53e73d0ae5c95da4492c3a1fd9a852f83290b

SHA256
48c8cb544fa388b084c388b1e9bddb1569426a8f845ae82bdba742dee9d0bc17

SHA512
6cabb9e14cf34dfa19290e0d6e70e70653b5a391e048d7745fda221d2887e946dd043525ea303b34e1e50f318f9f8c500d4496397b49e790401805f1acec0c2a

Download Submit
C:\Windows\SysWOW64\Hgmalg32.exe

Filesize
368KB

MD5
35fd4bf2dd28a0ec5931e0dcd58927ab

SHA1
cc5fd6a07e2bec5e89c1ef9a4e106cc3d3f6a59e

SHA256
dfe584e85013bd14ece7c35a11a0f425642e82bae46f0803f9ba2ef13dafc208

SHA512
d858ef9ac7f6fc3060e4e0a76da9b39aced48d441cadcc2ae5d08c7fe85e7766c851eab0a3f9901dacaa2ebb4240805e7356a4f1fa4a15160e2fc525f3de1f78

Download Submit
C:\Windows\SysWOW64\Iefhhbef.exe

Filesize
368KB

MD5
585776969b8a982c0abefb3f961080bc

SHA1
bb2ab6ecbb6a833477885d707b3c949cc652b611

SHA256
deb927748b44e61b34f61d37f83b1d7c3fe7fe42bfd3f135e4f71b844191a49f

SHA512
2dbf1da8167ee56bf67af3f184394cfe8e1dccaea8cdafb0f1d07ac1f5e36758ed64718a98256556eeac25822043416982057896fb9132b575bb1210044ef3b2

Download Submit
C:\Windows\SysWOW64\Jcmafj32.exe

Filesize
368KB

MD5
ddba930da6ce407afdb78ec545ac5a94

SHA1
776545b47ece7d1c9cd18ee5fbab6bc8c36af707

SHA256
fa5ac0b0b3dc7a403f31afd44bdfd63bf76e34a9483b1716ed7a8e968176f466

SHA512
ab257c595be11e4fe5ba51a8fd57c2a339879a848ac794e4c16320875f765a0c66a701db08861fde682a1b4ccf34c09c1c029be3de8b63eaca72ae40112babe2

Download Submit
C:\Windows\SysWOW64\Jjbpgd32.exe

Filesize
368KB

MD5
6264641bcbac1ab41f1202dae60e3c36

SHA1
ffeaa1844fb4923f8d36e3818b979fd35d12bf8a

SHA256
5a7f8dc0a16521f3f2e7152a2e40200c665b032ba5555f0ea8e5a35f99e72089

SHA512
99e0f1ed381ee2bdd67931ab355c32e465736931108c407f3be247db626ed09ec57a239cd4dee9bc4ddcbe9e53fa158f35b2ef36ad412030db825928861face4

Download Submit
C:\Windows\SysWOW64\Jjdmmdnh.exe

Filesize
368KB

MD5
7c8c3f1ecd9eaf5dcea2f7dce2177833

SHA1
541019ede80846d1a02fc586a3de50c293aace4d

SHA256
33eb342e8672d23e8bd046500233ee4afc6813fdb5776861b4cf868632d1f0e8

SHA512
464993be39ea3f2eefb8434570897af378517da3abadd00f729ab31adf33b5a3c00dce96d30e34c21a659c4bc65ab68194ca36d068d5260102460ca79142bdca

Download Submit
C:\Windows\SysWOW64\Jqgoiokm.exe

Filesize
368KB

MD5
e90dfb506a1fd762b77a464a6216e405

SHA1
46c4b7feec21b8c49849a197d874dee7f5a2118f

SHA256
cbf54497399f58cf389e12e4c9f1db9fa66e550c5c041c2e6e9a6c73d3552534

SHA512
0f262ec4b7d2a33af369fdfe5f9a822eeafa1a7b0a3e6763e9a09619159ac58992c734b8fe6d36b247df5270b1be496a6ca3e62e04bf651f2270b27df3fe1d4e

Download Submit
C:\Windows\SysWOW64\Jqlhdo32.exe

Filesize
368KB

MD5
5107193bad482d815da066d55d57a684

SHA1
7ce06c2ced6416aa8e78d78391eaf710c68cab7e

SHA256
5c59e62a34fe75b1cf6a45230107e9e2b48ef98fd770d7c26065d362130cf81d

SHA512
2be48ed4e03a7238d41e1afe89e37cc3d9b07bc6637d85fe0e7dbf66514acc56d0043ed3c9f3fa8f1186c7036c1b96afdb54c9fffd9678bde927e9d78bedd023

Download Submit
C:\Windows\SysWOW64\Kaldcb32.exe

Filesize
368KB

MD5
fcd121029cb54edfbb13533e22e91059

SHA1
31e230d3221f22700e94121c22703f1b12f967e5

SHA256
9ab35f10fe8a552a55d2d7856214985f31d31e4fe40c7b0c62d0f8640d95e035

SHA512
8d04860e5104e37cbab8825f8ccca623f4d1d6fbc8facaf71b2c3ef734041e526f3d65599f5698bbdb89559de9d323600f180949e90787d480a7285e0caeae5b

Download Submit
C:\Windows\SysWOW64\Kbdklf32.exe

Filesize
368KB

MD5
e50efa65d8ee6cc6c5e2a629a9974d13

SHA1
23c2609bac78a52d3154dca90da2f91d73301fd3

SHA256
0ffa20bbd3efd6f363bda32c7439e4822cb360c6afacc6dbb865ad28ad186661

SHA512
0ed7ce6caa4f2cd165a36f84c58f99b1fd8bf0ec2205e74e5292f6a6f1c5858bfa15019a97daf0ef788856f8179aa7271bb16861dfc2f95f3e7300b044df735a

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
368KB

MD5
4f70da6e301aab1e40b91651cd7164d6

SHA1
07d12529fc4a72d941156fbd3ef05eeec9efda6f

SHA256
da65166c89a25b9fb5d5f157676a8f604a906344519b7373c48c7f077cfa0069

SHA512
7f438b3666bccbc7f73f6b6ecb34d664524cf6f8c24df87b51fff43e30d3832dac314cf18d223a8a622265d2c6bf7f82f5e5de445e0a0d26f34ad551f8b9bb40

Download Submit
C:\Windows\SysWOW64\Kjfjbdle.exe

Filesize
368KB

MD5
c8041bd95309651914c5964470de5ff3

SHA1
a4fa058995901818070ac2ec4cc3d055acf3fb5e

SHA256
07a83e7421c389766297711be17213fbf191ded7fd94e265b082810bb36e17ad

SHA512
c38540246ae815e4f7c1f8cd62a879257f8361dc7291b5ca4c115038865e9101031bbac51e0a0ff0610daef5ec393b591117e437ad8d0414e4fc0c77d6a8690a

Download Submit
C:\Windows\SysWOW64\Kjifhc32.exe

Filesize
368KB

MD5
5af5335ff3a38ff7e3ab6d24630e7adc

SHA1
436236f77a73f1d78d3ee5a17ce4b9a590a59f44

SHA256
da440782f849c556feb435b70a0c19440eed27de60329f37d347f77951f1e344

SHA512
d97654ed923825c93474cdb48ab237fcd9a6eb431a42f7c0109ec6c979daf9384f3fabda4e44392b8642680468fe207d3a34c750c4e01158f63c58e50732bbd9

Download Submit
C:\Windows\SysWOW64\Kkjcplpa.exe

Filesize
368KB

MD5
132e099f739ff06d22581fcfe94cdf42

SHA1
8d7a1a44b7b42191829cb8d765bf5288cc469996

SHA256
46abf2190e90cda96ac528fc3be02f06cde51ef83965573106b2ea30a05a6c42

SHA512
0dae8cd62cee5dd29fa39f115d97e52cc032373cf58e9a42f6e4faa1d7bc6571ad9b4c5f2974c51a290f85730be590477e0ac8b65a0ae8b5c6bc14c9a1f631eb

Download Submit
C:\Windows\SysWOW64\Kkolkk32.exe

Filesize
368KB

MD5
2a3745aa6ec816581b8ff4442987735c

SHA1
d8f5994016cdf2bb14135d3391b28927b63ee709

SHA256
5012c1ebb4f2eb596ba76d35f314da4c41e9a7e6f36f4fed16b5c5f7519a6065

SHA512
c476f8e8c5b7da9b58db0bc5f1ec3c302978712038b6383c2647a99e6126ab60470662e0ba326b7aa1c5d5fa33cb2a1070b6c3c1a658e5c5ebdf8d8b2c345081

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
368KB

MD5
e3e2464fc6ca0a8d112e5d319df17a15

SHA1
a13699819076af12a62a8ad3c154a8e36af9164d

SHA256
9de49b14953a33ba3c16cec350a8b6edc6c8b31f9b5ebfb40a13f88bc5a96eff

SHA512
57b0fb2e0719ae6eb26a2e24709d4310f58269835fc695f572409e2c4e0da370fd96963439c6facf993d4938d8d114966e8abe7cc34a8fc488be5f5e37dd9fa4

Download Submit
C:\Windows\SysWOW64\Labkdack.exe

Filesize
368KB

MD5
dc242d90d990ec0725ae9d12116375db

SHA1
92bae38061fd685b9396f00562f8e2c8f67d85ab

SHA256
7e7851b97387d51a9f78e8569b23ed272d2bbab5b4abca02443c14451f91f983

SHA512
c810ca3036ba4957efcda8a298071ef33d5d77a8ed9d21f2ce0a4280e597cfbf9005a2cd5b1f563ce541ba831906d5883c80f14a5bc1e43430224215a23f691b

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
368KB

MD5
cc4b5960a845f13b3e3e4f0302434c13

SHA1
4ca742f4867e8833bccdc133e537d363521fd102

SHA256
29d6a82614844643ad312c76633623f39638b622af8f704db24030938ce6ac9a

SHA512
1784084035ec8dc400f17f64efeda94c0928287fd75f6af8f1653d538b02f649da97169308087badb2c2f896887b44d13e2f1b84a0fe535886e395a39f983c41

Download Submit
C:\Windows\SysWOW64\Lclnemgd.exe

Filesize
368KB

MD5
8c38468ccaa109f72455b75f1ed3e373

SHA1
30fc31443bc114c69ad4ba4967e6f1437286ed38

SHA256
e566488a5782558972abfeb38596b0f76f78389560db7fa472f05caa2bd31ef1

SHA512
5bf4fef0d5945a9c60f629595f8f7ec3b0593fb4c39a6edba92b32e73467a3441ed45c11df66a1b778800386f962f296895c4b37b560cb7fbcdf0ab751271dfb

Download Submit
C:\Windows\SysWOW64\Leljop32.exe

Filesize
368KB

MD5
127a8a360dca87c4f05656763e052730

SHA1
328cf37fb8a1d5658ebe25d74d8f3a353cf9268c

SHA256
223e0c6d63bbac742d43f49bd3ecefa38a5e341e5e4b11a6e0f974f03e2550ef

SHA512
5f2cbb2432bf74a235867e761fea5fe4a1c58067776223e9f497df105bd6858720ad2ffa9d58d028b7beb9a5bf4161e73b74997a4040427b69afdc20f5b91978

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
368KB

MD5
bf6d28edd23fe66bd4bbbd4a06d0ac08

SHA1
2baa8cbeb2133040707eef32c8ffe7765b542a92

SHA256
1913bdf1103b3c5dc63b6561f714e195e349266b6db43220d162f651046f79f4

SHA512
de89a071730110354bce2a4310987ac9073b1ae26b9e06e791abe1b8b56271be37629179c5f51446354e22cab03362898e2a823cca8e621c5cd3246fcfbaa3f9

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
368KB

MD5
3c69980eb0a5d18e35fa1c658fb9db7e

SHA1
fbebe4571246da37b8d21b2e84e5492363bd33f5

SHA256
dfe644a4b7a5a0f84ca84062c0a2abb19eec81d73a47e81a6491ab16b108859b

SHA512
b6fc759fbfce675ef717534182e1f81d4a43edd0901eb1f540bed9c8409fdbbb8fd81e2b320e6e4f989fceb2f14ba0180a1c2d1be4ed96e862409b127f6531af

Download Submit
C:\Windows\SysWOW64\Linphc32.exe

Filesize
368KB

MD5
0faa4decc9fe905f7998f93b6ccd854a

SHA1
ab7edc0505fd168bf9f308d40a9a844b8ba45a6b

SHA256
99bb81820a0748d78249682b500c49973dd956c60f7247c0ffe410f04124e33e

SHA512
b95222bc4abe793ca07e486874c4673ab31d068dec3882d248fffb503cb09f8e49bc212be9c647faffd47394d65b7bddbf997892867b87e8f337fbb12f4e6350

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
368KB

MD5
320f4f7b7d5dd5f1e291a3799ccc0855

SHA1
2f2d0ddde6ef734df550c69dd0f41ca42311fd59

SHA256
48db4b0cc919fb5942afacacb3eb48e272b6649aeff7a32f902b8bce6d0bbf33

SHA512
9d80faafe488eb9bb18252c19c038bf8158852c14c26444a447dc77f1428dc699621983bffba616b0388281f4942512763b543789f76a964310e33d76beebf3d

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
368KB

MD5
f7bf382c4d4a501723ffa20666823c3d

SHA1
3aeeb7542cd01ecb5ffa3632cd77c4ebe6a23c54

SHA256
d776324c9ccb0c609a2a9d909eae60f638658ffc33399b660f37a637fa61631e

SHA512
bcd5f3f361e1b328a4dcb58cf33495ce26d1dc332c15d5359510ec6c51dc0f9beb4ae7abf3acd386fc964f44043bccec5336f22e7d6eaf0e71ee2017939788a9

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
368KB

MD5
cceaff57c00df2fcb9ed68dc739561da

SHA1
109609bc8778181716022405a79708dfd22ff7c8

SHA256
492bc16b5495cf2889b8cfdb2ae296168c0e87c512459c6b9fabbf6d7c797e4c

SHA512
ccca024d31e79227939c02e5148c9b428c9a7423693813b58f8a45e62d257b2c6ff4ce4e15ffd570981b9974f46fcadb9bf2c7e7b5a63b7ebf20b9f637c7241a

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
368KB

MD5
5370b9f9e56ddd3142e579146ff336a8

SHA1
dc170e63810687e1029ef50e622eb74efd6e375a

SHA256
58ac5c9e03bd773c5828cd21029730fe8d125e233cd3f3c3788b85d3fc052c21

SHA512
a4581be17c62f096f2735f145c26f1d29ec2f26862fa60b2ffc4bc6e05a7a4bbcb54e95e495814395a4ae055db8aa3956c2140e75cddda530151ce80aaead63e

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
368KB

MD5
e906baed61be3db55d2a4888a6f8a76f

SHA1
5e69cb06a0807897c985c7c94badcf70343fa658

SHA256
b35a9668eb8e846c857629da016e6f215158b56cad9f03a63c9547be089c9f1b

SHA512
bd06f8d0a5d5e7c43bb03d71d103d2991fd9437ef9e4548f5089405b437d6928d0a722629cd7ac347a3e167004545d162718b6df7132ffd8f9cf2b24cb480c41

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
368KB

MD5
a372a61080e13b47992f3a4c890b0b61

SHA1
c2ea3740cc8c8869feb7d9e9241a65bf506e1020

SHA256
84bc3f50ab01bdc4bcb02a12bd034c2bd574ec307507bd4f98e3e7e0933983be

SHA512
9d350a084900676057f350b1d6716f36366cc04b1aa0cff2230b108cfae69144b16425679e929e2a04fcc752618473a055bf78ce6f5b9ed8cc28cf097ce6810a

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
368KB

MD5
bea0d1333f4db387fd632f5361286f3c

SHA1
2d28d17f0e5f9490fe26896299490248782197ac

SHA256
e372cfe796bd0861e98c6441a9b365fcd1bfb315a3567535a31186aefc40bf7c

SHA512
fc3b3cbdf113410f66ee831122f7547d960b7fc8888d6b176121ecc7338794bf59158a04b7feffb98d4a69e8e513105ab029df346d4a560385628d4b983b6a56

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
368KB

MD5
c32b22eccd46d04c9ba171c3568a7b58

SHA1
b0517666fecc07285d3229fdbb8d13d1f30c8266

SHA256
22dea1303abe0562f08ff3de2d76054f2e16f07e5174afb7d3fd16c0c0f40c2c

SHA512
a1dfcb1178562daa3b6f147b9eb08764a419a1f4af047497c6868cc50ed9778387bd10078ed071f070785ea689e1a4cf0bf0acee6e157050319083ff75f799b2

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
368KB

MD5
18272d265959ad9bea14e6b6ee0e8e5f

SHA1
26e0416e35236b8706c1294d5e754eb49cf61adf

SHA256
96f6fac100ad8af82b9b4468412c2f0deea0c345745748aca3479f7f4e9aaff4

SHA512
9c6be02c1f7d90c630a4096114b4436925bcf86cf027b82b5f9682b05bddd79dc9a36a07c73b6c599477138cda6a89792afa19a5dcae520517f55ca37abd4f6c

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
368KB

MD5
0a409f519faadd5f4abeb6f06d2af757

SHA1
81ad560c7d777f415e857def3f0a6e42ec4764b5

SHA256
becbf158b03d0ed6a78840e979f6b4452ee3ce81df43aab6977d76f014139a47

SHA512
9bc52869f29a1d087a3224ec3c6edcbf73a5f8387c1337c9f6ac4c320ed6fc42b1029549e47fca670526a85d5d1ac137c5d90d67df957363ccd9a901c453dfd0

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
368KB

MD5
11c0e4d543226b66d083153024542f19

SHA1
aba0b6f928a314a3b478d312f857ee80ceefa88b

SHA256
2c20de88ef463fa0fc4f228fb5d74624cb5b10cf47f372d54ef20b7e637df531

SHA512
a023398a4a1f2ef90f2ff494519cc7e87b7c4cedbfe5890c51fada0bf74dd9c0a28be09d6ea3b1de76632358b2e21d515386f9f7847fe7c0c1312f5dbd374343

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
368KB

MD5
47af2d0e4e13898c6765ae8d2ec0a824

SHA1
c04ebc6dee2f592e2f2c1ba73e4b22f7ba623a87

SHA256
58043b6eb9c2d3b2e65274db4129cb511ec210017ae9a82ca9e9a193a583fc4a

SHA512
b44e7777ae497d7c750e64e7d4fc4a0c8a4e95e941d3a40c6c8a3e6c302e77b7fcedd687da1c2e208e2fd0adddd3b1d5881277bb37a28888c715933d1eb16203

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
368KB

MD5
5c3c292be0225929b689d380f7766102

SHA1
b438037b0a156157196795fd82eb7c7f68512a1e

SHA256
b5b3b2c6ebc32b10c29242604cd46d718aa59773fe74b640f991574c81774f22

SHA512
f3f8a1ed88f73421610b8a4e6996b9389494a6ddfa9d59db883c99940f603a4501a178c51a1d22834a745b77ae4dcdd8941cbf27202a3c07d9f9e153332e94ec

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
368KB

MD5
2211d875e9399c2822c5b260199a0631

SHA1
b17120c0b7a73eeb593038917a6090e085805477

SHA256
98c4082f69097c99bdaf6d7155c40da7ab8d4c21fed087565dcf8b100afa10c7

SHA512
dd37389a075f09c2940f56e9a137bcee3d52efa0a0d51b4824520764cec26a853a2c4b3f58c2267ae868ff1063ef9aeb60e5d2bbb1e8c0a993cd27bb047d46a0

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
368KB

MD5
2acd1c14e7de52504cfdf4dcee9be85c

SHA1
834eb5ad1e7d8d68db93acc5806b3818255a352c

SHA256
a53dd6cdb64dbdb1e1b9db86e200169336378c1295d1dc77a106372a369cf690

SHA512
1f5392748a171d27a0355358f492d5ec608b5a0446f4f19aaa035b37e0bc915da8deb43918180ae7e02e9779a0b99357017ce4ab3186a20efc0efa6e814dfee6

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
368KB

MD5
a99cf8bc8223c82dbb14c13b87525358

SHA1
12bdaf69448ee0ad1526b2c112d05fe13c3b95fc

SHA256
16f4bf51fbe8d40a6bd763650e7454cb6561d1d11f022796afdc69c141912484

SHA512
3132eca11aacea416de0fbafac1bff0c8d65ecb74d18231577d5a628ab7e6a7718e9b176fa483e776ade625cc3125190e1d1f76411c927640df63385eababbe9

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
368KB

MD5
c0d61fa1c7e43c48bf77ddc7cac123da

SHA1
cdc18c242807724e3e834f63e9c4e10d2aee2ca4

SHA256
c7a97291fa3150ab31f35ebe259fa2452acad13fb3fa91bfee6936dbb68b3fd5

SHA512
4f1d6a3f9217c204f7f31bb6ecf3d8bf8e33da3548675bb8753a1ab8fe1d37162dba7712f889b68e93d721f5fc3f35a6ebfbcfd3bded6c0e5e518c0948210a8c

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
368KB

MD5
1eeed66a2d9516377a8f5c6853f9bb31

SHA1
9108a46a2a8dd0a2fe1a29883aa73a0e3e615441

SHA256
e0204b312555189e844dd4b909e0b6d135a6fc5973f68455cb86c004e1454c38

SHA512
e2afe96d91b1ea541153349ae3b3a228fb836555c33b9199c6518d84534d6291904a8f53054c1c47659f19160dc6622d701b74d69d20cc35bf0e4441e34ab22c

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
368KB

MD5
564925f9d0e1093edf713857d051a299

SHA1
45599140aff3d475e14aaabd72130327751c9e6f

SHA256
57a006c007637f730bbcd82aa369ff0aa25e00c3fa2269fdb8b757e72b340b30

SHA512
e9998cf93ac6368eaffbd9861eb2fca241e314c30e68027d13d3480b4318342ed239af3c0cd5ee8eaa2d8556fed2b6443663c5a03d871e93ea64d49aa162e11e

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
368KB

MD5
8c44ef2d13167b27bad382b5011a3e0a

SHA1
cd5b2d77f77794607358f904efb2753025b41c33

SHA256
5d928a78953a595853ee790595c04b95b5664afb7f738e2cb51f82faf0a7e8df

SHA512
c26db9126dfd1dd696a60da22c06f64784254e887287ca83a78bb1723f4afd4ab5cc6f76071a9451f74431ef37b202d652e8d511357a832966d249544a313404

Download Submit
C:\Windows\SysWOW64\Qpehocqo.dll

Filesize
7KB

MD5
195d9a083809c34817017a9afd3f3bcf

SHA1
8118aa435c7e829dbf5722fc698eb8df36b30537

SHA256
ea9128950061aaf4772eefbcf8cc754fbe52159b0388c1458d93e58d3a45db92

SHA512
99f71f61b8dc4e3539bb5edba0028bac4436bed44ff28f23ed159e7c5f54b072ef0c293c996dea64baa9af83e4c65da087cf879099b1b54e4c3f7fcfeda9389f

Download Submit
\Windows\SysWOW64\Gfobbc32.exe

Filesize
368KB

MD5
3d33d953ea0369bcfc6f5359e1cd089a

SHA1
69aa9c512c904c8c7d40a4970098f26f2a581ef8

SHA256
c53628290cfb207aa2b21295838adb9f803fd23e77269823b4e305bd82aee06f

SHA512
04c8969eafc271c1377c29f882a5391079a5ad7dd4f3a61da72b19b2ec554c5b611107f8d957245e098651de742955de6283ad539fbf542c503bca4424c32ce3

Download Submit
\Windows\SysWOW64\Hanlnp32.exe

Filesize
368KB

MD5
ad33ec1c3f411dd3d837b3f0edea5f12

SHA1
4e744e3dc7c1032e7ba05a097444aa7ff3841da3

SHA256
78eb134cb332233d51e434bfeea736cf5342d0d734be6e48f438f5332a91e85a

SHA512
a2441fd31b87f9e8747ffcc19bae223f9182ca0acd8204d36cfe090c3f11f5fac3f4f3788f5fe7380954afdea07d371a6848a8887de54dc39a04e09a60dcac58

Download Submit
\Windows\SysWOW64\Hapicp32.exe

Filesize
368KB

MD5
f7c8b5f5204626f2962760c485a515e7

SHA1
63619ad92c4768a7a51dc88be1a772521da34c15

SHA256
45a08a8f341f63755529b42ac4b7adf5bfb2713e360796ef1e6741d0f2ff25e2

SHA512
60ec70d13077fa3a042dbc00671b0470bc2454f0c5d811549f84e89180f25134898af8ca5dd63c5951aed60858ac65ddad166883b5229858682c38724a9ee359

Download Submit
\Windows\SysWOW64\Hbfbgd32.exe

Filesize
368KB

MD5
d7685210c491319f9640951cd43c403c

SHA1
8bc1b7970060bef7dcd0e377a17fbfc562abcc35

SHA256
c7f6649691e8ad58aaf8da381bd0a89ea9a1a9935856f5c91fb1aeba0c2ba118

SHA512
19bae2c502c0021a648c333d32c99531407faf438991b0d584cfccd4a409c126a9e6d3df0aaf9983cbae4d5b56144826090c2a8daf9f3b746fd2b65cd1b14b31

Download Submit
\Windows\SysWOW64\Hdildlie.exe

Filesize
368KB

MD5
5dd6e9c80ed27e80fbad829f9402d0e4

SHA1
332e933cd1c94e0dec6f082be9470692df9d660f

SHA256
78632835819aa8d86c83247f34bb4e2b93b472ecc66d78a8f3b58f493ad345e3

SHA512
10898959f81d52b9fb6173ee096981ec137eebceacdd913426fd707f9fb9e6507cda18607af87b3da35a6667f4c916a8050097c3251cc3ac19f875b074e19e8b

Download Submit
\Windows\SysWOW64\Hipkdnmf.exe

Filesize
368KB

MD5
e37c4353af135e489ad495639e62f595

SHA1
15d62e4222381c0da0fdb420e2ba72da172976be

SHA256
63c1dad45a0eaae59fb82cee0198247c99208e0a2a81e3dc54ca2de68c21f589

SHA512
74de8d90563f0dddccccf5255c75d2daa947d33ad34578a8d632b92c32e94485044aa41c7ced34b3960a7b5178bdadf2af38bed9289aaf400e419ccb274c0d40

Download Submit
\Windows\SysWOW64\Idnaoohk.exe

Filesize
368KB

MD5
83664b2606e02bfafa1d99882087e91f

SHA1
39c54e5fc2415442d20ba9dd5a846b43fe29382a

SHA256
5c7c88e231caf77a6807e565fda4bfc7cf63eeff44b475813316925101c43ef2

SHA512
8076bd29704193f595599990f691d10bb8852ddb0ac181f670e26096b7e7c2b08ad7b3d6b6153403b3d17914c5e3c2240b4ed54a1316546281988149fefae860

Download Submit
\Windows\SysWOW64\Igonafba.exe

Filesize
368KB

MD5
c7e207b99d04caacd8c006e8f81f854b

SHA1
01d424e1ede41af2f871a0fcf3c5b0729a9b6a47

SHA256
e2c31c78d073848294036cb486b37087fbb142e05d6e388258db138297cffef7

SHA512
67a75e71e79f84d54353e2bdc1f0c4dddd35248f5e632b9deef9d01dc24a7b2e57adabb7f8095b540072f3d7e022efc2adb2c5bbcd9bdc1f960f9fc4b755001d

Download Submit
\Windows\SysWOW64\Ijdqna32.exe

Filesize
368KB

MD5
ae8dc00b48b67a78ec1773f4a87cd826

SHA1
efa0cca0d75f895cb018398069d6389f7d29462b

SHA256
d8914780a11d963f0946e06e19a9f64b841ccea3e31f3975ec517bfb01b5a542

SHA512
01bca5e727f664230a13aa36729d2f7bf090ff683dd32d2b7ed82c5ef553036bd7c1dbf9169136fa2b6d65eae3a35ceb6c3a4990e836c5c066f3b94d9857c9a4

Download Submit
\Windows\SysWOW64\Ilncom32.exe

Filesize
368KB

MD5
42e8bf3408b8fd139ab850c3e8577a61

SHA1
d1fa3d02454f04ea5c6c96b5c810d8b71128cdd0

SHA256
86041a066365f7e48d396a55a0cb79c68639cf9eb12ad109a014894d78b3f4e4

SHA512
e6fd7be41621382deee59d9fed2bda8434d1e23b3ecae8d4d76e7097172154262124e3c5baff518a927eec387fe08d72986f4dc3a64677f253fbd41c132cd8ee

Download Submit
\Windows\SysWOW64\Ipgbjl32.exe

Filesize
368KB

MD5
355800b539b30a6224882ef0bf3bc466

SHA1
f83207c02bbfd4aa62bb809986e87f6ac98ef5b7

SHA256
2ab591e26f8ffa5f165fccd996d92b89ab179389aa160ea485130fb6fecc028f

SHA512
676709290696406d76a160901f64b373625e5e3d02441e67cb04707d3324a94807fc726c7cf8f77b8ff4feb454dfbcb5105191e9b35cdaa560f075dc7d4ba912

Download Submit
\Windows\SysWOW64\Jabbhcfe.exe

Filesize
368KB

MD5
321ddebdaf718372ca2704cdbfdee082

SHA1
7e95983856b984baeb6a8526319f0287bf130cea

SHA256
8bae632f26b75e08218db77234f07a69091adf3e5c3b12f152fadff4c2379bd7

SHA512
77493f2546292efb97d246f1a77709f2110c37930e86ebf602bf210c824e3ab39559227d08a0a2c27d1c58c5ec293079e7b990ebe05aebefecd66fc251e60a3c

Download Submit
\Windows\SysWOW64\Jofbag32.exe

Filesize
368KB

MD5
13c4266bd8bf6e3dd1bd05a6e0a48360

SHA1
8087c1b1421c7bcad6327f50275d8bd0b986ee90

SHA256
c58b1845884d0fed73331a4606595ecbd26a875fd695c7732d667f56d4335aa6

SHA512
0f3355e0d47e2a84fec936e48c8b4190f4754fb0d8560df04f4afaad55b6f7978213d0e28286281d86d7216de7470d45a338ed710e2e2f360ee4314504406050

Download Submit
memory/316-288-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/316-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/340-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/340-479-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/608-402-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/608-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-310-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/624-309-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/792-105-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/792-424-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/792-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-115-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/884-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-267-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1076-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1076-331-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1076-332-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1204-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1204-257-0x0000000001F70000-0x0000000001FA6000-memory.dmp

Filesize
216KB

Download
memory/1228-298-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1228-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1228-300-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1296-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1576-201-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1612-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-88-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1772-141-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1772-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1772-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1844-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1844-173-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1940-457-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1940-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1992-470-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1992-159-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1992-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-445-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2100-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-215-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2108-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-390-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2112-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-234-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2216-429-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-691-0x0000000077A70000-0x0000000077B8F000-memory.dmp

Filesize
1.1MB

Download
memory/2260-692-0x0000000077B90000-0x0000000077C8A000-memory.dmp

Filesize
1000KB

Download
memory/2320-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2320-247-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2384-321-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2384-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-320-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2444-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-467-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2492-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-366-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2500-75-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2500-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2548-183-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2548-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-356-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2596-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-397-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2596-62-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2616-34-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2616-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-342-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2688-343-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2688-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-355-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2708-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-12-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2708-13-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2752-380-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2752-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-53-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2816-277-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2816-278-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2816-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-225-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2856-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-227-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2948-446-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2948-132-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2948-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-422-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2956-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-367-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads