berbew | 55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe
Size

72KB
MD5

8bbcdd55b9282d00347e8ce0a93851c0
SHA1

d1d32ceb80364c7f3f91d64bc5004051defe15e3
SHA256

55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708
SHA512

304878e08d26d0b66465189098e312cf9c4b2417fea49b5302cab1e4591eeafa508c778f7e885ca57d53b99800dad9b7835a982fda7b0fd1f0488e41411edeb1
SSDEEP

768:OY11ulmufGuweK8ukz6JjWH+1icry4KN4wSXu/1H582pU9UiEb/KEiEixV38Hivb:OgI/0LM6JisimD7xUxuPgUN3QivEtA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
888	Kimnbd32.exe
3740	Klljnp32.exe
4476	Kbfbkj32.exe
452	Kmkfhc32.exe
1768	Kfckahdj.exe
968	Kibgmdcn.exe
1184	Kplpjn32.exe
2972	Liddbc32.exe
388	Lpnlpnih.exe
3524	Lekehdgp.exe
1744	Lmbmibhb.exe
2352	Lboeaifi.exe
2432	Lmdina32.exe
2052	Lgmngglp.exe
2856	Lmgfda32.exe
516	Lgokmgjm.exe
2800	Lebkhc32.exe
4664	Lllcen32.exe
3928	Medgncoe.exe
3428	Mlopkm32.exe
1232	Mibpda32.exe
2976	Mdhdajea.exe
1732	Mpoefk32.exe
1132	Mdjagjco.exe
2032	Mlefklpj.exe
1760	Mcpnhfhf.exe
924	Menjdbgj.exe
5076	Mlhbal32.exe
4840	Ngmgne32.exe
820	Nngokoej.exe
4228	Ndaggimg.exe
4756	Nebdoa32.exe
1392	Ndcdmikd.exe
224	Neeqea32.exe
2588	Nnlhfn32.exe
468	Npjebj32.exe
5028	Ngdmod32.exe
2956	Njciko32.exe
4344	Ndhmhh32.exe
1824	Odkjng32.exe
1108	Ojgbfocc.exe
3844	Opakbi32.exe
4416	Ocpgod32.exe
3000	Ojjolnaq.exe
4428	Odocigqg.exe
3536	Ognpebpj.exe
2612	Ojllan32.exe
1820	Ofcmfodb.exe
3840	Oqhacgdh.exe
3668	Ofeilobp.exe
2188	Pqknig32.exe
2740	Pjcbbmif.exe
2408	Pmannhhj.exe
4520	Pclgkb32.exe
1180	Pnakhkol.exe
2592	Pdkcde32.exe
1096	Pcncpbmd.exe
4328	Pjhlml32.exe
3020	Pqbdjfln.exe
4280	Pcppfaka.exe
4972	Pfolbmje.exe
848	Pnfdcjkg.exe
1524	Pqdqof32.exe
4008	Pcbmka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe
File created	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	5224	WerFault.exe	215

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 888	852	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe	83
PID 852 wrote to memory of 888	852	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe	83
PID 852 wrote to memory of 888	852	55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe	83
PID 888 wrote to memory of 3740	888	Kimnbd32.exe	84
PID 888 wrote to memory of 3740	888	Kimnbd32.exe	84
PID 888 wrote to memory of 3740	888	Kimnbd32.exe	84
PID 3740 wrote to memory of 4476	3740	Klljnp32.exe	85
PID 3740 wrote to memory of 4476	3740	Klljnp32.exe	85
PID 3740 wrote to memory of 4476	3740	Klljnp32.exe	85
PID 4476 wrote to memory of 452	4476	Kbfbkj32.exe	86
PID 4476 wrote to memory of 452	4476	Kbfbkj32.exe	86
PID 4476 wrote to memory of 452	4476	Kbfbkj32.exe	86
PID 452 wrote to memory of 1768	452	Kmkfhc32.exe	87
PID 452 wrote to memory of 1768	452	Kmkfhc32.exe	87
PID 452 wrote to memory of 1768	452	Kmkfhc32.exe	87
PID 1768 wrote to memory of 968	1768	Kfckahdj.exe	88
PID 1768 wrote to memory of 968	1768	Kfckahdj.exe	88
PID 1768 wrote to memory of 968	1768	Kfckahdj.exe	88
PID 968 wrote to memory of 1184	968	Kibgmdcn.exe	89
PID 968 wrote to memory of 1184	968	Kibgmdcn.exe	89
PID 968 wrote to memory of 1184	968	Kibgmdcn.exe	89
PID 1184 wrote to memory of 2972	1184	Kplpjn32.exe	90
PID 1184 wrote to memory of 2972	1184	Kplpjn32.exe	90
PID 1184 wrote to memory of 2972	1184	Kplpjn32.exe	90
PID 2972 wrote to memory of 388	2972	Liddbc32.exe	92
PID 2972 wrote to memory of 388	2972	Liddbc32.exe	92
PID 2972 wrote to memory of 388	2972	Liddbc32.exe	92
PID 388 wrote to memory of 3524	388	Lpnlpnih.exe	93
PID 388 wrote to memory of 3524	388	Lpnlpnih.exe	93
PID 388 wrote to memory of 3524	388	Lpnlpnih.exe	93
PID 3524 wrote to memory of 1744	3524	Lekehdgp.exe	94
PID 3524 wrote to memory of 1744	3524	Lekehdgp.exe	94
PID 3524 wrote to memory of 1744	3524	Lekehdgp.exe	94
PID 1744 wrote to memory of 2352	1744	Lmbmibhb.exe	95
PID 1744 wrote to memory of 2352	1744	Lmbmibhb.exe	95
PID 1744 wrote to memory of 2352	1744	Lmbmibhb.exe	95
PID 2352 wrote to memory of 2432	2352	Lboeaifi.exe	96
PID 2352 wrote to memory of 2432	2352	Lboeaifi.exe	96
PID 2352 wrote to memory of 2432	2352	Lboeaifi.exe	96
PID 2432 wrote to memory of 2052	2432	Lmdina32.exe	97
PID 2432 wrote to memory of 2052	2432	Lmdina32.exe	97
PID 2432 wrote to memory of 2052	2432	Lmdina32.exe	97
PID 2052 wrote to memory of 2856	2052	Lgmngglp.exe	98
PID 2052 wrote to memory of 2856	2052	Lgmngglp.exe	98
PID 2052 wrote to memory of 2856	2052	Lgmngglp.exe	98
PID 2856 wrote to memory of 516	2856	Lmgfda32.exe	100
PID 2856 wrote to memory of 516	2856	Lmgfda32.exe	100
PID 2856 wrote to memory of 516	2856	Lmgfda32.exe	100
PID 516 wrote to memory of 2800	516	Lgokmgjm.exe	101
PID 516 wrote to memory of 2800	516	Lgokmgjm.exe	101
PID 516 wrote to memory of 2800	516	Lgokmgjm.exe	101
PID 2800 wrote to memory of 4664	2800	Lebkhc32.exe	102
PID 2800 wrote to memory of 4664	2800	Lebkhc32.exe	102
PID 2800 wrote to memory of 4664	2800	Lebkhc32.exe	102
PID 4664 wrote to memory of 3928	4664	Lllcen32.exe	103
PID 4664 wrote to memory of 3928	4664	Lllcen32.exe	103
PID 4664 wrote to memory of 3928	4664	Lllcen32.exe	103
PID 3928 wrote to memory of 3428	3928	Medgncoe.exe	104
PID 3928 wrote to memory of 3428	3928	Medgncoe.exe	104
PID 3928 wrote to memory of 3428	3928	Medgncoe.exe	104
PID 3428 wrote to memory of 1232	3428	Mlopkm32.exe	105
PID 3428 wrote to memory of 1232	3428	Mlopkm32.exe	105
PID 3428 wrote to memory of 1232	3428	Mlopkm32.exe	105
PID 1232 wrote to memory of 2976	1232	Mibpda32.exe	106

C:\Users\Admin\AppData\Local\Temp\55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe
"C:\Users\Admin\AppData\Local\Temp\55c517284e6130d22f7f106b3501d5d726d82ac844228211ee72808fd0f8b708N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\Kimnbd32.exe
  C:\Windows\system32\Kimnbd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\Klljnp32.exe
    C:\Windows\system32\Klljnp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\SysWOW64\Kbfbkj32.exe
      C:\Windows\system32\Kbfbkj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        33⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        66⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        67⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        68⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        69⤵
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        70⤵
        
        PID:796
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3420
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        90⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        95⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        104⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        105⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        109⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        127⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 396
        128⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5224 -ip 5224
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
72KB

MD5
1e2423a6384682fa629f1d3eade7063d

SHA1
07fa62b6769a17ce83987ce862649f3468cfba86

SHA256
cc2f41dc3aac732a59cae9e63a43731e536727236180a7165f82d3c7b3980c34

SHA512
66972c53326fca83ba8d77bc6cd2eeda1438ac067c32d3d1087f5c5f3ae47d73ac180433356753224ccf2fee2c55608fc026bf34253ccbd3fe724be6524ed900

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
72KB

MD5
4858a301c33fdb7446e08d1cd75bee94

SHA1
957836f1d700e1ac8be87e996b4a98fff201e3b9

SHA256
3fc50b8e74976ddfd32026d8b0d72441dffccd7468c75a96dac060b77d51703d

SHA512
7a31c4057ade56e9d3d76db468b9831c9bf8cafeaedfb51c66537b9d1aa61973e5bf0767742629d984632bc7538f0df460d27cd17fb81f1eaa74ecd8f3d70fd4

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
72KB

MD5
513f82fc675ade682c40a226215b62f4

SHA1
7261fa528adf6bae1b3b5287567be6ffd6e21525

SHA256
5dba3bdb9b2cbf853957100dbb3e2ff179144b4fdba2dd5069d7584fb50a6dc6

SHA512
cfa90629f1cd3f44ccda3e3def983875501b1b86fc694df0af34204fbefc08fdfadb40a7afe3a656c7219af371b718b46505c634c60173dabf7bd54aad50e3b8

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
72KB

MD5
1209efe7d826a683ed3df5a014531a30

SHA1
208eb905b7755cb0535cc001fa764424148dc088

SHA256
9997e9f93f6e342213d334dbbed88f9d0773e8cc9c06d4cf473141cfd4fe1474

SHA512
fdb1492043a236ea765950e1977f3ef92a93d9c25cf97991d39489cf8a89616cd3d6854201f781b6fa3038cd209a5a04db0f3ce415e88bdf7fd2ce9ce2bc2bae

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
7925bb34fa780a54cd8dc1e3dd3dabbf

SHA1
bd4d0f5a8058a712a0a418beac1aea73fb47f3b9

SHA256
4d9773ea98a23f11b726f5436408adb262338307d95e361f8c0c296862958a4e

SHA512
de1e3390cecef816f2a6de5729ceb74c58a70a8a08690f5913985e1833dc46640955525c5ea662b0ed2850cdc9b876d40ea964ca2eae3f425cb941b80edeae1d

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
72KB

MD5
5b9119fe2a8a314c36dffe3701bc7134

SHA1
5b00251dd03fc029cb3725d91e1641182e8863d8

SHA256
0ff9a76479992b54cc2af287eb81c0fddde8e378b45255dd0b6e0fe8be8aaf99

SHA512
a3a4db03670365970b299c84643d1bf9e88f790c55f670c5b08e64b4932e8641b423ae15328795ad2ac06a6d4873a251c57237ad3754390e164065edcc5105bf

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
72KB

MD5
278b55eae19b0ba2e5db2b1602dad7d6

SHA1
f0a696f68d7bbbbfb234abd9b517800cfb5196ce

SHA256
a36b32d52dbea408a4112bffb5dff0000f634ce2624383bd4c85a8a9316ae62d

SHA512
18f5ae4a3cc98983e9475008e15af96190b9c2e7d075dd9f4d9382af0e444269b21d8dc3d5cc4f3a6f59468980660378ea959f431e30211fc7db897274b50622

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
72KB

MD5
8406338b5c0d3f4ba65240878a761ef7

SHA1
d3ac52314ff8f98199789faf09efeb4b89b9e9a4

SHA256
40eea3c396b42758ae0d7a1f153407f81650dbf847d18f0d1dbd9256a7eb0dc1

SHA512
ebce2be62da48ce7ca552b85b15a3775ac84238a9219d810cc7f4f179e8026fcfb5686662eb65721aae9eea100588f5e9b997dee00e567fc25147a26392fd1f3

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
72KB

MD5
5a53fc6484adcb5af941894f7dcbe3e7

SHA1
4bd0f524ea95505d71720ee501453c4bbaec70f9

SHA256
ae2f79660ff21a611a44662de4c024604a4842cfd38b25d3ca1a44c7b57e5825

SHA512
67867ec5d7de579231883848fdcb12d60a862ae039682e1e2b246ce82eb790f4718a61f94633634b7ef757fad8ef75a5b1ee0fdf98ed48ee79b774dc6d77d968

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
72KB

MD5
fefd53c9376e7ef23271f82d684a16a4

SHA1
5bccfba3ab9dd1f4bf3605811e5d180597b3fb98

SHA256
d55e460a6fa1adeece2c889e1a27bf281296a10b357b68d9a638551d02a2a92d

SHA512
f42db0a534a5c2b90fc874ce66620a34b1fdf10aebdfd4d8bfd824a2125510ef4abad2f028bb834ba04b3eb8d74cd71b5231de435e9c74db9519745930fc020f

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
72KB

MD5
dded5f2e33c000284fe8929ed0a743ee

SHA1
1d0bb98dc5ebf17be11b1d172d034540974235bf

SHA256
b2d5717939f73c24319d1a94af85ca7efc4d27aa03038725d314e43eeee82975

SHA512
8c9ad65648f130cde9823b8f09359b36938bea5c9503ed4cffada17b2f414a672e73cb2b417c69b03834ad99042b6e6bb328d5072840d3877316f3235fe2074f

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
72KB

MD5
154a1a40eb1db9a22391a9a1cf92d189

SHA1
3caa1dd37fd48540f7d0ba825b5a931d41a519d0

SHA256
1089c0157cb0572747de04d49b0cd94cc35280376e2b9d5c7a4ec4b922d5e49e

SHA512
9548d8f6159810273c3b1bc8e6fdabe1693a368cdc70691ea396b239b2e336077747fd713105b357f3cde0590aeb26de9ec844b730bc44794a40ebedddedf879

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
72KB

MD5
dd657be3d794e298b235eb76417a3685

SHA1
90375d42e37ef9758220a6029d884a3ef187f280

SHA256
d6a9c82c2af75ce4d8bd2f43057c17368ef93c48afb4dfabf57c19da04589d9e

SHA512
fe189c7e5071436adc7e351d40aec50bbb2b194ed03778d932a7411a626f52f9f14b312fb8393f66f6991518f7e633f40dbba744cdf03a7e086c38a867479f35

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
72KB

MD5
bc374f8762ebc63a84d346f4a063f9e0

SHA1
8b92ffa6867dccb9f33c3b81b27d5fa2350f8193

SHA256
f9852b4c77da91496593ec6479e4b7dd521277d51673e737a628637bb9cd3a99

SHA512
2e04873d9b2d50ecc02b87e48b27c3c74a57891516ff40529e683e6abceadc59c5df30423a9fdf8988533b2f5f6a1c4cd8bc3bc88bff617682ecda9d487e5014

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
72KB

MD5
0fdb2f5862c3d26f7709ae4edc54f79e

SHA1
f282d2d424fbe6ef407135f815af06be40f1eeab

SHA256
77c78b86de4c76a572dae70d9c94f22e71bb8b01a743c715c1e7875fd14b573e

SHA512
f89c5d3330f45f3cb50c2822cc2c0b582f4f03042e205b5f5b6dde7236b44d076090d23cf00b55747197ceb045fd54f4d35631666b29802a8bcab74c4251f8ff

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
72KB

MD5
2c4c4c94870101c0e13feef64d880cbf

SHA1
8f5988faae1c81927f6f736e06baaa9c37a38561

SHA256
18bc554c9ed60325733b3139c1c31df0b65fa3a1c750403fead8ac0a75aa4e5e

SHA512
298b39619b6376c63e10e7823e69559df002d66ddcd181a318f88236900278328e77d3dde07c362652b67efbaf70ccc258699f4c63a6fa218445a3420414409d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
72KB

MD5
ebdb832d42cd508f3383df7c19b7e0e3

SHA1
d0a691efa0af9b2ada245caf365ae0b45a3a69e3

SHA256
fcfcb8521f0ddf41668c6e0a07388fad4c855b6c62644efe0b51d1a4739ab725

SHA512
fd1aec7c48a8f4b5f6d07070ab4de1b7e8e01a73917786c069a145525cfa6b7f88f48cef989703851e86c8c858beb326a56e2d0ce889e181f435fc3dceb842bb

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
72KB

MD5
f2599f5deb4045e161681c1137f9dd20

SHA1
8357478a7b9681da40e095c56eae6081fb641b65

SHA256
42779eb77453f7c06b9ec2fb0371640cd9d3691f44b3f311812df6834042fd85

SHA512
90c058d429e977657a4dfa9cb6c5d536b453373b5dd5c69fc2feb434d359cd1e314d39defba978fe48c7f31d8714b0af863d07b3dfbc40a151c5a4a11c581e05

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
72KB

MD5
d5b095c772719a4cf9f50f9a221a0869

SHA1
2399eae33b3f569f7a2a070d255aa8405d56d49b

SHA256
3a747d68f72ba6d47169ae9bfc7d05e237e0597147fddcd0a29e813d42d12653

SHA512
d7393ed5f593721f67035e58b91dd9f2cfb43d2a2e43f8314a85b933e7c164147b13bfef35dbe9415ec18323d31e107d534b049cbf6cd1c170871c8058e40fda

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
72KB

MD5
aaf479fe148e1cbf500aa5f39ea40972

SHA1
00ddfa395106916748a1c08f420feff78fd38db4

SHA256
9b93e634ac0eb68f9cab4b709af5f96cdec2a6f3fb2d7afaf26e7d73c7ad0545

SHA512
5ffec329c444bd0cdb9198af4d8517db3d8ccd40750c3f346e073c6b10b94b87d02cbddaf41a7a2af4c567e9cd87077e121dfbcbc217adba7c77560bbcee2b51

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
72KB

MD5
6f6bafd884109965fe942bda77c88e35

SHA1
b2b08f36bf3eef3af93c3793285b6bf2e3ffb970

SHA256
80a14d44e142a8f5583ae6006ab6ad117f9d102653eb388e3b11258430b07600

SHA512
1cefda01106e6f461f9099cf7df6958037eb520f802c15d273afc1f4e00fac23e745f4813b7307b8ad3907671980f7e5350822853dfb0ad078d1fad1424339b1

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
72KB

MD5
85146afbc06763ece7ecd251c8558d3c

SHA1
73cf460ac5791b5239538f3b6496fd26f0ccecba

SHA256
18b9c0ff692922a260c91f495e5558d6132697c4d66915f326e386c509c9812d

SHA512
57adc049f8061affdf97926bd0fede412919375e29cf36d4ddd6003a1d9bedd88fb433933c7c896825046d3096e246ed51a74bff99d832bb078ea1db4271c8ae

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
72KB

MD5
71abb7bf8014e77fe88ad115bfaab8b1

SHA1
c2a45f82fa30744707336946fe7e88130d4dec30

SHA256
f509c4c9bb129ee59d37ae64a26784e79595398687d28ce866f29d9c8f547369

SHA512
5d1cf00a9e8ae4ef36b69e1d14687dcbcb9d3b1b4ddc11fda8c5e4813d68be57befce728c2d9659709b0190f35ef8dffa717a7a30211c2703de330763f5d3a53

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
72KB

MD5
61e87a281a948c170e1c065d1e650320

SHA1
6b9158c2fbefc763aa755b11d95f85227a54ef0a

SHA256
5e41878246d774a04d18540b118acfec486269c5de3cbfa4b79e9189ee4ce0d2

SHA512
8d11ee7e017dda21271591216fbb20928b83baf71c8c1b3b389f029b852e2220769c44fc040f4e562c917ca18be56e164e731715a3b79ad05e0da57cfd652918

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
72KB

MD5
9f247d2d6af3aeec40833fe21862c402

SHA1
05ac71d1aa8624a8f2141d35345e24ff5ebd51fa

SHA256
621839f6dd62034356ce5806a0853704df4bd2e9dd32f352583f4f2095df6459

SHA512
86707151aca995bca995c5e3212f54e6e5a7185f94973c4a139b00299f7aff2f6d4a96183c9595046629a18fbe448aad4002dd00b02f1594b7468355837124cf

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
72KB

MD5
cd0caa603158f3a584278f3860cb664e

SHA1
ff9a242cbad045a45595641119937697e280fc3a

SHA256
f8941b267618fcd2bdf81c8e12f225fe2b0b7eaba512afc0719a76203e71534f

SHA512
7e66645a7cd087a658df4824e1a402234628b60fb6fd451832284a65e1b9dacd494df874df9c560b8059a4d8c0b0c6a774835965570a183300fb7b6d89b637ec

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
72KB

MD5
4fcf1e1ae518ebbb1274f4952892fc2b

SHA1
136b1f549bb2a3b95e142493ce3589f520a8e2a0

SHA256
79b37704c2d58817abc506ece9d3e20b28014afe3cb245268c19dfc61de46943

SHA512
16f84133344506b3b908c746280f0177b2f8acbb4e8506bd93b89dc467670886b6427db80491d0011752377115c4cfc316b9569ae64b10b0cccedcec1c3e6a23

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
72KB

MD5
352938876d580a66e69d5f720f6eeced

SHA1
dfa3ae15ae1e7164e323292201ba45b2ca723a9f

SHA256
263ffcb7649f3f010de7abc5b760d60d7b40ae677d5cf10bd1b8f793ab56cfeb

SHA512
5ef2cff7ac07050fa0adc8852802daf7ee17cedf5c01ee1d529780e4d856d4df5f36f908a5271f8ffd7bbefccaf11ab22101b380e2696264dda7e2b47376196c

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
72KB

MD5
c9595ff5b6ca77ac520e45660ef48941

SHA1
90ba3e1e139dcbea44155fa11c87dddd4dce2b97

SHA256
ee55fe4e723d34ccec2f8ff89d577819109263943c805c3cdf4557300d93cfd8

SHA512
2deaf518dfb320b23a665b6262cf76067ce9bc6eb7cb93afc9621f1a9d706cc31a1ab520676250e30c98c45757e93965ef47c0ed0a7ec4d1d495c1af932eb82e

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
72KB

MD5
c867ccfa9f34f558b3f34ad5d0927629

SHA1
81e86364077646fb5551f51aa543aec8fb280e04

SHA256
239d9a77a27f5167f504ce26e36a6adea8da6e8e37acc038737d7aec8b9881ab

SHA512
5909a76499aafdc31197d06ae293c152fe21c7b341adb3450b7d6c6ea9487f193ba66812094b4f275f8f25a163c0d03f3915bc245f58b16f51b9c61a8eeaa8ab

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
72KB

MD5
bd73994abfa3cde15340011878ce8b90

SHA1
9be66eb4e878dcccbd3931ca016e3875210ba973

SHA256
9eb215b114ea47daffbb0bef9f4376ba72d8494aeb25afa9bd6845a5584408bc

SHA512
7aa2b6b73402bea9f9b15e53b8c048684f138e93c0a4c090b3f1d28e77e7a7703c60d9e49eb2a0c4135f59ca2ab9ea22b72a3fc759dde4e423e893c43feb8d6c

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
72KB

MD5
38fbe5c0f6eee2dc3c089056089c3e5f

SHA1
94b5ffc5b416c3902889a0ae1e090f5cbe30f056

SHA256
6cdab52e5f26c2de10986222d6095953d47483681c26921dcf751706c0a9ba5c

SHA512
645dda94cf3904776038654110eaeee4422950c6fda1b02349b93b1644a2d5a98d1e698a992d62a30ef2fe963425411a9e10c70a5ef3f6cafd2cab9c5648e5c9

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
72KB

MD5
354397cac8bd77f2003ca754c7d2e854

SHA1
3400f80fd6057f2aa62c63ed2bc382c1ee4a709d

SHA256
f2eed05184891e267214d2bf5cec15abdb528728f3950547178f64e5621ef072

SHA512
e0d12ee1d729ed59496098ad007396d65beee281125d6e4e8238379b4229b58248e0201166e03d21062c69e40f09101d9c88f5b3c6eaa12408d5a10e3a71b6b8

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
72KB

MD5
3cea54b31b37b307c755eb075e1aa38d

SHA1
228a194e58e790243f600122401ac24be76b5ba5

SHA256
2d30bee26a9b323fb3495f63ffdad30d91d4abd56efa4176f255ea5dff1aeeb4

SHA512
cc253769de99a8fb8f4317a54c1ab077541f888131767b80d6affb0e8db7830601260b81324387a6127da1e5a5a3490237bb85e566ef3975c1d04b49d0281575

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
72KB

MD5
15f4aa467537f6350a1d6d852cb0b4a1

SHA1
dc533cf30b49439c956b30fe57824006fa395bb7

SHA256
4e44611ae44361300956d4dae3c2b1d3e80c750517c458729da3e93eeb9710b9

SHA512
62bb445c604f6d9055365399bf63460d1051f17658f8daa2a1c3e08a8df8e3990c0923ab47536a667ecdc5a411500a52cb5b4c43b8fb2d528b724857c7b3e46f

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
72KB

MD5
9eed003470bd93641b0bc7947c06f2ac

SHA1
2a3b664523233565b57941c5a70e9b6c602ac455

SHA256
b5b6ee5d5ed9d31b669cd2171c65e1dbf2f98a7ca441a1171491da3a4e64acc4

SHA512
b583b44a4e8b920790e0cec09d4a5097fc93df7c0f749642d5db9022eb7e17e9d56212a5377a78ef0b7de6c4d03650cf234a71197a0971c5f2f6f191927bdffd

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
72KB

MD5
0a479a7abb7e9a690a7f1ac03412e88d

SHA1
4a6a3e4ad3e277061c721eb1e8ad1de0e1c9ef71

SHA256
637af9353a044ccf53a025ee39c8d7d39871bc5e9feeb1400a1fdc1d276aee89

SHA512
3106bed7f61dadb55f148a959cf22e088f2770916258fa8d043f6a8b6766f081e736669dfebd58210da78e085b3e603222fb7daaa46ab4a97e15d32fcc6cb7f9

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
72KB

MD5
aaa532f8cc92faf0f60c7461aa784e37

SHA1
d5099e79de2ffc286df5d3075bc1479018a5ddab

SHA256
47e8346aafdef6d06c6f529241ec9fd4ac0e6acebe72ec19beb14b20cdb26edb

SHA512
7a1c501b5d03ce496101aecd661c99a29853484e53d7049fef458731c1850aba9e028db6761a2090532e98f18abc24dbe880f2ac03918e063a2c0371da7f7148

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
72KB

MD5
8335d149bcf8f6a1a8f48b08e093fc57

SHA1
3dc64256ffb6bddb28df4488d4ab09e416f263fb

SHA256
b16ce80ea1cb01f41c93e2287e9453584afe15173ccd4a6885fa60761d41f4ca

SHA512
71ec052d9cbea16d386155dcd6fbd574d40cb7b11c0ac4671f10b7d78b7577bbab5b537050d7a598c08c57a8dceca0f1d817fd6814603ec18052b6f05965d193

Download Submit
memory/224-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/224-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/388-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/388-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/888-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/888-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/924-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/924-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/968-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1184-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1184-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1760-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1760-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3840-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4428-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads