berbew | 4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe
Size

55KB
MD5

471efb5e0c362081bdc9f1166641347c
SHA1

9db083d2c1345fb5232b355bd117e4e40c3671b2
SHA256

4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0
SHA512

15b3f2afd465719ed9a7704071f821887f861ebf7b8b7b7cbf15008fee6067a7891368984d6357730439363d6a70755007d5873bf3fc365d04262284c776840f
SSDEEP

1536:snoHfH6RlRNEJsmTE6kn8vJbFHgj6TMfoyWhN+L2LZ:snoHg42mTE6kn8vJbFHgjxf6aoZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1868	Jbjcolha.exe
516	Jehokgge.exe
3212	Jmpgldhg.exe
2804	Jfhlejnh.exe
712	Jmbdbd32.exe
3368	Jpppnp32.exe
1780	Kemhff32.exe
3524	Klgqcqkl.exe
4748	Kfmepi32.exe
5016	Klimip32.exe
1852	Kdqejn32.exe
2184	Kebbafoj.exe
3424	Kpgfooop.exe
2568	Kedoge32.exe
3900	Kdeoemeg.exe
3952	Kefkme32.exe
3564	Klqcioba.exe
3996	Lbjlfi32.exe
4904	Liddbc32.exe
4660	Ldjhpl32.exe
3484	Ligqhc32.exe
5020	Lpqiemge.exe
4796	Lenamdem.exe
2004	Lpcfkm32.exe
2368	Lgmngglp.exe
2896	Likjcbkc.exe
3792	Lljfpnjg.exe
4884	Ldanqkki.exe
3032	Lingibiq.exe
2788	Lllcen32.exe
4084	Mmlpoqpg.exe
684	Megdccmb.exe
1336	Mmnldp32.exe
1536	Mdhdajea.exe
4364	Mgfqmfde.exe
3096	Mcmabg32.exe
1120	Mmbfpp32.exe
4492	Mpablkhc.exe
2020	Mgkjhe32.exe
1956	Mnebeogl.exe
4496	Nepgjaeg.exe
4548	Npfkgjdn.exe
4800	Nnjlpo32.exe
1164	Ncfdie32.exe
636	Nloiakho.exe
2704	Ncianepl.exe
3576	Nlaegk32.exe
3888	Nggjdc32.exe
4448	Nfjjppmm.exe
4204	Ocnjidkf.exe
1968	Oncofm32.exe
3460	Ojjolnaq.exe
2168	Ocbddc32.exe
2472	Onhhamgg.exe
1688	Ocdqjceo.exe
1732	Ofcmfodb.exe
1100	Onjegled.exe
3488	Oddmdf32.exe
1468	Ogbipa32.exe
5068	Pmoahijl.exe
2956	Pgefeajb.exe
4524	Pmannhhj.exe
992	Pclgkb32.exe
4436	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jmbdbd32.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kemhff32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Oncofm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5356	5128	WerFault.exe	206

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1868	4460	4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe	83
PID 4460 wrote to memory of 1868	4460	4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe	83
PID 4460 wrote to memory of 1868	4460	4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe	83
PID 1868 wrote to memory of 516	1868	Jbjcolha.exe	84
PID 1868 wrote to memory of 516	1868	Jbjcolha.exe	84
PID 1868 wrote to memory of 516	1868	Jbjcolha.exe	84
PID 516 wrote to memory of 3212	516	Jehokgge.exe	85
PID 516 wrote to memory of 3212	516	Jehokgge.exe	85
PID 516 wrote to memory of 3212	516	Jehokgge.exe	85
PID 3212 wrote to memory of 2804	3212	Jmpgldhg.exe	86
PID 3212 wrote to memory of 2804	3212	Jmpgldhg.exe	86
PID 3212 wrote to memory of 2804	3212	Jmpgldhg.exe	86
PID 2804 wrote to memory of 712	2804	Jfhlejnh.exe	87
PID 2804 wrote to memory of 712	2804	Jfhlejnh.exe	87
PID 2804 wrote to memory of 712	2804	Jfhlejnh.exe	87
PID 712 wrote to memory of 3368	712	Jmbdbd32.exe	88
PID 712 wrote to memory of 3368	712	Jmbdbd32.exe	88
PID 712 wrote to memory of 3368	712	Jmbdbd32.exe	88
PID 3368 wrote to memory of 1780	3368	Jpppnp32.exe	89
PID 3368 wrote to memory of 1780	3368	Jpppnp32.exe	89
PID 3368 wrote to memory of 1780	3368	Jpppnp32.exe	89
PID 1780 wrote to memory of 3524	1780	Kemhff32.exe	90
PID 1780 wrote to memory of 3524	1780	Kemhff32.exe	90
PID 1780 wrote to memory of 3524	1780	Kemhff32.exe	90
PID 3524 wrote to memory of 4748	3524	Klgqcqkl.exe	91
PID 3524 wrote to memory of 4748	3524	Klgqcqkl.exe	91
PID 3524 wrote to memory of 4748	3524	Klgqcqkl.exe	91
PID 4748 wrote to memory of 5016	4748	Kfmepi32.exe	92
PID 4748 wrote to memory of 5016	4748	Kfmepi32.exe	92
PID 4748 wrote to memory of 5016	4748	Kfmepi32.exe	92
PID 5016 wrote to memory of 1852	5016	Klimip32.exe	93
PID 5016 wrote to memory of 1852	5016	Klimip32.exe	93
PID 5016 wrote to memory of 1852	5016	Klimip32.exe	93
PID 1852 wrote to memory of 2184	1852	Kdqejn32.exe	94
PID 1852 wrote to memory of 2184	1852	Kdqejn32.exe	94
PID 1852 wrote to memory of 2184	1852	Kdqejn32.exe	94
PID 2184 wrote to memory of 3424	2184	Kebbafoj.exe	95
PID 2184 wrote to memory of 3424	2184	Kebbafoj.exe	95
PID 2184 wrote to memory of 3424	2184	Kebbafoj.exe	95
PID 3424 wrote to memory of 2568	3424	Kpgfooop.exe	96
PID 3424 wrote to memory of 2568	3424	Kpgfooop.exe	96
PID 3424 wrote to memory of 2568	3424	Kpgfooop.exe	96
PID 2568 wrote to memory of 3900	2568	Kedoge32.exe	97
PID 2568 wrote to memory of 3900	2568	Kedoge32.exe	97
PID 2568 wrote to memory of 3900	2568	Kedoge32.exe	97
PID 3900 wrote to memory of 3952	3900	Kdeoemeg.exe	98
PID 3900 wrote to memory of 3952	3900	Kdeoemeg.exe	98
PID 3900 wrote to memory of 3952	3900	Kdeoemeg.exe	98
PID 3952 wrote to memory of 3564	3952	Kefkme32.exe	99
PID 3952 wrote to memory of 3564	3952	Kefkme32.exe	99
PID 3952 wrote to memory of 3564	3952	Kefkme32.exe	99
PID 3564 wrote to memory of 3996	3564	Klqcioba.exe	100
PID 3564 wrote to memory of 3996	3564	Klqcioba.exe	100
PID 3564 wrote to memory of 3996	3564	Klqcioba.exe	100
PID 3996 wrote to memory of 4904	3996	Lbjlfi32.exe	101
PID 3996 wrote to memory of 4904	3996	Lbjlfi32.exe	101
PID 3996 wrote to memory of 4904	3996	Lbjlfi32.exe	101
PID 4904 wrote to memory of 4660	4904	Liddbc32.exe	102
PID 4904 wrote to memory of 4660	4904	Liddbc32.exe	102
PID 4904 wrote to memory of 4660	4904	Liddbc32.exe	102
PID 4660 wrote to memory of 3484	4660	Ldjhpl32.exe	103
PID 4660 wrote to memory of 3484	4660	Ldjhpl32.exe	103
PID 4660 wrote to memory of 3484	4660	Ldjhpl32.exe	103
PID 3484 wrote to memory of 5020	3484	Ligqhc32.exe	104

C:\Users\Admin\AppData\Local\Temp\4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe
"C:\Users\Admin\AppData\Local\Temp\4184de6453c585ee3d0fc7fc92446945319b99c44c9caf6b3f783e335898c5c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\Jbjcolha.exe
  C:\Windows\system32\Jbjcolha.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\Jehokgge.exe
    C:\Windows\system32\Jehokgge.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\Jmpgldhg.exe
      C:\Windows\system32\Jmpgldhg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        25⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        26⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        31⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        37⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        40⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        42⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        70⤵
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        77⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        83⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        86⤵
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        89⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4568
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        97⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        101⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        106⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        110⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 396
        120⤵
        Program crash
        
        PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5128 -ip 5128
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
55KB

MD5
69e83425d5c1b4eacd771b730e1e0b5f

SHA1
31931f4e83e6afc2e7ff275defc13d91826d3f8a

SHA256
e6c54b97fc596d6ae90ca18a1882d3d3b0aac9cd56c4175b835fabd275ff1dde

SHA512
6d6c026a618203daeabb41852ede5556c7910148ac6c18456c638a0a642c9e18f5ec913308b46d6f9e26287092bde97fc66428fd7fab4a1d894942b2c4b484c7

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
55KB

MD5
20321400f473b98474214a1280ed8dc7

SHA1
872ca4132ed94f319b82ab0685e62f77f48673b7

SHA256
1cfea2793d79d044dce32337d702ec8df9fb819e72d8fd6d855d1c3004c08f37

SHA512
4673ac1052f5a5ee76edb1ae4f71a638727521edf5c2be995d97c372ee9c821e71e077013e699af8358f68df24b3ad5c777bb2d9e5ddceb2691a8dd04c5f2a0b

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
55KB

MD5
fd163691fcd02f90d8cc64fa406c6593

SHA1
2ca542b72cc31624207a4dad3b679f91db95871f

SHA256
f0e73205783357f3548fbad5c1b5b1e1580b3bf6af7bbc7e8fe423685d25ead7

SHA512
e90e8800a4f38900d977f7cb8eee0d4c9a2fd7d59d63573f9dacfb418733c44edc4c86c895d663c0205675fd9e7a2f81e88841c34631fa821f6079dfa7ad4a95

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
55KB

MD5
069a76c4c1a62395e6433d78b7644b2b

SHA1
c72d28cd1837607b896b609cda1b52466282ce3b

SHA256
09cd8a865b92047d2b5e8191c494907e1f97acd551f05c13f2dcf77dc0fa14ea

SHA512
99502024ada372b83c133b90d48708f58edb41cb22d9ef0ee007e8ccbd692a3299ad7d04cf28737048681967126e3508ec1d9c149f7321f468a7e212f745a147

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
55KB

MD5
295a101bc973afcb5520bb20e90643a3

SHA1
cd2fcbcaa27a27504230304fcd369d4ba2cef253

SHA256
6162c782da3f3eaef980b7803b08226c6f771b8de7637bb8e57405f7685aff74

SHA512
144077010df5191a1eeb86c3958746a8c74429f1d288db4a7f3625baef59dcc03ff51d0d64f80dac1c18f518bef255df1c66b10683b12a77166f3e952b3ee8c0

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
7b75a3fefd2b7c516737e7a56cb0ad6e

SHA1
6cfb5daefdd790f6752aa9e449762905d6e08a48

SHA256
d64e76ecc1599b0640bb2bb01b085e67f9ed7cd665535f3724e6b399551c6d9e

SHA512
9342eefd3d9f8b650451e0c827e88d63c0379e7d51c6e140594c31de3fe928f3526022e2e314c08452a29cddf1d577dd2a97435567dd875d10f2bff7ac18e0ad

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
55KB

MD5
12f57772b604eb24257eeabba05f5f29

SHA1
a624106596614a6d5728d62de38d91230c13e6ac

SHA256
fa9ed444e1a13ed72fe49af7cfd5278cf1ce396681fe222e88deefbb4b9bb61b

SHA512
d069ef7491d8c8d11cb0b579edae1d19ac22e2080ddea00e5d5c75148ef041e5b4c208866b7255b5425b57c5509ffb0ae19397101261c60d0d60cbde40feaac4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
47a237616f77fae700075c0a4eff6557

SHA1
359d03fe339c5f114351d49488a063f24e5a20ab

SHA256
1a4051eaf59c1a111f3dbf9fe845678528e6f533fb5303fbe191c04f56db5ce1

SHA512
41652e406239e875148b54c1806aee057c7c26ac193278c4baec946e33181405804edda09d82efffca5692f550a41c1b452bc4287cb297dbe5dbc8749bdbfe41

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
55KB

MD5
408f8313092062e799f9270fb6231980

SHA1
60327afc17e97993912139483739490a9c8799b0

SHA256
6493108fa0cd2af53709aa3aae53ffba33aaaab11b1befe91d78a23b4e635765

SHA512
ef0a5ffdeb1b86c49af4535c0fa2df9ef6bb0ec71b94f6a1773b86acc2fda27852a939ea9e33add2b185417f63686a54b56ba4e377e9a30da57143982d9f45d5

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
55KB

MD5
dc70e71b87be3f31a93ea562afb50c71

SHA1
4d01579b92df4dcc95b636f3ffa421e681414331

SHA256
c0fa04053095465835c37d767b10b21cb0c3288c2b4f28705ab63e19e222a226

SHA512
9d92879072c5f247db1d669a852cfd6f92bc4cf34fbb5ec033a6fc0d6a9664d1ee815340d3b9bde98ba13380701ae0646f3fca109c84a5d5109cca34542da1cd

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
55KB

MD5
aced08a0d66cda7ff351f6b5185bf6a9

SHA1
86ea3b87cad35a2ce8fdca198359acd24b399672

SHA256
75388fab4c307bd662674da3ed4f5cf76a1aa5233d6c247288308ab351dcb708

SHA512
ccd18a8712302757b30d8d2e70e4c413f9b6e16e5378fd918f0f53ce589ecd9c35439cab93dfd0375f8180e9babc3a883debf9a3e7257bbb645bc99ac699f599

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
55KB

MD5
c815882ad97fd2af17d7e5a875e87160

SHA1
633d53c38a88438b3ab798b0fa8d7c307bbfd250

SHA256
906e18ed521df9b9d8cb0e0393d7984eea888cc1f4bb52d5cd6fdcbb0937816f

SHA512
c86a0e0a9d4bb6df14b1361c55077e4c732b57b2e3bd0eb1848b9f69e48af93a473ce08a7797a2461bfe1950228b2ed5f3de4bd7d6b0b26642e5dde9b0ee785c

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
55KB

MD5
bb8abe9878dec8d76e33e31bfd3202de

SHA1
cd4e08cb7a70344238f36fdfeaa90ccb83f8b6f2

SHA256
c0850996519836669dd9f14a794d62c0d7ca10b99e8eaa4641bb3d99e8bceac3

SHA512
431a674f8b3c10158f66c130ff9e469adfa68777247d9926f81794ac234427002a11996e11b110b712139889ae627894b4c39b744f8f8d4cb4d5f9d315eb405e

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
55KB

MD5
f5b21a9c61e94d076eb0fef36edbb060

SHA1
51c033133754011825d3e208cbbfcb170a7537d8

SHA256
37938e04d8e49b1229d7768a9ddc8bd1b38bef13efa50ef8d13b1aade8991d88

SHA512
ea70e688d717adea88c09e07ebf241b3a7c458f3bdade4f562647ce5687a9dce748c484a806f3b1928b24cfc7f0de574a392a6d87912233c77a69e09cb0bd243

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
55KB

MD5
0ec3bbe491fcaac4197e51a94bf3d894

SHA1
483c3ae6858158f98c1d60c8ba5f4e0274ff7a70

SHA256
371b8419c3361299e4dc0caca68d8064c00c1c93fa14f05dfb7f0763acdca984

SHA512
d442666d8f91bb8f01324fbceb341552d451d2e79ccd026919263eba420c51273b20f01191baa5c31fc1bf3e7ec1442f6addd7d4f20bf3a7dea07d636e5ac003

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
55KB

MD5
9a90eae27a7f2c41bef774eff213fe21

SHA1
6ed9b937f748d643fa0e5cf229335fac5e049cca

SHA256
7eaff16ea0fe9d0977db7b0e31f0db3668443b3e47e1400aa436c32e2dbd64e1

SHA512
6a7f9f97942c1472dcd6a6f162f8db8a1d115825602f3f8ea31b3452d435882d2362e41026edf6594cdda355a6fbeab2df8aa89a4364e51cc52522ddbedf1fed

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
55KB

MD5
482130047f9a4bf33ea1e22e021e5f4a

SHA1
92ffc3a05bbd4d799dd51cfac72d916ca0a70fbe

SHA256
5ed40a096d1a1824199460324240d9e29f9cd13fdebe632832d4f312d0c441e5

SHA512
01dc457fadc8fb07dd2e8a40283229504f436a2f804f0e78ff48ba5d417902b1f7e3cf807e82339ec01953ee90773aab26442ed80f3975e1b4910debed466712

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
55KB

MD5
bf6a2969eac1bd14fe22234bc51982bc

SHA1
3216b029217897fce9fb73755065754eab2ddadb

SHA256
2a1e8ace570ced111b7c1cb48ff30f5d85975545c806fc9fc58ec1d7118b277a

SHA512
0adc3d47773a53a87178ac2622b0f63139d3aed331ff758d9db0f5945f01c3f982bd020acddf65afb87effdc1f9fa4e7780d6f059c194c4076c1f329056533e0

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
55KB

MD5
1ada9ae5fcffa36d8bbc4b17545bd890

SHA1
7a2ec8b3e513496bcfef3a44f5dd4f3da403ec23

SHA256
7332f59bff0212e3e6e96204a4bb004b6fb9a6f11268c3b1b1e58103863c36b5

SHA512
e593c194ebe5e01272536a601b90a295890663601b71187d11fa1d142dfc6913ad8b1381e14002cb20640c7186a55c288286566eea69786b7fb15f9f387c3eec

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
55KB

MD5
2a5cdd4167aca7abcf9551467dbadff3

SHA1
9f1c21a61672eef3d146f90990cb7e7351e80858

SHA256
4079b584950527a8fc967398aa2c010cc391c6f89cc59fa92112dcd28cd80934

SHA512
287aeba270b60561db9696a90231f4ec8984a8fc869ce04a5957e3b56e23c7f3bffa6022008a7c6f0a4aeb9b30ca35f901dd0e83134929dc31d2d6b8588c78e6

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
55KB

MD5
ecb318c87b2890faca1539284019fc4b

SHA1
a58727e80b146801d14d44364ee96585d9810676

SHA256
795b0a21f830f1c3afcf29dfb22136cc7268405b2e0f2806c7a2f71917ad6772

SHA512
dc282073e0dc86192fe51a0138267eda710741e68db8cbeb02ebcb03b7c285f40e633a445292a5e6d2dcaeef5f67c1c2ee45cfe0461e6d1abf9700d29177f4e5

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
55KB

MD5
74bbd1c9eb7f2df810b156f2b5870eea

SHA1
a34143051fda7f06eeffe75132d216e9d8f6be67

SHA256
5d469a22127c994693b5589f861d910164bb84ed3c164bd1ecd0cf8065e35512

SHA512
bd42530e0a1fae2ae87bacfef0f65155c6c771bc22d71a9c765a01c9f89289cbca121793195d9bcbb9a7389c5ff0a0ecb1c237aad6d19245d60ba412d3d364c5

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
55KB

MD5
b64e3aa8272a826877db6e0f30ca4549

SHA1
ded472f8e183fa9d350080ee36b73b20c1298660

SHA256
2d9273dd79d7bd476b6fed6ada0596bf67f81b7707cc7e56b32bc45c09234cbf

SHA512
5d1289e9f67360560e9d5b736bd901d9c3bc50e5dca1d0b11f5adb7a33a9e8703053ebdde8f59f4b09221f071f1103cc4e8fe65537d53b775e167c9e94fb43a8

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
55KB

MD5
7507de61f4274776ff7877398e87b0da

SHA1
ec8d8b4f4562d2b42a72deb998c542eb46f3cc0e

SHA256
87d8390d9fc91fef5888dfa0b79bd0bdff1d627c6cda647a3d553dd32a744d81

SHA512
d4fde92f5e1f619de26df82735a03be63ab1d887ed3afab5f11af42db2449822df105291f615db2c86da3010cbc2f4a6f41b751abe5b60a30cea6b15c54d5a39

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
55KB

MD5
2538e688d1d5b811e4791476b8bfa833

SHA1
f95d181913509eb7bed21d0861b92691ff459547

SHA256
2ea7da179219c76709e8748ec7863b8d4906b4c7a279318c691c2071c09b1ce5

SHA512
765592a376ebca2f23ba31a00c7047029c9945c1d5967b4798bd1c7e5b67bda36be225543e19e27d85a1c1233603841be638933a010333bbe02d18f73864fd28

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
55KB

MD5
ce8876cc5a4519d9e9de1514fb73807f

SHA1
0635325489e8f37b51a5a5deab543cbabea508d0

SHA256
108b4f06f01b83be7c9a0e53fa837ad6fe09cb2373d4d55ab1c72e0f8dd1d020

SHA512
c77db6cc00d395b8febd0edc85f725e21cc288e52a54324db9831b7af84b6a03b81eb5a3f182eaea035b272252881e7b083475fa87ee17068cc0202a60ef4cd5

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
55KB

MD5
4955697fdf9c4bd8a02f0bfd72d54a78

SHA1
f26aaa3e096585594b89de625df78fba9458780b

SHA256
027ae314eb9b33abec50772c76d6e8d9ebfd6153c6c352a3febe5ce02dcdfd37

SHA512
22c1b0de0c4132f0547347e3b3ce7677a68fe91fb0dfaa98e8b14b7a6e82a6f2564f26bc804fe1e300ed856e371ec9185ea8bc46885fb6b7a9036d833f1e3e3a

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
55KB

MD5
60db96586e2bbf81aec6ca14fdca030e

SHA1
0de0a25a996f2605eded4a736aed2cd47a1731ef

SHA256
b6b70b758b4e15639bb845f4ca8bd82a3834afc787dd0b4537d7d13955e8c9cc

SHA512
62aa58d73ac0771e51dc55c5dcda135f66c6c95fc9168a9141008295d5c06266836911e856df7ea8ef1ca164190d9fcf2d155a88dbabae9a09c8c8759fdcba70

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
55KB

MD5
80dea31e73f763885d81bb61a9c3dd11

SHA1
13b34c6ad24ddc9ff5745ded98e9d63264e7ef5e

SHA256
61c8694e03f55e178cc925d9c2cda9d74f58f90cefb93134812a50598fc1a1f0

SHA512
5435fa20e4ad05729b0819b2ecd0fd1a181cf574ee0370ed3b38dcfd06d4ccdde5288fc8f7d452ee822c258c613b036f36dce46a9e90d883996c596564eb96f3

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
55KB

MD5
38cb238a6b49a65e44bc6ed4202f5ea1

SHA1
fdf9c4a1a24bbbae37c7c26883b6d9d866fd082a

SHA256
307d5b918637f09feed316c273a8c3a8694c33f08c68a811c9dd7d4124b35db7

SHA512
f5fd300339c1b4d5eb93f7cb49f1d89bb07c0ecb980cab62502c3ac3341684b6e7883b586b43b13aa14a329040e2369e1b877be3f4bd12377731b385ecd5c7ce

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
55KB

MD5
b4e3460acfaccbc184e48bcea5b1cd26

SHA1
1ae17031028e92e55ea5047bcacbd38af5054c2c

SHA256
f264de9130f69fededa051cf087834d22068d2a3a59014e75eaed018e99cb0ee

SHA512
3e22a42ef0fb3f814af10c67d2d5d2281a3cb1275ade43655ca07c2cbf740cafcb4ef26f4c2223a76464d8dface8df4effae2c648b75f000035f2b93afc6107e

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
55KB

MD5
c94d9f3dc30f81ee78dda634b9df12e9

SHA1
2fe3ac30999f0454a2c6f27ec67a5ff164a2f3e6

SHA256
90c70871e883f38d0868e2aea1ae6d5a642c4265361a2ca22c333c3ff97d1184

SHA512
1e9f5c6ecdba6dbd8c465f57c65c75da0cf72ad559cc034091d20d43162e39fa83a08171dd84f566b5b58e5d5ff0953885d7cca2a5409de75bd687f426a08311

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
55KB

MD5
d1e33242aa39a0171765ceedbbe97c3a

SHA1
e81bf6637763fd800ecc07d35dd731364c1d1025

SHA256
ec21c76aebbbbc0288e56424586594b92ad89b92b6b17e172245b50a11da979f

SHA512
2f5770c098e25f05137f51ff3b60fc2be776739aaa7c8d98ad053337322bb3d834456d6c6d199a4e2b1f8e97dd4c11d460c546d9130d3f5a516025db32ba1807

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
55KB

MD5
067f0e2bca3528850004a62326fe7752

SHA1
a4ce25ac67e7752e0444e42791535019b1550b5c

SHA256
7205a1b475099671d530cb36287cefe43e18a45348d0f42838760c7aa37f23e1

SHA512
60ad323c955f7f093d06cf14fdb0d15506780881a5b3d75c4e781c6246cb0edd7ced1077984f4d2d6bc822c6804aaec59314b1d7950cf5f1ae6d8a74bfba4821

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
55KB

MD5
b2080a380b71cbc4b8b13b47737433ce

SHA1
1795eb0535198cb0f6a229c4e2b42a39932a6153

SHA256
e4cc908225b8dd09ff5b9ae64f2c9fd98d50055192c862918132869a7c8dc891

SHA512
2fefa42596f67719153f95cd77531a4ff1a023cad105d785b977caf184ee47c3b658412fe1fe2ad7f7021db39cd90af5820c169cbfa6c49bef6513764884721c

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
55KB

MD5
31a4715fb4516cc788795d6b7a1228b5

SHA1
efddcb8d3aa68ef3741596a927a1b3ceab54325b

SHA256
f7bfa0b139027d2b532e26ce532e48c6ce584c0e6b22e730846d6d8ece3dbf04

SHA512
1ad8624beffd1c3cdbd0ea518636da9477aa0537f681ffb63d144e7662447c4e09dc700a15333c2f2732988c9c2a8cee11ee13d777383ea872d2aa3f5fc85ce5

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
55KB

MD5
69d1148c7ec56ba33d840d186ec5f886

SHA1
1ff72ca5f8694a9d1431bb40f639ad2a8c4cba28

SHA256
c14859a031e8614c2cdd0609e821b6553950c93acb0d32a56861d3bc82db8628

SHA512
fedc914777e58900fc8ef38df9e2757d0342162300a1b4a79121055262791618f48272505bb1963b3af2c0d3ad3a2e2a822a70dcfc9fc67927db47db641f0c65

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
55KB

MD5
82adfd056b4c626ea9a12a8a02d22f15

SHA1
1ed395a8ba6b28becb2845607198a702231f7334

SHA256
045a2d2fc646516f4276e3d616c9375c6d716844e713cd72f765bfdbb131b11c

SHA512
ad48e85a62d9269147243b548a9f69ec545dc0633f6471750f3af6e9e14fad5c51f68d730392e9af9ad241b464d19e9921f26f27e4903b57f6e30c4cc5aad83c

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
55KB

MD5
899465811143d61e429f8ad39d0147f5

SHA1
0bfb03f563efa8b6c0aa80994a25bdf5283d99cc

SHA256
623be81fc41eff49c8ca49b83677fb3f8a454d0aabd6ee315281e846a77ea9c6

SHA512
b646ad9268754155d35a6b4040f898b5f8f3e1457856188d5fb16c6cb77a0052d0070f23fff90111ce593631cadece02b40424afafb01aab702b6cfaa05851d2

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
55KB

MD5
799977b9726d2c102944e76caebc48e0

SHA1
fa8ab2850bda054450c0de84bbe5d22753df887a

SHA256
9027983442e1faf855044c708ab1a686aa98e5500f7278caea4e2f9998be5af7

SHA512
de194e249541a8a7f53bbb7d1436a9b97ed05ef84ec83729d6fd597e76330cc267d29bddb80a8e9dbc67a6929d841cca3299a98278a156f73b658ee3498dc5aa

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
55KB

MD5
69157ec793794e519708df21fbe44692

SHA1
5089190588b73ea3828ae0e19aaef761fb0731e3

SHA256
9d5941c7c34de46b0c1ecbc558923d6b8877cf03e9e82be369a0ccee5735dc13

SHA512
1489e340b1aae0f226066a04935916d4b95d5d2487c484718b35556deb31ac7e6bacf3443c963ffa1cb9905211a891932c37f8f4342a66ff9694ae9c5139ae0c

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
55KB

MD5
8ab434021caeae62027e0e1770ae93a0

SHA1
6d500cf0a635c85ea23feca50fd6b3151385ab1f

SHA256
b0e5559678f96afd549710798122a313e92dedf802ea7e2d2e258bf60a715fe5

SHA512
9e33ff43d1f933dbb364089620083ebedc105f5c812c2237b26264b92d136adf8902202a0a3ff0d5be6a539697d96d052290008a507b4c0b1f2f88674cf1bcb8

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
55KB

MD5
f4d3d382342156d196d4bfc500875d15

SHA1
925dc08d32dfc6c77f1ec896f3a56312240432f6

SHA256
6f8b34ba1cd9d2d2f2a5be25476edfa79a9b8d72e008d7e2682597d1a1e1acd8

SHA512
23aabbe9c92f1b430ed5ba662527c1b0708c721f3cb335569551fbf2ee521d30e0e0f37511ccfc6ed5bc6e79a100770a05f497dbc0dae3e3e563e2b3f9f3be97

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
55KB

MD5
d4193b809b511967d47d0ceae68f9d7e

SHA1
eb53238b1ddf2b9bf28131fa564a261590134e19

SHA256
17c6392b137d86f6483fca75eef207c3e9a8cf69b07556ffc9948d961c6547c3

SHA512
32fb4e5254b3d841400a809a88368504cce4014098953ddca26f6f6c03542d7d7391ea2282fe3d7ab8fce2376b5a8f5832447df0f9ff7bace5cbd92878adc43f

Download Submit
memory/516-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4460-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-857-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5684-834-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads