berbew | 564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe
Size

245KB
MD5

7087ec06afb561ac0cdfd6d6d9c94d70
SHA1

779c19afa5a07f46c942e5d21bc114fa4fb701cf
SHA256

564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1
SHA512

6327302f1faebaf9da32bd01ca0a22a753d24f792541179c5b49f83d0b4e6b909dcaafe77c7af146801e959b4de11958297e49ae1af370b0a13ec2fc3b19f5e5
SSDEEP

3072:+pooB1c7AlmzWvp4T58uwago+bAr+Qka:+vLlGT58uhgo0ArV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anedfffb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncoihfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbnlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhdghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnbebk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhfbacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bncqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpebch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfkec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npoeif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlhbdgia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agpedkjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdqncffd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijckhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfcogecg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capiemme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfqmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckepbgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmcqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mikjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcfph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldlehg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflpoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjbcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Canlon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekekp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncakqaqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkpbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlngje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgjbllq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloidfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijckhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpgoig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkjlpkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkjlpkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknlbmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nghmfqmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpcenhpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpebch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpdklo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npabof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgllil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfqhcei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcambi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2852	Lefkpq32.exe
4684	Lmmcqn32.exe
1268	Lplpmi32.exe
3364	Ldgkmhno.exe
2984	Lbjlid32.exe
4592	Leihep32.exe
2148	Lmppfm32.exe
3088	Lpnlbi32.exe
4216	Lbmhod32.exe
984	Lekekp32.exe
4744	Lifqkn32.exe
4896	Llemgj32.exe
1276	Ldlehg32.exe
1284	Memapppg.exe
876	Mmdiamqj.exe
3312	Mlgjmi32.exe
224	Mpcenhpn.exe
3896	Mcabjcoa.exe
4968	Mgmnjb32.exe
2136	Mikjfn32.exe
3624	Mmgfgl32.exe
2504	Mpebch32.exe
1504	Mdqncffd.exe
4176	Mgokpbeh.exe
4996	Mebkko32.exe
1840	Minglmdk.exe
3960	Mmicll32.exe
4736	Mpgoig32.exe
2024	Mdckifda.exe
4268	Mcfkec32.exe
2632	Medgan32.exe
5072	Mipcambi.exe
2740	Mmkpbl32.exe
1232	Mpjlngje.exe
4756	Mdehof32.exe
2576	Mgddka32.exe
2908	Megdfnhm.exe
1812	Mibpgm32.exe
3224	Mlqlch32.exe
4848	Mplhdghc.exe
3928	Nckepbgf.exe
4332	Ngfqqa32.exe
1720	Nidmml32.exe
1032	Nnpimkfl.exe
1036	Npoeif32.exe
4748	Ncmaeb32.exe
4504	Nghmfqmm.exe
1664	Njgjbllq.exe
3128	Nnbebk32.exe
2604	Npabof32.exe
4408	Ndlnoelf.exe
3236	Ngkjlpkj.exe
2384	Njifhljn.exe
1868	Nlhbdgia.exe
228	Ndoked32.exe
712	Ncakqaqo.exe
1684	Nfpgmmpb.exe
3916	Ngpcgp32.exe
3704	Nfbdblnp.exe
1524	Nlllof32.exe
3016	Odcdpd32.exe
3424	Ogbploeb.exe
2432	Oloidfcj.exe
5088	Ogdmaocp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ggkpkgck.dll	Lekekp32.exe
File created	C:\Windows\SysWOW64\Ghnelogk.dll	Mlgjmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkec32.exe	Mdckifda.exe
File opened for modification	C:\Windows\SysWOW64\Nidmml32.exe	Ngfqqa32.exe
File opened for modification	C:\Windows\SysWOW64\Oncoihfg.exe	Ofijckhg.exe
File created	C:\Windows\SysWOW64\Canlon32.exe	Cmbpoofo.exe
File opened for modification	C:\Windows\SysWOW64\Megdfnhm.exe	Mgddka32.exe
File opened for modification	C:\Windows\SysWOW64\Njgjbllq.exe	Nghmfqmm.exe
File created	C:\Windows\SysWOW64\Kaocpk32.dll	Njifhljn.exe
File opened for modification	C:\Windows\SysWOW64\Lifqkn32.exe	Lekekp32.exe
File opened for modification	C:\Windows\SysWOW64\Mmgfgl32.exe	Mikjfn32.exe
File created	C:\Windows\SysWOW64\Igikac32.dll	Medgan32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlngje.exe	Mmkpbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcbn32.exe	Oncoihfg.exe
File created	C:\Windows\SysWOW64\Kbheqgmg.dll	Qgllil32.exe
File created	C:\Windows\SysWOW64\Baicdncn.exe	Bfcogecg.exe
File created	C:\Windows\SysWOW64\Cmbpoofo.exe	Cegljmid.exe
File created	C:\Windows\SysWOW64\Dhfqmf32.exe	Dkbpda32.exe
File created	C:\Windows\SysWOW64\Olhbhlpi.dll	Mpgoig32.exe
File opened for modification	C:\Windows\SysWOW64\Chlngg32.exe	Cenakl32.exe
File created	C:\Windows\SysWOW64\Cmodnlac.dll	Lpnlbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdckifda.exe	Mpgoig32.exe
File created	C:\Windows\SysWOW64\Ndoked32.exe	Nlhbdgia.exe
File created	C:\Windows\SysWOW64\Oloidfcj.exe	Ogbploeb.exe
File created	C:\Windows\SysWOW64\Nolegb32.dll	Lefkpq32.exe
File created	C:\Windows\SysWOW64\Ldgkmhno.exe	Lplpmi32.exe
File created	C:\Windows\SysWOW64\Medgan32.exe	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Pjnjhf32.dll	Nnbebk32.exe
File created	C:\Windows\SysWOW64\Odcdpd32.exe	Nlllof32.exe
File created	C:\Windows\SysWOW64\Ogdmaocp.exe	Oloidfcj.exe
File created	C:\Windows\SysWOW64\Qqoggb32.exe	Pggbnlbj.exe
File created	C:\Windows\SysWOW64\Cbndlo32.dll	Lmppfm32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhod32.exe	Lpnlbi32.exe
File created	C:\Windows\SysWOW64\Kfhplg32.dll	Ldlehg32.exe
File created	C:\Windows\SysWOW64\Mmgfgl32.exe	Mikjfn32.exe
File created	C:\Windows\SysWOW64\Ofjidh32.dll	Mmicll32.exe
File created	C:\Windows\SysWOW64\Mcfkec32.exe	Mdckifda.exe
File opened for modification	C:\Windows\SysWOW64\Nfbdblnp.exe	Ngpcgp32.exe
File opened for modification	C:\Windows\SysWOW64\Opmakd32.exe	Onneoi32.exe
File created	C:\Windows\SysWOW64\Lgljnc32.dll	Pddmga32.exe
File created	C:\Windows\SysWOW64\Lhekcplc.dll	Bnhjbcfl.exe
File created	C:\Windows\SysWOW64\Cpjkogep.dll	Cjhmnc32.exe
File created	C:\Windows\SysWOW64\Mebkko32.exe	Mgokpbeh.exe
File created	C:\Windows\SysWOW64\Mgddka32.exe	Mdehof32.exe
File created	C:\Windows\SysWOW64\Mibpgm32.exe	Megdfnhm.exe
File created	C:\Windows\SysWOW64\Lhhdfpaa.dll	Nghmfqmm.exe
File created	C:\Windows\SysWOW64\Daphad32.dll	Qflpoi32.exe
File created	C:\Windows\SysWOW64\Aaejql32.dll	Afcfph32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehof32.exe	Mpjlngje.exe
File created	C:\Windows\SysWOW64\Djkqof32.dll	Megdfnhm.exe
File created	C:\Windows\SysWOW64\Dpqabb32.dll	Nnpimkfl.exe
File opened for modification	C:\Windows\SysWOW64\Doicia32.exe	Chlngg32.exe
File created	C:\Windows\SysWOW64\Lbmhod32.exe	Lpnlbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlqlch32.exe	Mibpgm32.exe
File created	C:\Windows\SysWOW64\Ogbploeb.exe	Odcdpd32.exe
File created	C:\Windows\SysWOW64\Ppccfl32.dll	Ofijckhg.exe
File created	C:\Windows\SysWOW64\Capiemme.exe	Cmdmdo32.exe
File opened for modification	C:\Windows\SysWOW64\Lefkpq32.exe	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe
File created	C:\Windows\SysWOW64\Hcmgof32.dll	Lplpmi32.exe
File created	C:\Windows\SysWOW64\Mjmilige.dll	Ngfqqa32.exe
File created	C:\Windows\SysWOW64\Npabof32.exe	Nnbebk32.exe
File created	C:\Windows\SysWOW64\Oifpeb32.dll	Deehkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmcqn32.exe	Lefkpq32.exe
File opened for modification	C:\Windows\SysWOW64\Mcabjcoa.exe	Mpcenhpn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5196	2452	WerFault.exe	195

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndoked32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhagbfnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmicll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfqmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkpbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgllil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnphnke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjbcfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfqhcei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doicia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odcdpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplpmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfqqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnbebk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njifhljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpgmmpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifqkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabjcoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcambi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcenhpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlllof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenakl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkpq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmgfgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlngje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldlehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npabof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhmnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npoeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bncqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canlon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgkmhno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckepbgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfcmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anedfffb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpdklo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegljmid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhbdgia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djpcnbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memapppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmdiamqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhdghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnpimkfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflpoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfcogecg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcioha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbdblnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeiojnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikjfn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmgfgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmicll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npoeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnphnke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aebihpkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmfjh32.dll"	Mmdiamqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckepbgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keqnmjbl.dll"	Nckepbgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmodcn32.dll"	Ngkjlpkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicdncn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfqmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lifqkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpebch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npabof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oloidfcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgmnjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggocqjho.dll"	Mdqncffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndoked32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igikac32.dll"	Medgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdjfioh.dll"	Oloidfcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpcioha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifpeb32.dll"	Deehkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Minglmdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkpbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmaeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgjbllq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmegcdno.dll"	Nlllof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbpoofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capiemme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjbcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolegb32.dll"	Lefkpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmgof32.dll"	Lplpmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdqncffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgjbllq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnjnjdho.dll"	Opmakd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddkqjen.dll"	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acicol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekekp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnneah32.dll"	Mcfkec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhdghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnamhjg.dll"	Pfeiojnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhdghc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoblolle.dll"	Pmmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmdiamqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckifda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megdfnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejbmi32.dll"	Ncmaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpcioha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojadae32.dll"	Cenakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaocpk32.dll"	Njifhljn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphad32.dll"	Qflpoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnknfhg.dll"	Dkbpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Memapppg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlngje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiefj32.dll"	Dhfqmf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 2852	416	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe	81
PID 416 wrote to memory of 2852	416	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe	81
PID 416 wrote to memory of 2852	416	564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe	81
PID 2852 wrote to memory of 4684	2852	Lefkpq32.exe	82
PID 2852 wrote to memory of 4684	2852	Lefkpq32.exe	82
PID 2852 wrote to memory of 4684	2852	Lefkpq32.exe	82
PID 4684 wrote to memory of 1268	4684	Lmmcqn32.exe	83
PID 4684 wrote to memory of 1268	4684	Lmmcqn32.exe	83
PID 4684 wrote to memory of 1268	4684	Lmmcqn32.exe	83
PID 1268 wrote to memory of 3364	1268	Lplpmi32.exe	84
PID 1268 wrote to memory of 3364	1268	Lplpmi32.exe	84
PID 1268 wrote to memory of 3364	1268	Lplpmi32.exe	84
PID 3364 wrote to memory of 2984	3364	Ldgkmhno.exe	85
PID 3364 wrote to memory of 2984	3364	Ldgkmhno.exe	85
PID 3364 wrote to memory of 2984	3364	Ldgkmhno.exe	85
PID 2984 wrote to memory of 4592	2984	Lbjlid32.exe	86
PID 2984 wrote to memory of 4592	2984	Lbjlid32.exe	86
PID 2984 wrote to memory of 4592	2984	Lbjlid32.exe	86
PID 4592 wrote to memory of 2148	4592	Leihep32.exe	87
PID 4592 wrote to memory of 2148	4592	Leihep32.exe	87
PID 4592 wrote to memory of 2148	4592	Leihep32.exe	87
PID 2148 wrote to memory of 3088	2148	Lmppfm32.exe	88
PID 2148 wrote to memory of 3088	2148	Lmppfm32.exe	88
PID 2148 wrote to memory of 3088	2148	Lmppfm32.exe	88
PID 3088 wrote to memory of 4216	3088	Lpnlbi32.exe	89
PID 3088 wrote to memory of 4216	3088	Lpnlbi32.exe	89
PID 3088 wrote to memory of 4216	3088	Lpnlbi32.exe	89
PID 4216 wrote to memory of 984	4216	Lbmhod32.exe	90
PID 4216 wrote to memory of 984	4216	Lbmhod32.exe	90
PID 4216 wrote to memory of 984	4216	Lbmhod32.exe	90
PID 984 wrote to memory of 4744	984	Lekekp32.exe	91
PID 984 wrote to memory of 4744	984	Lekekp32.exe	91
PID 984 wrote to memory of 4744	984	Lekekp32.exe	91
PID 4744 wrote to memory of 4896	4744	Lifqkn32.exe	92
PID 4744 wrote to memory of 4896	4744	Lifqkn32.exe	92
PID 4744 wrote to memory of 4896	4744	Lifqkn32.exe	92
PID 4896 wrote to memory of 1276	4896	Llemgj32.exe	93
PID 4896 wrote to memory of 1276	4896	Llemgj32.exe	93
PID 4896 wrote to memory of 1276	4896	Llemgj32.exe	93
PID 1276 wrote to memory of 1284	1276	Ldlehg32.exe	94
PID 1276 wrote to memory of 1284	1276	Ldlehg32.exe	94
PID 1276 wrote to memory of 1284	1276	Ldlehg32.exe	94
PID 1284 wrote to memory of 876	1284	Memapppg.exe	95
PID 1284 wrote to memory of 876	1284	Memapppg.exe	95
PID 1284 wrote to memory of 876	1284	Memapppg.exe	95
PID 876 wrote to memory of 3312	876	Mmdiamqj.exe	96
PID 876 wrote to memory of 3312	876	Mmdiamqj.exe	96
PID 876 wrote to memory of 3312	876	Mmdiamqj.exe	96
PID 3312 wrote to memory of 224	3312	Mlgjmi32.exe	97
PID 3312 wrote to memory of 224	3312	Mlgjmi32.exe	97
PID 3312 wrote to memory of 224	3312	Mlgjmi32.exe	97
PID 224 wrote to memory of 3896	224	Mpcenhpn.exe	98
PID 224 wrote to memory of 3896	224	Mpcenhpn.exe	98
PID 224 wrote to memory of 3896	224	Mpcenhpn.exe	98
PID 3896 wrote to memory of 4968	3896	Mcabjcoa.exe	99
PID 3896 wrote to memory of 4968	3896	Mcabjcoa.exe	99
PID 3896 wrote to memory of 4968	3896	Mcabjcoa.exe	99
PID 4968 wrote to memory of 2136	4968	Mgmnjb32.exe	100
PID 4968 wrote to memory of 2136	4968	Mgmnjb32.exe	100
PID 4968 wrote to memory of 2136	4968	Mgmnjb32.exe	100
PID 2136 wrote to memory of 3624	2136	Mikjfn32.exe	101
PID 2136 wrote to memory of 3624	2136	Mikjfn32.exe	101
PID 2136 wrote to memory of 3624	2136	Mikjfn32.exe	101
PID 3624 wrote to memory of 2504	3624	Mmgfgl32.exe	102

C:\Users\Admin\AppData\Local\Temp\564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe
"C:\Users\Admin\AppData\Local\Temp\564acaac624bc35c67178d81344ed19c9b1d29c71c1f21d5b5f9670876365ec1N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\Lefkpq32.exe
  C:\Windows\system32\Lefkpq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Lmmcqn32.exe
    C:\Windows\system32\Lmmcqn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\Lplpmi32.exe
      C:\Windows\system32\Lplpmi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\Ldgkmhno.exe
        
        C:\Windows\system32\Ldgkmhno.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Lbjlid32.exe
        
        C:\Windows\system32\Lbjlid32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Leihep32.exe
        
        C:\Windows\system32\Leihep32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Lmppfm32.exe
        
        C:\Windows\system32\Lmppfm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lpnlbi32.exe
        
        C:\Windows\system32\Lpnlbi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Lbmhod32.exe
        
        C:\Windows\system32\Lbmhod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Lifqkn32.exe
        
        C:\Windows\system32\Lifqkn32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Llemgj32.exe
        
        C:\Windows\system32\Llemgj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Mmdiamqj.exe
        
        C:\Windows\system32\Mmdiamqj.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Mlgjmi32.exe
        
        C:\Windows\system32\Mlgjmi32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Mpcenhpn.exe
        
        C:\Windows\system32\Mpcenhpn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Mcabjcoa.exe
        
        C:\Windows\system32\Mcabjcoa.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Mgmnjb32.exe
        
        C:\Windows\system32\Mgmnjb32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mikjfn32.exe
        
        C:\Windows\system32\Mikjfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Mmgfgl32.exe
        
        C:\Windows\system32\Mmgfgl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mpebch32.exe
        
        C:\Windows\system32\Mpebch32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mdqncffd.exe
        
        C:\Windows\system32\Mdqncffd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Mgokpbeh.exe
        
        C:\Windows\system32\Mgokpbeh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Mebkko32.exe
        
        C:\Windows\system32\Mebkko32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Minglmdk.exe
        
        C:\Windows\system32\Minglmdk.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Mmicll32.exe
        
        C:\Windows\system32\Mmicll32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Mpgoig32.exe
        
        C:\Windows\system32\Mpgoig32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mdckifda.exe
        
        C:\Windows\system32\Mdckifda.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Medgan32.exe
        
        C:\Windows\system32\Medgan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Mipcambi.exe
        
        C:\Windows\system32\Mipcambi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Mmkpbl32.exe
        
        C:\Windows\system32\Mmkpbl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Mpjlngje.exe
        
        C:\Windows\system32\Mpjlngje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Mdehof32.exe
        
        C:\Windows\system32\Mdehof32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Mgddka32.exe
        
        C:\Windows\system32\Mgddka32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Megdfnhm.exe
        
        C:\Windows\system32\Megdfnhm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Mibpgm32.exe
        
        C:\Windows\system32\Mibpgm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        40⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Mplhdghc.exe
        
        C:\Windows\system32\Mplhdghc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nckepbgf.exe
        
        C:\Windows\system32\Nckepbgf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Nidmml32.exe
        
        C:\Windows\system32\Nidmml32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Nnpimkfl.exe
        
        C:\Windows\system32\Nnpimkfl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Npoeif32.exe
        
        C:\Windows\system32\Npoeif32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Ncmaeb32.exe
        
        C:\Windows\system32\Ncmaeb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Nghmfqmm.exe
        
        C:\Windows\system32\Nghmfqmm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Njgjbllq.exe
        
        C:\Windows\system32\Njgjbllq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Nnbebk32.exe
        
        C:\Windows\system32\Nnbebk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Npabof32.exe
        
        C:\Windows\system32\Npabof32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Ndlnoelf.exe
        
        C:\Windows\system32\Ndlnoelf.exe
        52⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Ngkjlpkj.exe
        
        C:\Windows\system32\Ngkjlpkj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Njifhljn.exe
        
        C:\Windows\system32\Njifhljn.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nlhbdgia.exe
        
        C:\Windows\system32\Nlhbdgia.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Ndoked32.exe
        
        C:\Windows\system32\Ndoked32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ncakqaqo.exe
        
        C:\Windows\system32\Ncakqaqo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Nfpgmmpb.exe
        
        C:\Windows\system32\Nfpgmmpb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ngpcgp32.exe
        
        C:\Windows\system32\Ngpcgp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Nfbdblnp.exe
        
        C:\Windows\system32\Nfbdblnp.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Odcdpd32.exe
        
        C:\Windows\system32\Odcdpd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Ogbploeb.exe
        
        C:\Windows\system32\Ogbploeb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Oloidfcj.exe
        
        C:\Windows\system32\Oloidfcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ogdmaocp.exe
        
        C:\Windows\system32\Ogdmaocp.exe
        65⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Onneoi32.exe
        
        C:\Windows\system32\Onneoi32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Opmakd32.exe
        
        C:\Windows\system32\Opmakd32.exe
        67⤵
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ofijckhg.exe
        
        C:\Windows\system32\Ofijckhg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ogkcbn32.exe
        
        C:\Windows\system32\Ogkcbn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Pgnphnke.exe
        
        C:\Windows\system32\Pgnphnke.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Pfcmij32.exe
        
        C:\Windows\system32\Pfcmij32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Pmmefd32.exe
        
        C:\Windows\system32\Pmmefd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Pddmga32.exe
        
        C:\Windows\system32\Pddmga32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Pfeiojnj.exe
        
        C:\Windows\system32\Pfeiojnj.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pqknlbmp.exe
        
        C:\Windows\system32\Pqknlbmp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3528
        
        C:\Windows\SysWOW64\Pjcbeh32.exe
        
        C:\Windows\system32\Pjcbeh32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Pdhfbacf.exe
        
        C:\Windows\system32\Pdhfbacf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2400
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Qflpoi32.exe
        
        C:\Windows\system32\Qflpoi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Qncgqf32.exe
        
        C:\Windows\system32\Qncgqf32.exe
        83⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Qgllil32.exe
        
        C:\Windows\system32\Qgllil32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Adplbp32.exe
        
        C:\Windows\system32\Adplbp32.exe
        86⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Aebihpkl.exe
        
        C:\Windows\system32\Aebihpkl.exe
        87⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Afcfph32.exe
        
        C:\Windows\system32\Afcfph32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Acicol32.exe
        
        C:\Windows\system32\Acicol32.exe
        90⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Aclpdklo.exe
        
        C:\Windows\system32\Aclpdklo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Bncqgd32.exe
        
        C:\Windows\system32\Bncqgd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Badiio32.exe
        
        C:\Windows\system32\Badiio32.exe
        93⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Bnhjbcfl.exe
        
        C:\Windows\system32\Bnhjbcfl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bfcogecg.exe
        
        C:\Windows\system32\Bfcogecg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Baicdncn.exe
        
        C:\Windows\system32\Baicdncn.exe
        96⤵
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Cmbpoofo.exe
        
        C:\Windows\system32\Cmbpoofo.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Canlon32.exe
        
        C:\Windows\system32\Canlon32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Cjfqhcei.exe
        
        C:\Windows\system32\Cjfqhcei.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Capiemme.exe
        
        C:\Windows\system32\Capiemme.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Cjhmnc32.exe
        
        C:\Windows\system32\Cjhmnc32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        105⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Cenakl32.exe
        
        C:\Windows\system32\Cenakl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        107⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Doicia32.exe
        
        C:\Windows\system32\Doicia32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Dhagbfnj.exe
        
        C:\Windows\system32\Dhagbfnj.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Djpcnbmn.exe
        
        C:\Windows\system32\Djpcnbmn.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Deehkk32.exe
        
        C:\Windows\system32\Deehkk32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Dkbpda32.exe
        
        C:\Windows\system32\Dkbpda32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dhfqmf32.exe
        
        C:\Windows\system32\Dhfqmf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        114⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 400
        115⤵
        Program crash
        
        PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2452 -ip 2452
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chlngg32.exe

Filesize
245KB

MD5
5be55d887bf81ba370ab6330a8dbae3d

SHA1
4278237c0293afdda0b73d1bc794718d06809af9

SHA256
a475595ed050b4b3a7ea319cd883382fdfe06fe84412137d839d1b3e709920a7

SHA512
094b2da213bfb83a86c29207bf287e024209c798d664638741cbbbe419ee6c055516fbec4499775263a9a24e2aeb3e669b8314b0f40bdd2258aad9c73d1a76ae

Download Submit
C:\Windows\SysWOW64\Dhagbfnj.exe

Filesize
245KB

MD5
cc99cae5a00099557a96c5ef5378dfa6

SHA1
5c7a0b9a9d80ff317728a929fce158d5ae33d4aa

SHA256
99c7a6bf9082a613d91f1f1545e6f21212cf0c2422b421d342778ef6fec33b16

SHA512
8b586358792ff58acad9549e4fffbf413947e8ccdf9dc989a8511de388e17f398ce83e7caeeca92441e8474e5fe23e46632699cb5ecb0477c0fd9ad9ba1b0de6

Download Submit
C:\Windows\SysWOW64\Lbjlid32.exe

Filesize
245KB

MD5
49519e9e56188b1c58f41208d0b577c7

SHA1
7f18ddf42e26f61ac94d87313625f6d0b5afd555

SHA256
c5002476bb6c0df383881f894c92e153a03acd00c3c0f0896b124965f51e9d55

SHA512
51fa5ff75b3afb048603670ed7b0850874b2321bcb7403c44c97ad4e21ed16600b3eeaa69f9cbe6c9d05c31ee510a6ba6e799707f307d7b1e0da6bb5148687a6

Download Submit
C:\Windows\SysWOW64\Lbmhod32.exe

Filesize
245KB

MD5
4d76a9e92abb771309c3feb593665372

SHA1
04175f0ac09652d12079805d4cf609f44b5e79f5

SHA256
2b39e17428bac1e540bef2ee64e6bdfa42095ef3d2b9f64d1db3847aab1b36a5

SHA512
ae3d5d5205265d5c49fce9fda740388fe6f6cf1a976fe9c803d132d19a133e025756fdaa12c96d2f6cbbdce6c1ec7923615da2b95a2e8f3918be7fa071543743

Download Submit
C:\Windows\SysWOW64\Ldgkmhno.exe

Filesize
245KB

MD5
a9fd7f613c5fbc476c124f805f2d92de

SHA1
8f32c91772826b37aea53eb1b3b1d0c9ce6b1481

SHA256
ff946c105d56e5b91dec6cf19c89e3e17d5e0ca950ad91fb9ba9b34f829ca903

SHA512
5590dbd92e60f22387139f997d1f4e3838801a92aa93c1bb11ca9105b92e7e2fe307fe25245e1838ff47ce56af77fe016116394283983e4830833e3a621e23f9

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
245KB

MD5
f9ce79d282b12aaa20624f7475f0e6d3

SHA1
429218aabc10163bad299f9c5d028fe5c02e8703

SHA256
d5c21a42c7ec50e886d974ad109f0f78c5fc33c4c519aac5af649c9b4d612ded

SHA512
2b68329898e79e4ed14e4225b215cde09359c7ee0c5ff2acad634cbb490f4699f9bfbb2329a1d5deb38c0fcf60a9aee8b6210db3a85585fecc0dce21b4e91f84

Download Submit
C:\Windows\SysWOW64\Lefkpq32.exe

Filesize
245KB

MD5
1e00e3303cbdfb4e1d2c70f16958b6ac

SHA1
c8529b9f9928135a0afe58ac3c5671cf29c07713

SHA256
22f6ccc40b849acf748c4aa89fd15e910b1cce32b21fa69ce5bd483d6b99ace5

SHA512
9ce22032d195e4b839f4642fb660b3cc7a4f7f19647fed372c08aaaf9c00142322f4e435d4fd888547290da1ffa7924701b7f4256b923925c311f412dee58bc9

Download Submit
C:\Windows\SysWOW64\Leihep32.exe

Filesize
245KB

MD5
1b2257b45959d03cb7a96366334dd1dd

SHA1
cfb202946591e934bfe8bee27be8996d16593c45

SHA256
b9ba2cfb3b374ab70f19a35909e6a27a53f987d7e8bc4c0cd37012b01728240e

SHA512
dd6c7dfadc333ae0633449fa98973dcafec35d7f3f7f729e9956cfc5098c0af8a85487a6b2030b0b44fa5dfba4dc807059fd03444432413941613d105b304931

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
245KB

MD5
2585ecdca647556e2b49fac74b14c4ad

SHA1
add086d91517c5a5d8a3b0ec0b8867cc00e5de17

SHA256
7ef38e70a9da018de3118bc9d64a93bb4f1998b8119dda7163005d06eda14313

SHA512
bea1275f9ddad702d9c29e2ca954c0e5e0083ce33660e22a68f9ddc49e707d7f533f324bef075cc9f3ccf10d9baac018500e24f6acfd5f64444cc30150ae8396

Download Submit
C:\Windows\SysWOW64\Lifqkn32.exe

Filesize
245KB

MD5
a1a5e110cf02189eff5c63df85225aa8

SHA1
00aced722e4cdcbdf8541217692fe1cb55e62941

SHA256
be796e5a978a7746a102bc5ae7f17b42af2529c3d8f9fd7faac9517b9f7fe559

SHA512
393ef3e07d08830f3b2a1c67418271419fe21ff2601ddf18bbe1bf3abb988d25ef54622f7770f9737eb9ca51232fa9625d9abc338be1d42f28fcf1f8906bec6e

Download Submit
C:\Windows\SysWOW64\Llemgj32.exe

Filesize
245KB

MD5
0b45ed9b1a1178fd07d93d1770bc1b94

SHA1
bf1e080106eb4f8e9ee0c76299aa31881589e076

SHA256
009c51f514004317d1e917bcab73163f44573866312fd3f9de7e146b42656ef7

SHA512
b4c31b046e2a83b0dcc80222f1d978d1e1a77b4476d570edd564a36a9301f52dd229eb84b04bee67d1b26e9816154bd231242115a0b838618482dda7eea456b4

Download Submit
C:\Windows\SysWOW64\Lmmcqn32.exe

Filesize
245KB

MD5
917747a69fb38894bbf8e619e55e17c6

SHA1
20c178bfe8f9aa9bedfee50073fa8a271a13b417

SHA256
9804bb0b2724d8f80fa0c9185760fdadf9d8dfeae00d3da57c8e2a09a808f7de

SHA512
38c5421e82321a7e35548addcec339be46465fb1a6ca1e417d603d26135d05cf28bc1fc9a3e42e587d6e564ca3ee2f1483781abb74e6188380195058ca75b656

Download Submit
C:\Windows\SysWOW64\Lmppfm32.exe

Filesize
245KB

MD5
fd01e99b6b0b43af4dd99bb9aec93d25

SHA1
ad47459cc2c42631397721ca836c06420a71171f

SHA256
ba3db6facf8392c10985b3548b65169b66c28fe699cfcbf934361baaefeb2bc1

SHA512
c1bc11ef7816cf99c8c53d24c660a59b714316b15c84a918ab173702c1449b57768e95fb91baa7b17f2a3f4e98bcb60da6c69fa5f69096109996dfa1fa07e624

Download Submit
C:\Windows\SysWOW64\Lplpmi32.exe

Filesize
245KB

MD5
885e1add1d85bf1dfc169d32b1930cea

SHA1
99eb3854807a2144c46563d2c32418a072b70352

SHA256
1c68f49183f5197ab0e31036c29d832553ca0f4f2cc47eca58ec2e32518da5ca

SHA512
f65194ddb099b48a026fe5878bc18c32abc888651f7654ad538b911f02235a075e98678d5699adb07cb8a71c97bd97c384f488808eff258ceb29ea3788ab2835

Download Submit
C:\Windows\SysWOW64\Lpnlbi32.exe

Filesize
245KB

MD5
87ba8e968c034a6ba1e613710433b4fb

SHA1
f9fff69c0d907d0b7d2a06e91de47212c93dbbac

SHA256
0bcfc2aa23ca84d2763470df818002561b73925ce4a9b4d13cbe3013c3d0f3dc

SHA512
31a9f3b23ffb692e47b24153a060bc247ba157f4068924101981c84f72dd94acfda4778dc86e9d795a6d93befc6e03b4ef7f6560792df0c122579bd4319fbc0a

Download Submit
C:\Windows\SysWOW64\Mcabjcoa.exe

Filesize
245KB

MD5
cfeb18f0c648610092c1325a692235c0

SHA1
91cf1b662fa374a45127e550782700aea66d654e

SHA256
ffedd3eb2bb81efbb8ef822d758ef37ece9f6972e255f7abc48c23a1443429c2

SHA512
a8544e35506736de6bae2f9455f35b6a1e5eb48288af124041d2d3ac215bbb38e7dc45276ba4cb02eaf6460930c60d57ecc652b9f0b12fc2809f5e142f442839

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
245KB

MD5
7fdd7fe51213b46358a2ad6b20b878dc

SHA1
ad4166d99c7fa3af992e477a39f93b2d7fda5335

SHA256
12c8467d7b507a180007228e691cb7a012f1d1f3c7c533fff2b901168c3a7f47

SHA512
f53dfaecd75fb9684574836c6c6982ccf0a2dbb7a0cd3ee85a6d146e7d93ec75a77496498159aa5ca0d863c7fa838bc086333f2f4119034ae138d1aa9abd2f39

Download Submit
C:\Windows\SysWOW64\Mdckifda.exe

Filesize
245KB

MD5
cf4ffd0eadbc3bc9c893e016218a2097

SHA1
7d451c36782c583c5aaf8ccc800f48d988ca7986

SHA256
a33ed1cd6b6ed55d43382fbe96990a27c49419b760f24698f21ce122c9d96629

SHA512
afd0ed4522ec01b506ffe3d5aaa80a11756d98e95b6861dd93e1b00d6aa5a89f19580ffd7ad9408b0889f49d343f6288077328620af4b5c4c8ee8d4436c384bc

Download Submit
C:\Windows\SysWOW64\Mdqncffd.exe

Filesize
245KB

MD5
1eebea60bb313c3a9928362c55db0162

SHA1
c60c1e4df1fdaee6493458670073fa9b097523ee

SHA256
72be8459821f9a3f3e14afd70de3ad7462fd58018c4082af61a558dc4a1e5124

SHA512
ca340b045c621b5a6e9f3099d0b5e24610be223f12c47b469dc6cda428f529dc763541bde61791ab1fa46d73b061072d0cc6da34540f8918c3049b0013816023

Download Submit
C:\Windows\SysWOW64\Mebkko32.exe

Filesize
245KB

MD5
be64a06accf33fc42de60f935f2a80ee

SHA1
f44f63212c727b751d243b1e5b59d9e32613d47d

SHA256
9da969e4783c1d8350f4c8a73cc45b1187365ce49e7a7e3f109fcd57eb76c5fc

SHA512
482d7c3abdbed17af8c89fe8ac7e7d7449788732e431a6dbe4c1a3cfeb419c48b492870174797367b058458aca7f472f0c0dc72dfb492c203fa26f43a058c7ea

Download Submit
C:\Windows\SysWOW64\Medgan32.exe

Filesize
245KB

MD5
d438f215af609140578a10371b48f7cc

SHA1
19889245166084531c0ebfc1e1a9bf9d8f5185d4

SHA256
d6fb21c02a1e6b94b4247331533aa6e5cab69ec32375738ea6301933720ece79

SHA512
d2230f260b13bd41a9f82bf80c1ae6191825a591c019aa9ca94a24fdf712e62d1362877408c55f4a0920971c622d2703fecfeaa99bc40864a7a8bf714beead14

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
245KB

MD5
a82ba8638c0d72bbd72416b86c0e3f38

SHA1
c5d314c7628a6814fee6cc39e5c5c888377bfe66

SHA256
01e8663434196e6602fffd8616a087a87f16ac097bbaec44e6e1cea78be019b2

SHA512
2cbd8d317d0c15dfc8619754e861c733aea751399c453649d939738413a3877f4643ce84788d83fddd42ad8cf5f7e94e03c5964d55427846120907d05b78dada

Download Submit
C:\Windows\SysWOW64\Mgmnjb32.exe

Filesize
245KB

MD5
3e8edb1e0985d864ab1ed34aeb8b32f3

SHA1
699140967630bf4889cd7ecff57a66ef1cbf5f5a

SHA256
70d75116ed40d68c3bdd669ce3f961e46b3842ca69d4d335dc4953dc8eeb2998

SHA512
3238c2bc1bc89f118fc04a2b5a2deb566634f8fedd47bb46f8d98652763c01c32652406b4fd3b1eaf120da2d3b170a64f1f8dcc8f6fdf29f477545b513f5ca73

Download Submit
C:\Windows\SysWOW64\Mgokpbeh.exe

Filesize
245KB

MD5
aa2652251ed301d2bd532df348dbd0be

SHA1
9c338aa0f25ba8397bdfa900b3c10db6ba706394

SHA256
4f1bd8a971439bacec69fc094d8af727cd69d9b080b052da9c72fd05e3d9e9eb

SHA512
ac2e53a035953f4347381c2aae8635432d72ad3bee48d6f5749e57550101c5ae2fb44731ded9d21c77a53723f57bd5653ac954474b0b29b160c1efff13836458

Download Submit
C:\Windows\SysWOW64\Mikjfn32.exe

Filesize
245KB

MD5
87bf8c7cde2f2159068705c72b1beb17

SHA1
2c4076e3d10b931e6ff3c23fed43b78c1bfccd59

SHA256
468abf99a6718de88c2b017bad63d4c7669bc22457eff5850aa59020459f9c39

SHA512
1eb4e40202aa7f161c66b67c4d49e2c28021a723b46e301061f92f1629bc5dedd3185fb56c6c1ffdf31c7557db50b9eac00ce3b521ad9965ad8aa4b7e0fcfe62

Download Submit
C:\Windows\SysWOW64\Minglmdk.exe

Filesize
245KB

MD5
c24c02d0bdee2b5847c48584a2527228

SHA1
ba4045bdcdbfc62c3febd208989284a7c1decc02

SHA256
3f9a3e284a9efaa9889e1133b8c6696e9d64dcccc8de9fec729cb05bd1a5e625

SHA512
9c7b8120c25f360600ee663a3ecbeb59c1b2710ae5a065540caca097a6d49493dfc54d84535d08155901f0bf5d469a0a2396e21a7d8c81e813612694c207403a

Download Submit
C:\Windows\SysWOW64\Mipcambi.exe

Filesize
245KB

MD5
9934298b3f9aeab3f456fde2276fcafb

SHA1
56118f8266f87bab3297b16f301881cb4c590975

SHA256
0a05221cc2fdf2fe80564266fc5613348882d8917303d18dc7eee6d8f57e54cf

SHA512
ebed0c831845a2228f66377099ef86bff8a7f555811512df912dffba0599151247e67ea9968206072b57b86dff2ed6ffaae0d74e697ad5f0a017886788c60da9

Download Submit
C:\Windows\SysWOW64\Mlgjmi32.exe

Filesize
245KB

MD5
1dc99caad4b993aef5e3183a5b51c0f3

SHA1
e4e1197bd40bcd5fee87d79deff4a47a9a29477d

SHA256
d60f6bd6df75fa6a67651e71d37bd852445512c9895785e60422969fadfdd077

SHA512
da07039acd94726e4d6b1a0d0c87ba7d21e83c57b030cecffbbc84de3e46e2a5f3c4c93089e520191f4af24f0132996822eb35a3c8d4333acc9a4ce290e8acdd

Download Submit
C:\Windows\SysWOW64\Mmdiamqj.exe

Filesize
245KB

MD5
3843ef2d25f6624a00ad233e4a322837

SHA1
e256e4112406437190ea4e5fe7b7045e52bc64f4

SHA256
44ec25e35cc518916c4aae9ba6d8e59b421c77e717afd17a8ff4f4c8597b156a

SHA512
7edf18b7fccdbca30c24478a3264e594cb56fc59574085cf3c43ef63e9981d4853bfb3eed5e5b5c988ca367145ae89c16351550a1afccbede7f189fea20a4940

Download Submit
C:\Windows\SysWOW64\Mmgfgl32.exe

Filesize
245KB

MD5
7b6e2225835a9185cedb8215d42cb05d

SHA1
566483dcfb15dd0e06023ea189de85be15a76f73

SHA256
7087ca86f35f99b322d646ce0a3aae839d5de55f497f33c74941ece774e49e6e

SHA512
81ad2c62049b027c5e552006a6258ef4d5435c2ea5979ec7517c6177373d92840b0ea73c27dcdde472deb3c297034c921d267b53983fb39a282b0f8c2dec3b21

Download Submit
C:\Windows\SysWOW64\Mmicll32.exe

Filesize
245KB

MD5
27eda5a50aef79564a626866ff67e6e0

SHA1
b31dbf8e10f27e05517836fdc155a25126f1fba1

SHA256
a4e469970fce658266a5be2d05ebaae73feaea0518c2d3385da1ecc25dedf3ea

SHA512
3164290d119eb97e46489255960198627bbf1a5d80ad3c13f088e4ce6ba515bf7c20035a0661ccdf51bc01237b82a3c4255434edf6e3d83d32ce6a72665fff5d

Download Submit
C:\Windows\SysWOW64\Mpcenhpn.exe

Filesize
245KB

MD5
d82f22ab2fdb188b59547bfa3b8bb7f9

SHA1
07f6106a6e545cdfa17f9e19434fcd6c271d9774

SHA256
e4b760e24e4f3622601dd77d454c4719a76c2afe559cbce0d9e8d3a31958a03b

SHA512
84af02dce67a372eafb30c817932c51d8cc2a00a623ff5d60b9215090d975b8a468628d20c1919da49ec26d869ae7a134fea6aa7e87daf52c79a134519e590b5

Download Submit
C:\Windows\SysWOW64\Mpebch32.exe

Filesize
245KB

MD5
740a82ea83854fddd3f1c1a5e98a582e

SHA1
c8ad90bb7bf42e644b34f9ac0c9ea71141a0d32f

SHA256
c9f098bdbca6e19e4845f1c815b36082ad53fbcb4aabdf703b7513fb2d703490

SHA512
fc01c2c24786306dd58da2db1a277ca18aef8ade3ccf54c349848ef01d1df39f993f05e53a21be61990c3d82e3564174f16dee45a10c6fc98b27020d9aeb9a95

Download Submit
C:\Windows\SysWOW64\Mpgoig32.exe

Filesize
245KB

MD5
495a1986bc36b78a869551327b0d6ea2

SHA1
c0455275f7c02bb978e1ba6c1c0d4b5a2af032e5

SHA256
26f07eed00a7dc2103aa8ea0b1e8ea4a0d29342bed7f1e40bd70c7dbe5d7c4cd

SHA512
4b19c7a98887aa484bbbc631ed1b0547f39a9c5121f77cd9d226f3e93bc5342ab7c5d9c873b96c0ccfd7ff1bb7e956c77e9a7c3acfbfdc64c5fc355377a23e54

Download Submit
C:\Windows\SysWOW64\Ogkcbn32.exe

Filesize
245KB

MD5
5711d330a5eed22b82cfdb6de9bc0aa8

SHA1
02bd0236f68a0e566a66ef51b07ee539706327e2

SHA256
c87d7b8bfe05883b767ec46ddac2a39cfacdd566970d63d26dd7dd21ca56dc5d

SHA512
5df9247dbcf521b5db56d42d04a1dbfd44a12fffe840a6058c3cd22f93c1334fa32b4d026465b6a449ff88461219e87ef3c1cd9d53401c2f29c0b47ade4836cf

Download Submit
C:\Windows\SysWOW64\Pmmefd32.exe

Filesize
245KB

MD5
581d9082c6bc69f786e109614858de2f

SHA1
0d7d6f9bbb42b44dfa29a8ab0f3257cc76d51964

SHA256
4aa89c323633bf15d4957e0293bcae2d39b24a1ce8c66b12a31bb0c1c8fabc11

SHA512
92ed4daf6d6919367f98954e9ab8325986df6658ab8c38bd365cf555493b711a1ce5146f9c9ba8f62c9a3d1b55771782a9b9a84c27a75e1463e27a8afb98635b

Download Submit
C:\Windows\SysWOW64\Pqknlbmp.exe

Filesize
245KB

MD5
5fa4fbdd8c6d42426aa1ff1095f2310f

SHA1
8cccb50a7c87af4812a4b047a5972f54c37692ab

SHA256
1c250b5333d67a40ce8f0108f04c9790369a7a1a930d792769aa8c76cc2166b6

SHA512
c2faffb34b2468159e30410f10e6663c0198e5fd3c955750fcb65b0eca1bcdc87138a96a132b0935c93bb5c2443b221e880b6b6db05bbf78bb80ce10d38cc548

Download Submit
C:\Windows\SysWOW64\Qflpoi32.exe

Filesize
245KB

MD5
53aea043ff01f05e59522bdf0f85e436

SHA1
3c1e8c9608208e4c2a94ffb214cc47c0d14cbafa

SHA256
5fe942cea897f8621357a701e3ad893b838b20cbb5c399a9e24b49e7150c9499

SHA512
9c369869dfaf5fc5bbf175b3e21afe8a4734c7fa958bc9f833ecb2ba6d78c9b858cba978f61d74edb64d655e3568b8dcb2e55d55f34751f47d36ab18c3af3178

Download Submit
C:\Windows\SysWOW64\Qgllil32.exe

Filesize
245KB

MD5
ec447735520c78e95d4e603d8177f41a

SHA1
d8a354ea33787febb9fe82330a95d230e3621103

SHA256
2136c351487e578571a137aa062d849ce9d869d7cfe397f34f77c3396752ec83

SHA512
be92fc360cf4e6c815cc2ed061d3e7cf5eb9880ad6b4c0489ad3f4b8255294a5055abd5a9872dd06049788e95ddf0d36a9972b3eb4def94b68f6618eaef204f4

Download Submit
memory/224-648-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/224-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/384-622-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/416-530-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/416-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/712-387-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/876-634-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/876-125-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/984-600-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/984-86-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1032-325-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1036-875-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1120-635-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1268-551-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1268-36-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1276-621-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1276-110-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1284-118-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1284-628-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1292-649-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1504-187-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1524-407-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1648-587-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1652-501-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1684-390-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1720-319-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1840-209-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2016-447-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2024-233-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2148-572-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2148-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2244-483-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2300-552-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2400-511-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-429-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2528-573-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-277-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2632-248-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2640-477-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2740-261-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-565-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2852-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2852-543-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2908-283-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2960-453-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2984-59-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2984-571-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-513-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3056-465-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3088-586-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3088-70-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3128-351-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3224-294-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3236-381-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3312-133-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3312-641-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3316-558-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3364-564-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3364-37-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3424-418-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3528-495-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3544-519-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3624-171-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3676-615-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3704-401-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3732-489-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3784-803-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3872-594-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3896-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3916-395-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3928-306-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3956-537-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3960-912-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3960-217-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4012-531-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4164-601-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4216-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4216-593-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4316-470-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4332-313-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4396-608-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4436-580-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4584-459-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4592-579-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4592-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4684-21-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4684-544-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4692-549-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4736-225-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4744-93-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4744-607-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4816-441-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4848-300-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4888-642-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4896-102-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4896-614-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4996-202-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5088-430-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads