berbew | 8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe
Size

534KB
MD5

be4a53db4c28aa9a1dae74fc2fa31b30
SHA1

18752e2242ee6a5af111e96ca526a324ced793e3
SHA256

8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225
SHA512

dd2bb982794d90ea883ed81c0dfb5c5c5261d248da34b569be8227416cd2e58ff2559f3996abffc0ff201a1c31be06118d72faf1df3d5e44e32cd458fff79ea0
SSDEEP

12288:iPbWGRdA6sQlFh2kkkkK4kXkkkkkkkkl888888888888888888nS:iHFh2kkkkK4kXkkkkkkkk8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
988	Jbhfjljd.exe
3816	Jbjcolha.exe
220	Jlbgha32.exe
4712	Jifhaenk.exe
4848	Kboljk32.exe
3048	Klgqcqkl.exe
3728	Kepelfam.exe
3004	Kfoafi32.exe
784	Klljnp32.exe
3440	Kmkfhc32.exe
1540	Kfckahdj.exe
1320	Kmncnb32.exe
2100	Liddbc32.exe
1328	Ldjhpl32.exe
2388	Lboeaifi.exe
3636	Lenamdem.exe
1464	Lpcfkm32.exe
3544	Lljfpnjg.exe
1628	Lphoelqn.exe
5036	Mmlpoqpg.exe
3096	Mpjlklok.exe
1476	Meiaib32.exe
3520	Mmbfpp32.exe
3112	Mlhbal32.exe
2908	Nilcjp32.exe
864	Ncdgcf32.exe
2360	Nphhmj32.exe
4992	Nloiakho.exe
1768	Njciko32.exe
1636	Nggjdc32.exe
1956	Odkjng32.exe
4664	Olfobjbg.exe
1564	Oneklm32.exe
4932	Opdghh32.exe
4912	Ocbddc32.exe
4580	Onhhamgg.exe
4524	Oqfdnhfk.exe
2628	Ofcmfodb.exe
1708	Olmeci32.exe
1532	Ogbipa32.exe
3292	Ojaelm32.exe
1044	Pdfjifjo.exe
1624	Pjcbbmif.exe
1860	Pqmjog32.exe
3060	Pclgkb32.exe
1076	Pnakhkol.exe
3732	Pdkcde32.exe
4928	Pflplnlg.exe
2836	Pncgmkmj.exe
3444	Pcppfaka.exe
1184	Pnfdcjkg.exe
968	Pqdqof32.exe
4960	Pfaigm32.exe
2044	Qnhahj32.exe
3692	Qdbiedpa.exe
372	Aqppkd32.exe
900	Afmhck32.exe
4452	Andqdh32.exe
1164	Acqimo32.exe
2532	Anfmjhmd.exe
4852	Aadifclh.exe
2476	Bfabnjjp.exe
4148	Bmkjkd32.exe
748	Bebblb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Jlbgha32.exe	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Flpafo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lenamdem.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Odkjng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	3988	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 988	2412	8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe	82
PID 2412 wrote to memory of 988	2412	8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe	82
PID 2412 wrote to memory of 988	2412	8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe	82
PID 988 wrote to memory of 3816	988	Jbhfjljd.exe	83
PID 988 wrote to memory of 3816	988	Jbhfjljd.exe	83
PID 988 wrote to memory of 3816	988	Jbhfjljd.exe	83
PID 3816 wrote to memory of 220	3816	Jbjcolha.exe	84
PID 3816 wrote to memory of 220	3816	Jbjcolha.exe	84
PID 3816 wrote to memory of 220	3816	Jbjcolha.exe	84
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 4712 wrote to memory of 4848	4712	Jifhaenk.exe	86
PID 4712 wrote to memory of 4848	4712	Jifhaenk.exe	86
PID 4712 wrote to memory of 4848	4712	Jifhaenk.exe	86
PID 4848 wrote to memory of 3048	4848	Kboljk32.exe	87
PID 4848 wrote to memory of 3048	4848	Kboljk32.exe	87
PID 4848 wrote to memory of 3048	4848	Kboljk32.exe	87
PID 3048 wrote to memory of 3728	3048	Klgqcqkl.exe	88
PID 3048 wrote to memory of 3728	3048	Klgqcqkl.exe	88
PID 3048 wrote to memory of 3728	3048	Klgqcqkl.exe	88
PID 3728 wrote to memory of 3004	3728	Kepelfam.exe	89
PID 3728 wrote to memory of 3004	3728	Kepelfam.exe	89
PID 3728 wrote to memory of 3004	3728	Kepelfam.exe	89
PID 3004 wrote to memory of 784	3004	Kfoafi32.exe	90
PID 3004 wrote to memory of 784	3004	Kfoafi32.exe	90
PID 3004 wrote to memory of 784	3004	Kfoafi32.exe	90
PID 784 wrote to memory of 3440	784	Klljnp32.exe	91
PID 784 wrote to memory of 3440	784	Klljnp32.exe	91
PID 784 wrote to memory of 3440	784	Klljnp32.exe	91
PID 3440 wrote to memory of 1540	3440	Kmkfhc32.exe	92
PID 3440 wrote to memory of 1540	3440	Kmkfhc32.exe	92
PID 3440 wrote to memory of 1540	3440	Kmkfhc32.exe	92
PID 1540 wrote to memory of 1320	1540	Kfckahdj.exe	93
PID 1540 wrote to memory of 1320	1540	Kfckahdj.exe	93
PID 1540 wrote to memory of 1320	1540	Kfckahdj.exe	93
PID 1320 wrote to memory of 2100	1320	Kmncnb32.exe	94
PID 1320 wrote to memory of 2100	1320	Kmncnb32.exe	94
PID 1320 wrote to memory of 2100	1320	Kmncnb32.exe	94
PID 2100 wrote to memory of 1328	2100	Liddbc32.exe	95
PID 2100 wrote to memory of 1328	2100	Liddbc32.exe	95
PID 2100 wrote to memory of 1328	2100	Liddbc32.exe	95
PID 1328 wrote to memory of 2388	1328	Ldjhpl32.exe	96
PID 1328 wrote to memory of 2388	1328	Ldjhpl32.exe	96
PID 1328 wrote to memory of 2388	1328	Ldjhpl32.exe	96
PID 2388 wrote to memory of 3636	2388	Lboeaifi.exe	97
PID 2388 wrote to memory of 3636	2388	Lboeaifi.exe	97
PID 2388 wrote to memory of 3636	2388	Lboeaifi.exe	97
PID 3636 wrote to memory of 1464	3636	Lenamdem.exe	98
PID 3636 wrote to memory of 1464	3636	Lenamdem.exe	98
PID 3636 wrote to memory of 1464	3636	Lenamdem.exe	98
PID 1464 wrote to memory of 3544	1464	Lpcfkm32.exe	99
PID 1464 wrote to memory of 3544	1464	Lpcfkm32.exe	99
PID 1464 wrote to memory of 3544	1464	Lpcfkm32.exe	99
PID 3544 wrote to memory of 1628	3544	Lljfpnjg.exe	100
PID 3544 wrote to memory of 1628	3544	Lljfpnjg.exe	100
PID 3544 wrote to memory of 1628	3544	Lljfpnjg.exe	100
PID 1628 wrote to memory of 5036	1628	Lphoelqn.exe	101
PID 1628 wrote to memory of 5036	1628	Lphoelqn.exe	101
PID 1628 wrote to memory of 5036	1628	Lphoelqn.exe	101
PID 5036 wrote to memory of 3096	5036	Mmlpoqpg.exe	102
PID 5036 wrote to memory of 3096	5036	Mmlpoqpg.exe	102
PID 5036 wrote to memory of 3096	5036	Mmlpoqpg.exe	102
PID 3096 wrote to memory of 1476	3096	Mpjlklok.exe	103

C:\Users\Admin\AppData\Local\Temp\8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe
"C:\Users\Admin\AppData\Local\Temp\8da2cac02d4a7a235ce048bb6a0e63dab7187bb59ecb7b1c249e9b1f1cbf9225N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Jbhfjljd.exe
  C:\Windows\system32\Jbhfjljd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\Jbjcolha.exe
    C:\Windows\system32\Jbjcolha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\Jlbgha32.exe
      C:\Windows\system32\Jlbgha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        50⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        71⤵
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        73⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        86⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        92⤵
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        93⤵
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 404
        99⤵
        Program crash
        
        PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3988 -ip 3988
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
534KB

MD5
7ca8316f9e319ce8ef3123c49c3c54ef

SHA1
8d841b442c044f265e1d29c310bab74eea9a1844

SHA256
19cd5ffa596098a59fb73b002deb9ce78103aed6623c84474f2ad536909c151b

SHA512
6f99d25ab430797d742b53a0487da366fb4772e5a0d7f9137d9bfcde3ac85fed7a1481d306a50390e6a5c54f47b71550a4710791d6a6e1b2cd0ef36e53f13f2a

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
534KB

MD5
74a1d6aab28878a9e235a3392f6a51c0

SHA1
8fee5b820b90fa3372872277641d5eed1bb1baad

SHA256
7e10ea0ba8a9069e39bf77cd57b91ef2dffbc61da9dc023e22dc2be05c28ebc3

SHA512
96f80203c228be18d7d9b267c62b8bee2ce5b4c7f3cc83544ae6454b4b53b706f2810a2c7f547bda6ca83c9f0971d79c152c1d8bb4c17199f89fa2770fc575b4

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
534KB

MD5
ca6c9859724d18953b53a067300a7d45

SHA1
5d0e811825ff9dc1d1e3cfe85f2ebaf7bd05662e

SHA256
d5ef4945afa72b8ec34afce1191a273238759d03f28e0f024a613fd8585b4339

SHA512
7afc22ecbc0504be1646855ae7c4f0654f6864a46be20f6232b18a9f3425c519773e22b9ab8cd6f8ac085e9ba5f06bf630dc9c0b37a0d7d952bf280a61c48990

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
534KB

MD5
59d89e5bdcb23fe8fb679505454b3751

SHA1
c30625f64b914a1d88bec63348b600c367b9ec8c

SHA256
311418a72cff2647bdf501bb04390dee738e61f41b1c0d54f5067929487e76e5

SHA512
f9efc685ad5ec91e8251efb45e59eb123aa34c0c5943fde7f4e1e2a290ed4b3b1bf091b7eb992136767a3319a51d113bc623cfe5b0edc52dc8045595bb352322

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
534KB

MD5
8851edb4323e82d0e71fe00b077b6834

SHA1
2047b2097f08b24a9ea6de112a35aea6533460d9

SHA256
f173e0c771f2395f76fa06acaed72cabb7e3384803ea4ca484982445968744fc

SHA512
8073ac96aa706b5e01bb374881d8e3aa4b11fa1b1e01a015e3aae883b475f18e9ef3b797a21ca126424602b2c7ef2de6aeda7db9e2af8482a31416d7036bfa07

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
534KB

MD5
807ee713116c0ef364efb7580bb7e543

SHA1
16d6571dc6a462fc19db112b5f56f05c9ce4a183

SHA256
0ea12e47af3123d0fbb92d65b0a78955daedeb8ae5a418c44a9b700f4340889a

SHA512
ba7c98e2ccbb9bd8aa1f3982bf1701c645afe306ee73a3053a2a80f618e4ba733212d01a6b9d9f37503fa30650d9b14bc0c969f7f09edfeb5d2e4adc0a051684

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
534KB

MD5
47cf0ee9ae593610f6357a05a3da1da3

SHA1
29996227221d408a9edf6d8c23fca172d1dfc47b

SHA256
ccd122cc8b3154166e227772ee13a6e419ba2a9d1e6991fd2d7d513e01e61c7e

SHA512
d1f522d4f449a094020bbff2aabf6c4f3a118354bc41646279752e8d79da012f25849f23bcb545ada2f3d2435a6514c956c2f4382d79be841bb3315e153e7292

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
534KB

MD5
3562adc4411c1de5731dd90416f5a951

SHA1
615abcf0d10f529e38cbf62cd3dfb6dd89c3da91

SHA256
45789f478387e0b636ba80a7d46e97e1b8a336aee974a5743ce107db62636bf9

SHA512
f662bb09a28d1c743b377bb6dd11a41ba5cc1786018ca5bf5912c505dc409189270649fa54f46e33e4fcfe18c2a6c90638aa1bb047ba26ec1797f6932595d337

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
534KB

MD5
3c31662236be359cb59705f4c38ed603

SHA1
7d2b1e1f9b3f8e2b209692d3f844ca7902708b36

SHA256
f7f51ae416983e6f41f670724e5786783da0341b681f8d6b54770714e0f38ce8

SHA512
b197e3f5d215906e5f2b4800fa2aeb9a2910aa59cc4f0a07ff7dcfe7b267ef74b79123790ec2e152331d7f266e0eb00e16aab3cba05a456750f99507a0fb2881

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
534KB

MD5
e3a205ddb6879cb3e8ec5eca2129cd2b

SHA1
7d3a968910c9361b1738f374123438ca261b6946

SHA256
d4fddab4dd3d55f3f526b902defc5431c078d35d4608ddb49c4484a74eb0470a

SHA512
0c7d8bd90707580a6e0ea4c1fad284de0ce42d83e8c4c6f39f93a1e358030d3232b5d8522022afd16d8429f47807135af18f2a93313382373ccca5f8fc6fbfac

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
534KB

MD5
2e07fa9ce8a4c1d5010a9963869208b9

SHA1
c03d9a0649135eebe595a904fabfb05a6f367eeb

SHA256
867f1aea55cbe4cb11c8f54f506a17d9bef7245aab59b0c037609c143a7c0c48

SHA512
59dd7c3a5b435a32084ca74690a01efc4562ba012f38f96ed56a90e8ef4f3b8e71cb5de40c84a7bf5a7a0523a3710ca2d628ef81be886f521d969c289a763ff1

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
534KB

MD5
a867e5cd1cc63ee9b5861729531cbd6a

SHA1
eafd4380455ff0eb914ff69f4e257df0d8c9cdf0

SHA256
cbc5b5db7cfe3b955f6aa375561159a856ff7f152f8bb470c20bcce5bc010720

SHA512
47193383eff448e271982190f65ec4496c1e59fa7f8e6623cf9e9813aad75d53b38ceabccd02bd1bdafae280c434172b5c15878f318d727f23cdb0a9eddb0b5e

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
534KB

MD5
eeb16101d70a92610bda5b8e76d38685

SHA1
72471b74562f8d2fed0eaedf373aefcadf0a2e4f

SHA256
d95da6f6589dca8f5428e7a1b9cdf5550b2be003760fd68a2da4275cdefc5e2f

SHA512
96846a69bd2218485b1fcbb0d7b06b5f384507c0999be9d62ca4e95e5e71b6b5f99bf90e06f9398fd3a659ea1a0356e5daae4d9394b24a18386b8c60e5aef7a9

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
534KB

MD5
c14d23d5c8a8ff67ad4a12a7cf88c540

SHA1
781e400e0275352650a8316b9773c76c49c4c6bc

SHA256
1c3551ea6b0a2eab7d0516344f554c9386ecb5039d78f963a41b56f1a3d13875

SHA512
cd89bef9e46128740d212e172a066b10ce4d014b1ed9a47adbfb02a2383b27d2aa1533a5e3812d55fe90756d422e7194c9782dd0e4273cf5a8c1977b405ac9f5

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
534KB

MD5
8e554d4d22bbf39a263a856c8aeb7f6c

SHA1
e7f9493406ff705eae0550ef883f8dbee03c3e73

SHA256
b925f3c1d7c8cdf4251ce3f019f7896355e640d22c0096e852218f9cd0471bcd

SHA512
464e32bb79dec78ec2051beb0ac41aae15035b19ab648532635b89bb8388f8e4a18a82b2bf44d387f82c4feb0be1d13f609072e58885a0127060781b2bb3c5a1

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
534KB

MD5
ffea64f51b641d64459139f8e6aaac77

SHA1
00b4a12d14c1400c5dec9b8a16c21a53791c6146

SHA256
7a4162ee52ca0ae8178aab7a69b3245c35eb70bf822ec76cddbcec803219b013

SHA512
4885388af8269a1ce886e553f531ad3bf26ad62af3422d5c6bd05a928981bb284488ddd54b5c6911ad4df9239dfe696df9f8e1e8b580a62abf92bdb2ad8d6151

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
534KB

MD5
6e19b94a6094443d105dae0ac1c4a4d1

SHA1
74ee8dc822241a6d0cf0b0caf052a809dcda9a36

SHA256
65f79ea1df751c2018e3b3067e2d4d790ffd9027bc7de779989c7ac204406ee9

SHA512
41840ab58740b587bbe482d24eb00fd66b05def47c54164df9cc2a04b6e8463b997927d8e61a3d5128cc84ad96e76a3fe4c8cc4f7fd38ca0179dfbf76dd770cb

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
534KB

MD5
ee3807aef2c844f6b668f73d895dcc13

SHA1
79277b944ee1601aa1ddd75dbbdbfd7f2e6d845d

SHA256
fccf73ac84abbb7ec2a83988455849ec8a7683b8e60f888ad9dcebfc872c2819

SHA512
b1e16ed059bae83224052638750a64b9c2d9974b8164c096d67b04c7670a617c14d25c094915af9f8c58296a9c90c858f6ecf1ac3d8a0db86d2b19f9e1918569

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
534KB

MD5
361b9b181866021a3ebaedf6c2335736

SHA1
f0996c19731da3247d02c1e4ef1cf15b7160072c

SHA256
b43f62d6ca7a3e74f7e1bf631260e910b337b92b79042c308602d02378342137

SHA512
d7fc57f615bed327cf4872f1f75a27d580012d3fd9aaeaa9d47a720db467a13f42f791ba4cd959be92e49fcf153f90878d99cb15601d61bb6c115fbde60e1781

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
534KB

MD5
28ac11802d5c7ddd7dec4ff98e6194b6

SHA1
20608c05fa83386ed2a947ba84dd92e46555f59c

SHA256
039ae2af8243a4735c2a88ab60476c6f5d8cfd183fba73905b2e0c65e14cd2cf

SHA512
8180fbfc76ffa65076e54423912afcff4044e14f98f1b2fb4b96c6483653af4daea6464bbcfdd3b0bda9bbd73476385572d96ff73019ff78b48c0f1f05badd24

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
534KB

MD5
472ec0d177055271ce7069b56eddb69d

SHA1
7b31e0aa9c13a4090ce126520173591af4475f6f

SHA256
09bfacf025c22b3234e69f054a47833b28b780e05bcfe2dc88394b14e09944f5

SHA512
8cac6fc81ad00b7c9f0268fb1bcb4b5e40530dde5c44e7fa0637f7302ca5f9c680a892be06884de8681e76f3796270c318f0b663896d31d94464c9b95aac55c4

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
534KB

MD5
468a8a56fd94e293ad4ac26cf30036dd

SHA1
fdb2e67d4efd1632aa9edd7a0b84d72c20a5c46f

SHA256
90c5645606d3e6615abeada003daf4e59d395884f98f26deded0225cef998008

SHA512
8ca3b26594c462aaad1b3511909b3cc3e71e95d97e2f19982417c74269763ffb7fe7193a151aefda2f336fd2e652f34fd8f0b00046974af1d2a929b5608d6777

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
534KB

MD5
66bc281fae0e7793687fde692819c87d

SHA1
744c5b1e7c68f1ad745688e37d3dc0dd34216c06

SHA256
cf83e8999929376235770f12cc347f769c1760542c20e4c55c9e52ded3719e05

SHA512
4d1e13c03aec5d9492fadfe11059874a449b13b518ea38345e08c67f6bcb799dacadfbdfcb1b3d585370f41730c4be2713f8b486944c0a8fa2dd248c341507ad

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
534KB

MD5
d888eebb5cec271886260d0ed5f1da0c

SHA1
9fb6e5a252ca82f8ee46d1f393b47e5524877738

SHA256
2f4ef6a7c0fb5f70d68599656c5d852a686aa5fdcf21c6fbcacd6b6bc2570907

SHA512
3f6b9a98549fd7b38fe3bc9a867eb731d3d5b8315977095cc274f081a84b8716cbaa68164016a50a0afc1dd65b509502c5cc509aea61c7c3b5c60e3eb374bf5d

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
534KB

MD5
e0c89e41596aa29afa0d6f3239b2c8d0

SHA1
36e2eebb29d96579e58416ffd8849ee1e6e72bf1

SHA256
46f00e4409d1568a986693b85b3c224f677649b1e0fba02fdd3547b63561ac7d

SHA512
3cafba5d766f6b6c968f9f7d0fcadd72286333d2642b4c986c8d9b63690d61f6632d0eb95c709af12b09485d0939f60781ec274122a5b1dd164c84a3f8b651d0

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
534KB

MD5
9315b1da06dd09e4fe68bac3251fcb16

SHA1
5fa89fb4c58429333c632737a0b58be58d156985

SHA256
0416312a1233c1ce4a9391a72593e5011753286eb00cb08cf09925c56b190b59

SHA512
bb58d1f88f2d0b371d0d98a94592aed76a797a84e7f9f3b1c4ecf74030b28913ee462b3bd66495922651c7e5835700fe24881eae88cea51c7f9e4e5148e50c0a

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
534KB

MD5
de5143c0cd3147dd05852e0e77351edc

SHA1
489f12e17c5e5b4cdf1efe4400a1c44539f3e1fc

SHA256
14c7c9bf8ea73645ac4cde8e408405269c917e44b6767b8e17af3757949df49a

SHA512
ca1bddeeccbc0ec201955809c032cc1b5166d05f7b7fe7a3ab61f9fa7de98951aa54d2203778e7ded9ca708dd7a7d3e1141016cf1d1c72ee2d250bee07a55c30

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
534KB

MD5
a9d05182f02da98bffa5241e1846c66d

SHA1
9d80b2f8412a12b4966cb1d65cec026647b26608

SHA256
c362173a8aa6318844d309b9affcc787e591820a465bc2221409e016a3ec958e

SHA512
8ccc6c2317d388234111d17b9957d7386751c176bea5ecb80d3ea37684a6dc8a9dafc99484a44f9a016b42721f89599917f9e48c9fc8104cf83ceb5b48fc82c5

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
534KB

MD5
aa9df8c74c8c13cd02c36a68494d51df

SHA1
e4d4e9beabd4050a4cfa296a65b54a5b3abcd6e2

SHA256
e1a63dfd9e1d59e2694b105b6560ebdf7272dba8b9bb4c3a4198f1cd6ff8f9b7

SHA512
bde2da460fd171c92bf97ffc35a06e4280ee8a7cfb190859514f2abb9a2c010a110dea8a25329b7c5ca76d989b8b674f60b48442bc041ab7fe19c2781fb1a02c

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
534KB

MD5
ccd2f2a5a60c53511ef3633294639c2b

SHA1
4b067fbf09fb1249b9693fbfcc00474d5164980f

SHA256
9d5cd7bfcd44213d1ccc83c4214c72cb27d72fa5230298e13be47efc029d07c8

SHA512
d7943243c3d808c75b840a2971dfe413860a8ba6001e92728b2e1d9239fc22975af8efe4ab9fab0a9ae901bf9671dcc5f61e061cc972e12d91d397d27c603d36

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
534KB

MD5
54bbb5b0c913eefda1ec8c271b7d2906

SHA1
5e30da7e0ee19b92b75708c7a9400b682b27a215

SHA256
43a7335306f051361d9cc5a45c73b5564afbfc4bf5c42211712b184be391569a

SHA512
03907ba07507cca9b5fd1eca3ce5c96d6574d16afa8c44a4219a16998288bba668755a18cf2932df302db0ceba6e0b6bbfb6cfd1fc5b9509e1d1fb953b4c7ecd

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
534KB

MD5
8e3827079432f1e0e2cc47d5db7eed39

SHA1
c1a41e2791c7319700db16e0f540b098969b0c70

SHA256
b92cbd84366913136ad87db6481fc9ed56180cd6404437268483a941f8b656a8

SHA512
3af5de19bfef9d80050eeff5ec692ee3026594bc16dca78368aad8e2cbc03ae2e1b3517224e84e468d7c8af9258588e4e40617a03f1109f856d34106baaa126a

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
534KB

MD5
e94259fc3d70a11962529e119c7fdbb9

SHA1
a402edce923a171725c97cb2bbccac4815f23f06

SHA256
1d1b51d45ef23cb67e1fb5dacb979aad94362845cba44523e70b40513d681cd2

SHA512
48fb79eb52a111506ed8b3a56044343ad3a5518a77914c5f23233b4ebb89f9fd43a1973566637fa4cf132e44892004290f3295a91b7e5bf9347da90ded067663

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
534KB

MD5
b78825e16ce76648b4460c6ec6f3a3bf

SHA1
a1ea3d892e33449ac3fcfcd06c2e379ab4fe1acd

SHA256
ef439d447a98165cf0cbdf7c910c01e573fa122b106aa2a0cfe335b82b73fe5e

SHA512
33a4749f7e33de34f2b60988a1573818a05971ef8ad864519c7787db5c70c0a87cf70e77d666390fc9b7de608eef2d4948c30b60a0915ffec956d5be4eb957d7

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
534KB

MD5
f9e3ac8a51ecabccc137fc14d0b756aa

SHA1
a681be038edf2fc51fc9951fa2428d7b2b11ef14

SHA256
17abaee71cbb33bf51bf582cc0b9b37fadd70c99225a71df08c41b48767aa511

SHA512
b22880595fdd9cd95392a1669c38d4e56c0d36b0fc73279fe12adfd32243aac386211a845bc160f17603a06371aeaa3d43489a3b01c1e105b218719d883f36cf

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
534KB

MD5
92aa23df756b029a076c4549844017eb

SHA1
1909b3e835052476eebf05fc0dc0bf669a4db40b

SHA256
36cf6c0eeb0c76d9a3746d0760df3aea07ff1ba93cd54b1149067dd464a411a2

SHA512
1f9c7d5697a76f1ab0a57c09bb882bb0e14fd0580b2ba2a3e08a8e864d36d6a1c1f7a28e5184d82f3b91a25eec3b9acb4d8fdd4126342ccd26fe7185e646ac6f

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
534KB

MD5
c7222423d0c921f75224d47c4c81dc95

SHA1
51c33a2819729513167ee941b5de10eea7259409

SHA256
998c49930212e6b863231e285b13a9def47e4c692f72491caa92d0a7433d119f

SHA512
6ff51d0ed6935d4b4f07aef579421791f3054ccf1e3fb3680800c560a195dbfc01bbc99a0b0ffd589cc8c22459ae3b3456a68e12ddc033b221be1b0a85548df6

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
534KB

MD5
edb66e058670fe291ca5ede844b59f96

SHA1
5d719fe21a4245529a49e318d503c374b9a45d3e

SHA256
5ef32d646895abebafab121c455bd284c555af3249b4f5b0c374b8077ad98cde

SHA512
025c5e0ce7e1120e3617fdd13020e452ddcc4e1d37cc27b7c77b6410abb84398012eddf3a3d22d252301089c32f78cfd3843552a837fd4f22fb71a1c6f51dc0a

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
534KB

MD5
130f5c69ec2e40f7be6fb208f0127af2

SHA1
edba1bfea344d430ca28e756c1f89d9261f246b2

SHA256
aaecdd273d39a6247f331ad3195478ef6e0b4c62b6836878355b4ed30f089001

SHA512
0659a6ada9aa6d7217905c1b3c4a32bce4e7e8c83c395cca148d69108ea29d6726c0f0ba7f7ec5804d5011ed73291fbb5a88c040ab7fdd978a0fa3e79483fee5

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
534KB

MD5
ee9a9cc0b8f553ecc6775dd7d41ee102

SHA1
be925aec9b33a8e528d9379d9548a14ebae45d0f

SHA256
5de88bd2b3043446053bf6dda239ac3f49d6af992bfed1fc44f80238c876e036

SHA512
1503982b880e331721d6f92735c9f77c143603aae43e8ea543c6594c1b8e807624441cf28cf7ff65f57264152c97f12db23d97fd43c610ff0f067b805ae0555b

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
534KB

MD5
de86678b27513518efac3196669cefda

SHA1
e595ecbef3ed4044bb3282d931089fc362300e3b

SHA256
e261b466786701b76bf5cb9f1129d4139bdad21ed91f160d5824cc655f7dcb14

SHA512
375217dad62f3387e7057a4e67f4a8f14a2af21aa19a4f1dcb1756b85a5c9ffad8f757e22824162261c81a884c346b22ca29560e7fc47a738e747d67a56dfe01

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
534KB

MD5
c19146eec2a0e2f5d1e5c56675f4fab7

SHA1
29d41d46b11858d2747d564362c2765b6056b7fa

SHA256
64d2e4466d3f62b391b5d319a09330d0f0ae9468796cba36967112a6caeb94c0

SHA512
dbc4d257630f640e0eb27f3827b40e168fef9f3facb7693c38843433b38597258ff15e388be037bc31f65e4ee0d1eb45cc1ad8787c9e6e9213b77a07892a318e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
534KB

MD5
10375a7db5ec34b6be81a5c069edfed7

SHA1
9881a61272ed163304cf2fcfe9333af2d652db92

SHA256
f4683d3222744599b44fa90067081524b38ebc95ed2220f136adb06f923666a4

SHA512
0bc61af7c7ce22372b9afb32bdfd8eac66bdc1efbbe811392f679dc40c163a8758d9a8f8d96eba9cd42502ab33a65716ea7a32b440795733d3763d5aebb47fe2

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
534KB

MD5
d83b985c331f968a73935daa7f6c16d6

SHA1
f3a7b3207ab2d0281dd8afc886bee9e9b67ac26e

SHA256
2f25f07ac2bd47cfb909ddb9d03ec8540032c7de6b102e932ef1841819e3d616

SHA512
84bf85f68b2a542b1038f7e2c26c44ae8aa8fdb3fe7370c0b7806d20dae62db38ab4ce4977e072aec8915d662794f9c4cf0406971165d189c5112e492a40dfe3

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
448KB

MD5
6987ca0c7102c4ea5ed5e26b2086636f

SHA1
4d73b958b169a14b0b84625c6396018f9c11f735

SHA256
37516006fe6db9f3bd3ae45b8b1555949b1b5cc87d9bdaa1e75865d836e36928

SHA512
74238ba3c2c38560cdfad962adbf3510e5b4580c9cb6f0620c7f329ab0c3bb64dec58c71c078a147b248ae36c010750475fea1cdf6713814efa7d6d0a670d06b

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
534KB

MD5
a2d866c1a19fbff95bc8291ebddb7324

SHA1
07e0b7b6f1a7ade86728d425b8bdc210fc4a678e

SHA256
e146392a630fa96919d7771b0f8ce91604c06acd5bf7f08875616a804ca30698

SHA512
f0f5dc808194479d8ec21422781835d9f98bbb7e840b25809af5145888e81859da8d55203ad07cff32f34afc99f02b7cedf61641e608fe9b53d97e8b789441de

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
534KB

MD5
d3ef4cc7136aaaf3a3eefdf52f886f56

SHA1
c1f3885a23514a10bdb8d785f2847f69725f8c5b

SHA256
8dcbf787ceb24451b3cbc220190d132c656019a5f538b6535add6587031edee5

SHA512
ba4c2bc2cf5bbfe8ca982276786fcfa5ae7f2cc07867641a317de62a0d368fc6fd4fd1fe142f23d77eca13426661572e21a91869a165399c1cb348ecb95116c6

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
534KB

MD5
b9c46e3dd5e064e506e76e8a15fb8234

SHA1
9a8480ecd0ee1c9708387b05e13ca351f192ac05

SHA256
ff9458bf17bf38b738757ff797b3470af0b129979796b73ecaab834c1bede8e6

SHA512
a77f93c8750df9b5bab641f57b8c0981d331176f49ce7f35c823a9c97818570353c6312cf929316fb3b16cd6927f77a49a12e53ba2d2fc151c14c31914464222

Download Submit
memory/220-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-752-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-777-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2412-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-691-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads