berbew | e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe
Size

1.5MB
MD5

796ba6c44aec22790293a0ebe90db31d
SHA1

96d5027126e80c83f0a0d8701b77abbb49a547bb
SHA256

e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d
SHA512

4c456de2daf4e81c2f1d1afff2ee1bcefa2a23058fb14a041933d3fd4d9ae64c3314bf45062d020f4480b2e2db4f6e1067987a5f17390e734d635efaf52c8496
SSDEEP

24576:emOdkx6Q2xZmk6Ux6Q2xlPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZF:ehlmkIhbazR0vKLXZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4676	Jefbfgig.exe
3020	Jbjcolha.exe
220	Jlbgha32.exe
4712	Kemhff32.exe
3832	Kpeiioac.exe
1048	Kmkfhc32.exe
1396	Kfckahdj.exe
3588	Leihbeib.exe
1668	Lenamdem.exe
3720	Llgjjnlj.exe
2636	Ldoaklml.exe
1648	Lepncd32.exe
1792	Lmgfda32.exe
4404	Lljfpnjg.exe
2388	Ldanqkki.exe
2800	Lgokmgjm.exe
4416	Lingibiq.exe
5056	Lllcen32.exe
4376	Mdckfk32.exe
4836	Mbfkbhpa.exe
2740	Medgncoe.exe
2160	Mmlpoqpg.exe
3692	Mpjlklok.exe
2656	Mchhggno.exe
524	Megdccmb.exe
2592	Mmnldp32.exe
3308	Mlampmdo.exe
2712	Mdhdajea.exe
2900	Mgfqmfde.exe
1688	Miemjaci.exe
1636	Mlcifmbl.exe
1956	Mpoefk32.exe
4664	Mcmabg32.exe
3592	Melnob32.exe
3780	Mmbfpp32.exe
4488	Mpablkhc.exe
4344	Mlhbal32.exe
4908	Ndokbi32.exe
3264	Ngmgne32.exe
3280	Nilcjp32.exe
212	Nljofl32.exe
3844	Ndaggimg.exe
1148	Ngpccdlj.exe
1976	Njnpppkn.exe
3032	Nlmllkja.exe
4540	Ndcdmikd.exe
1984	Ngbpidjh.exe
3732	Njqmepik.exe
3932	Nloiakho.exe
5008	Ndfqbhia.exe
2268	Ngdmod32.exe
5036	Njciko32.exe
3984	Nlaegk32.exe
756	Ndhmhh32.exe
3460	Nggjdc32.exe
1164	Njefqo32.exe
1172	Olcbmj32.exe
4372	Odkjng32.exe
3636	Ogifjcdp.exe
4044	Ojgbfocc.exe
4360	Opakbi32.exe
1896	Ocpgod32.exe
1224	Ojjolnaq.exe
3028	Olhlhjpd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	5308	WerFault.exe	230

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4676	4468	e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe	82
PID 4468 wrote to memory of 4676	4468	e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe	82
PID 4468 wrote to memory of 4676	4468	e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe	82
PID 4676 wrote to memory of 3020	4676	Jefbfgig.exe	83
PID 4676 wrote to memory of 3020	4676	Jefbfgig.exe	83
PID 4676 wrote to memory of 3020	4676	Jefbfgig.exe	83
PID 3020 wrote to memory of 220	3020	Jbjcolha.exe	84
PID 3020 wrote to memory of 220	3020	Jbjcolha.exe	84
PID 3020 wrote to memory of 220	3020	Jbjcolha.exe	84
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 220 wrote to memory of 4712	220	Jlbgha32.exe	85
PID 4712 wrote to memory of 3832	4712	Kemhff32.exe	86
PID 4712 wrote to memory of 3832	4712	Kemhff32.exe	86
PID 4712 wrote to memory of 3832	4712	Kemhff32.exe	86
PID 3832 wrote to memory of 1048	3832	Kpeiioac.exe	87
PID 3832 wrote to memory of 1048	3832	Kpeiioac.exe	87
PID 3832 wrote to memory of 1048	3832	Kpeiioac.exe	87
PID 1048 wrote to memory of 1396	1048	Kmkfhc32.exe	88
PID 1048 wrote to memory of 1396	1048	Kmkfhc32.exe	88
PID 1048 wrote to memory of 1396	1048	Kmkfhc32.exe	88
PID 1396 wrote to memory of 3588	1396	Kfckahdj.exe	89
PID 1396 wrote to memory of 3588	1396	Kfckahdj.exe	89
PID 1396 wrote to memory of 3588	1396	Kfckahdj.exe	89
PID 3588 wrote to memory of 1668	3588	Leihbeib.exe	90
PID 3588 wrote to memory of 1668	3588	Leihbeib.exe	90
PID 3588 wrote to memory of 1668	3588	Leihbeib.exe	90
PID 1668 wrote to memory of 3720	1668	Lenamdem.exe	91
PID 1668 wrote to memory of 3720	1668	Lenamdem.exe	91
PID 1668 wrote to memory of 3720	1668	Lenamdem.exe	91
PID 3720 wrote to memory of 2636	3720	Llgjjnlj.exe	92
PID 3720 wrote to memory of 2636	3720	Llgjjnlj.exe	92
PID 3720 wrote to memory of 2636	3720	Llgjjnlj.exe	92
PID 2636 wrote to memory of 1648	2636	Ldoaklml.exe	93
PID 2636 wrote to memory of 1648	2636	Ldoaklml.exe	93
PID 2636 wrote to memory of 1648	2636	Ldoaklml.exe	93
PID 1648 wrote to memory of 1792	1648	Lepncd32.exe	94
PID 1648 wrote to memory of 1792	1648	Lepncd32.exe	94
PID 1648 wrote to memory of 1792	1648	Lepncd32.exe	94
PID 1792 wrote to memory of 4404	1792	Lmgfda32.exe	95
PID 1792 wrote to memory of 4404	1792	Lmgfda32.exe	95
PID 1792 wrote to memory of 4404	1792	Lmgfda32.exe	95
PID 4404 wrote to memory of 2388	4404	Lljfpnjg.exe	96
PID 4404 wrote to memory of 2388	4404	Lljfpnjg.exe	96
PID 4404 wrote to memory of 2388	4404	Lljfpnjg.exe	96
PID 2388 wrote to memory of 2800	2388	Ldanqkki.exe	97
PID 2388 wrote to memory of 2800	2388	Ldanqkki.exe	97
PID 2388 wrote to memory of 2800	2388	Ldanqkki.exe	97
PID 2800 wrote to memory of 4416	2800	Lgokmgjm.exe	98
PID 2800 wrote to memory of 4416	2800	Lgokmgjm.exe	98
PID 2800 wrote to memory of 4416	2800	Lgokmgjm.exe	98
PID 4416 wrote to memory of 5056	4416	Lingibiq.exe	99
PID 4416 wrote to memory of 5056	4416	Lingibiq.exe	99
PID 4416 wrote to memory of 5056	4416	Lingibiq.exe	99
PID 5056 wrote to memory of 4376	5056	Lllcen32.exe	100
PID 5056 wrote to memory of 4376	5056	Lllcen32.exe	100
PID 5056 wrote to memory of 4376	5056	Lllcen32.exe	100
PID 4376 wrote to memory of 4836	4376	Mdckfk32.exe	101
PID 4376 wrote to memory of 4836	4376	Mdckfk32.exe	101
PID 4376 wrote to memory of 4836	4376	Mdckfk32.exe	101
PID 4836 wrote to memory of 2740	4836	Mbfkbhpa.exe	102
PID 4836 wrote to memory of 2740	4836	Mbfkbhpa.exe	102
PID 4836 wrote to memory of 2740	4836	Mbfkbhpa.exe	102
PID 2740 wrote to memory of 2160	2740	Medgncoe.exe	103

C:\Users\Admin\AppData\Local\Temp\e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe
"C:\Users\Admin\AppData\Local\Temp\e162b282fba626e83bddcec35a21437b15e8f816793bccc4d258b388ecfcf03d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Jefbfgig.exe
  C:\Windows\system32\Jefbfgig.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\Jbjcolha.exe
    C:\Windows\system32\Jbjcolha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Jlbgha32.exe
      C:\Windows\system32\Jlbgha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        34⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        36⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        48⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        54⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        59⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        69⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        72⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        73⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        74⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        81⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        82⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        84⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        91⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        98⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        101⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        107⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1700
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        109⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        111⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        112⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        115⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        119⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        124⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        128⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        132⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        146⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        147⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        150⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 404
        151⤵
        Program crash
        
        PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5308 -ip 5308
1⤵
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
1.5MB

MD5
2aefcbf72affc123be45b2f186fefaf0

SHA1
03a655b444d39d405c7159a61bc16a9d1bdb5bb4

SHA256
ca952efddbf6bb6e94d12c8e0104ec94db3466ff45f93e2ede69b78eb5a60c93

SHA512
1971727526d75c303ddbd9f76ebff26bcff72a2ac704c4f5a6d38268c1c71c709cec8f5ba6b88094bb9189ef5f7bbd6a7333bd10b3712a2e61563f4e4a43dfd1

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
1.5MB

MD5
b6f4c889728aaaa9197162d23178e576

SHA1
41aa29d99b28921d1921c60589bc95fb9c71a8da

SHA256
2b1fe7a31785ce9797c5c10c3ab1d63943b0c252da33766044377c2d4061b302

SHA512
a0cf5f47ebe1ba6181a9733ab38bc14492e52e86baec1c2bd1fec92a5548901df35ea0339c4eb362b6bd3d36fa39af67b319e265ada5d8a5ae6c3c734fdf7628

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
1.5MB

MD5
f1e0f161c08475078baec9ebe4587180

SHA1
d57ace233a1ee3105c2950b042cc8d4e61b67d57

SHA256
bf5be69a7a449c1508a00fd9b9be5a98ebe2a325f0d47a13df4de9316ee64f9b

SHA512
bbc4bdec866ac78e9a9a25d1749afd0b8d9f1e536632a0d3a7ad508bd4472c6225f4d239f4f571dccd466f01cfbede6823d7a5c2ead663a18de91390756fac0e

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
1.5MB

MD5
6881347c197f22ece75a7cd7924c8e69

SHA1
b8f4e25f092a4ebcf4fde90121bb62b1fd5cf6ca

SHA256
5b85bd8a81ce31774fd08baf9c405a21d76656d354afec7af21537630efe3751

SHA512
af8f84f6b04b177f154994cc6dc571d6130110915c6c3f4a17660dadf4cb7fb91d9578541322a094d0110d867e703314f8a377ecf59aecbc05e2a52afd79d6a7

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
1.5MB

MD5
50b6e3f090785cd469e04582d5254ac0

SHA1
b3e7b2671a87c471770da00ad27daef2b343368b

SHA256
a15261792544d662b32fbe8a919c56109652280b68d68461e939332f5b043b66

SHA512
4c6a19c5e8864efe6702e0d7122e9f58c4668d3ad914daccd89b8863c5bffbc0663afafbc04f447f5553777157aeda08baf0dd1ea227ac3e4809c2b8655dfc85

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
1.5MB

MD5
7b932a5a19ca71b1178e396609ff289d

SHA1
cd61476dd5ddb5dac2cf53e3f71ecba9ad015d56

SHA256
e25cfc99a1f2f662af70acd6d7d727a00a8d35c67baf7b1867884f24cb690f17

SHA512
0a6adacdbc0eba99c037bcc21d87fa3431df0cbb6d815c492e4e8b4de8418c0c427ffb639eadc9b7781a42680a411abfccfe36fe10b41c9cfb3c12da3f58d70c

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
1.5MB

MD5
e443ed9e2fb29d1b6237e3f52e0914a4

SHA1
f32482d3132bff7138edb31ae47304cd288f83d3

SHA256
9c0c51c9eb668a61e62bd40be3d7db342a7ae850da9d82f8d5ae239064eb3e0f

SHA512
aec3a9455dbd6494d2c9d7f0589fbc935f6b63b010d310c6815d5a3c1c633315cfb39a444df571016a5ea26ee341232b5855f4dd2ae71ac1660c9c6c5a12d7b2

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
1.5MB

MD5
e2185a5980cce691539abe2d14a7cc2b

SHA1
7557de0383e9f7845c792c76657f177795ff9d06

SHA256
111384e785e6029b6132b21851ea859af913f376fc749119def5940f7257d1af

SHA512
c8f54b366b4a7c5db0dade8ce97da23f55700d99b8bdaab11505ff2a2cd9bfefbbdd40cece85617acfb2b4f8e56db1ea27837f5b2c7752171e63ca0b81909512

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
1.5MB

MD5
1d2f180cbbf5a49896be74c536c9b8fb

SHA1
d3d293f66ace616b29a50b42660eac3a8c815c32

SHA256
095ca16cc7ac1f75f953c28fb66a0e9226baf83db5a9f41f8d2aa365fae5f5cf

SHA512
104cf3c8ff6f214bb750c70f762d57fdeca0c89c1b3a3b5e91a43d117be2bb221ea146cf3e3567431dda2020d546f438392eb5876c41ed8a551b3435ef475757

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
1.5MB

MD5
9c25bdbf1ef4a1fd0f82b8e9432c384c

SHA1
633e59107b66e879e7162bb52049eb6abac13212

SHA256
2ff65ae47d763451063a0b53c0663762afb18debe37958729e06a3f1e20ac8b4

SHA512
67106de2bfac16c961a821aa47f0491330ea750cfb97cec0d314b4a1df186f7bf002319a416237c95db56247ce48341ea71298e63fe3f2d1b8ea2e4525996213

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
1.5MB

MD5
fe30f5f398c1e17ffe87abb826a976d0

SHA1
4a82b267eefa1952993c6945df4711c798d2d8de

SHA256
1d1eff8a142f4564cf2f22ab06fb7cb9e6691883d18bf6a94fe44e45b6e1494b

SHA512
387235b04ea4f65fdc8f237ad90d1d654cc964edde75070a5418e413f43a5afe22338e0b313eac07726f57f56d303a998a654e7eeb8997ccfefc16cf0d23fe63

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
1.5MB

MD5
e8fb582c3a2c18ac008dc51505eda0dc

SHA1
f1169561c469e28c9fe2f0e80431d68118a19b2b

SHA256
e8073b54b65e41b4feb33b1d180981f634a51ab3eea6ded84fa75c8b3bf9d0f8

SHA512
7490c1fcda9e9587e87890792074498b1ce9306b3ff656c31dab206cd29bd6ee4a5562ad9ac9dc62d1bcdaf741e57d5c9320bd700f0425d7c4cdb2b416465951

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
1.5MB

MD5
4982479b0c1f19cfed0fae0fbf8aaa2d

SHA1
6bf3e1ff31fe46de310fc79d54362205567ee7a1

SHA256
89b9904ea123c8035ec1b59b51cfd7cc4c8584d014b66a6bba6de53125918067

SHA512
d6e5fa0f8baba6e1e70ab4cc6f3ab31a5916e039ff320e94aefa078d8259159713b3a53cb707a3af52eb0913306200ed828dca60ffaf3024ab5f4b43a86febe9

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
1.5MB

MD5
85f42d1af4fe9a4bca53f42a97b1342f

SHA1
cc4eded7207a3aac271f71b578a25844b62a445d

SHA256
546a2c019c7c3240d448b95cbed57df6f9fef5523d916ef35a9b0397b73b7341

SHA512
e73844d0ed20fd4aea6bc8e3fe5b1e46b60b7578a12a7f5b2317928fd86daa92d11318c5bcf6c94579c7d89902d0894416db809a9cc02d4f32a4a140f4896c02

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
1.5MB

MD5
01ef0b8c8f695d45577a60b72d1f90ce

SHA1
951b2408a9341c4e13481fa55041f3798863dd87

SHA256
c64cbe3f904f780762196c09d41faf26bee1121c499e3fcd68fdb8d861ccdeda

SHA512
2e4e7cb63c066bf5a6c535ea64d9b8317f85f1c7cd79cf1c39004c3e5dd8039406d72602a75973d43d00fbddc04b480a3216e52bfc678028d98dede01bb3b085

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
1.5MB

MD5
68034b857b3a553ecc0c982815995beb

SHA1
8af7bbc1b77842d65b8bf6d47f85ee007aa04d1e

SHA256
c8bb64cda343c3ecb19c2ecd985f0437baa2dce2152083f48a6f60875f908c01

SHA512
a29ba0ce1c13b2d2eadff649fd685c41ed48befd3c4051b481cb747d5fa2947976ec572fdd2709db97a7011c1062d915e5e36af087b1ee2fccf65f19bb436334

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
1.5MB

MD5
93b4d69f8561b5e025defb7ce0e79042

SHA1
830f84385d41612992297049cfd3dc5bd9e131cf

SHA256
8ed1800e8d583ab8a644c511b573dd275068ec4967518f2b7327fe417c3d15a8

SHA512
d2ca7afe6fc68887602862b2432e7b450bf1af7ed3937d4516348e6aac8666507364f4a5e4bb7d88b5e3bdc5d9fc1b3adc20b71c8e5a9826af9ab86521edbd8d

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
1.5MB

MD5
fc26e4b4d6b630b531f52624137a2bce

SHA1
15288795a2d241066bff68c055ecece84d5dc08e

SHA256
04bfa35e9c7fe57441725bbcebd77eb96a99c5c5d99f7afc3b932d1f39ad4775

SHA512
d557bce57e3ff3ee04047affb231d4c8da22d9d94de9270e74a5142d55d4d546f4151fc22364821a7e7fdfea33fd6cc1d2046e16091ae098cf935008b1363f17

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
1.5MB

MD5
14bd44a083f4b0abb3f3d07c14152d01

SHA1
8489bc0476da593e6939ae74d7fb8103cfc38548

SHA256
d8eb5eca9b790e3c875f6367ba46bf0c232c07071af7afb48003065e12356034

SHA512
00c31e718e56c0e2e8486f10c59784b7bdb18407e73440dc8424dc44c20ac01a955c127a7b05c21b54fc5c6b0343a85e647cc8a9b80748d6e51417468f3fff98

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
1.5MB

MD5
cf7cccb75bcfba76260a15afde748d7a

SHA1
5046d28705af2fe2e0ec0ce0d9a4af8f6b03d29e

SHA256
dffed72db188b1887af367a373d1eff7998ca7474dd914c147223e7ebd39cf6e

SHA512
540689f922186ce09eb1deb256667f0077c2965bf9fd6275e520196d40894ee7bea91afccc1aaf87863fac19dae9437f1f982c45694d7c996415a3c027ac7502

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
1.5MB

MD5
83fa35b5a7b036579d711876e5831b93

SHA1
ba9fe3deb0661e6e348805b12232331d95318c21

SHA256
cb86fb86f2d3c5d523778590c93545c760b46f5f6390f42fb6bb1dfd963f13a1

SHA512
bf67393fe7ea3db0f740e69f1e3069887e3dd4ab1c5e121cc81d2e8f82f8807df2fd958e6731b8752a8d55e13cf70e6d780076905fb2e027b91159358fce7cd5

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
1.5MB

MD5
6e3e9fd78177deb20a53480ea291d652

SHA1
112b2196178223ed1160271fc2568e55991cebe1

SHA256
f442a2c61a516bcf5bbbe00f68f7dbe63317d42562c908dc562f69ed6c824333

SHA512
b48237827fc733f206b9965d15f13f2e834088a011c5e67c69a64f922f71e62230b0fdffb1cac4a734c55340d865d68905df5b6941906322d94303cdd935b19d

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
1.5MB

MD5
e9050970a62d9aabf8e59e6f4a81feba

SHA1
6a6514e474633be9c0e7cbbb7c4daae01c995102

SHA256
6e9ced04187f1186efd7629839456f15b46891d362f8041ef7743dad0cf6adc2

SHA512
7bf44fc4f75e47610eb4b6fcc36b1778cd2192ded02dbf3d0468c6c873cbfeb3dbbd7fd121c051964998d5e9c78aefd898ca75283b61198b41d1adfe2ba32643

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
1.5MB

MD5
23fd9f6ce604223a16705d23c4e4d2d9

SHA1
4b8d401368fcc05154e98c437f75434db5308550

SHA256
c87922c82ad3731c72c0154efaa25b48fb2b836a698c54d0042979ab5a060c45

SHA512
453da9ea49c4fd275781792c2a0e455deffae64efe73f8fa73d631b15cbeab372c60bc2e232612992d388d8436cae2d057745f9ebba6d62cff2758f2c1e0efe5

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
1.5MB

MD5
1fea9226bbb52fc46ac8bdb8e16abc57

SHA1
60e3c91cf2fdf8746fccb71e1f7bd2c216600d63

SHA256
c8b70cbbfd896a5f800947ba60d9ef8600d0ba5edf201f72f57eabd712a03238

SHA512
5cffcb0bfe86528718be9ed61e73dde3bffd7e2b9c81655db833c4fc12c500e46578f27e761394be183b8dce0423013067a6c16f3b9fdee00e29e3efff558891

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
1.5MB

MD5
c6aa73538a705a0809f1546884fe2c86

SHA1
90f6c6b65ec77ee390a0690a7d04e7fc08e44a79

SHA256
d92e1a958b4df82079c4fdc0f308720d8f4af375263318a0029cf3343e3f0e4c

SHA512
b772811b133cb2a8cdd3fb9a5f50ff4e085a48848f16f30158a226d3b495a57c2177e9cc48cbbbf49ea367dd4bc666e5b8e2c6ff6e52a1454a580622ae7cd37f

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
1.5MB

MD5
6acc83661e08ffebfa7d5d28fcb84749

SHA1
80c3dec4577298c5e6a59e2bd8747c0b6bd30440

SHA256
5bcde8ecc407907deb2497eef20b85c4b11f4a62d6af5705036fa4dfbce0beef

SHA512
11397bb65346e2578bf026294ed24d3c527d9eb431263c001da3ef52f5e689b27e861483a3a810c6ef92551eb185fd72a8177d424566adebb824fd01067aa18a

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
1.5MB

MD5
097fb0f990da8c2adc9a4d643a54d329

SHA1
054506db583d64af773821fa6470d05af86caf5e

SHA256
20f856affaa063ec19cedb23be11d2bd8f98bce8e36964908d90fbe24e65229a

SHA512
1a33fef92697201f941d71f620431e2673dcc90ff7c62794d34bfa0f2abaed56aa2ce8c4012f42b5ee0954307855a1a8ae8cd0d09a6bfadc37e04656a82d5f6e

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
1.5MB

MD5
9fefa97313c6d1f31dc9c95830a747e6

SHA1
0fd960ab60015a796caf88ee0cd1594c232d6002

SHA256
7dcf1da8d0425b28957e2cb12db4f489080f5baf72189bbe6b62fdf1a9394d98

SHA512
02cfd604dff62c5b1285a27830a495e2dc2478cb65456fe42147929f4a19a09a55e00331761132bca4f8d5fbcc4c28ad021a0f8b284b34a8f2db5065f70522df

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
1.5MB

MD5
b7a2bb83bb264ae16f7d46760b422bb4

SHA1
214fc33ba47a5e7a93f2503800e6e47cbd2545c7

SHA256
82cdd1ff0576390af9f6b756b782faab04b041f4734bade93d538caa5b8e8c21

SHA512
3617d783dbd7a699bac6ee6a475e30f741f521f7599a6364ee855c51cf425066facce7bc1a652dfe71c759dcbbfaf7ad52e823b4b368b4e44edef92e015b944a

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
1.5MB

MD5
6114e4d9942fd66eb809d34d1612febb

SHA1
3a97deee1dac41e58e539c5b0a53bb671487362e

SHA256
1e260b8d5b23823eb5877b4c108e6f33c1070ab7b3c754d2e8f2aefe6a5e2c98

SHA512
e602b7108b1333ce30bed15089597e63353e3b6e07882ea971c0e0e830743c0036a3e293583ec3dfcd319412ed5cb6f2e657f5dbda2444bdcc4e72bab7fdcb41

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
1.5MB

MD5
aee8ca6f6534bdf3f1d40eee61c07cbb

SHA1
ee97c5f543cdfb684a66cc1491c0b7101b8f2ff6

SHA256
587f04173044aaa93630736a96d836935acda497b41eb9771cfacffa2bf44afd

SHA512
f77103fe80af2468dfd80c225e5d4380e96c4ffaccf26b3f539303ab49671c4b4b0e71d722f54037db76d0cba9e8f6261c8702a4c30efd53f0049170d76e0c48

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
1.5MB

MD5
b941ac68c3f4731a82633c9e19679e1c

SHA1
8a7c6e9608e2dc2a0afbf90d5f2b8983dff6ce9a

SHA256
ed6b9bb0c7dabe0f02d23d915152627e2915ab830f1b8b1605e652a9a7a4ed0c

SHA512
364904dc6097dfd14735db66cb9c0e0b1c2734b9124f9dc490f832adec145e9a511625597bfecf3ca051d8a2bea6d0929452a76563bdc684f8949f61eba84a12

Download Submit
memory/212-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-973-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5212-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5252-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5512-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads