berbew | ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Size

896KB
MD5

dab15ddf330bce52c2d5eebbee0d1271
SHA1

a6f789c3ca08dd77ee8be82431f76167c502fae0
SHA256

ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1
SHA512

5151b6c9961b651f5750d52c2f6f294c6c3213879c1af637aa03dc907872e157b53d4dba86ccd1241872207c90fa64e55afe1b458c4d101c2d3e7a965d52893b
SSDEEP

6144:YfWU5CPXbo92ynnZMqKLDK2Q9zsyVH3imoQiRLsmAKWEnaW377a85n0R0tHIIF5j:4FMusMH0QiRLsR4P377a20R01F50+5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4428	Jmmjgejj.exe
3264	Jmpgldhg.exe
216	Jfhlejnh.exe
4712	Jmbdbd32.exe
3600	Kmfmmcbo.exe
3048	Klimip32.exe
3728	Kedoge32.exe
3032	Kfckahdj.exe
1624	Kdgljmcd.exe
3620	Lfhdlh32.exe
3536	Lfkaag32.exe
796	Ldoaklml.exe
5024	Ldanqkki.exe
3608	Lmiciaaj.exe
4424	Mchhggno.exe
4564	Meiaib32.exe
4656	Mcpnhfhf.exe
4584	Ndokbi32.exe
2220	Ndaggimg.exe
2012	Nlmllkja.exe
4744	Npjebj32.exe
4432	Nnneknob.exe
2988	Njefqo32.exe
1520	Oflgep32.exe
3384	Ocpgod32.exe
1772	Odocigqg.exe
552	Odapnf32.exe
5092	Oqhacgdh.exe
2272	Pdfjifjo.exe
4372	Pmannhhj.exe
3184	Pnakhkol.exe
4724	Pmfhig32.exe
4540	Pnfdcjkg.exe
4884	Pfaigm32.exe
4344	Qmkadgpo.exe
4908	Ajfhnjhq.exe
4524	Aqppkd32.exe
2628	Agjhgngj.exe
5076	Aabmqd32.exe
3100	Aglemn32.exe
3404	Anfmjhmd.exe
4604	Agoabn32.exe
1468	Bjmnoi32.exe
3976	Bebblb32.exe
1220	Bjokdipf.exe
1320	Baicac32.exe
2100	Bgcknmop.exe
3628	Balpgb32.exe
624	Bgehcmmm.exe
1180	Bnpppgdj.exe
968	Bclhhnca.exe
4836	Bfkedibe.exe
4108	Bapiabak.exe
1476	Chjaol32.exe
1412	Cmgjgcgo.exe
3512	Chmndlge.exe
2844	Cnffqf32.exe
1164	Caebma32.exe
1964	Cfbkeh32.exe
1244	Cmlcbbcj.exe
4516	Chagok32.exe
5116	Cajlhqjp.exe
2028	Chcddk32.exe
3644	Cnnlaehj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	3944	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4428	2456	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe	82
PID 2456 wrote to memory of 4428	2456	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe	82
PID 2456 wrote to memory of 4428	2456	ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe	82
PID 4428 wrote to memory of 3264	4428	Jmmjgejj.exe	83
PID 4428 wrote to memory of 3264	4428	Jmmjgejj.exe	83
PID 4428 wrote to memory of 3264	4428	Jmmjgejj.exe	83
PID 3264 wrote to memory of 216	3264	Jmpgldhg.exe	84
PID 3264 wrote to memory of 216	3264	Jmpgldhg.exe	84
PID 3264 wrote to memory of 216	3264	Jmpgldhg.exe	84
PID 216 wrote to memory of 4712	216	Jfhlejnh.exe	85
PID 216 wrote to memory of 4712	216	Jfhlejnh.exe	85
PID 216 wrote to memory of 4712	216	Jfhlejnh.exe	85
PID 4712 wrote to memory of 3600	4712	Jmbdbd32.exe	86
PID 4712 wrote to memory of 3600	4712	Jmbdbd32.exe	86
PID 4712 wrote to memory of 3600	4712	Jmbdbd32.exe	86
PID 3600 wrote to memory of 3048	3600	Kmfmmcbo.exe	87
PID 3600 wrote to memory of 3048	3600	Kmfmmcbo.exe	87
PID 3600 wrote to memory of 3048	3600	Kmfmmcbo.exe	87
PID 3048 wrote to memory of 3728	3048	Klimip32.exe	88
PID 3048 wrote to memory of 3728	3048	Klimip32.exe	88
PID 3048 wrote to memory of 3728	3048	Klimip32.exe	88
PID 3728 wrote to memory of 3032	3728	Kedoge32.exe	89
PID 3728 wrote to memory of 3032	3728	Kedoge32.exe	89
PID 3728 wrote to memory of 3032	3728	Kedoge32.exe	89
PID 3032 wrote to memory of 1624	3032	Kfckahdj.exe	90
PID 3032 wrote to memory of 1624	3032	Kfckahdj.exe	90
PID 3032 wrote to memory of 1624	3032	Kfckahdj.exe	90
PID 1624 wrote to memory of 3620	1624	Kdgljmcd.exe	91
PID 1624 wrote to memory of 3620	1624	Kdgljmcd.exe	91
PID 1624 wrote to memory of 3620	1624	Kdgljmcd.exe	91
PID 3620 wrote to memory of 3536	3620	Lfhdlh32.exe	92
PID 3620 wrote to memory of 3536	3620	Lfhdlh32.exe	92
PID 3620 wrote to memory of 3536	3620	Lfhdlh32.exe	92
PID 3536 wrote to memory of 796	3536	Lfkaag32.exe	93
PID 3536 wrote to memory of 796	3536	Lfkaag32.exe	93
PID 3536 wrote to memory of 796	3536	Lfkaag32.exe	93
PID 796 wrote to memory of 5024	796	Ldoaklml.exe	94
PID 796 wrote to memory of 5024	796	Ldoaklml.exe	94
PID 796 wrote to memory of 5024	796	Ldoaklml.exe	94
PID 5024 wrote to memory of 3608	5024	Ldanqkki.exe	95
PID 5024 wrote to memory of 3608	5024	Ldanqkki.exe	95
PID 5024 wrote to memory of 3608	5024	Ldanqkki.exe	95
PID 3608 wrote to memory of 4424	3608	Lmiciaaj.exe	96
PID 3608 wrote to memory of 4424	3608	Lmiciaaj.exe	96
PID 3608 wrote to memory of 4424	3608	Lmiciaaj.exe	96
PID 4424 wrote to memory of 4564	4424	Mchhggno.exe	97
PID 4424 wrote to memory of 4564	4424	Mchhggno.exe	97
PID 4424 wrote to memory of 4564	4424	Mchhggno.exe	97
PID 4564 wrote to memory of 4656	4564	Meiaib32.exe	98
PID 4564 wrote to memory of 4656	4564	Meiaib32.exe	98
PID 4564 wrote to memory of 4656	4564	Meiaib32.exe	98
PID 4656 wrote to memory of 4584	4656	Mcpnhfhf.exe	99
PID 4656 wrote to memory of 4584	4656	Mcpnhfhf.exe	99
PID 4656 wrote to memory of 4584	4656	Mcpnhfhf.exe	99
PID 4584 wrote to memory of 2220	4584	Ndokbi32.exe	100
PID 4584 wrote to memory of 2220	4584	Ndokbi32.exe	100
PID 4584 wrote to memory of 2220	4584	Ndokbi32.exe	100
PID 2220 wrote to memory of 2012	2220	Ndaggimg.exe	101
PID 2220 wrote to memory of 2012	2220	Ndaggimg.exe	101
PID 2220 wrote to memory of 2012	2220	Ndaggimg.exe	101
PID 2012 wrote to memory of 4744	2012	Nlmllkja.exe	102
PID 2012 wrote to memory of 4744	2012	Nlmllkja.exe	102
PID 2012 wrote to memory of 4744	2012	Nlmllkja.exe	102
PID 4744 wrote to memory of 4432	4744	Npjebj32.exe	103

C:\Users\Admin\AppData\Local\Temp\ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe
"C:\Users\Admin\AppData\Local\Temp\ea9f891a44b695db69153d6cfb206806ed13fbeb5c310fc2d58d3e51c5cfb0e1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\Jmmjgejj.exe
  C:\Windows\system32\Jmmjgejj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\Jmpgldhg.exe
    C:\Windows\system32\Jmpgldhg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\Jfhlejnh.exe
      C:\Windows\system32\Jfhlejnh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 396
        78⤵
        Program crash
        
        PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3944 -ip 3944
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
896KB

MD5
524537be3ff3445aa37fa18373d09cbb

SHA1
9c4ee24535da59d39601adcda1c57bcf225519d6

SHA256
73833acaa2aa93ede031a33bab90f0b6ac68d1080f841971c3d36b39f5bb219a

SHA512
47dae90a735245dd38fc38af465ae711b8eaf9dbc9f0248d16fa8e2ef83639536043728cb5ce4fb44c561dc921e128a49b81585d7b2c19ad7eda7a326585308b

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
896KB

MD5
71bd7a8b0ec85638c333a1d10216bdf7

SHA1
111cbd8763adc0fefd1d818c751398e5077ddab1

SHA256
1578ee2e2f21476b43e2ebed94e8dc3acbb5ec2e95e4312886530be8ff0d02c4

SHA512
13b0f2f3f98eea44ac7b5e1858810245797b25d3cf4bfa245abc7b24fb3c6cd225c0c83df1b5b539631305c0edec38fc8f68f723c6f1382ca1798c9de0c3d46f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
896KB

MD5
8aafc7f27ab912cf82613695761eeff0

SHA1
d44aaf927b1bd997fbcfc15eddc312907767648a

SHA256
ad62e78ec094cea60e6ce6fe5419fb8423d23b6e52cf59d959b2bb1c0f115ccb

SHA512
5f6581a2b30e811ee22cf871688fc6e849b27d62da50cb196e49b8450737b6241f823c8caf13c3277106fd08e87863b0d35ae656851108274bd7cab96c7961e5

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
896KB

MD5
9ec318e7b53771dd32212dfec737d0e1

SHA1
845edf73917dd8b4b027dd3d19b75e11c37a3c3e

SHA256
a58e54582046c6e1085e2c8595e1da765c7a54f8a84adc1d371828bb6ddb6f29

SHA512
6b3c1389ab552d5678f5615da5de0742b99c67ed7ae9476694438c1b20cf61f67976de7e825e4574621e66c8ccc288eb566c1e02e104e9eb38a0277e063458ef

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
896KB

MD5
7fc3ada395320b4a35e69bc98fd9a1f0

SHA1
41dfbf9d9f7030be063901db1f50082ae0460720

SHA256
50ddad73a28eb7118108415ab584e20315dce54d6993b51216f4cb61a87a7bdd

SHA512
409b5a4c2f1ea756c01d914926ab6e9bbd72b6784ce52dd7c4120c2cbdacef5389f92632600421bf740292e449eb6ea37516605642ffeee400dbb1bdf34fa8a4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
896KB

MD5
020d04c03b68f5efd8ef72253a87093d

SHA1
979e0a9da8737c6d00ce24ca265d93f37d970432

SHA256
68cbf12973b0f4d11bd7a5800258180639e1ff4587076bd2eff3e1b7cb884208

SHA512
0be27e092b5265b14d9764e31f7e8eae8ff5599fabf38b20caa9b2d5bd205d0e4b7e9c3ae9a49f3e2ee417e7f56f9f06087418c5552008ea007e12458e99b29e

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
896KB

MD5
38cb76ac199ed436c805cf236d26cedc

SHA1
4d047142f40e68382b8ecf4db1a8eeadff88ccc7

SHA256
92134a8f45d1a41c2eb3611b13de7e7014e079a36b1ede4e6a66eb1e545d6e06

SHA512
654e861b20e04f8287070d69374884cdb5e107bff516ee395213c1afb9a9662de50614a2e90821fceffdec9f87f2d084fe7cc4dca505aceb906bb9efd30a135c

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
896KB

MD5
7d80ad5b401e712bd5bc0eb3c50e2860

SHA1
900b7f9d684db37150836a5873377bfb411970d1

SHA256
df2e4bf8d9eac7d73dce476e8de735bc46a892158f4205fcf7e9774fcf65ec37

SHA512
5a028cdd6024b9942db697c5042c9c5d526149c341ec10bfb69df01fdd16d6079562722ee3e41941605b30fcbeac4bdc14f31d141cb28a5925fb36aae669c2cc

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
896KB

MD5
25ea1662683f190544ceaa570e08a7fa

SHA1
2e028bb96f17043415d49cb9097165ac5cca684d

SHA256
ea694803b859f158f462b0b5f180fa8a0448bb76ba1a7d6021b0498e3b8f6faa

SHA512
58ca5d80e65f5e49d35e4e4e91e60fcb7933312feb990443ea40e29bab1ac5b6a32ed041dbccf48d8f32fbeb9ea492ebe2b821d17f1c1658880576e8cff1a1b7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
896KB

MD5
8635f0470440bd6a501328c9c0bcf7c3

SHA1
257cedfde94ffc1de6937f3177b548f325dffc1d

SHA256
9b1e4c6a122a6e5b6d69b859fe6aecda0720213008ebf9fd64503406c2484c7a

SHA512
992299de01dd96fd2397c60b765fe0e6a0c57c4308ab772534aeedf7cc0811dd342cafbb68746b88b42c0851222d5c000c186d3a2f32078f3a16fa63872f7fba

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
896KB

MD5
48a1a50c91237d0111d454b2c8a4c345

SHA1
b24edd69680f4b61eff9cebd7106818bd3446e2e

SHA256
0142894a54f5abfc34ee015a9d22f06b508665e1a25ad18861a80435d580d286

SHA512
4598307e831413f59f6df3f11ef34ea079de3af05d084204f3f0b3132acc2c6db8b1630c4ebb8dbad431ee6f127f9087b4a2325a5e4f27c8f3ea381422abdc83

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
896KB

MD5
96a0058d960d8ca790a91077764946ae

SHA1
175522c230e6129d2d31f28729606f0f3b723caf

SHA256
5fbe81fd6318c9034956ff1b69b97ab7444f4c31ce67e8e3bc15a44fcf5135a6

SHA512
6e3cdab962bf21d621a683ffeec03bf940d13dd887996cb9122f73cd839699d74509dd47cbaff992f43c577ab0171f3baac65f76b953962babfd8e26f8f58401

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
896KB

MD5
3341922a61fd0a627f31272c71b49a31

SHA1
1177cc7562552e8209eba1802585ce5c91edc279

SHA256
5d5197f3147e1485d1dfb75d3dd0f83d973f4076ac3d04ca7a80ff255807faa5

SHA512
e51976183b1683971909c689558a70369bd627f7cce6a3b96502d8a7a47e51375d8ffa5e15b8c751708f0a1a3775556552f80ef36f46a36582cbe99a62693543

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
896KB

MD5
f0fdb53c7503ce91d991cde1823fe026

SHA1
63ea343f83deacf446d448b9b614a33095057b8b

SHA256
c1be8f0f2fa78f81269da5cd206e916535c494e530abfd37413544dc6f999a73

SHA512
78e9c35bd52e2220c7e78c3cbdf8f2feaac16a3a788323831ae230a4dcbfe8a721c5e4d5648b08cd322c04660b29390af6c916aee88beed20f40ce6b1e52ba94

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
896KB

MD5
3047423b5dd69d6c97009ab2658d6d64

SHA1
d3245bce0476691e0d3367835b400600efda9fee

SHA256
6159e577119052293eb14ecf0e00ebddd4e161531d7a54bad5b3de569bda7070

SHA512
563a580fb816e9d5fdba40f33fe7bcc90c8974850abc962c9855b362182469548de4f504c9afb27573cba6b863e321869d1bb1e0825d44e5c58b1433b632a469

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
896KB

MD5
c992b233f0147ae5360bb1dd09358a3a

SHA1
9418548c45dd4028561795c6d6ddbebc0d971f23

SHA256
2bcedb69f5dc807e6844e4d2b029ff2609fe52f390d5f4f8a0ac16e1dbb3781f

SHA512
22eb5d85e093a0644045e97f11499cc46da681eef77822799d9216d692190acaebc1b205473756fbffa733a5be04859faeec5f65cfb297b3d1893d3074c94799

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
896KB

MD5
85fd1d4b413dca852d516d720a9e6e3a

SHA1
7fdae6bb9c5b9cbf3ce302d3dfc73f7c3e4a110b

SHA256
2a91ee84f57b12a39e4083c0c033e4c4c69afa603536dd7b826a1cfec5173059

SHA512
c56cff343b273221b67ca2ebf4d42150df165f7fc4502c4d33afbb1864eea69785999a07592ef795304cb4f97ce1b96e02813dca399c3871c2cc147b7a35e39e

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
896KB

MD5
83455decd23084c32bc577950c94ece3

SHA1
de0910fffeed70850072eedbf0496991558d156c

SHA256
933540a2b3a463839f77961cef6c803da1d0b2dd6912ce5e5ae532966fa528b5

SHA512
45212b1673c64916e4be94ec215399731a0aa66cfa1fbdf3a5e53c04bf005da7656e04cf721f1fd651dbf55814305296aba6b010fe8c171a8d632ada11159da7

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
896KB

MD5
3035376d66c6ce8d8dd97d4479ca74f4

SHA1
af1df4fc11a03317be870e95b7381b5af711668c

SHA256
722053679a48ed8464acdfb46aa88962344058dd8ee1dd8bfd48a9db8ba73d23

SHA512
761912c77156f46c150cfb189930909bf03d4807ee947b5dc2b733c7b056dfa44ebe2f9aef136f006ee7baea875a98da97121eeeba31775f8ee35059ec41b69e

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
896KB

MD5
65c9a1ec9973214c8fe3b6b61f209e95

SHA1
93908a73083891b7b14609b756f5cd433e975218

SHA256
2750d8ce4e0868f25fd565157e91ae5d0c4635f3b0beb140e2e3200f041667b6

SHA512
9163fc1a9ef981868845f556e295b9d7df5e821ff9511aa0b91c630cde65eb6063f1ee647d00d726c1fb7d1b9e36bf41c9a80008ba128706b49f1d7073d91869

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
896KB

MD5
cde40048bb3011ed722eb9b614ae9eb4

SHA1
fd74d3505f40ae10a045a1c4dc517400b0cd56e0

SHA256
7e47d3eab6265c9a06e9049db168f60da578eda860ee0aab95185f7bb6259412

SHA512
34e4a4dc8a186cc70f112a899f37ceb3b6029ba6c80d561b73602f7099829a277ea82a8796a767265ddffdc700d4c0d7dd9e7b53bd3dee2bec068413cd247c0b

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
896KB

MD5
48b8af600b5d01033dcb58195c5f6e6e

SHA1
fdb5393e7bd89df255c766349059c0e380439c20

SHA256
074f907b49ad2b7ff7f3e14a780a1ba04562b820e526737438743ff0d62cc758

SHA512
75eba219a3e097f79c31e6f1315c65f83a3903534967d43529e89923f209306b9ae58c2e43190ec478dbc5b083dcf3b3f3e32fb47538701dc2673930ac8cbc95

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
896KB

MD5
7712a074582c8532ab833b2962d7763a

SHA1
6a61e3b0bdbc088c581cd254e7540d58f02b7a60

SHA256
56e7b5eb03bda2fcc93b56e5ebec116b293c572c24cdf2fa153e4699e9953cd7

SHA512
21f4675e33b3fac9b4ecc9fec7bd82ee252e55dacafeb86b2d735256e33b4f1b2a8db42f2e1a78f8f30c99eaeead86467edb8690e3f12b2b9d80e31f34e8dd9d

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
896KB

MD5
01fca2f02ddfe06e6b4e3a1718fe5ba3

SHA1
17cd3caf6eba1cd02def7f77d5108de98587dd0f

SHA256
2ff7c2ee1c9abe0b525b3b5119285a3ce42e5e3bc6437bf7f620fecb8d8cb8af

SHA512
3fceec4a6c41ce7901a7a9b176cec6b318f6b8f94d123a165cbfcf422f2f7c5baa77f0aa33f5f89aff056551c9c95011b2c4f6ae20130869e3ecd4c1b11e09b4

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
896KB

MD5
097d13410e62f008bec154fa16c9f593

SHA1
1a559d2d180263e800ac6a78a6908cee27792b7d

SHA256
a60495af26b4325985906f3e0cb366a6828b565362274df9846db142b72d7c4c

SHA512
9cb3d72f39b459a6b01838ab4add933c76c7cd7948767f8de7a0b14475529a96100e97ae8afc6fc65f574006d526cbf592da1309e9ea0cbdff23d7bcc0161ff7

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
896KB

MD5
29d9de5f161d0cf54b523899e017d760

SHA1
e20b062fd69077196b643cda2d66d9fd819d4b7d

SHA256
50c51eef41732cd739a717646c6e6122b8d10e66c61d11bc0cf5934dbb451987

SHA512
4a3792de6d7ecd781a712fe1f7aa16600762de1e1b54f17c620bddab1d92befd70b75ed5cadd9160c9dff64935f216c7dbf52a84786846443b039a008e03088c

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
896KB

MD5
5a5cb687aecb08da2ccb1d5664864079

SHA1
b7cba275f473410b85f86fc7016f98eee4188002

SHA256
68caaca55129d62844fc1eda16367678509077b549f009eaf09b408ff45f6ff8

SHA512
dd88e889c63314089c7e7849ab9b6d81fb233b56df9134b293c5981f4976c7e6f8a67166aa04a103b241aaefcd51d76e5e719f91cd193b8921f81455f4ce042b

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
896KB

MD5
85263f0182842e58e06be27410686e15

SHA1
f5f20a7b1495cb0588ecf2bd00681b4586d31e72

SHA256
ade6782b96b72b2f4bf58ea745c3b287376588218630ca18f0eec49720e18878

SHA512
2d93efb9f0823ff641dc0e36f7192bb9f8ff8b307370142d17f59c801b1064dfd05e9dd07354a501d6ee74a84bb5b96253a26a3bc93b845303190353227469b0

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
896KB

MD5
f8ba7b1c9d968953425db97e101e003c

SHA1
f2b0b57db32635ebd90ff01ecd0ef7bcf2f1da02

SHA256
71d9119e815d47412c1b0fc076a1c4aec98736eabf694b665a44554cbfd8bdb2

SHA512
7f7ff467a71a4e6315201782757b01e232011c09c05ca86d6251013f15c5943d99dab6195b5298e469f3eb08ef093a4043129e266d33fc4550ed615de0b81d2c

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
896KB

MD5
5dbb0ddb2d9507f48bc132727b04f841

SHA1
ed18a23cf018b12da29a85a8ce4cd7aa3cd88fcb

SHA256
afd6a5830d2cdf80e4903c59215c02f1df020754d924f216fa0e949d992b656d

SHA512
3552e6f7c354207fb56c4af92593926307fab93b6c7679344a1296a18db2609f71e8e404f2c6e7f54c2a06b4c6126a495e7c0006cb69d9295f930c81146d37e1

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
896KB

MD5
e66656919cdff7cc9e96d235e3ef5573

SHA1
6b98bb901155c8e9aae4df7c96771e97649469dd

SHA256
42fded38d07b834c7abc0d0a15aa163596af0ac6bae559a655c8acf7e1edeb7b

SHA512
9b30d73b2f2c82a363acc91683449be4b8df0bffb23f2e71da865a432777f9a459033e3daffdf6e3026cf5e54a1e72b35ca07b093957d37fb32186b4df5fc42a

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
896KB

MD5
5891f7df71de85376857a191b2a43bcc

SHA1
fdb685086b3b9bb0fc2282493c318bb08a4c64d6

SHA256
c13532fa6011f4fdf9fdad3010c26b0932efa15e880e13128e668a712a1c38f9

SHA512
c792a1cdbeb2964f93cf5d2352d62bf35a0905aeff6e7c14272acd52c715a6b24de58ce3e5c0e4d95caa2e523cd2ab18a89edae5e0dc6cfc7047bb6f8fd76cae

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
896KB

MD5
86cd57d05c520ddf01a2bab7292b5c29

SHA1
2cbbe70209c36b952fa4531f1138f0c16d60abaa

SHA256
6d6dcce621935f7f31f2f91dac56698ce2e29a6381564f8567ee6970e0a846de

SHA512
6ae8805f667127f5500f0a6159712f6e258e9b243675282a7189d9a9f9e4953354f6fb2af0f03a3b544c92a9e35789c4f1eb72cab0d523edc8e90fdf2c8d7c59

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
896KB

MD5
9dbd423b5dbb8e04654ad714112f8c27

SHA1
9cb55eb1d2eaf06152707644a906974310ba3a78

SHA256
b2c411f0a458830b54ee43580ecf19c744b1e03f207470ae753756d858cb9b09

SHA512
7b8d20c8471b81fb2007e8074199d2db8657f2401ee9dc40efa48ed968d6cfbc8bec73f22748ec77f923ee495c50e93be10d25fb73bc187d66eb970a8af38ce6

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
896KB

MD5
a9f0f3630d9a083d2147d8c5e053b866

SHA1
c22a0721cc316551062e7c6a9437f2de0128fa1c

SHA256
60fcb42c0f2ed52f987cf93707b86b7f04bbe38cbd39f58880d54db2c3348675

SHA512
4e8c749b99b7db9a42604e6a9984c9b3e402fcb086b7d4edab5ec6e1e92d209d62fdfdddadd8ec537c66063a8451216a0941d46a4d87777f5f3bef3ca8b0ffa8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
896KB

MD5
885958bd33c28eec33fc58fb287da5a6

SHA1
a7f8b590ff0554b1e7569063f7a48f6aef08b3b1

SHA256
1da81b6e4e218c64a0af166b0560db9b9634b03ae5b9d7b0721fe77c63410cbb

SHA512
b8e0562a9e7f66de062f3bc189c29d5bdd918c842cb2c9755feb2d43cce43a125e9f46b073659138864e9d2c40bea9fc49341e1912c4a02f56bbb42a1ec1f9d1

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
896KB

MD5
3a6e1546d3fb18447aca3f9e90769209

SHA1
f67558575fe1cedc33528e5c49758e3b0b3eca54

SHA256
d2cd3b73b2f1c119889ce5928d01cf341f763301681f9c4464f9ec02fab36faa

SHA512
d386af8c4ef129b70678472f4a4e77d37dbea5cd51682494ea6e1d251b4d451d8a56f5a24068303c26df3a5b1187c174b1b400756625bb500694f2447b9a3769

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
896KB

MD5
ace5dce4021ebfbf957a2fcaff933137

SHA1
22946dc786353fe24ef761be47f089d112caf1d5

SHA256
9e4b675dcdfdd7deb15b7ab96355300a81a6e1691389c7094ae61c431d552fc9

SHA512
f2eb2c97c40a87b9616b14ef1a911464369f89e87129442a1a00800b563771b8da297d977b65b3f896d3acbec93211833163ba405134213519d0f849f8264c7d

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
896KB

MD5
6b9a0ffe6abd21c9383b7e6c899ca06d

SHA1
d2271995b357419bcec91ed57a8940bd68f13b6a

SHA256
a6d9d91f98e34eeae87f9c79edc023de8f034c26cfa8d8704c83c279fd9cc613

SHA512
41fe08ae0116beb1e575913f22ccadb5ac27ce1723360ef34ac6383f3cdc70d1199d31bb748c5c48a8a32c27e92b2ac9ad24c01504b80eb38360bb1cd96b35ed

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
896KB

MD5
1a73bd24ecc704e9c898642f859a880d

SHA1
14cbe5c9d5062e2908fe4e491870bd8738515533

SHA256
bccb6ec7a33c33668928fe3bafbea87e43bfd3e05934e0d808196936f7ffb866

SHA512
fc838bd095b61e56eede64f0936dd033fc9d69e1f8a11df4bc71d4441a93e71d07ac6cda62174a6781713ce6277eac723636c19893f6bc31f712ef8e73b17f70

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
896KB

MD5
fc9565cfa1d19aad08ba34a368b02904

SHA1
beed1f2124fbbe30ab2756301933adecc7361cb6

SHA256
7d40f3b4bf7a223933ec78d47045f62eedf13695541a75630b7eb4e8cb057912

SHA512
b185fe195fd651aacfd050622fb57fe165d6fb7bb41f8564e198d6a4de6434c8a995de9f598df89bbde25aa3573c42882465605897034ad244e98292a0fe30a6

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
896KB

MD5
a61c373f0cb5867ab033336a0c756251

SHA1
1510c78f885c455e7fd692aecae93e5dd5effaef

SHA256
7d3a5784292b711495134065f4bbe2e00fac5e93fc7626e33163cd4eb6304c1d

SHA512
d66edefe7b31474eb7ae597e69d83c96e62c0baaccec3b1ea8d134b1fa05e5fd5d3a8e77ecbacb3c9c1fb70bf6f6a3ed7eaf4e0a842c1dd0a5a6299170d1a429

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
896KB

MD5
6ca5cfd466a1c4f96a7cd16616e611e2

SHA1
9bc933ef7b8d9f5e9d61c7dd9bf266b1ce4abeab

SHA256
4cc175527d4ca7401f87a5b3817dcd2f804d63f575a3df7cc2b82bae6b6f4b02

SHA512
3440bc1ced19faa15c06455e1fb00e72311d89e9d78e57e21e27c09dfbadf52e43e3de7dd3a789e2e243cefd46be6ac728e7f8b80cedcf6619057acd9d779a04

Download Submit
memory/216-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2628-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads