berbew | 5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
Size

64KB
MD5

74d5796237fc7891bd49bbe8806a1ed6
SHA1

6558e0e31016fb705ae1fe86e444c58aa7e358d5
SHA256

5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00
SHA512

8af3ac9a6483a800d4949dc6c96af12c4b76e9f8d9353e3004b425a512f13a3c19acf8d0d4324d1204f7ec9557299fe0652cca298c39e2de5dedff393f561a6e
SSDEEP

1536:54P2QDrogwEiGJmY0+r4xEVtclHE2LarDWBm:5SDrogR01xEVtcl9a2Bm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnmgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpebmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kffldlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcbjlmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgqkbb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqnifg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpebmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnoiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngkfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnmgdli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgedmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcqcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpigma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnoiio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekiphge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kffldlne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqkbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omioekbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngkfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcbjlmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napbjjom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
2604	Jpigma32.exe
2632	Jlphbbbg.exe
2964	Kekiphge.exe
2872	Kdbbgdjj.exe
2932	Klngkfge.exe
2896	Kffldlne.exe
2740	Lpnmgdli.exe
2284	Lkgngb32.exe
2980	Lbcbjlmb.exe
1656	Lgqkbb32.exe
2056	Mgedmb32.exe
1764	Mqnifg32.exe
2052	Mpebmc32.exe
2464	Mpgobc32.exe
432	Nnoiio32.exe
940	Napbjjom.exe
1728	Nenkqi32.exe
1148	Omioekbo.exe
1088	Ofcqcp32.exe
2564	Oplelf32.exe
2444	Oiffkkbk.exe
2336	Oabkom32.exe
2492	Pkmlmbcd.exe
2092	Pebpkk32.exe
2372	Pidfdofi.exe
3040	Pkcbnanl.exe
2828	Qndkpmkm.exe
3068	Aohdmdoh.exe
2908	Apgagg32.exe
2948	Ajpepm32.exe
2708	Akabgebj.exe
1832	Achjibcl.exe
1460	Aoojnc32.exe
1880	Bdqlajbb.exe
2332	Bjpaop32.exe
1924	Bmnnkl32.exe
1660	Bchfhfeh.exe
2252	Bmpkqklh.exe
1380	Bcjcme32.exe
1796	Bigkel32.exe
1512	Cbppnbhm.exe
1284	Cbblda32.exe
1036	Cileqlmg.exe
272	Cpfmmf32.exe
2540	Cagienkb.exe
1672	Cgaaah32.exe
2520	Ceebklai.exe
2524	Cmpgpond.exe
2076	Cegoqlof.exe
1600	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
2604	Jpigma32.exe
2604	Jpigma32.exe
2632	Jlphbbbg.exe
2632	Jlphbbbg.exe
2964	Kekiphge.exe
2964	Kekiphge.exe
2872	Kdbbgdjj.exe
2872	Kdbbgdjj.exe
2932	Klngkfge.exe
2932	Klngkfge.exe
2896	Kffldlne.exe
2896	Kffldlne.exe
2740	Lpnmgdli.exe
2740	Lpnmgdli.exe
2284	Lkgngb32.exe
2284	Lkgngb32.exe
2980	Lbcbjlmb.exe
2980	Lbcbjlmb.exe
1656	Lgqkbb32.exe
1656	Lgqkbb32.exe
2056	Mgedmb32.exe
2056	Mgedmb32.exe
1764	Mqnifg32.exe
1764	Mqnifg32.exe
2052	Mpebmc32.exe
2052	Mpebmc32.exe
2464	Mpgobc32.exe
2464	Mpgobc32.exe
432	Nnoiio32.exe
432	Nnoiio32.exe
940	Napbjjom.exe
940	Napbjjom.exe
1728	Nenkqi32.exe
1728	Nenkqi32.exe
1148	Omioekbo.exe
1148	Omioekbo.exe
1088	Ofcqcp32.exe
1088	Ofcqcp32.exe
2564	Oplelf32.exe
2564	Oplelf32.exe
2444	Oiffkkbk.exe
2444	Oiffkkbk.exe
2336	Oabkom32.exe
2336	Oabkom32.exe
2492	Pkmlmbcd.exe
2492	Pkmlmbcd.exe
2092	Pebpkk32.exe
2092	Pebpkk32.exe
2372	Pidfdofi.exe
2372	Pidfdofi.exe
3040	Pkcbnanl.exe
3040	Pkcbnanl.exe
2828	Qndkpmkm.exe
2828	Qndkpmkm.exe
3068	Aohdmdoh.exe
3068	Aohdmdoh.exe
2908	Apgagg32.exe
2908	Apgagg32.exe
2948	Ajpepm32.exe
2948	Ajpepm32.exe
2708	Akabgebj.exe
2708	Akabgebj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdbbgdjj.exe	Kekiphge.exe
File created	C:\Windows\SysWOW64\Qpceaipi.dll	Lpnmgdli.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Kekiphge.exe	Jlphbbbg.exe
File created	C:\Windows\SysWOW64\Lgqkbb32.exe	Lbcbjlmb.exe
File created	C:\Windows\SysWOW64\Ollopmbl.dll	Lbcbjlmb.exe
File created	C:\Windows\SysWOW64\Mpebmc32.exe	Mqnifg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnoiio32.exe	Mpgobc32.exe
File created	C:\Windows\SysWOW64\Boadnkpf.dll	Kffldlne.exe
File created	C:\Windows\SysWOW64\Lbcbjlmb.exe	Lkgngb32.exe
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Nnoiio32.exe	Mpgobc32.exe
File created	C:\Windows\SysWOW64\Blangfdh.dll	Nnoiio32.exe
File created	C:\Windows\SysWOW64\Omioekbo.exe	Nenkqi32.exe
File created	C:\Windows\SysWOW64\Aohdmdoh.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Jlphbbbg.exe	Jpigma32.exe
File opened for modification	C:\Windows\SysWOW64\Kekiphge.exe	Jlphbbbg.exe
File created	C:\Windows\SysWOW64\Qqmfpqmc.dll	Pkmlmbcd.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Lbcbjlmb.exe	Lkgngb32.exe
File created	C:\Windows\SysWOW64\Mgedmb32.exe	Lgqkbb32.exe
File created	C:\Windows\SysWOW64\Bjibgc32.dll	Mgedmb32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdbbgdjj.exe	Kekiphge.exe
File opened for modification	C:\Windows\SysWOW64\Napbjjom.exe	Nnoiio32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Kffldlne.exe	Klngkfge.exe
File created	C:\Windows\SysWOW64\Oabkom32.exe	Oiffkkbk.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgngb32.exe	Lpnmgdli.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Kffldlne.exe	Klngkfge.exe
File created	C:\Windows\SysWOW64\Klngkfge.exe	Kdbbgdjj.exe
File opened for modification	C:\Windows\SysWOW64\Lpnmgdli.exe	Kffldlne.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Mqnifg32.exe	Mgedmb32.exe
File created	C:\Windows\SysWOW64\Cddoqj32.dll	Mpebmc32.exe
File created	C:\Windows\SysWOW64\Oiffkkbk.exe	Oplelf32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgedmb32.exe	Lgqkbb32.exe
File created	C:\Windows\SysWOW64\Mpgobc32.exe	Mpebmc32.exe
File opened for modification	C:\Windows\SysWOW64\Oiffkkbk.exe	Oplelf32.exe
File created	C:\Windows\SysWOW64\Nfdgghho.dll	Oabkom32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	1600	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenkqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekiphge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnifg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbbgdjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngkfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgedmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpigma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlphbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgqkbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgobc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcbjlmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcqcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkgngb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napbjjom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omioekbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffldlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnmgdli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnoiio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnmgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiffkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll"	Nnoiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnoiio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpigma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll"	Kekiphge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnmgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll"	Lgqkbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll"	Lbcbjlmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll"	Lpnmgdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenkqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Napbjjom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbbgdjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpgobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpigma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll"	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgqkbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekiphge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgqkbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Napbjjom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll"	Oplelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcbjlmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omioekbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcqcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll"	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll"	Klngkfge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2604	2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe	30
PID 2240 wrote to memory of 2604	2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe	30
PID 2240 wrote to memory of 2604	2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe	30
PID 2240 wrote to memory of 2604	2240	5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe	30
PID 2604 wrote to memory of 2632	2604	Jpigma32.exe	31
PID 2604 wrote to memory of 2632	2604	Jpigma32.exe	31
PID 2604 wrote to memory of 2632	2604	Jpigma32.exe	31
PID 2604 wrote to memory of 2632	2604	Jpigma32.exe	31
PID 2632 wrote to memory of 2964	2632	Jlphbbbg.exe	32
PID 2632 wrote to memory of 2964	2632	Jlphbbbg.exe	32
PID 2632 wrote to memory of 2964	2632	Jlphbbbg.exe	32
PID 2632 wrote to memory of 2964	2632	Jlphbbbg.exe	32
PID 2964 wrote to memory of 2872	2964	Kekiphge.exe	33
PID 2964 wrote to memory of 2872	2964	Kekiphge.exe	33
PID 2964 wrote to memory of 2872	2964	Kekiphge.exe	33
PID 2964 wrote to memory of 2872	2964	Kekiphge.exe	33
PID 2872 wrote to memory of 2932	2872	Kdbbgdjj.exe	34
PID 2872 wrote to memory of 2932	2872	Kdbbgdjj.exe	34
PID 2872 wrote to memory of 2932	2872	Kdbbgdjj.exe	34
PID 2872 wrote to memory of 2932	2872	Kdbbgdjj.exe	34
PID 2932 wrote to memory of 2896	2932	Klngkfge.exe	35
PID 2932 wrote to memory of 2896	2932	Klngkfge.exe	35
PID 2932 wrote to memory of 2896	2932	Klngkfge.exe	35
PID 2932 wrote to memory of 2896	2932	Klngkfge.exe	35
PID 2896 wrote to memory of 2740	2896	Kffldlne.exe	36
PID 2896 wrote to memory of 2740	2896	Kffldlne.exe	36
PID 2896 wrote to memory of 2740	2896	Kffldlne.exe	36
PID 2896 wrote to memory of 2740	2896	Kffldlne.exe	36
PID 2740 wrote to memory of 2284	2740	Lpnmgdli.exe	37
PID 2740 wrote to memory of 2284	2740	Lpnmgdli.exe	37
PID 2740 wrote to memory of 2284	2740	Lpnmgdli.exe	37
PID 2740 wrote to memory of 2284	2740	Lpnmgdli.exe	37
PID 2284 wrote to memory of 2980	2284	Lkgngb32.exe	38
PID 2284 wrote to memory of 2980	2284	Lkgngb32.exe	38
PID 2284 wrote to memory of 2980	2284	Lkgngb32.exe	38
PID 2284 wrote to memory of 2980	2284	Lkgngb32.exe	38
PID 2980 wrote to memory of 1656	2980	Lbcbjlmb.exe	39
PID 2980 wrote to memory of 1656	2980	Lbcbjlmb.exe	39
PID 2980 wrote to memory of 1656	2980	Lbcbjlmb.exe	39
PID 2980 wrote to memory of 1656	2980	Lbcbjlmb.exe	39
PID 1656 wrote to memory of 2056	1656	Lgqkbb32.exe	40
PID 1656 wrote to memory of 2056	1656	Lgqkbb32.exe	40
PID 1656 wrote to memory of 2056	1656	Lgqkbb32.exe	40
PID 1656 wrote to memory of 2056	1656	Lgqkbb32.exe	40
PID 2056 wrote to memory of 1764	2056	Mgedmb32.exe	41
PID 2056 wrote to memory of 1764	2056	Mgedmb32.exe	41
PID 2056 wrote to memory of 1764	2056	Mgedmb32.exe	41
PID 2056 wrote to memory of 1764	2056	Mgedmb32.exe	41
PID 1764 wrote to memory of 2052	1764	Mqnifg32.exe	42
PID 1764 wrote to memory of 2052	1764	Mqnifg32.exe	42
PID 1764 wrote to memory of 2052	1764	Mqnifg32.exe	42
PID 1764 wrote to memory of 2052	1764	Mqnifg32.exe	42
PID 2052 wrote to memory of 2464	2052	Mpebmc32.exe	43
PID 2052 wrote to memory of 2464	2052	Mpebmc32.exe	43
PID 2052 wrote to memory of 2464	2052	Mpebmc32.exe	43
PID 2052 wrote to memory of 2464	2052	Mpebmc32.exe	43
PID 2464 wrote to memory of 432	2464	Mpgobc32.exe	44
PID 2464 wrote to memory of 432	2464	Mpgobc32.exe	44
PID 2464 wrote to memory of 432	2464	Mpgobc32.exe	44
PID 2464 wrote to memory of 432	2464	Mpgobc32.exe	44
PID 432 wrote to memory of 940	432	Nnoiio32.exe	45
PID 432 wrote to memory of 940	432	Nnoiio32.exe	45
PID 432 wrote to memory of 940	432	Nnoiio32.exe	45
PID 432 wrote to memory of 940	432	Nnoiio32.exe	45

C:\Users\Admin\AppData\Local\Temp\5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe
"C:\Users\Admin\AppData\Local\Temp\5bd9c68cc80bedde999355d30bdda93fdd60ee711415e9f57f5c1777578ffd00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Jpigma32.exe
  C:\Windows\system32\Jpigma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Jlphbbbg.exe
    C:\Windows\system32\Jlphbbbg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\Kekiphge.exe
      C:\Windows\system32\Kekiphge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Kdbbgdjj.exe
        
        C:\Windows\system32\Kdbbgdjj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\SysWOW64\Klngkfge.exe
        
        C:\Windows\system32\Klngkfge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Kffldlne.exe
        
        C:\Windows\system32\Kffldlne.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Lpnmgdli.exe
        
        C:\Windows\system32\Lpnmgdli.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lkgngb32.exe
        
        C:\Windows\system32\Lkgngb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Lbcbjlmb.exe
        
        C:\Windows\system32\Lbcbjlmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Lgqkbb32.exe
        
        C:\Windows\system32\Lgqkbb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Mgedmb32.exe
        
        C:\Windows\system32\Mgedmb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mqnifg32.exe
        
        C:\Windows\system32\Mqnifg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Mpebmc32.exe
        
        C:\Windows\system32\Mpebmc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Mpgobc32.exe
        
        C:\Windows\system32\Mpgobc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Nnoiio32.exe
        
        C:\Windows\system32\Nnoiio32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Napbjjom.exe
        
        C:\Windows\system32\Napbjjom.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Nenkqi32.exe
        
        C:\Windows\system32\Nenkqi32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Omioekbo.exe
        
        C:\Windows\system32\Omioekbo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Ofcqcp32.exe
        
        C:\Windows\system32\Ofcqcp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Oplelf32.exe
        
        C:\Windows\system32\Oplelf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Oiffkkbk.exe
        
        C:\Windows\system32\Oiffkkbk.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Oabkom32.exe
        
        C:\Windows\system32\Oabkom32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 144
        52⤵
        Program crash
        
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
64KB

MD5
9705a82f82f564b8e266cdd0f1d22ec9

SHA1
1fc0101034ac5d7f84872f05ce97ecf960b5b3a6

SHA256
b2cfff81dd6e2776bb293d7bb7be94bec26d7e56eacbd3fc031a2bce22d782a8

SHA512
42bf9f16b1b740ba8cc65571e74c2ba85770bc4280dd587c2a50074fe475f87b86c895b0dbd7da9b05b780d25ba4eb93dc4233c29a3d6c78831d0773ab7c6d2a

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
64KB

MD5
e395aad42f591dd1d58d778a676faf86

SHA1
56f0648bd2eeac66db8c93501c32cc05ac734280

SHA256
c512a56a6ebc38b5ac4fc0b306a7dab0506e6de84510d27a0e20033b94a283e3

SHA512
dd9c98a7bc58bd931a029b5c49dd546b752ced29092965ffebd9619ce13a1caabe8049d753243b1c2af6338e52d35ca15b05130dae334874f52a3fac50f9ca41

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
64KB

MD5
ecb6d75a826b0423fa9f652feed64464

SHA1
48fadcf794cd3140e4d3c90cb8f735bbde855fa4

SHA256
99f46180166b1b46e3205c6b14679c143e184ea6c5eb84b331cf670776c4b2ab

SHA512
a2c1897fbbc776828949b2e6924290c9dc3d13c8391686e08a46fbd3790da586973b30992abfc674bc0f4f8faefbe9c80197cf23ad54660618000592d4d6eada

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
64KB

MD5
abfea9646ad53f0b24c69215a45f9619

SHA1
db375df38959913a6af19bb576a35ceda8508958

SHA256
64eba9bd756133deb446e8e9bd599b05fa1a29e8ab1e437d2833c057abf9dea8

SHA512
ab29a6937bdeebd033c4ebc558fee3cdadba29635a9339a5e42aeb2f67a7249f789136f3a3e8bc491ebc259b25ffa5c6d653684849a6988d32f7ea6ce1f2546e

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
64KB

MD5
3cf7efd95198585334c13190b5b2453e

SHA1
918eea77c9c74d2a3a7dcdacc07b83b686336e74

SHA256
775b89044fceaef80d9c0318c84f84c02f4c41c64f831aae4285db3cbd398e48

SHA512
343855337a435b60e3721147e204ad2b6ac37a60004646cacd673bdfb73abbef753d16e6d5099fc9480e3f50b7a2324fca6538f6a2ef21e41fd000992b1cbe00

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
64KB

MD5
d7af73d112293d88328567a9eeef6116

SHA1
b81805601cb08e4ba3e3697536c2b9e18a0bd112

SHA256
a339777ebf0e87515ddb90aff3d12e7d4df338214c9acd9cd2890d380d22b3a3

SHA512
8a7add225b71491b552d4c106386b3c953c0b81c266979daa626d84ed6c9f395b471b68a4fd09c8f9218f1ceaa74d093c0fc460638deca8478a668bfc5ae5aa7

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
64KB

MD5
c35a98c1d6f68ea3045abfd48c8ae353

SHA1
b7873b1201bbbdf79ce3fe8ee00209e865ce36b8

SHA256
a83de0467611aae00f9cc449e403b80aef62044166059eb1ccfb0cd98ff4ec14

SHA512
e483ad6f72f83aee84e7fa047f728e9c13e31715e5a727ed6cfa3dfa9f9be988655d7a296451ab5d4ac4be86f4f1755becf8165e5d4803c454c3be3605ad1931

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
64KB

MD5
ab086dc21326e20443ed68cacb4aba4d

SHA1
07e0c1665ceb5e002b7a48e064ea034e64b32dbc

SHA256
0fa3e75169f6c50adb93de572370aaac4dd701d2ee5758114098665f43dfd9ed

SHA512
429ec1b6103d2c36e626c6dd5b76b114f9b1253a846c7612f457f20022d97c819441706f5cf72ec043bd706e53ccc35b98c56afd309467d0b778a6dba3426740

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
64KB

MD5
f200b070bb21aa79ef8c4d2b6420fac5

SHA1
51668004ae4205c4079e7a9d79296b24dc2516de

SHA256
b9ef207cd11fd48d600be98437053d74fe53ee445c59fb7e0e34e124745a5bec

SHA512
40685649df9bdbb5b63b647eada40e737e973c0c9c9344a4e0de676bb497e39eed4e93f7ac2ff6010b4701befcc46eb9dace328b27836a6dfc624b7a2f7b970f

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
64KB

MD5
49fe950ec9589747ca10315cc19903e3

SHA1
e2e232948c52511efd1da135cb60f22ef46e1107

SHA256
8e0d8de0058438b19aebfb7586fc7ebb6dba8831ac9274c006fcc4d8be045c84

SHA512
099d36a06de9210337cd467cfb1770eda339f42bade512deecf697aef0343c892103b8f14f265cb8afbdf4ea735a25906da1933bb482033821b17601ddc31fad

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
64KB

MD5
240db78c3c690e9006b5ebbe8cec09f4

SHA1
82fd7fa927f7f63954d2503eda8188db5fc695df

SHA256
daf415453b78791f7bf21bcceeb6f25948160852ded807bd522862a41548b2fb

SHA512
789e5996e774b2f22fcede99f711f43f33c6e339b15138fac97daee5550b76ad637bb963e876f29a6e9604358be0a29023ab4b5b4f451d8468b5bb44c50e87c8

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
64KB

MD5
06bd01ac4a762d7ef72a653a7ae66eb7

SHA1
4e18092443c1c43933646eb7b654ae9f62852139

SHA256
51edf4bb953b64fd0c2d0b4cd67aa9b1c16f6dcd85e4c657298a0f4a6aeb86ef

SHA512
68d2987859c1932702f752d6186b52ebca60caea1df33a56a0c346e349605008445fcef9deadd799a40118dd2daf9fc51cd3b36b00947a79b39b3f0dc6b4a17c

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
64KB

MD5
432e4296279f4a604802a992610fc167

SHA1
7d358442d90d73f5aeb5e33e5045049071fa1a37

SHA256
66fa674a9ae69f6e80f80fdbd297c1835bbdf2d38d7cd25782ddab86b10da552

SHA512
66d132e0ed863af365e130a2765392510a49f51efd33fc04b9db990123b2991e31eb8412a3bd7abf364cdb0bbda0c24fe7c0bc1be95ae0107f029300c7b2b276

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
64KB

MD5
09cd3d03a6b528231c32ecef634ed27d

SHA1
840afadce9b3fbb712999b366cc24fa2c2ef9f5f

SHA256
7df151d91e68d21c23c4fcfcf6d63b98bb52b14453a8a081925ac76315356bca

SHA512
6ddda49042cb08da0131b473eda0bfbd86eef343441fbc5f2c7840987d803731dcc3ad93553d43aed05088cda30b2b088b68174f97000af26bdc96c500da3c8c

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
64KB

MD5
7bb48e59b9c4f52c45b999cb31c80626

SHA1
b8748a866fee069de0c420707e91ffaa97d0d9c7

SHA256
da7fa433d36fda3913022df7abc70c11429547b32dc57a2cff7b1b8852c573f7

SHA512
69591ef0a9f142bea00ddc812b0bbf55d2b71ddb0c333a86ba645503250d46e4d39e9860909bcd6eb772c7b3191a67e8e776273a6bae3c1a5bbf9f05e9f1eba4

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
64KB

MD5
94aaee8d51f1aa059cffbb3e06876e8c

SHA1
5b9c7229a968b573f7b6616c2c66fdf4cc30ab16

SHA256
274c13818d49a0686503cb93fb905af8cc2fefdbcba72e2023463ad7c6d6e009

SHA512
3066937d8f872ec00ce50f93c0336cf3028a913b2fb84fa42a2a67e465f7c8625e7031afc991d4f8f46d54471ca4a530a91ff9ec4cf743dcef32d3700d8a4984

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
64KB

MD5
b7a90dc0bb0a790ccd947a8b875ff499

SHA1
7b366e9087d6fece61fe9497f4a3a2314f4e2761

SHA256
db714261198b8a5182928761872e6456649332a5416d338e1af7c98b6822d802

SHA512
8d18deb337f2fe7df42f582867738cc44969da4b71f95a5e48b76923b4b626f1fbabe207ced3bf1be726c2c1f306d3e4255f2714ae7283105d53e84908f18c73

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
64KB

MD5
994c0d2d8a0ae370d76537f524d79b64

SHA1
291f49ab5e35a52ddc8e2d6fa71ebfca960d8694

SHA256
ea214632c888c2c7b26f100bd1bcf026b4f6ac00c1b45e541a929b2974886f7b

SHA512
a61917974c120108a6fbad8fe15a347cf6b9593a3444217f691f9312ab36687b3cce154f3a0b2e8ca10b64d2f32df06ac79f8c59f98e09895895b5eb5b978042

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
31e6265b1946e3ee2156bc45a51f7d95

SHA1
dd88447787e416604d8a8eb266c6e1362e3fe4b3

SHA256
59972b1b8ab5f157d8425597900295095587ab449f79e0c515fed0d32e092a93

SHA512
02608709def976c108a63cd53602e75985a751e4ed4eefb6067cc84d314e5a546feaa72459593f864cd36660010481a0c2cbb7c578d928108f020b8f39f78993

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
64KB

MD5
057feb2baaa98171f6cf2bb7a202ac60

SHA1
d192d472af843a185bae8b8bf1db3db55d70f482

SHA256
6ae40904cde8fa293d36cda0856a8710c1a0d2d5927c20faf92a0eb27ec615dc

SHA512
f6838b37491ded309eebbaf0f0b3f125071857f745260e4da991538572da350bd2c5c0ddb8ba15d82c44bf46f9bf4972763f1dcb4ea6befe6d3b888709ac5069

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
f1b53021c2a59aab43e7c25aa1739769

SHA1
9d619fc20bba9f635602507d0bf9861e43ab9fe2

SHA256
8b556a12d1f43e8c21841fb11b76518656fb3ca6daeecbdb132d215abb796086

SHA512
4a4cc190a02ebf75b9cd66ebd048aa5a12b63b98cc88964b7bcf9246306b84928fab77702c417112042d233d620d80830ec82a757ef2d475a9f6b13efc5cf6d7

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
c8a63ab230a54a26407b4093217239c4

SHA1
ccacef86608ce34cb74784a056624d42f477b85a

SHA256
ad555ca77e9e5972fdbfcb5976e84b52050f365cb51713c2999bb45994ec9472

SHA512
3793caae372147300dc9dd2d4e0ece494a84ff00afbbcd3d80743e1a229395c1940b767869969e4f944e44a574c8f79da98fd4fd54750197a39e75f914acd118

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
c455782e566a0bfa726de31f5a6d85d5

SHA1
b649ee0f7eced802218eeed12df73c631e9deba5

SHA256
e33375988583ac7cd8cf9119b8caaa0537c8a4c2a06ffef3d11e9dc61481af09

SHA512
ac3355a35c1b2a575ce26e2ed3c6fdb5dae000410d0ec1cf8d9f83736b44c1634059537fe4dce71227a73a7f3cd2a6a8e7a5ee56efc304335306825b5d47fde3

Download Submit
C:\Windows\SysWOW64\Jpigma32.exe

Filesize
64KB

MD5
567321d0a74f9acab742097e39bf3918

SHA1
07723c3a5cec26e279422e2fe46aaa9fe8e72527

SHA256
11320e4c6f57ba153f33966ec7966d5ef78efb4245ef742eb7b7f16fa95229f3

SHA512
2779eb80962f6fa182971e0421732d53f2b9ac1780861cf879c73d69e20c3d60450d8dd75b3478305a1699e253fa35b0de5994eb2cbe929d7bbfcd4f694c750a

Download Submit
C:\Windows\SysWOW64\Kffldlne.exe

Filesize
64KB

MD5
b59f3c1c5d7d37513e7e2f14d8fd141f

SHA1
52d7d9ac8015b6027628b4a54491909f14a742b1

SHA256
28af0cfaae1cf7c2e5431506cc42ae64efb00bbe859337dfdcc7a133925863f8

SHA512
d0af530beb99a1a11143395696e6bfe82cea5b21847f1614147cc513f6ebfecca38d4d87a2137ea0440e8e6416c86e21a3ca7637642310fb338b0ae1599eaa8d

Download Submit
C:\Windows\SysWOW64\Mqnifg32.exe

Filesize
64KB

MD5
0785ed09668fcbf78959472ad092547f

SHA1
86a217d8052cf5c74ce2dc3e362bc0fdb9950e81

SHA256
6395e8c067ca7f73c8a84b1a78cc194a1a70cbe88870fb6077e94710c116ec08

SHA512
419bd1964158717ff9f10302613ce67eaaae99d2ad3021da41f52fce8084a0d3f3522760dc0bfea1101444c89e59c090f3554818b93bfbd8bb8d785e7b820733

Download Submit
C:\Windows\SysWOW64\Nenkqi32.exe

Filesize
64KB

MD5
e86e2595b1f69b04f1b7bdc5bd8f38e3

SHA1
91f4e6417d9de96afd8f1d2eade2d7b18d5280ea

SHA256
5737522eba16390d84f1a57e55dee0740dd1cb57d99bce9e21e9b28dcc0538c0

SHA512
4eefed5586d3d7cb2df0453e9c070e93a147c2f36eaf1125c59b8311bdb93c95f8d1dd8ef018a0e93baaac46973a6bb3eef03b109cc62d43bee21082b4b36829

Download Submit
C:\Windows\SysWOW64\Oabkom32.exe

Filesize
64KB

MD5
2e4ea54853e3187696750f84cbf8f672

SHA1
644a1b3279a149165cb59788ecb2a2e3e99b3688

SHA256
5f0b4b8eb368290787b8cc9b36ca3175a2f7c1faef2f8579e7ab2cc99076deb1

SHA512
be92b877b000afbf8286740092a833b9828c14f5b8beee13b40fdf677d3ef7388096cd6321690dcb91f80adefec3a47f2c676cad24f74745ed3d2d8a9d088da2

Download Submit
C:\Windows\SysWOW64\Ofcqcp32.exe

Filesize
64KB

MD5
d423ebb40cc86f36b62ba70554259bb1

SHA1
13e94f0234c77159eb0623cf2df82fe4b0c17ca3

SHA256
47c82e91d8b6e201d07bfc75673f5dc96eb5293d1e011370f71115490c0f8af5

SHA512
88b5dd03d861556fc4323e0e3df8f88a96663fb57f77e6232655db498adb0506a2f4ee0762af2aa1e7a1365dfe0cfffa8f4df64ebe1320a2880f8964ec9c73e2

Download Submit
C:\Windows\SysWOW64\Oiffkkbk.exe

Filesize
64KB

MD5
5bdfa49e8c1e13742492d5a920958e27

SHA1
9731e8091e159d8398d247621e94ae9087c0d8c7

SHA256
654c01c982c56ff86922fdf5797bb2446b2eaf1b446a9c6916bacb7cb0a53afb

SHA512
1e04c2d19541798d1c02d64a3323bca90283f98625e2d35604eeb5623ecc2a2cac6e05fcd081e52b3fdcacb384a141bad24acdd5a0976a9c4b90def0d05bfc5b

Download Submit
C:\Windows\SysWOW64\Omioekbo.exe

Filesize
64KB

MD5
fb52542647de3c42a61468e73978b021

SHA1
e960b53a6b56a02dc1861fa6178a03f08077cf2b

SHA256
99c11e43177bc261b4999f1d1c9b2ff176ad6cdca264aa01b3566e7bb0159ffc

SHA512
87dd684b21a590f212f01b9c9be8ece252e86bd715a5bf5e7c9fee89622ea6eeb4f13b317bd7d084da63f75676311bfc2fffce22297f98c4a5e707ee9b455e09

Download Submit
C:\Windows\SysWOW64\Oplelf32.exe

Filesize
64KB

MD5
ad96250adcc8b5f9d5156c595e3a711e

SHA1
924e3a05012b9b9de1225d96483aa078eba83673

SHA256
15b9b929005a5a05ef6229fd95eb5e6e083932e51a9ba94501d4b070f39c2d38

SHA512
c3d9e565192974b4e828fc1c58cbb148b5b02847d599d330a73651384fb69b9231696a43a936ce5baf0daa8178281d8392d54826608f92bb1ef8d276a19502e1

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
64KB

MD5
2a4c924b6d792daa49ade3f4065947a0

SHA1
3950f7da0355e252b1162c5a1704781e07e8d0ba

SHA256
b7ee0da18cfa2ebf83edc0149ee2e588df21dc8f76cd3f5dbef299f7053cb0e9

SHA512
0001f6b3fae6013b2573c9dde740985cf7f30f373ac346901078999255847a4c3dfdc17ddb362aee0ccf9ed5f30db31de05f8881e5900954b32f00c05e486f01

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
64KB

MD5
e353ae8250ee91294ac26271f735a6a4

SHA1
b87465cb9ce69b6122c7938b172194282b99af4e

SHA256
451e396d4450df2794f982242df5cdce2b5e099fa262111c48b5197d3f0cc24a

SHA512
a23d50aea438c17a1788c6ba1544e99e2a08b76121bbee4fadcfc4e5f42b3c220031f68002e41bdcb8325db41f1a55221bb7f7129ca40b2c19db3beb1a21f28c

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
64KB

MD5
8f8ada9f2fc80cb01a620fa10b528ae0

SHA1
d76fd72a472383ad33858bc4395bfdd8a7b0faea

SHA256
c1e98b0a9061e10200979cdb59c8a6b8e5785dd911405940fa02373066d09be7

SHA512
1159f3aa97145effaa9345521558d2a15872b533abbdf8bb19ead9d4ff272b07e55778a7527f747c50c099aefe724ff3a07b629b59d09bbe90b35818c7cfd4c5

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
64KB

MD5
ff27699737add849a8732d7d679cef65

SHA1
bf7b06e4eb32d141a6bd57c8e4a23ad551a8d254

SHA256
41763b1ff61f77cbdde4e677d00aabf7b220e5b411e629ce6f7b88fcf291297d

SHA512
63b904b67116e67cbd26e696f06b2ba249332ba5d624b5a5316bea0be88d8301fabb79b2a5ec1af81cb240e27a1327d7d95936b13d01df15c84970cef029674c

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
64KB

MD5
5d6ab3d87e76c4b407440ade56dfb0b3

SHA1
5fd4bea6c4576b5554e7b17338dec9ada2c8245f

SHA256
4b911235f366eac2f375dac6286518c224ff970dfd7731cfb502ea29e9251fe6

SHA512
67c181a1cba7b5d92a92ca3baba6666e36be9f087911c0480ba9c34ebc53fb79505c7ca404f8eb5356e8ec801a60f267534131e8a8efd8dead3335798b70e25f

Download Submit
\Windows\SysWOW64\Jlphbbbg.exe

Filesize
64KB

MD5
1fb434b70c0ce406fa269d5cb2c3a494

SHA1
fb84f2693bec4b04d49b56913748a6c71d6462ca

SHA256
e0ad0d4c63ed29aa7fe562583f9a1dce5c9b9ea6db40be6a11c6d6ab4beacb4a

SHA512
53b578f59a0eb2cc13feee381197eba1ef8ef365e2982f512397bdc8440c60f0226cf966aa2ccb1591a76a6d0e47737a253e069bb88c343a2d0941f196745668

Download Submit
\Windows\SysWOW64\Kdbbgdjj.exe

Filesize
64KB

MD5
f43bd1af96f3b286b7597306ce7bc4ed

SHA1
6fb239c9860aec09e402be2cbc215fedc90f0adb

SHA256
23177dc8b1211f5eb0121998df8adbd4c253cd417026febae19eeeaf4f497303

SHA512
039901f05103f81fd98db6f6e8b67072416e9f3f5f0f26b1ccd01a14a54843667e9458d0b77603847efca77974ca11b8d2f157ae8e5e03235854e77cf51f0bb6

Download Submit
\Windows\SysWOW64\Kekiphge.exe

Filesize
64KB

MD5
499ec36901b860ec391b06c35ac7a3db

SHA1
8fc0f011eba31c77a38b2cf4f2bd80af0f4347b4

SHA256
f162840f788ac8f6b022fb7f65831199288c6c3b715be219a7fdbab43d4126db

SHA512
eb4958d965eef7397a5a296778e890bcb795e213ef258ff3db4a56915ddd6fe91d5dcdf81c2694b7219ab445af7fa86b9fc3e4df19fbddf75a957531f479d755

Download Submit
\Windows\SysWOW64\Klngkfge.exe

Filesize
64KB

MD5
724e6c59e63aaabd312c3b77d14237d4

SHA1
949bb7e04282ca0cf2f7b5f8c2c548d3dd774218

SHA256
086eae41f232c43e2c88b60ee7f490dc9fdc9ea075f239a822594860fbbb3884

SHA512
acd61d5eef9ad3ef27cf43af7b8f5ef1f958dfd4eea73855a408cf91200e7fb9f83091325a8399d9a21b54c74f05047d971016fb072b18aab706d54ad6d4ccdc

Download Submit
\Windows\SysWOW64\Lbcbjlmb.exe

Filesize
64KB

MD5
eb122336a9578c48d4ab6680e841eb74

SHA1
de667576f22b71a59a5181d7b99441ff7ceaa939

SHA256
8eb7c5393b64c753d6090bc3a1b39374167409eb7a66f8a1fdc8bb476d4a5e7e

SHA512
954ad00e4a9a0bc8927c6a81765852bab9e2d6bbe47a2251ad6bf93f58409ac51ddb276a448e5a7948fb9ff5b8c7cfccce619aaf8059c3491cd44b9ef6a34df7

Download Submit
\Windows\SysWOW64\Lgqkbb32.exe

Filesize
64KB

MD5
361b21458a7052fa21d635cfb38d1433

SHA1
748bb82511f528f0fb257d00231ba55e516d7e42

SHA256
885051be570e54cef720ab12a0f7be4fc447b339b1741c3852e49d7232459d1f

SHA512
ea8ecc6cafdd620b5a59bc735e08de836a55ca008ee51b5c11e9deaae7f8e6b80e312e118b6e5eeb7d02090e56b9265587ae1ec4743aaa13a5f65388bce55ee4

Download Submit
\Windows\SysWOW64\Lkgngb32.exe

Filesize
64KB

MD5
2e299b78c1e94b7d88943a089eec2810

SHA1
1b76b98d06b8742726358351b955fa97bfa529a7

SHA256
c59902f0d75f432fdef40ffd9f1ed3436c3695847ea80e42c691fcd968d2f2e5

SHA512
7214a07dea626bbf52b6f8b0d371c27daede433a83d5b71b376ef0131880282d6812935e7f9f55bd37a62cda99af9a212fe08687c03616e71e31c01430cd971c

Download Submit
\Windows\SysWOW64\Lpnmgdli.exe

Filesize
64KB

MD5
1881fa0c5b48b8a43fad20270f8b52a7

SHA1
9d10a4a4f0f97f3b9a2b3c31d81376242e4320c3

SHA256
1585ee7afc268e972c1994be7a294db3b47895733c9c161d1e139dfa63271f57

SHA512
74c8ba0b9a0ab830200fefaf73265817853f9a75bf7358912f5b3494f57f6c5ac79fadac88db773ec06e647d195d31bdd9ed98b7293b439b7aa7755aaadd8786

Download Submit
\Windows\SysWOW64\Mgedmb32.exe

Filesize
64KB

MD5
b9f99b94e236bea08a104464fa6bf8ed

SHA1
bfddc065038d86593d724b9c70474670d053c345

SHA256
42255294b05c1f537786489557851b98f37910e6a2e626289b79787ee583cf1f

SHA512
8784264283abd1842d8174697de3696ffe3d7c9363db71e9f4c4c2f92560a7b6910fc69a3024f53adf5d2e70a0f4de1a6a496d66f793c12c6cb904fc953f7f1b

Download Submit
\Windows\SysWOW64\Mpebmc32.exe

Filesize
64KB

MD5
9ae3960724e8c629f74fe6c3078a5d8b

SHA1
4423911084692be5a9d20b22dc04dcda5950eaca

SHA256
8123c13b6c66d25a00a7c2a43e2a021e3f59083eeacf9a40172af62d8336e7f3

SHA512
dc66406b736b3289e14251c9c63895ab7874dbe358924d87f824acfc6fd45fa29314220ac5f7ded9d41408468a704526d1ecb4ecd8298249ec6b2c080564feff

Download Submit
\Windows\SysWOW64\Mpgobc32.exe

Filesize
64KB

MD5
73ed711cd59feac8649b825f9e3f630a

SHA1
3185bc84b476be23d3135c896fcbc1899913b898

SHA256
324326e80d13b1cc800c6e040f75582829a8e6ef518560c8b8b6f45abe260654

SHA512
9edfc59d8f99d1694e63bfbf45f5c2291300a2923dd0378e50be2a5703d683c030a3d0be60fc75aad8eab85ffb53048f12b0f516b967ea8b907130156737a65a

Download Submit
\Windows\SysWOW64\Napbjjom.exe

Filesize
64KB

MD5
b16e2cf18e9e9c724a83b888e3da319c

SHA1
a04730594cefbb4c1f97ebdf04b4ea1c16ab44ac

SHA256
3c29ee10e6d21d383d5cd6d6f6915caa3feac0cd3e10a01c3b82de0389ad9bf7

SHA512
107d51eb3668060baa8a47051c58d467d4f00aa5a3646a24608d569c31fb6fe65cb6296111c0f685197ff0c74caa078d90b777cc2d3d7026d2d3f5b7f73877ca

Download Submit
\Windows\SysWOW64\Nnoiio32.exe

Filesize
64KB

MD5
585947518aad3c7ae09b8d8171079cab

SHA1
7c88590a27627b85367f22a93a4e49caebc7a2a1

SHA256
50e1e39990fa149cf2645596c0088fec58c863ed2b24f92552ddaa0d5a6abb87

SHA512
6d4668bc9815b613ed8c750705653360a7e8638f38aaddf58b2af130ca83c0a65f748d8c1174db445dde1ddb83e000fd5122861bed8e3c21276eed8bd3e1f8cc

Download Submit
memory/432-278-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/432-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-237-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/940-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-285-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1088-334-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1088-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-272-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1148-277-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1148-323-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1656-213-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1656-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-161-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1656-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-265-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1728-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-305-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1764-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-191-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1764-243-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1764-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-211-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2052-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-254-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2056-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-178-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2092-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-380-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2092-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-347-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2240-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2284-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-181-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2284-179-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2284-129-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2284-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-319-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2372-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-312-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2444-357-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2464-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-222-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2464-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-370-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2492-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-298-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-343-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-342-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-299-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2604-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-40-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2740-162-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2740-163-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2740-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-128-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2872-64-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2872-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-69-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2872-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-95-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2896-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-85-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2932-132-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2932-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-142-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2980-196-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2980-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-366-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3040-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-391-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads