berbew | 8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187

Analysis

max time kernel
92s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
Size

96KB
MD5

56dbbe37321b85483bf796d1ec8d9ec0
SHA1

e55d26a85137b65b5db2ba137c0becef2c4bcfb3
SHA256

8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187
SHA512

1955c70045ae7bfc71a4c3d5763416e7f30d84a6de58c120490ae74903160e506798a29e882c4f387b1b98dc7903a87dd9e74e52cb3a7510e641791f31d71d65
SSDEEP

1536:JJD9R+w0Q7zBUQjlTuKDx/exISpT2LDsBMu/HCmiDcg3MZRP3cEW3Ac:JJp8wRD9uKDx/+2Da6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3240	Imdgqfbd.exe
2944	Ifllil32.exe
2224	Ipdqba32.exe
2416	Jimekgff.exe
1080	Jfaedkdp.exe
2200	Jpijnqkp.exe
1084	Jfcbjk32.exe
4904	Jcgbco32.exe
852	Jidklf32.exe
4644	Jblpek32.exe
4524	Jmbdbd32.exe
4332	Kboljk32.exe
212	Kmdqgd32.exe
1016	Kepelfam.exe
2068	Kfoafi32.exe
1660	Kpgfooop.exe
224	Kfankifm.exe
4716	Kmkfhc32.exe
2600	Kpjcdn32.exe
3776	Kbhoqj32.exe
4988	Kibgmdcn.exe
2852	Klqcioba.exe
820	Lbjlfi32.exe
3828	Lbmhlihl.exe
4800	Llemdo32.exe
4660	Lenamdem.exe
4856	Lbabgh32.exe
2604	Lpebpm32.exe
4608	Lingibiq.exe
908	Mipcob32.exe
1564	Mgddhf32.exe
824	Mmnldp32.exe
1088	Mckemg32.exe
1932	Mdjagjco.exe
4180	Melnob32.exe
2660	Mpablkhc.exe
4216	Menjdbgj.exe
404	Npcoakfp.exe
3088	Nljofl32.exe
2400	Njnpppkn.exe
2108	Neeqea32.exe
1576	Ncianepl.exe
3560	Npmagine.exe
1540	Nnqbanmo.exe
2476	Ogifjcdp.exe
1228	Ojgbfocc.exe
1816	Ofnckp32.exe
3052	Ocbddc32.exe
1628	Oqfdnhfk.exe
1532	Ocdqjceo.exe
2948	Onjegled.exe
3172	Ocgmpccl.exe
740	Pnlaml32.exe
3336	Pcijeb32.exe
3116	Pmannhhj.exe
3940	Pclgkb32.exe
3512	Pfjcgn32.exe
4756	Pnakhkol.exe
3328	Pflplnlg.exe
4948	Pqbdjfln.exe
4292	Pfolbmje.exe
2140	Pcbmka32.exe
4220	Pjmehkqk.exe
2864	Qqfmde32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ifllil32.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Jblpek32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Ifllil32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Afomjffg.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5352	5232	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifllil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdgqfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3240	4024	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe	83
PID 4024 wrote to memory of 3240	4024	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe	83
PID 4024 wrote to memory of 3240	4024	8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe	83
PID 3240 wrote to memory of 2944	3240	Imdgqfbd.exe	84
PID 3240 wrote to memory of 2944	3240	Imdgqfbd.exe	84
PID 3240 wrote to memory of 2944	3240	Imdgqfbd.exe	84
PID 2944 wrote to memory of 2224	2944	Ifllil32.exe	85
PID 2944 wrote to memory of 2224	2944	Ifllil32.exe	85
PID 2944 wrote to memory of 2224	2944	Ifllil32.exe	85
PID 2224 wrote to memory of 2416	2224	Ipdqba32.exe	86
PID 2224 wrote to memory of 2416	2224	Ipdqba32.exe	86
PID 2224 wrote to memory of 2416	2224	Ipdqba32.exe	86
PID 2416 wrote to memory of 1080	2416	Jimekgff.exe	87
PID 2416 wrote to memory of 1080	2416	Jimekgff.exe	87
PID 2416 wrote to memory of 1080	2416	Jimekgff.exe	87
PID 1080 wrote to memory of 2200	1080	Jfaedkdp.exe	88
PID 1080 wrote to memory of 2200	1080	Jfaedkdp.exe	88
PID 1080 wrote to memory of 2200	1080	Jfaedkdp.exe	88
PID 2200 wrote to memory of 1084	2200	Jpijnqkp.exe	89
PID 2200 wrote to memory of 1084	2200	Jpijnqkp.exe	89
PID 2200 wrote to memory of 1084	2200	Jpijnqkp.exe	89
PID 1084 wrote to memory of 4904	1084	Jfcbjk32.exe	90
PID 1084 wrote to memory of 4904	1084	Jfcbjk32.exe	90
PID 1084 wrote to memory of 4904	1084	Jfcbjk32.exe	90
PID 4904 wrote to memory of 852	4904	Jcgbco32.exe	91
PID 4904 wrote to memory of 852	4904	Jcgbco32.exe	91
PID 4904 wrote to memory of 852	4904	Jcgbco32.exe	91
PID 852 wrote to memory of 4644	852	Jidklf32.exe	92
PID 852 wrote to memory of 4644	852	Jidklf32.exe	92
PID 852 wrote to memory of 4644	852	Jidklf32.exe	92
PID 4644 wrote to memory of 4524	4644	Jblpek32.exe	93
PID 4644 wrote to memory of 4524	4644	Jblpek32.exe	93
PID 4644 wrote to memory of 4524	4644	Jblpek32.exe	93
PID 4524 wrote to memory of 4332	4524	Jmbdbd32.exe	94
PID 4524 wrote to memory of 4332	4524	Jmbdbd32.exe	94
PID 4524 wrote to memory of 4332	4524	Jmbdbd32.exe	94
PID 4332 wrote to memory of 212	4332	Kboljk32.exe	95
PID 4332 wrote to memory of 212	4332	Kboljk32.exe	95
PID 4332 wrote to memory of 212	4332	Kboljk32.exe	95
PID 212 wrote to memory of 1016	212	Kmdqgd32.exe	96
PID 212 wrote to memory of 1016	212	Kmdqgd32.exe	96
PID 212 wrote to memory of 1016	212	Kmdqgd32.exe	96
PID 1016 wrote to memory of 2068	1016	Kepelfam.exe	97
PID 1016 wrote to memory of 2068	1016	Kepelfam.exe	97
PID 1016 wrote to memory of 2068	1016	Kepelfam.exe	97
PID 2068 wrote to memory of 1660	2068	Kfoafi32.exe	98
PID 2068 wrote to memory of 1660	2068	Kfoafi32.exe	98
PID 2068 wrote to memory of 1660	2068	Kfoafi32.exe	98
PID 1660 wrote to memory of 224	1660	Kpgfooop.exe	99
PID 1660 wrote to memory of 224	1660	Kpgfooop.exe	99
PID 1660 wrote to memory of 224	1660	Kpgfooop.exe	99
PID 224 wrote to memory of 4716	224	Kfankifm.exe	100
PID 224 wrote to memory of 4716	224	Kfankifm.exe	100
PID 224 wrote to memory of 4716	224	Kfankifm.exe	100
PID 4716 wrote to memory of 2600	4716	Kmkfhc32.exe	101
PID 4716 wrote to memory of 2600	4716	Kmkfhc32.exe	101
PID 4716 wrote to memory of 2600	4716	Kmkfhc32.exe	101
PID 2600 wrote to memory of 3776	2600	Kpjcdn32.exe	102
PID 2600 wrote to memory of 3776	2600	Kpjcdn32.exe	102
PID 2600 wrote to memory of 3776	2600	Kpjcdn32.exe	102
PID 3776 wrote to memory of 4988	3776	Kbhoqj32.exe	103
PID 3776 wrote to memory of 4988	3776	Kbhoqj32.exe	103
PID 3776 wrote to memory of 4988	3776	Kbhoqj32.exe	103
PID 4988 wrote to memory of 2852	4988	Kibgmdcn.exe	104

C:\Users\Admin\AppData\Local\Temp\8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe
"C:\Users\Admin\AppData\Local\Temp\8048e1a8f451d95f958c930c910d300d1df0c7cc9b9ea353af68d523440c7187N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\Imdgqfbd.exe
  C:\Windows\system32\Imdgqfbd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\Ifllil32.exe
    C:\Windows\system32\Ifllil32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Ipdqba32.exe
      C:\Windows\system32\Ipdqba32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        31⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        35⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1940
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3580
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        87⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        93⤵
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        94⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        96⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        101⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4840
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        108⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 216
        109⤵
        Program crash
        
        PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5232 -ip 5232
1⤵
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
ce716958bc9ca8dab631de36f40521b2

SHA1
ae5602d5b3f93ee4969698041fe260cd778b81e8

SHA256
926289f7629c9af5ead7071d3edd8ea1428dac61b9092a031587ebceed4ddce8

SHA512
1f316274f4d3f4c51d9609cb132fda3809b1e83de848c8f35c5130810cef630eb942b1dc276a5e4dafba0e8a20396c9b0c0b64c729b756160e132ab175c6b4ef

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
03c15ae78b4334c07466e0c2cf88db3a

SHA1
5f8953a731f79819a8dc6a0b4764ca6266a03e47

SHA256
abb6a568116681f830c827d1b9851db4cc90713a2d0ded245efc4e7e004a59e3

SHA512
39e7738d96917a726c19d16c795880cbdaa773a348ee669969aeae976462c1f7d1c7a692a979b27bc227b43b0e429895a17e3287c3bc7179fa72212df8e19549

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
96KB

MD5
5f55e2a04538cb59c1a611534b7f0cbd

SHA1
e2db6e4f4c5ad1a239736c5266c00b4fd035a20a

SHA256
8c00f2a57dc8a3fd2f8f0874d00476ee04aa22c6e5be16cc6cbcc7a486fb94bf

SHA512
0cfb5bc6aa7eb216e9991e132f8290c24f1cd8ebd38456113d0004f9df1c0e05f694b731ea04bb6ec5b5c0f1e494bc690dc31f859686eb29b8ffae1fb2670044

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
a4038e1aea5b5d7521ac29d2afa005f3

SHA1
c99fc20048ddd5b0a90f2034773891d2da8f1d48

SHA256
ed654f8dce0269d7b5d45749d4a5df1657f16922142739139ff7899f400983fe

SHA512
10a85a48a6a6781b71ede012766bfa6d26f720db0c6ccdd67523349f9cd05cbec2be997af2fa2e37d21cf61cfcce072a4d8e3a5555f8dcaf8898d0f397e69973

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
67a6ecaa854a6dc67dda9e29ee646de6

SHA1
6f9fd573b917f161f3a0404c189a6b24290c1e41

SHA256
38736f8fbb9e144bb1548c352969a462b152bcea186c44e421eb27aeddfcf9c0

SHA512
6012939bade9cdfaef1fead95a2724348e5821e17a8c2d62424487a3e4594992c997e6293bf427cd9c3fc4e748f9699df4aae36b55b29b4f34870a4886774f8e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
5c7ab292352b83cefdef1f3986d0b0f8

SHA1
57210420935604614140273cc73533c18dcbf478

SHA256
87b90b3731f6727612f5f9c347680a217cefa96bafd5ce85c1a1a9c64ae83f1f

SHA512
956ab74c09730ceb85b07bc5dda534ceb7f6c93bb0a1636ba88c42b0b4f0356f14c7fa7cffdc6ac0e996e9214223ba908a43a9ad3f1b9ddb893bfe66605f38be

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
9493a80b9f4ee4bbc8aa709a9a81e76e

SHA1
83b2001a34a95858852fe506744ed67bfee7c2f0

SHA256
db4c29339ad491a3a10fcda50469f81d18ae339b64b3ca8dec9685ef9a646512

SHA512
d9f2486eba893cc32c879a1d8f4927842eb96e6aefe746812181fcb71e56ceb919b402240d637757b4d40575ddaa1f8606570ac3d0f14a3f5417f20766efea14

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
9c168689211f1612c1703e2c849137c9

SHA1
d141acae030d1cae7c49245b52cef96dfcb18be5

SHA256
1d5a269e7b4caab79ea06ea7f833c8fc8806b551b7eb1136cbce5da05f9a4a31

SHA512
63a30ddb94e7a817257bf3eef4d8380d2bb71fb4218bd39350bb20cf1c1dd0c503a59ed685a5b25599434f2b6dfd7ac4006c2cde9883eb737349a5df574a75a9

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
96KB

MD5
88efde3f7b89667611355e6bc7b40451

SHA1
4dc33a2f3fefacccdd91a7b019f26ae86ea58bb9

SHA256
8a367555beba135789770f62caf3f2dd82ebf403045ff9ccd9b5a096fd50ec0a

SHA512
5615693b2920f7b01b12210d0cad7cbd5973ac65533d5fecce189872acff908efc98359c6555412ed8afd94b5c58150e729d74085fa858ee136d8abe8ec327a9

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
96KB

MD5
51cfef6002870383210051b4d4013b70

SHA1
39b012cd59a82d9943d097440bc3037d24ad94e3

SHA256
7edce8514b4b9de416abc77a24eeabae6163773c2d1094032b666bcc2f95a448

SHA512
1cad35eb07d3454ac8158ca0354f003faa2b52545b6b78f8a335e656ff7b4855770ddd657a20a27b38336a54c5adc7894bc7c72629629e2edd82f98d4cc12d0a

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
96KB

MD5
ed48af811d769fbc4a1713bd01946f47

SHA1
b0e2418c425d05a3c1c376b127c9de0a3e90a715

SHA256
e762bd7bcd8bf7d9b6a453578e59d2d53fb1ee26de2b14e07a8b356ea899f20c

SHA512
e819ceed61bdd868329508749c51a99dc76f4ca7684614f027f33b015d5dbdd2190a7821687b74a9c07dc4349b8b0446a527a28873273146dc9b4c7267de6c6a

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
96KB

MD5
6cc9cc74afb5db7bd48d417b898d183f

SHA1
d4db15d81a5de90b41281ed4a52ccd4c6843023a

SHA256
f9d8836fd02f434448537637b8ae033d53b4745cfe5d183c611713ca5fc75ea5

SHA512
16c0a1155cd7cb17d7ca782a7539d049a7d4748e10f27ed6239db637f68e82ec98ab8c0e4e330ad5d8df3f4acadd1a04fc056f81b096cb823735d4cd4949f79d

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
96KB

MD5
147eda4e43e0412e2972866c08fa35d5

SHA1
76022ae53e4001332e7568355fbbb974bfb9f15c

SHA256
48936a5a2c98be7586ae58fcff5a2318a57c5d38e15356bb98edc24442480e29

SHA512
1481c8bca1c1462d9f3492e1436173e3df25488604f486055e35c75cb4eb0c9b94028fcc9190216a14a64b730e0fc9d3774de42ac2a90a1df23446eea1388407

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
a21a6a78d3724027c4e0029dea5b0d3c

SHA1
eaccca9636eca20b10e0dd6082f787247dde4899

SHA256
8f17ed48554e4026db1d949275b8c7f20449342ee37c5b0d753977e1f0077e0d

SHA512
28c4a9dcb0e971a732ed9a5fa7e6f14336dde1f9a92e207374dd32951dad48e05e8cd2cd29e4d2c0398730b808f839c4c8f8000d825e6309abdf45698a684e52

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
6f110a18bc7a5825d33dc6de0a986bbd

SHA1
d7c6078eea12d808516d9adbfe13a51d30b072ca

SHA256
04a49164d219d2a90dc224dbe394b8c631881e263f00ffd8c257b745494c08f0

SHA512
2b4df4ec0dc79aee8046f86ecb14f7a6c4cc996243d5a0553ea8801a821d66d345094d6726f0868359eabd73fd40a635d16f62145a2d70431834ed664740a38b

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
c138dd4a6cf196bccc4d754df39a6e1e

SHA1
f155e1417211cd8fb2f37aaacd7622af1e2f3889

SHA256
837454204a5eb9805eaf661e30c89f3f9a5df7609c32e6ecf3c1d0ab1af86672

SHA512
02121326dc72ed7856600aea8cf8bfee07e209703f16d88bf9341077b2942563f22f0cd1198cafc0402514051862da7fb28bf3612ecef19452f544d001a6b944

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
96KB

MD5
2219bb81014accf501fc9a098f57aab4

SHA1
6e680fe6130453e323bcd7667032e4613fffe7d2

SHA256
08c5725c62b3f9c7b5d843b92fa77c5a6508260eb44a3f567c7cadfb0e735391

SHA512
b2c0cbe7998f062c200a6098d818c94b910fd225dc8922d960836b42e183f5bead23e5cf7abcf2fc480dc62ec9321e9849766846bcd3640cc4636520ed0b9e17

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
96KB

MD5
e42a15aa9dd24ea6f27598d2c9519a33

SHA1
875482a8e3c3c0b3a0bc39d1334a5fd5aefcac59

SHA256
94c8672992e69e73fc2b075ec66defbabcee1adfc87c044f8ccac0c8ce557682

SHA512
2d08ee11f28bcc2861ee78ca459fdd03148b3ed2ed03f9b42abaf28ebff5f68c25572142e9f96ec4d8aab12ea876113cb0a558e8c6ba8b39b288065f998e9037

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
36786fc70337aa3e638393fbeb756b13

SHA1
143e4e9afd270a7654ef4ae01867e4709e877728

SHA256
12ce2d0e7d8dc6d02afc600bbdd123194e2ee012b7a968c54adc8c84382acbf4

SHA512
036350f4e9ad4a3ae8ecc58f84d35294705ee7ff3319c4e34dba0ebbef29b25b3348c2efeea1dc6f60eb3cc028594d89767e298845b9f33dd266ca5ec8cf9bd1

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
a3c8c6a2268fe56f063401f3bcdea55e

SHA1
1985fdc4587dd9eacc3fb4b03b22fc5eeb5a3fc6

SHA256
8393c0a4f6bc5d821985e4271df56afdd143d5479a10ba4ee56f317c4edd7178

SHA512
ed8551f429057aae01454196170d030d241c9e6ea565a894d5ab9406b53dba0aa3bc657dbca26e575ba4a3e55cd84ff5aa4a947bf258ac01c6009a61b457989b

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
877ee06560bd238be4c1905ff0722868

SHA1
5ad7088274a192f2373d1f34ea58c662c3778b28

SHA256
4b070237eb2c79e1a676c86bac8ae0481194b938283baa9a4ee7f55f934b3d88

SHA512
e6b1b9fe1ba6c59725d3518c7a6d3711122f808cc4cf7b14f57a1df44abcc4a743cdb9f80fb2d507d2664cc1748b593a01d43572b9993f9ea805c9aa46d104eb

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
aa9c244184bdacd604266f5086aa4596

SHA1
f459b67c22ad55ce06b33691eda4c86a1e1c74b4

SHA256
769c149675a2ff3f217030bd0c26c262cd35ce3cf9430004b8962fc71c174ca7

SHA512
a497d99abe361e479a74df490ef3fab63f8cf82289543f27a7fb8b3ff38e024abe850148f1f73fd4147e3c8b2371c6eb43b7c33cc33f7c31e9565a73f7524aae

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
96KB

MD5
792861a6611d25d28644dda4be0d5e79

SHA1
7849215c590c1fe0f04fdc9e640ec2d1f5ca1031

SHA256
f8954d2b0f2b436d7d5473628cee739cb7567e5a27c7e8795db0d7697f3b4c5f

SHA512
da2a9b350a919315d66a0581bd422d97e648da2bcc2e57adc0b185e2f3c661be64583a089d0b35e4032a27bf942cbd209b9496eea8adb37ffeda04e49c934016

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
2bbacc48243f8af968b2b0d7e9241f0c

SHA1
a4baf30c0d5e2facd68afc5db998f82ad4dadb17

SHA256
fb163156d686a96e5944892bf087fbbf8798a6318e4fe20f024bf30250dbf4ca

SHA512
7be5d62a13259e1ea7967d93484316671c76db98b6977f8e2cc6978d043c9b639e7c2a4c588388159e8d813f668f34d0f13b4d47eac056453794f2fb26edb50f

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
2512cf61b3bfdb2000cd96675f669a57

SHA1
1b77c2e3eec76ca6b43d420c839ade936d7aad68

SHA256
6de6987aa29a587819244aeffc27119a7400eb9120c6dc1ea7583001ddf21bb2

SHA512
7c012f35c787e2dde554474d77ed997d17b32163ce6fff1f8deb7ee2f65459793e5f7f51e5589d839d7049c7efc63656e3cdd522c9f5c039f0138c7fd3086bb5

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
41d4da0aeb8816bb19b7489fa5b7991e

SHA1
ca08d6e7e3644a641974966ce842a79a5800e385

SHA256
a91ca316082b3f449909c075983d56b56e09a0f8e906b697dbf68aae977c25d2

SHA512
e2463b73c287d33333949b5f219a77b50b36744f78d7c9353b280dcf77906b1cd0c9b9e1fa80c6910cce7a544c6f1731e746cc402cbf2029f0a1436c7d35f660

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
7a8f2b9065152ce61731c4ee1e85ef72

SHA1
4723116e1d96e726ef2e3376a835cb167ab39ba7

SHA256
07af0159518c8f43a31adcff284a6ba3398e4ef6a52d12055a71cd64643f13e1

SHA512
1ea415642953faabaa33dbc7b3eda75e9b52c6c87cd727175cceaca19d7031edfeea49a5ac296ce1e1ec7d51d247963da9870e64577fa1260af44386d90fbf4a

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
96KB

MD5
11a348b9f526e17ac0938f7dc1050785

SHA1
63c4ecec3c07fe5ea18bf9e588f7b6a7acf2d515

SHA256
b785869e8f816d6b0f45d078b9f157191ef2cb3cb8b58605792495aaa0135f66

SHA512
8d5ca19d21b473af0e66ad3f7ad5f9cec2e3dbef0843d7aa43d00f0326718a0c65f214d01b9cd5d62ef248d317ee7b99085c07b88f4cc85c37babe37b96e9f1f

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
9ce21aa9d2aa9bac21ff3b164233be38

SHA1
627d7bd524aa48aaab98aaed6011b20a0122e1c6

SHA256
c6eb64d754ab13bcdce90f62cf82e1a02b730db13f58800117331d80f0a3a137

SHA512
3b3488c1094ca23c9b8ecfefbd3aa73af196ad264b32da124eae03e8cdeee7e723e6d71729a1e5e4ecc6050b4582143d0b2f383bb1fa8e6aac21845caab1083b

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
96KB

MD5
e4f5bab0c33e4190cffcaf1a3e1839a5

SHA1
5ad9af80ba85dc69f12a91cd282246ee141da064

SHA256
b4985602bb02892472cc627abc153abed894393a857f42d524075d12eb2e07d7

SHA512
b7e30f57bde8e75ee5dc4f291881e321637c761fcaa045dc48a706bcbf8d6aec5a67a266e541f36c64a7431d5f5c378ae72be1914f8db7733242ef6b476faed9

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
9bf5035131cf26a37b0f72e49d99e114

SHA1
eec1c032004a3d67a521d6704cd4794d3082fe0b

SHA256
0394730bea6419d7beb5db76fe33f98e0b31c97885fefe5caecbf3f9a6e9fbaf

SHA512
73ee84be4cf4abe762a7aa33f7d2f1e63cee7e3a5c1df7ee73b5605f7e68d6df558bff3d539322dee21bcf42c2713db1bd80724aa24c0972c93d18e7bc1450cf

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
2e55bcd8093bdf8ea452d5176eff7b5b

SHA1
9c5d91251e02f17b8fdd5a5e310b070bab0d413f

SHA256
eb0e4ab445bdf39bb413da4069e05218c6bfed66b061c03ecfa5942eae81741c

SHA512
f4ab3e3691e9da72e89f4f370be2628d8dd049c6988927934ae5b79f76d269124a0a5e683f33bf2b6dbf27d78a29644cb5013a111b06fd368acfdc78fe8c36d2

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
5b91ec1496d48db8c4e7d90915828160

SHA1
4a394862f25f6f005e3d4a618d9d7c9fdc1229ed

SHA256
9cc614070712393772aa9d661bff280e9a66604584baf013e365ba9d530d5528

SHA512
cee717e3be0751d8c51bcd8fa30528307296fa9cf3500bc2afb813f0158b18dc3c6a370c536cc33df310f6fbe184cef41591c2a4b245cbad6e486ba558418f2f

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
2b11b4edd1c8ddcce9b027b68fa9c9b0

SHA1
bb377ce1d5386e4f3d324be82349fd75f03212f0

SHA256
e94318394a165399df4e1507f67d3baf9bdd0c9f14638188cee23278035ed63b

SHA512
e611d75a1cc8af8304e7db6f5b4941d036a67570a35561f35cba1138c4bebb79e89875a8b3f45593107f9301ee181c36698e14c59f71aed73781d6ac4f0f830f

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
96KB

MD5
211d630036a6d137f906c04b0700d975

SHA1
bf814c386941cfd7957fda25d0132c339beb03d5

SHA256
6054c0bb454fd9660c9a0841203a4934e82e70b2c34c9767da999660687a278f

SHA512
c87db907f392a288dea5c0c0b3466223119d56d432add76a2e0705b1362ad4bd54d357d533109a36e6a59ee8758955404540054b565cbda37ba8fe3ff2061c65

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
832cf5cb22e654937941a1e2faa61eda

SHA1
1b255c35c4704f50199b99e50c162a512dd4bdb1

SHA256
7678e320d2904c3258939051b31838fb78d9fc8ead768a8bd1660bd9726b732f

SHA512
bb053ff3488a07045fe7abf2be482d15ebf40cd3214d16b62b054b448a99843c4bef7ea2b05e60cdc8ee650e9616657e2b0945774fc548618a118f0586c72f55

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
aca348e9547c8a2e2ca69875f15e3019

SHA1
5e9d79ea71961f69f996fd85f3d927994650723a

SHA256
656c066e6c2a17ca0a0c51c6acefc762988ce5d7339a6761444dc436c988762e

SHA512
dea0431e602f4c1a14b132c88e16d04fbfdcda3c9c047beb3b20cafdd2028462c1fc1f50a7be3e1f595e11c7ee63df8022eab2895bad61f26cd48e3c823b5fd5

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
2ba275e6fdd193213ca64d0a2a7ccef6

SHA1
1ecb25d00b89fdfa96ddd49785dd807c62c4c7b1

SHA256
7ec4de07ff8aa2919df80c583f9674f9c74ff8942367af8e94ed1beff1db296b

SHA512
ca9f9ee783cca6213c73af5c5a8583632a505260e85192415c64c7bca630e15cd28ce05c867e6601180c95ea4f8bf2a4376e1ce5c2089147d7aac0d9a3ed78c4

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
89469777c4ee965bd217073127474318

SHA1
5b127ed39790ac9037053bdef4731a05a79b3b16

SHA256
53ed8b3413bf2bb1d6045309fbefdba370a7ec03016413f9d003123f1a5bc986

SHA512
7f93f4fcc28461bd51d26110bb7ea93b26b49b260e169b7774ff10f5517ae57736aadc5efaa1436498a99ba6f1f0c538a991a14f88c18584d5a52c1bec50c269

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
62ebeb670568ba9bcbd46cff9ff65751

SHA1
0c1f098b8df79516d7dbe20d6c6c2d50a06c77a6

SHA256
71a4c08d3f6d1813f834f9762955e3ea420ae014ad73109469d73d4fb41d9512

SHA512
f0a4e5db648a3742b2d1780f199a63fe7768d7e91781597ed93dd263e2a07ebdd174fe0eef9e8e8911c84f13266978207257d0cbda050b9cc24c6339fda92ba8

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
5008b796b6c4f641d278af559516a13d

SHA1
d2b6f0e6173d39ecd778b9a1f2cf0b2a50dd9f6d

SHA256
448789d76c01e28e7bd1e3b2913c592c31ecabd9acac31774d3be9dbceaa7768

SHA512
6b0af290a70c4409fdb7f0ca3f4452d9422792a9ddd3ac1e7f6825d6f840890d54dbb09b16048b3e593812c9a8319dfa727227541c8b40a39219e880e09e18bd

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
2779cc0fcc38f515833d0ec12b698ff1

SHA1
6e1240a80f16e769250916e85b0cf0a27d344b10

SHA256
93dd9d08b0c2d2632dec9e15cd6c8b1384d65da43ef4bc215683fd135cb715d5

SHA512
00a07d6f29bf42e93700d403368aa21db79c3e67fbf5f963d9dc7853f11e7d5b9a34e3cbcc3bd727ff891bd5c9f17f5e9bd72f789affe3891ef32f3264d373b1

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
1b91dbecd280ed943ae675b911063cbd

SHA1
ba59c4600a2a42f256694bf31591bc5f0e3c8c52

SHA256
fb136b4462186677bb90813bb16595e4a87151a72267d5c159107e90699c97d8

SHA512
683004e0fe943e1841cae286083bb2efde2f9e7bf4e4b06fd6b604f8eb2cc13244a57efc0a48653c73332dd33c0bcb25ed6e2097a10854f6762d7e2c51a64bc5

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
73c00cc6cb5b5fcf68afd6463c228dae

SHA1
eaa309fea87eba8a2ffecfcfe11cef1b3e36936a

SHA256
7f1aa4b2419c2acbd90e6dcd496ad3643e7b56ca654e09408df09d5d45d64fe8

SHA512
fe8cf32a68b286994618141acc3334e900e5f7db808f1fccd7e57b7fd6536096985fc147b0f4a7d1e43f11bd301a71092d276578bf9dbb925c9d93b18614d051

Download Submit
memory/212-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-781-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-751-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-826-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-830-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-827-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-782-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4072-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-757-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-791-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-764-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads