berbew | 5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
Size

1.5MB
MD5

a379aba3244053ccb39a74d118f8c7b9
SHA1

c00ce9fc43f9d92ccfa457565286ef718252b399
SHA256

5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6
SHA512

ee71f6ab0a93bd164ae573046e5e6be4e3fdc95581a4a76bb78ee88615cd7b809a303db3a444bf0b2224bcc7e38a5f2e4507d33747ef670cf8fc3dbfee390ddb
SSDEEP

24576:QHx6Q2xZmk6Ux6Q2xlPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3o:Q0lmkIhbazR0vKLXZe

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agbbgqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcgqgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmlhbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnpnkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peefcjlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plpopddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gajqbakc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gajqbakc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Honnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmaeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cqfbjhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fccglehn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkqlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcilc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghgfekpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghgfekpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgoff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcbfbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqmcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncnmane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknafhjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adipfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
2972	Ofnpnkgf.exe
2572	Oimmjffj.exe
2536	Ofqmcj32.exe
2532	Peefcjlg.exe
2464	Plpopddd.exe
660	Agbbgqhh.exe
2880	Adipfd32.exe
1800	Bhmaeg32.exe
600	Bcbfbp32.exe
1448	Cqaiph32.exe
1944	Cqfbjhgf.exe
2832	Dgiaefgg.exe
2176	Dboeco32.exe
1036	Epnhpglg.exe
2716	Ejcmmp32.exe
2304	Fkqlgc32.exe
2268	Fkcilc32.exe
1664	Fccglehn.exe
1972	Fimoiopk.exe
1660	Gcgqgd32.exe
2844	Gajqbakc.exe
1620	Gamnhq32.exe
1720	Ghgfekpn.exe
3024	Gncnmane.exe
2368	Gkgoff32.exe
3008	Hjmlhbbg.exe
1700	Hdbpekam.exe
2608	Hmpaom32.exe
2684	Honnki32.exe
2408	Hiioin32.exe
1324	Ifmocb32.exe
1508	Iikkon32.exe
2864	Ifolhann.exe
988	Iipejmko.exe
1896	Iknafhjb.exe
1888	Inojhc32.exe
792	Iamfdo32.exe
1768	Jgjkfi32.exe
1864	Jikhnaao.exe
448	Jabponba.exe
1132	Jimdcqom.exe
1820	Jllqplnp.exe
620	Jedehaea.exe
1152	Jnmiag32.exe
900	Jibnop32.exe
352	Jplfkjbd.exe
1980	Jnofgg32.exe
288	Kekkiq32.exe
1744	Klecfkff.exe
3004	Kjhcag32.exe
2640	Kkjpggkn.exe
2644	Koflgf32.exe
2444	Kipmhc32.exe
2428	Kdeaelok.exe
2768	Lmmfnb32.exe
2896	Ldgnklmi.exe
1904	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
2972	Ofnpnkgf.exe
2972	Ofnpnkgf.exe
2572	Oimmjffj.exe
2572	Oimmjffj.exe
2536	Ofqmcj32.exe
2536	Ofqmcj32.exe
2532	Peefcjlg.exe
2532	Peefcjlg.exe
2464	Plpopddd.exe
2464	Plpopddd.exe
660	Agbbgqhh.exe
660	Agbbgqhh.exe
2880	Adipfd32.exe
2880	Adipfd32.exe
1800	Bhmaeg32.exe
1800	Bhmaeg32.exe
600	Bcbfbp32.exe
600	Bcbfbp32.exe
1448	Cqaiph32.exe
1448	Cqaiph32.exe
1944	Cqfbjhgf.exe
1944	Cqfbjhgf.exe
2832	Dgiaefgg.exe
2832	Dgiaefgg.exe
2176	Dboeco32.exe
2176	Dboeco32.exe
1036	Epnhpglg.exe
1036	Epnhpglg.exe
2716	Ejcmmp32.exe
2716	Ejcmmp32.exe
2304	Fkqlgc32.exe
2304	Fkqlgc32.exe
2268	Fkcilc32.exe
2268	Fkcilc32.exe
1664	Fccglehn.exe
1664	Fccglehn.exe
1972	Fimoiopk.exe
1972	Fimoiopk.exe
1660	Gcgqgd32.exe
1660	Gcgqgd32.exe
2844	Gajqbakc.exe
2844	Gajqbakc.exe
1620	Gamnhq32.exe
1620	Gamnhq32.exe
1720	Ghgfekpn.exe
1720	Ghgfekpn.exe
3024	Gncnmane.exe
3024	Gncnmane.exe
2368	Gkgoff32.exe
2368	Gkgoff32.exe
3008	Hjmlhbbg.exe
3008	Hjmlhbbg.exe
1700	Hdbpekam.exe
1700	Hdbpekam.exe
2608	Hmpaom32.exe
2608	Hmpaom32.exe
2684	Honnki32.exe
2684	Honnki32.exe
2408	Hiioin32.exe
2408	Hiioin32.exe
1324	Ifmocb32.exe
1324	Ifmocb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Peefcjlg.exe	Ofqmcj32.exe
File created	C:\Windows\SysWOW64\Fkqlgc32.exe	Ejcmmp32.exe
File created	C:\Windows\SysWOW64\Aooihhdc.dll	Fkcilc32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgoff32.exe	Gncnmane.exe
File created	C:\Windows\SysWOW64\Pbonaedo.dll	Hmpaom32.exe
File created	C:\Windows\SysWOW64\Hiioin32.exe	Honnki32.exe
File created	C:\Windows\SysWOW64\Ifmocb32.exe	Hiioin32.exe
File created	C:\Windows\SysWOW64\Kqkmghhf.dll	Ofnpnkgf.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Jimdcqom.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Fimoiopk.exe	Fccglehn.exe
File created	C:\Windows\SysWOW64\Iipejmko.exe	Ifolhann.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Bnnjlmid.dll	Dgiaefgg.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Plpopddd.exe	Peefcjlg.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Bieepc32.dll	Epnhpglg.exe
File opened for modification	C:\Windows\SysWOW64\Fimoiopk.exe	Fccglehn.exe
File opened for modification	C:\Windows\SysWOW64\Gncnmane.exe	Ghgfekpn.exe
File opened for modification	C:\Windows\SysWOW64\Hmpaom32.exe	Hdbpekam.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ofqmcj32.exe	Oimmjffj.exe
File created	C:\Windows\SysWOW64\Gajqbakc.exe	Gcgqgd32.exe
File created	C:\Windows\SysWOW64\Gnlnhm32.dll	Gamnhq32.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Ncmljjmf.dll	Bcbfbp32.exe
File created	C:\Windows\SysWOW64\Plcpehgf.dll	Fccglehn.exe
File created	C:\Windows\SysWOW64\Gncnmane.exe	Ghgfekpn.exe
File created	C:\Windows\SysWOW64\Flpkcb32.dll	Hjmlhbbg.exe
File created	C:\Windows\SysWOW64\Hmpaom32.exe	Hdbpekam.exe
File created	C:\Windows\SysWOW64\Iknafhjb.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Jgjkfi32.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Ppiidm32.dll	Adipfd32.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Ejcmmp32.exe	Epnhpglg.exe
File created	C:\Windows\SysWOW64\Ojacgdmh.dll	Fimoiopk.exe
File created	C:\Windows\SysWOW64\Hjmlhbbg.exe	Gkgoff32.exe
File opened for modification	C:\Windows\SysWOW64\Hiioin32.exe	Honnki32.exe
File created	C:\Windows\SysWOW64\Anafme32.dll	Iipejmko.exe
File created	C:\Windows\SysWOW64\Kbclpfop.dll	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Pihmcioe.dll	Ofqmcj32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Jimdcqom.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Pnalcc32.dll	Hdbpekam.exe
File opened for modification	C:\Windows\SysWOW64\Ifmocb32.exe	Hiioin32.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Hdbpekam.exe	Hjmlhbbg.exe
File created	C:\Windows\SysWOW64\Cdiedagc.dll	Oimmjffj.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Ifmocb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqmcj32.exe	Oimmjffj.exe
File created	C:\Windows\SysWOW64\Gcgqgd32.exe	Fimoiopk.exe
File opened for modification	C:\Windows\SysWOW64\Ghgfekpn.exe	Gamnhq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
992	1904	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgiaefgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbfbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oimmjffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agbbgqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fccglehn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plpopddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adipfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghgfekpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gncnmane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqfbjhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqmcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmaeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnhpglg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqaiph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkqlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gamnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmlhbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnpnkgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcgqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcilc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gajqbakc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peefcjlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboeco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpaom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimoiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcmmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkgoff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdbpekam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plpopddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhepmkh.dll"	Gajqbakc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gamnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll"	Honnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqmcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll"	Epnhpglg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkcilc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll"	Fkqlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fimoiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnpaigk.dll"	Peefcjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkqlgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmlhbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gncnmane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oimmjffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peefcjlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gajqbakc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkcilc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifolhann.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnpnkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll"	Cqaiph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cqfbjhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfifa32.dll"	Plpopddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcbfbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmpaom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihmcioe.dll"	Ofqmcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cqfbjhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffbkj32.dll"	Gncnmane.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdbpekam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhdddb.dll"	Hiioin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnpnkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oimmjffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll"	Agbbgqhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgiaefgg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2972	2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe	29
PID 2796 wrote to memory of 2972	2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe	29
PID 2796 wrote to memory of 2972	2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe	29
PID 2796 wrote to memory of 2972	2796	5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe	29
PID 2972 wrote to memory of 2572	2972	Ofnpnkgf.exe	30
PID 2972 wrote to memory of 2572	2972	Ofnpnkgf.exe	30
PID 2972 wrote to memory of 2572	2972	Ofnpnkgf.exe	30
PID 2972 wrote to memory of 2572	2972	Ofnpnkgf.exe	30
PID 2572 wrote to memory of 2536	2572	Oimmjffj.exe	31
PID 2572 wrote to memory of 2536	2572	Oimmjffj.exe	31
PID 2572 wrote to memory of 2536	2572	Oimmjffj.exe	31
PID 2572 wrote to memory of 2536	2572	Oimmjffj.exe	31
PID 2536 wrote to memory of 2532	2536	Ofqmcj32.exe	32
PID 2536 wrote to memory of 2532	2536	Ofqmcj32.exe	32
PID 2536 wrote to memory of 2532	2536	Ofqmcj32.exe	32
PID 2536 wrote to memory of 2532	2536	Ofqmcj32.exe	32
PID 2532 wrote to memory of 2464	2532	Peefcjlg.exe	33
PID 2532 wrote to memory of 2464	2532	Peefcjlg.exe	33
PID 2532 wrote to memory of 2464	2532	Peefcjlg.exe	33
PID 2532 wrote to memory of 2464	2532	Peefcjlg.exe	33
PID 2464 wrote to memory of 660	2464	Plpopddd.exe	34
PID 2464 wrote to memory of 660	2464	Plpopddd.exe	34
PID 2464 wrote to memory of 660	2464	Plpopddd.exe	34
PID 2464 wrote to memory of 660	2464	Plpopddd.exe	34
PID 660 wrote to memory of 2880	660	Agbbgqhh.exe	35
PID 660 wrote to memory of 2880	660	Agbbgqhh.exe	35
PID 660 wrote to memory of 2880	660	Agbbgqhh.exe	35
PID 660 wrote to memory of 2880	660	Agbbgqhh.exe	35
PID 2880 wrote to memory of 1800	2880	Adipfd32.exe	36
PID 2880 wrote to memory of 1800	2880	Adipfd32.exe	36
PID 2880 wrote to memory of 1800	2880	Adipfd32.exe	36
PID 2880 wrote to memory of 1800	2880	Adipfd32.exe	36
PID 1800 wrote to memory of 600	1800	Bhmaeg32.exe	37
PID 1800 wrote to memory of 600	1800	Bhmaeg32.exe	37
PID 1800 wrote to memory of 600	1800	Bhmaeg32.exe	37
PID 1800 wrote to memory of 600	1800	Bhmaeg32.exe	37
PID 600 wrote to memory of 1448	600	Bcbfbp32.exe	38
PID 600 wrote to memory of 1448	600	Bcbfbp32.exe	38
PID 600 wrote to memory of 1448	600	Bcbfbp32.exe	38
PID 600 wrote to memory of 1448	600	Bcbfbp32.exe	38
PID 1448 wrote to memory of 1944	1448	Cqaiph32.exe	39
PID 1448 wrote to memory of 1944	1448	Cqaiph32.exe	39
PID 1448 wrote to memory of 1944	1448	Cqaiph32.exe	39
PID 1448 wrote to memory of 1944	1448	Cqaiph32.exe	39
PID 1944 wrote to memory of 2832	1944	Cqfbjhgf.exe	40
PID 1944 wrote to memory of 2832	1944	Cqfbjhgf.exe	40
PID 1944 wrote to memory of 2832	1944	Cqfbjhgf.exe	40
PID 1944 wrote to memory of 2832	1944	Cqfbjhgf.exe	40
PID 2832 wrote to memory of 2176	2832	Dgiaefgg.exe	41
PID 2832 wrote to memory of 2176	2832	Dgiaefgg.exe	41
PID 2832 wrote to memory of 2176	2832	Dgiaefgg.exe	41
PID 2832 wrote to memory of 2176	2832	Dgiaefgg.exe	41
PID 2176 wrote to memory of 1036	2176	Dboeco32.exe	42
PID 2176 wrote to memory of 1036	2176	Dboeco32.exe	42
PID 2176 wrote to memory of 1036	2176	Dboeco32.exe	42
PID 2176 wrote to memory of 1036	2176	Dboeco32.exe	42
PID 1036 wrote to memory of 2716	1036	Epnhpglg.exe	43
PID 1036 wrote to memory of 2716	1036	Epnhpglg.exe	43
PID 1036 wrote to memory of 2716	1036	Epnhpglg.exe	43
PID 1036 wrote to memory of 2716	1036	Epnhpglg.exe	43
PID 2716 wrote to memory of 2304	2716	Ejcmmp32.exe	44
PID 2716 wrote to memory of 2304	2716	Ejcmmp32.exe	44
PID 2716 wrote to memory of 2304	2716	Ejcmmp32.exe	44
PID 2716 wrote to memory of 2304	2716	Ejcmmp32.exe	44

C:\Users\Admin\AppData\Local\Temp\5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe
"C:\Users\Admin\AppData\Local\Temp\5fe2e50c7fe43106fcf0fa719be9c320067e077399e8bba57c6cddba2a9923a6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Ofnpnkgf.exe
  C:\Windows\system32\Ofnpnkgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Oimmjffj.exe
    C:\Windows\system32\Oimmjffj.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\Ofqmcj32.exe
      C:\Windows\system32\Ofqmcj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Peefcjlg.exe
        
        C:\Windows\system32\Peefcjlg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Plpopddd.exe
        
        C:\Windows\system32\Plpopddd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Agbbgqhh.exe
        
        C:\Windows\system32\Agbbgqhh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Adipfd32.exe
        
        C:\Windows\system32\Adipfd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bhmaeg32.exe
        
        C:\Windows\system32\Bhmaeg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Bcbfbp32.exe
        
        C:\Windows\system32\Bcbfbp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Cqaiph32.exe
        
        C:\Windows\system32\Cqaiph32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Cqfbjhgf.exe
        
        C:\Windows\system32\Cqfbjhgf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Dgiaefgg.exe
        
        C:\Windows\system32\Dgiaefgg.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Dboeco32.exe
        
        C:\Windows\system32\Dboeco32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Epnhpglg.exe
        
        C:\Windows\system32\Epnhpglg.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ejcmmp32.exe
        
        C:\Windows\system32\Ejcmmp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Fkqlgc32.exe
        
        C:\Windows\system32\Fkqlgc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Fkcilc32.exe
        
        C:\Windows\system32\Fkcilc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Fccglehn.exe
        
        C:\Windows\system32\Fccglehn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Fimoiopk.exe
        
        C:\Windows\system32\Fimoiopk.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Gcgqgd32.exe
        
        C:\Windows\system32\Gcgqgd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Gajqbakc.exe
        
        C:\Windows\system32\Gajqbakc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Gamnhq32.exe
        
        C:\Windows\system32\Gamnhq32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ghgfekpn.exe
        
        C:\Windows\system32\Ghgfekpn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Gncnmane.exe
        
        C:\Windows\system32\Gncnmane.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Gkgoff32.exe
        
        C:\Windows\system32\Gkgoff32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Hjmlhbbg.exe
        
        C:\Windows\system32\Hjmlhbbg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Hdbpekam.exe
        
        C:\Windows\system32\Hdbpekam.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Hmpaom32.exe
        
        C:\Windows\system32\Hmpaom32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Honnki32.exe
        
        C:\Windows\system32\Honnki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ifolhann.exe
        
        C:\Windows\system32\Ifolhann.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 140
        59⤵
        Program crash
        
        PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agbbgqhh.exe

Filesize
1.5MB

MD5
22bd06b7c85d9f01dd69fac12bb3da9d

SHA1
c4d40463a7122ed2c361da2ef2d178caaf8631e6

SHA256
fbaa638f074ebedf00c5f3fac812d83afa9f20cd6793b3b79b42d0d1bc46b392

SHA512
c37ae973322d98d290d9d15e787ba6fbc6b182cafe7944ad29c6fa3bdc5fa41d7f5d1ac1fa7ba15c4c6c0db8b4927cbc2fbf3e6c5e0aad9ca13a0af4f6d200c0

Download Submit
C:\Windows\SysWOW64\Bcbfbp32.exe

Filesize
1.5MB

MD5
401998555ecccd3180276a4d0f435bf7

SHA1
78f2558cc18ecfcfffb4941bec077fa08ae1923f

SHA256
d08887777de376aa6f6b6b0256c94a9a434333aaf21a453ed394bf76ca105eb5

SHA512
45ce50803faa3da4393fd21902640b9b0bbb286ef43a760f9d42027bd3e800be477bbbf353012fe66901e7788d9c2696c963c187347897abbb9010371e5834b6

Download Submit
C:\Windows\SysWOW64\Bhmaeg32.exe

Filesize
1.5MB

MD5
139524d4a05fcc52af14657ca8b48065

SHA1
49e25bfd7c5bab3e4a18ffa2248fb5ce9f637c45

SHA256
e18f693d1ae68635e6028179d078cc79a9cd10af1af496131a04974ba4ee1094

SHA512
ba3740b084d11de55a2d4fbfbf714237c85ad65143b4357ea257e7eb197ed4fcc74f95688fc7e7dd45aa733a10ca7e55f7a20b4ad3648341c093e1c5861129a5

Download Submit
C:\Windows\SysWOW64\Cqfbjhgf.exe

Filesize
1.5MB

MD5
a441b37ae1196f1ae459af5495cd386e

SHA1
df9bd913952856aa271caad9f7b205d62a53ce35

SHA256
c36d54abca972a9e8ea5cb5cd31e821570a481414b541104800d034c56133c09

SHA512
407290ffc2f6d3f222f86ef84d252a1db85f12b173f59bad3fadaacb7565b58839295e61f2471f20d501a97064ef581f1bc21eca19083abc7078f897b15a37b7

Download Submit
C:\Windows\SysWOW64\Ejcmmp32.exe

Filesize
1.5MB

MD5
136f95d0c2692f10a0f88b7215eeb634

SHA1
e34dc550e5b1b60c07db20958edaf2b82bb2f10f

SHA256
f71d71e004b8debd185cb9c61c17d6b7b35e2fb268ca7e54e7fe3b7ee5390c5d

SHA512
2a91ca706ff1b2d177b3532f8275b3226f2533a682818e5250863ed2417b9b14300644d3f3f2df7b726fc55e79c67ddb3ad7390c020199ccc045ac36ee7d325f

Download Submit
C:\Windows\SysWOW64\Fccglehn.exe

Filesize
1.5MB

MD5
70cf104ca81fb1d00a169f1bbbc77e59

SHA1
a93c1003075d0d5e0857e62a9071d7741b8b4afe

SHA256
a8fd38c83cdda4e789e9e647ec409def0890e562ee57e71b4294dfa14e784df9

SHA512
a9bca96a6920debe68ff57af400b04127c45e16b623db776a080646e2148a53e95be297f54a7fef165298f0d3c63ada77be2a11b7545f9be88da0e2b9c87d410

Download Submit
C:\Windows\SysWOW64\Fimoiopk.exe

Filesize
1.5MB

MD5
4f9d5d2f752c8e77877c74c86f750813

SHA1
2375cea19ec377fa557250a45882d6b840ce8ff5

SHA256
caf058e69c61f0693ceae38489cf078fc7721abe5d1707cbffc7820c7407e1aa

SHA512
a89913fcd8f8f171e616405fdf9eb6ef81361c5bda0d3799a02ad2fa1f7e07adf301f458fd096ca4a113742bd5c25277aa32b91e9f300763052b258d9b1b0d47

Download Submit
C:\Windows\SysWOW64\Fkcilc32.exe

Filesize
1.5MB

MD5
2e476eef3273e37a4438806d3f9ab48b

SHA1
4be67159092b5ee8f818e2745ae26bd4e6856486

SHA256
73d41408c5de7f850f6ae9a1575679e7b4a812ede879db22a24f9fe8a0b05a40

SHA512
20e94c905939b330f0febc8603f942ea0bd509671ead26b2aee4d301b9683676628e3ed27e785abee66721ffee604ce1e90831d29acd76ee5595bb505471a87e

Download Submit
C:\Windows\SysWOW64\Gajqbakc.exe

Filesize
1.5MB

MD5
dd623c66fd7e46333fa96abcf39e8d87

SHA1
3c61479de0f816346aeb2740c4f681ccf04b1175

SHA256
4a33a158db4caa23d5cbce5bb46659b61e181ed86c7e0c5939a739ec8fcf02de

SHA512
914ed78d4b7e3879fca6ab4e65ddd73b918756ed897ed0441e4146ec653aa1df86ab62906da77ca34583aae076b888a1fbf25fd842cd711b1802faff45e7f64d

Download Submit
C:\Windows\SysWOW64\Gamnhq32.exe

Filesize
1.5MB

MD5
edfc93fd7726b41b38499b7e64330b31

SHA1
a2cd7155222d120bc077bd889f7cbc921bcacdb1

SHA256
06b20e9d01ed252cfa5a9add3200fb911bf937095acdcc08b522cb5156f05a7a

SHA512
ceb1386e5e72b148b049c5d6139ac247cfa8068244dd01e5c3b2ca928acfbfd4ed08bdc107300961458ccf0b89e7d2cc043e4ab3b4800c6639a66cfe5aa1b1a2

Download Submit
C:\Windows\SysWOW64\Gcgqgd32.exe

Filesize
1.5MB

MD5
9371cb568c094814257949fb68a33e83

SHA1
b785060794bee88743261be7e879819064d07620

SHA256
7b2008817515dc29fbb43fb8fb72b834d813159811a4c609ea4740bf28f0282a

SHA512
e0385c1dc16cde72f315baa3abe7c06d9b951090df021559368704a8cb97c7a24b6c38146532a418fd64a8afa4d12956f8ca92e7e8d5426eb407b551c0ddc24d

Download Submit
C:\Windows\SysWOW64\Ghgfekpn.exe

Filesize
1.5MB

MD5
b4cd95eb2f6530c015d628e2c45a4a81

SHA1
b19f521e7829ed0c47eb2b544287440a3ace93bd

SHA256
7dda549c48d66e8bcf74a0fa9693ecc2e82a7379adc230b6128429fb082ee446

SHA512
ebaa8f7723d45d8d12923f7a1afab7d50d33a584e6abdd5aaf708eace450cfcf588a9fa1619a3e398fc9788f2dd49e8479e2db01c06582cdae0d276164500972

Download Submit
C:\Windows\SysWOW64\Gkgoff32.exe

Filesize
1.5MB

MD5
e5cf1d18a2181fcb27093bb7f052d531

SHA1
80d7f6ad54cbfc20183a577d59179e26db4df4ee

SHA256
f94b1b846fedfb32e93f9474a853f3aebf406dde9def780214aed1578919ef8a

SHA512
05ddf84432bb6385027ade258afcbcdbe8e27b8ffba8028907db49c1a0a22ec027e5e4a6a181210540f7963312921ae0c0fda70937a9846acbc9412598d29b08

Download Submit
C:\Windows\SysWOW64\Gncnmane.exe

Filesize
1.5MB

MD5
8af098b672a0ceade6edf72c563d97b2

SHA1
90d69075a57ebf86bd15300dc977025af40b8deb

SHA256
a5f34e5184f832f37af20ff61fa1d441c77fe9302b5266db6d44230310049bf7

SHA512
9150908b7e03b7d039b468ed1c22125bec4cbc2ab1850955d3c040617b9fe9999b90ccc93cbd6190dad68aa67d48236572b73fc3dfcf5bae7c27ed4d2b2ca7e1

Download Submit
C:\Windows\SysWOW64\Hdbpekam.exe

Filesize
1.5MB

MD5
4a2919b5f392915dcef8d25a6051d4b9

SHA1
93df80b69057a99c2caa7e17d86d596adf063d35

SHA256
2a9c689cf928c45328e389e45fdaeba0861e87e8b5c529eb856e1b05d2626265

SHA512
d0c776abd3cdba181ffb32372add62c101c4f7871c997fbfce964e41dbc427d60e4f8ff75e962c264961bc2e3448c85ce013900ba5712b5679c9d64f8653a9a4

Download Submit
C:\Windows\SysWOW64\Hiioin32.exe

Filesize
1.5MB

MD5
1854d1d70738c59df9947144aecce6a9

SHA1
8a1e93b5107381b0b13e2a35e44f99ac6e7f54b9

SHA256
813d9fc1e86d466959d93fc588a9d0af8e0d41c3f7472f3ee2bab2aa4ffa60b7

SHA512
b171a1e0780ca909176a9069783a5491a968975d51e4b1c7b27fa4e3bbcff16ab0b3878c7c12b5725bab2d6f6a88b7abf21889c85120f1757f0b1ab32d4cbf8a

Download Submit
C:\Windows\SysWOW64\Hjmlhbbg.exe

Filesize
1.5MB

MD5
1b943fdc070806d76623dfd20db14aab

SHA1
6c7b47e74bfe7b047ab26a24a76a36d13643c742

SHA256
bc388048d9348abbcb673a120836204995651b40ae3cf6b6e499f318a94848cc

SHA512
5a9c221de095d8d84f254ad14e3b2514cad340d7ab37bb6944feabdf16a7f6054cd80f36931ad7baaedd3de1639e19d8c833518207960c39b37f61fa7c541765

Download Submit
C:\Windows\SysWOW64\Hmpaom32.exe

Filesize
1.5MB

MD5
803fe06ef958028c2a4aa3271abaa31d

SHA1
440989384500bd3d85a9325136c220f3a12b7259

SHA256
cf196d8c06c38c2367e4359ab371dac10966ac28dd0a9caf9be2bd099847358f

SHA512
94462be2e4f3549a8015e7ec09a053ae5874ede1be308697e2d0821c1542dac077c00ec9a73ee654ba739395d036e14b77b533dd360a7534b3c007574f77a0f7

Download Submit
C:\Windows\SysWOW64\Honnki32.exe

Filesize
1.5MB

MD5
c1df0a68f9f31ca29153d18cab5ec3ec

SHA1
58e022341452ec16908bdd16f94b20cd89159a50

SHA256
b542c2317046c63e07799fe0a2d0c1ec96d4f6de063ad699c693830c2304eddc

SHA512
37faa36e2d8409d7028d00ee173e301d9d2dc3bba147bec8878625b652a91df7f29b72ae70215069c7b35246aed5667888b8010880491c3ecca4f2f361286427

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
1.5MB

MD5
cfa020dc3008a88228ef0084d40f608f

SHA1
2f4de50975672b9c0240b478dc7172e38a27e472

SHA256
b2244ef0aaef3a87435568b196a92b3176599e15400ed01cb646c3129504e161

SHA512
988daad614a4b99e9dddcb1b179864495a7389ccc9ce121f8c36bd02de102598ade638c10916295b748ba18084050de440563ee3c2d6a7e52101b2bfac367742

Download Submit
C:\Windows\SysWOW64\Ifmocb32.exe

Filesize
1.5MB

MD5
0c837f39558cca3d61783cc8d6c952a5

SHA1
7ed3347f0bf9bff53e8a8f5929b2693268a53cb9

SHA256
d2caee443ee2e78ca7e9a17fc5299367680e202f689e5370a3bf7ad04e6221ec

SHA512
e5f1f672c09392ed66857d1f4e4496071671ce4bc84d5fe52e67e2ff006db53fdda2d1e71498b43288a9b0549ac481fa87fd2dfc39b7f78f64426dd96411f6d5

Download Submit
C:\Windows\SysWOW64\Ifolhann.exe

Filesize
1.5MB

MD5
4b927b0126dba156af7d093aaa693f24

SHA1
a048e6a2b9c640c39efbbbeb56b06ec3f6d187f6

SHA256
b86ae3a90c7abfc86c6961be075177fe5c6714722fc2fbd165396ef4de22a757

SHA512
5c58dcdf4d24e34398f471d33d98a7cb96574fff2b99622f74dcadb3dda629a9b7142af5fa4b153072f8d2160c8eba77fa814367c8d1372e5efb02c657389368

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
1.5MB

MD5
6d00da73506304586b2872a121635b00

SHA1
39d463ac599e81b31dd2ca278d4a1234d7ae62ed

SHA256
c57fd776cbc2697f296571c28db1c73ba0aec17ecefba22c31f275562c9478eb

SHA512
5b8bdf1a7dcd45a5a4ddc22052db90f4f0447f9e9778176f01d614928cb75dd600c32bcc7b1ea4a35f5220e45cd01f60f4876566832dbe0b858efb844f43f281

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
1.5MB

MD5
d2c058532895da97a16e86b9e5ad80a8

SHA1
3e2345f5cde697c7f5607febebd81107897499e7

SHA256
9dda2c7dd5dc2dd0b0cccf2c26bb2d7cee5bb4eea1e48ff4d1729e7adfbe6ccd

SHA512
63fd81b5a2c23aa0c35e39e5d21d1122d5169e71f32fae650a38d966b42d8e40c50b378df77c2fcf45310c2f053dfb4bff494ddbdacef2e1a7d0b59742a395e4

Download Submit
C:\Windows\SysWOW64\Iknafhjb.exe

Filesize
1.5MB

MD5
8bd603ef82e8ebc03b9def64870d4227

SHA1
3b46847d6b15744efb3679bf77e0b369df0867ac

SHA256
1fb033275ab974da7f31e07f092e8b19d7e5e920f46d4a3aab5e514e567ec7f0

SHA512
ee0b700881e13979e73d2daeac194cd17adca29686f656c5be53d0a5ee62b0e97dfcbed9d00b3d043d8cd5f1bd29144a92c8bb42e6ca7bbe3ede2dcba8557375

Download Submit
C:\Windows\SysWOW64\Inojhc32.exe

Filesize
1.5MB

MD5
a3bd8e731621ddee3f68ad0708639529

SHA1
52e6f019eb43edbacbe8cb12e48cfbff246dd620

SHA256
74067c65d9fd2e02a41528164809e35874309ee819e8a4fba94795511816981b

SHA512
12a46e06783cee59b444c1d239b271bd914d2d34ab49b7baff38fc02bdd592fad263827d7ee4c41af70b958397c11b5ab5fe2579d8589a3b7f960ad7e912b4e7

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
1.5MB

MD5
d3ee95edea3fef17578d82e68bf4fd8e

SHA1
d9ece5ce2bdb2f5ba6eda4e5828cf43fbe0ddf41

SHA256
3e7a5354d7c89c6fd724032977a4f080087b0e7c9623823ffd8e0fbc247e0260

SHA512
e14d20688a0f9deddb1e139525fdf45f23df5051eea5a264853088ee53df507441f30ce0f86e4e06b3bb03b83f5dec520ecfc80e000508fe7dee10f79286888b

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
1.5MB

MD5
959dde52986c40ae1f487f949e96bf28

SHA1
9dd7db4c035d3eff56fade9e733e946435a59cf3

SHA256
80c53c8e41a73d4bf738880bc7ef040ea201b17716dd7f3d476b2f8ad0cd248c

SHA512
5e7ec5129255884a19b70c0ce0f0f5df0ee7dceb6f5a1dddc04ba9844ea4ea7ba662d4ab0427107adbcf98c269ee3ed71a5c06412651e92454f2bb1011111399

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
1.5MB

MD5
929db8c4ef6ef2081745d19e52539296

SHA1
867beb7f6cb15b04cdd30a7ff0b128d88e7744af

SHA256
d2e83c07553be54aaafddd8f6f3336ecc90b7ad744cddd30516a94eafadc241c

SHA512
01e5fe8ad4d43a7d6d9fe8d4b325c1c10d724126a9487f415d1db84ee2f39dfffef3594cebb60d298560dea868518d6c88763bd4e104c814b192bd6c52d43745

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
1.5MB

MD5
7564220dd633a521fab60f0279e5112b

SHA1
802f5b19aba20694fd28d7f77a75b2f790ca8542

SHA256
07234d92f566df18badf5aba744b3befc58c4573cef245813a34bbf3c19b2906

SHA512
9aac5ff7e32591161de4dc62cb44e433acf9a6e6c10a09e8ec5ef93437a86ec9c07a6e5a4fe27dfd9d26f1a0d0fa2ff3ffc8b66ce58f671088a4cd9ebb976810

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
1.5MB

MD5
a287ce06129e29abfde950e869e6d4c7

SHA1
d6f13f38a26aee0c9a5076d37be8af4b825d29c6

SHA256
347b292a3ef027fda782b35378343ceacef4e8ceac9b0e367e530f9418814e95

SHA512
38c182b049496051435bce830f607fff9e1988b0175f0363a3eace090708f82b3bc492369dce43422ae6d376cd0078408ebfc5b9fc90da1ab24941ea9f6a5af9

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
1.5MB

MD5
b86d6ddebd937f1dfb78d120d7e67d3e

SHA1
c9eb14daceaff1820b77455bcb0759aa1ce6c688

SHA256
5987a81c4fa56cf78038101d3af27020991dd5181bfd75c629559f9d1c0c2414

SHA512
734fc10b3df8a99ed3db2859101d147339854b52b9433aec12d4529a2bd10b71e1b5db4547c7993cce649ef4d15380c5a23da6db4cf9f6b8a2aea4d477becdd4

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
1.5MB

MD5
0f15fa2380f78a7cac3b2d500b039e40

SHA1
cada8d0238e276b5846b8187deb8a52fb4ac9cae

SHA256
4568c42f3dedb3af5c989a176b550165ff66deaa07cf3c0d39819f35292d9e87

SHA512
16afe2b9c2516482e0161af37d63a6569dd164fe6047548d38833250425e6eaefd7d69250d6fbc7bec4b7ab232df952233973aa7443700840db8c92446228ee3

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
1.5MB

MD5
56de5316772d3ede8d6d09549f98dc41

SHA1
f61ae729ddfa4d5846e3a35da6d1ed8dab921f2e

SHA256
91fd95e7041655af7bd1107580757b81609354e0feb59fda5445c893feaf6fc6

SHA512
c45138d693655339794e3621757a0dd4b75dbe1fdf8f3a80c6c9ceba1f0574d2840c52a06183a99d28efd601458dc5068eeeb90aecbd05f525e5f082dfaf02bf

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
1.5MB

MD5
710149af78925ff3f54d075aeb22340f

SHA1
53928bb4e8e9ebda50ef6370c6c8b8ec2d1b9903

SHA256
9b5299d52bb89c5f19ca69f713499c872cc276f7a39bd9befc5b91cf294bc06c

SHA512
8b2b48a03db110203295e7787b2787cae9334e1ae741f9bfb259b6f58a2df6f4dcc7a5e20145fce19ef0106a1cdabd4b7885d1731ffeed1ed57ed9e3c47462ad

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
1.5MB

MD5
aed92c6a1ee16b25f11784947b3085bc

SHA1
fc0c83df13a4763ec549768121e70769042d3055

SHA256
13723b0e1e158066b4f04a0dc8febcd8d74bb9b8818aaf5d7917990775513c02

SHA512
fcb83f00d3d1a908bfc238a4ab5ea31d50484510b85f9fb9fdf9490accfa32ae1db99f436a7537c0070a64ea5e576497e27b8862b2710aadc1a74359e6ead8dc

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
1.5MB

MD5
3fe527b05cce29269c5ae3ee9c54dec8

SHA1
d8c4f4bb254af0bb4733eab733c9fc1a16565e46

SHA256
d16e025e49c8f9642733e6131a04adf8dfcb3a519d1e03637fe6f44eb094f5b7

SHA512
00c9ef3a33929be5fa403ae9de2766fd3bc28411bf835f29a3475611f554f2b2f93ecf20db7365765b0a188b71a566f2910e6a6e250c56ef914d8f14fad91ea1

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
1.5MB

MD5
f4f766be200b516156910d0e4303670c

SHA1
4aedcf85984275e2ae09e6fc266363ca661e9600

SHA256
362fac8b2d6d5bbbb597b6b3898eb24f7094c457b3f99838c9ef484cdc5e2f7d

SHA512
f034b5b208e28868f56bf1f599e1989eb662e9393c3c6b697ece39312070055833ca28ee9b82098fce903bf93c9e18f52d30f0329ca278981218f3622330db71

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
1.5MB

MD5
ffc3eb2e4d4f511905912ed607240638

SHA1
751bceb595fbf60e937e3e0ec7a105168cb2a0c8

SHA256
abf220154164ebfd6f50d67605e1bbec88379cb7d676ca663289f2d53733c5df

SHA512
57c4bd56a8fd90df0411814eb1bab138a968c5e2650e01ee42970f8e779b504cd6cde2ccbc5f74ec9c972b4e8140e614c3f4d4d3df5d63eed2b043ab061a029d

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
1.5MB

MD5
71f446bfe4d91bffd30b87f0fe5c3f37

SHA1
f55caa6027115073889f33ecb0e7e7fb3a2fff3a

SHA256
019ee75b1db2683361d91f63bae1426d34932b727c1ae6b0784789cfdff0015f

SHA512
10b889b2f7a8ce5cb9d336917e4f09c86287218dbf081f44562fe7f87f8be949f9df6a8faf088b277c3c141d9d6883c074e38653991420a515f8aeb01b9e96d5

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
1.5MB

MD5
8a4682c6a5100092155b167c4bab95d2

SHA1
a42207fefd230f2c49fa8fbfbd1e46d400aa424d

SHA256
16821d2e21c1f662c1ff77b292b1e4da7f1c382d985efd4c6342125d7607f65d

SHA512
ef0565fd1384ab77f71924c8029dd2e4b95e5e495e1df92893fd8a22ad10fe6c94832e650fb12647c9fb122e8ee78de7fecd007c8648736ab5759f84cfe85088

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
1.5MB

MD5
2baa0c1200590703047a189db5a93d5a

SHA1
7f5a022191e94686f39c0c82f1b162e64eab197f

SHA256
f972eb92bc40e190464942e8cde8dc2be5b687e3a7dab3035a08e2e0442f7282

SHA512
803b403666f48ab7e7b2115290ba8b70b0b3385893728170b28b2b0dbb6e0c855cff586e5d9ceb6c37615a1997dfc3efffd364d4d58603a11ccad1df8a0cc321

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
1.5MB

MD5
ff4198707958c9e36eb322a4dda464a3

SHA1
9f68761c54ebc86eb2a813e899d52cb7e80fc9c5

SHA256
7f462762c46a4c24871ef7cc34b195723c32a7a17f04fdd16e27c20c0a4c863f

SHA512
eacdef473dc74e245b2a917d7c254fd2f164c3f865f51bee0e0777562fefb469eb450398792558d2d7f4fb66723be951175ea136bf5bbc3e7f01d6f2956e5a3b

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
1.5MB

MD5
e30d81b1e168ad9447c62b93cd507645

SHA1
808e2394004047de83665feec720118ecdc0e60a

SHA256
be630b41d7372d109d8b70be0cdde5c7224c627594db031146745736ac85eb54

SHA512
d8ca9e347f95d421e17ae45df6333a28318d7a7e4563a718a97baae573dd55a08932f3cc3ae2d48a42794c65dda8eae471d8ba4c8e77921e4738239173fc7adb

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
1.5MB

MD5
a2a8620b87a88d3fbf28fb1fd0580720

SHA1
1c1b82b1db6dbcf56845563e6cdac5870221de4c

SHA256
2473d55d1508a3c65d71c1ea0aac132cb24598526b37b3eb9f750033a8c18596

SHA512
6dee19a6a791bf4a2accc7d2d9aaa25c8f5cdc818b8c43d0f9dbf902556fb027c691aace2501f16b080681293afec4dd29f7fba7a1f5cdd3e5cfe8a8134de50d

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
1.5MB

MD5
489c3e116452031a43f4b2d277748cdc

SHA1
05ffcb5f2d004938a59d1aef40777cdc994d5799

SHA256
9df5fa4313c3bccf4522a6a65074d821bee5ce0ba8baca39b7001b5b673d0aca

SHA512
a9b8df9e91335bf680d44648e08eb00c94554bb1b9fe58aa9ac2b839cbd06cd766312129476c6833a0fb6ef8c8d7dadb1dc2ec3fc3cd9e7105eb3b043ba40647

Download Submit
C:\Windows\SysWOW64\Ofqmcj32.exe

Filesize
1.5MB

MD5
6df91bb3fed4f0f8b2a0a4c643444d0e

SHA1
85bbdb693ab66b1590a662ca04fc944df7bb4f37

SHA256
fe8962b1683bf8f89e1c68113082f11960445d24c5aa00d6b7b3992e21cfc932

SHA512
bf3f5e8b78f14fe6fd7af2b5c712a9a8644e27d260ece85300750d6af7c9d8188156c66ce923aaf04ba477bab14b1507027396869611b3282b7746f2c35769ac

Download Submit
C:\Windows\SysWOW64\Oimmjffj.exe

Filesize
1.5MB

MD5
4749eab789574a570702e785b0ae321e

SHA1
1681fded296e8df675d1cb2ae92708058d31d9cb

SHA256
20b1383fd380c8ea29684cb5b073b97e2fe84c9cefc9eca3d6310f3c474012ab

SHA512
58c3549e72c354a016f865f77ba69101d158090e0986a385ddbe878eef65d07b4ec3f2b78946f349721ead83f8f41d62796fe3e93baf1d0148a45b2cdceda4cf

Download Submit
C:\Windows\SysWOW64\Plpopddd.exe

Filesize
1.5MB

MD5
63dca323183d4f992f8fc3d5ba38554d

SHA1
5282d71a0bed4d2d7df861acdb9d6768ea9c0cae

SHA256
db7e157bdff7a8ebcfb4cda56a640202a715e320157f0c9754a2d7cf6b6984ce

SHA512
c1762f97ba1931203078bd494fd40f082749645b11fc27e120f4cd3037adf42381f29830c0c7ec81b307b93646e6729337c9968d5ac1d69f9b6cd0a8c573a459

Download Submit
\Windows\SysWOW64\Adipfd32.exe

Filesize
1.5MB

MD5
cacca2d1daccaa5f478f02963d74f99f

SHA1
44b70a67d9b051c6d1862d46fc9a8d9034ff73ca

SHA256
b0b8b78a97b748d427d960e023e111a181cea092b566ee61308a13311f123539

SHA512
373a54f6e8b1ef4ffc3e6c7190d2e9c147ba8b37d61a4ca90c2585cbd021bec402baac828c4e446446b14e5a0c8f62827f8e55f8ed8b56f254ebcdf4cc20653d

Download Submit
\Windows\SysWOW64\Cqaiph32.exe

Filesize
1.5MB

MD5
1de073e60ca2c547112246af8a23c71d

SHA1
fa31bc3779a5d7600933c4612fb5e2060c5ad856

SHA256
bcad5c07590c29ffab3158399ab6dcfb738346fcd92adca8a32e5764435bc77a

SHA512
16f8971c566d9f019041639c4f379ff1edc7f1b3402f437e406295f01a9e6da4a92fd8d30cb97d1c8ca51a5165c8a9edca6025bf01cbbe60e6f2c6ddd52de619

Download Submit
\Windows\SysWOW64\Dboeco32.exe

Filesize
1.5MB

MD5
d80434a22a3e23c6c5668409f07cd4ea

SHA1
012ff9411595ff897cb1358ef469c669927edbf9

SHA256
edc57f99511efa70dcf5d39d43320b8db3b461fe58e5667b22cad4a65966199a

SHA512
08121cdeed38663f3262dec3b10cf2881c35ab1be326a7ace0eed5de927247184094af9ca4bd91a54a5a8d9a1fd50c419516932c5f186bf9086a3e1c51f811fd

Download Submit
\Windows\SysWOW64\Dgiaefgg.exe

Filesize
1.5MB

MD5
de57dea026d00032e5b54bbaa301c35e

SHA1
2768b9939f4a0927f1990d1cb09ff6dfdb574046

SHA256
82e8b3094623ce0e905cefb79c62f865cd5ffc562ef59d88027876c832d18212

SHA512
2812ebac9cb3dc6925e0a724008fd9a2f1abc515876b908743f015708709891e8a3dc92e50c0fdd68edcb5bc2c4a37323c8425375f27e694598ce38047bb49a6

Download Submit
\Windows\SysWOW64\Epnhpglg.exe

Filesize
1.5MB

MD5
1725489c8f5cef8d04ed35c102df8e2c

SHA1
82970d93ab618e8d98685be244e604f5c71092bb

SHA256
41a57441537d24fe59363d03a4684ba5ef3bccd52eb6ab7a328d121868c0e79e

SHA512
f81feffd101fcb4cc5abb05487b7fe1e12e6587a9e1a9b0524913289975d9a25f76fd725ce5a13b3f0d62c8c023ca5c771dee61716865e568e5a9d236f541ecc

Download Submit
\Windows\SysWOW64\Fkqlgc32.exe

Filesize
1.5MB

MD5
fa04a114d46c37dc87d5b17d56d358e0

SHA1
ec834c5c88ae9abd1c8107c2f97cb940b4bf09f0

SHA256
72adbb49f782440fde3800b5cceba9a3641adda8959b9437002ecfb124c591ba

SHA512
14f8398b6c71ab54f1cafd6a207ec79607af9c2fe3b26ecd9ce4e07999fb78a1fa14eff0a60276b581a0928b27115f15ea543f98df57c70aeda3230a3c795f89

Download Submit
\Windows\SysWOW64\Ofnpnkgf.exe

Filesize
1.5MB

MD5
8e00efaffaba96650218593d1558c0ea

SHA1
179ed672afb485588244291ec8c6fa443d13d82c

SHA256
e9d153631f39024fa88b915fa6472dd424bf6123897fa7c6562117696ed5c3f9

SHA512
31efaceb07fce30d464550aae636b3478ca2b6c2f5c9910f4f1eb4611473a74b44c2cba1a5d7593b2ccd721142f4b02c687ad25d9ff34f029cbd1d64738290d6

Download Submit
\Windows\SysWOW64\Peefcjlg.exe

Filesize
1.5MB

MD5
2d8712d2946aff95ac20c0d0c275cff7

SHA1
4ec27cdf247154a4d0ae2a55b337f07982d6897c

SHA256
c814feb10a08ca0d4bdaa81e9bc7c863d2aca163469f0256e36bb6810c115467

SHA512
53ab300902fa106b01dbd50a4ce62a45dd476fdd8d7a3a73ff278ef2841ac4dfbab1cd530db6a550ebabf0184933afce99fabe7435590665034707a1fee7aceb

Download Submit
memory/600-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/600-139-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/600-451-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/600-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-429-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/988-428-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/988-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-396-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1324-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-153-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1448-455-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1508-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-289-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1620-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-343-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1720-300-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1720-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-299-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1800-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-452-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1888-453-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1896-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-440-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-167-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-242-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2304-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-322-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2368-318-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2368-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-407-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2464-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-85-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2464-80-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2532-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-386-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2532-385-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2532-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-70-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2536-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-368-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-56-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-383-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-360-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2572-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-42-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2572-41-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2572-361-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-359-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-369-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2684-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-216-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2796-335-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2796-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2796-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-336-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2796-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2832-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-181-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2844-279-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2844-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-112-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2972-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-358-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2972-348-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2972-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-22-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2972-27-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3008-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3008-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3008-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-311-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3024-307-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads