berbew | 20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Size

96KB
MD5

40d5bf0a7ab1102caea7556f039d67e5
SHA1

f8b05517e2cc5016514a04018c825417181ccbdb
SHA256

20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7
SHA512

da59548d22d9cd06d07607d24434ff319c0a5ed04a183fd92d8f9af6e2b855da9699c08658794c037f26f39f9735bbaddb4e49114fc4bb091c9c24eccf31dbbe
SSDEEP

1536:PPHBY1SlGmzn0INfgdjSXBl/fnrpYv6ml+GOduV9jojTIvjrH:XhM+4IVgIXvLy6u+GOd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcefjgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcjdpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmplcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
1652	Jmplcp32.exe
2612	Jcjdpj32.exe
2884	Jgfqaiod.exe
2088	Jcmafj32.exe
2436	Kiijnq32.exe
2080	Kocbkk32.exe
768	Kilfcpqm.exe
1400	Kkjcplpa.exe
2604	Kbdklf32.exe
2836	Kebgia32.exe
1592	Kohkfj32.exe
1940	Kfbcbd32.exe
1912	Kpjhkjde.exe
1868	Kbidgeci.exe
344	Kkaiqk32.exe
1588	Lanaiahq.exe
1784	Lclnemgd.exe
1108	Llcefjgf.exe
1020	Lnbbbffj.exe
2292	Lapnnafn.exe
1360	Lfmffhde.exe
1604	Lmgocb32.exe
1852	Lgmcqkkh.exe
1792	Lfpclh32.exe
2220	Lccdel32.exe
3056	Lccdel32.exe
2692	Lbfdaigg.exe
2572	Lpjdjmfp.exe
1448	Lbiqfied.exe
2440	Mpmapm32.exe
2412	Mffimglk.exe
1968	Mieeibkn.exe
536	Mponel32.exe
876	Mapjmehi.exe
2764	Melfncqb.exe
2820	Modkfi32.exe
1704	Mencccop.exe
2476	Mkklljmg.exe
1316	Meppiblm.exe
2668	Mholen32.exe
1848	Nhaikn32.exe
2972	Ngdifkpi.exe
2900	Nmnace32.exe
2196	Nplmop32.exe
448	Nckjkl32.exe
2276	Nkbalifo.exe
1284	Niebhf32.exe
2236	Nlcnda32.exe
1028	Npojdpef.exe
2156	Ncmfqkdj.exe
2320	Nekbmgcn.exe
2632	Nigome32.exe
2716	Nmbknddp.exe
2420	Nodgel32.exe
2488	Ncpcfkbg.exe
576	Nhllob32.exe
684	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
1652	Jmplcp32.exe
1652	Jmplcp32.exe
2612	Jcjdpj32.exe
2612	Jcjdpj32.exe
2884	Jgfqaiod.exe
2884	Jgfqaiod.exe
2088	Jcmafj32.exe
2088	Jcmafj32.exe
2436	Kiijnq32.exe
2436	Kiijnq32.exe
2080	Kocbkk32.exe
2080	Kocbkk32.exe
768	Kilfcpqm.exe
768	Kilfcpqm.exe
1400	Kkjcplpa.exe
1400	Kkjcplpa.exe
2604	Kbdklf32.exe
2604	Kbdklf32.exe
2836	Kebgia32.exe
2836	Kebgia32.exe
1592	Kohkfj32.exe
1592	Kohkfj32.exe
1940	Kfbcbd32.exe
1940	Kfbcbd32.exe
1912	Kpjhkjde.exe
1912	Kpjhkjde.exe
1868	Kbidgeci.exe
1868	Kbidgeci.exe
344	Kkaiqk32.exe
344	Kkaiqk32.exe
1588	Lanaiahq.exe
1588	Lanaiahq.exe
1784	Lclnemgd.exe
1784	Lclnemgd.exe
1108	Llcefjgf.exe
1108	Llcefjgf.exe
1020	Lnbbbffj.exe
1020	Lnbbbffj.exe
2292	Lapnnafn.exe
2292	Lapnnafn.exe
1360	Lfmffhde.exe
1360	Lfmffhde.exe
1604	Lmgocb32.exe
1604	Lmgocb32.exe
1852	Lgmcqkkh.exe
1852	Lgmcqkkh.exe
1792	Lfpclh32.exe
1792	Lfpclh32.exe
2220	Lccdel32.exe
2220	Lccdel32.exe
3056	Lccdel32.exe
3056	Lccdel32.exe
2692	Lbfdaigg.exe
2692	Lbfdaigg.exe
2572	Lpjdjmfp.exe
2572	Lpjdjmfp.exe
1448	Lbiqfied.exe
1448	Lbiqfied.exe
2440	Mpmapm32.exe
2440	Mpmapm32.exe
2412	Mffimglk.exe
2412	Mffimglk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kkjcplpa.exe	Kilfcpqm.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Lbfdaigg.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kbdklf32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Llcefjgf.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Pikhak32.dll	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Kbdklf32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Kfbcbd32.exe	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Ogbknfbl.dll	Kohkfj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Lbfdaigg.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Lbiqfied.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mffimglk.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Iimckbco.dll	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Mapjmehi.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Nkbalifo.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Fdbnmk32.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Mponel32.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Cpdcnhnl.dll	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
File created	C:\Windows\SysWOW64\Kmfoak32.dll	Kebgia32.exe
File created	C:\Windows\SysWOW64\Deeieqod.dll	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmplcp32.exe	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	Jcjdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdklf32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Pplhdp32.dll	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Kohkfj32.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Kohkfj32.exe	Kebgia32.exe
File created	C:\Windows\SysWOW64\Llcefjgf.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Effqclic.dll	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	Mencccop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	684	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdaigg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmplcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnbbbffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiijnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbdklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilfcpqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjcplpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kohkfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjhkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfbcbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcefjgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mponel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmafj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanaiahq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmcqkkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaiqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbidgeci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcjdpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll"	Jmplcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll"	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcefjgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll"	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmplcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcjdpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mffimglk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1652	2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe	28
PID 2184 wrote to memory of 1652	2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe	28
PID 2184 wrote to memory of 1652	2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe	28
PID 2184 wrote to memory of 1652	2184	20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe	28
PID 1652 wrote to memory of 2612	1652	Jmplcp32.exe	29
PID 1652 wrote to memory of 2612	1652	Jmplcp32.exe	29
PID 1652 wrote to memory of 2612	1652	Jmplcp32.exe	29
PID 1652 wrote to memory of 2612	1652	Jmplcp32.exe	29
PID 2612 wrote to memory of 2884	2612	Jcjdpj32.exe	30
PID 2612 wrote to memory of 2884	2612	Jcjdpj32.exe	30
PID 2612 wrote to memory of 2884	2612	Jcjdpj32.exe	30
PID 2612 wrote to memory of 2884	2612	Jcjdpj32.exe	30
PID 2884 wrote to memory of 2088	2884	Jgfqaiod.exe	31
PID 2884 wrote to memory of 2088	2884	Jgfqaiod.exe	31
PID 2884 wrote to memory of 2088	2884	Jgfqaiod.exe	31
PID 2884 wrote to memory of 2088	2884	Jgfqaiod.exe	31
PID 2088 wrote to memory of 2436	2088	Jcmafj32.exe	32
PID 2088 wrote to memory of 2436	2088	Jcmafj32.exe	32
PID 2088 wrote to memory of 2436	2088	Jcmafj32.exe	32
PID 2088 wrote to memory of 2436	2088	Jcmafj32.exe	32
PID 2436 wrote to memory of 2080	2436	Kiijnq32.exe	33
PID 2436 wrote to memory of 2080	2436	Kiijnq32.exe	33
PID 2436 wrote to memory of 2080	2436	Kiijnq32.exe	33
PID 2436 wrote to memory of 2080	2436	Kiijnq32.exe	33
PID 2080 wrote to memory of 768	2080	Kocbkk32.exe	34
PID 2080 wrote to memory of 768	2080	Kocbkk32.exe	34
PID 2080 wrote to memory of 768	2080	Kocbkk32.exe	34
PID 2080 wrote to memory of 768	2080	Kocbkk32.exe	34
PID 768 wrote to memory of 1400	768	Kilfcpqm.exe	35
PID 768 wrote to memory of 1400	768	Kilfcpqm.exe	35
PID 768 wrote to memory of 1400	768	Kilfcpqm.exe	35
PID 768 wrote to memory of 1400	768	Kilfcpqm.exe	35
PID 1400 wrote to memory of 2604	1400	Kkjcplpa.exe	36
PID 1400 wrote to memory of 2604	1400	Kkjcplpa.exe	36
PID 1400 wrote to memory of 2604	1400	Kkjcplpa.exe	36
PID 1400 wrote to memory of 2604	1400	Kkjcplpa.exe	36
PID 2604 wrote to memory of 2836	2604	Kbdklf32.exe	37
PID 2604 wrote to memory of 2836	2604	Kbdklf32.exe	37
PID 2604 wrote to memory of 2836	2604	Kbdklf32.exe	37
PID 2604 wrote to memory of 2836	2604	Kbdklf32.exe	37
PID 2836 wrote to memory of 1592	2836	Kebgia32.exe	38
PID 2836 wrote to memory of 1592	2836	Kebgia32.exe	38
PID 2836 wrote to memory of 1592	2836	Kebgia32.exe	38
PID 2836 wrote to memory of 1592	2836	Kebgia32.exe	38
PID 1592 wrote to memory of 1940	1592	Kohkfj32.exe	39
PID 1592 wrote to memory of 1940	1592	Kohkfj32.exe	39
PID 1592 wrote to memory of 1940	1592	Kohkfj32.exe	39
PID 1592 wrote to memory of 1940	1592	Kohkfj32.exe	39
PID 1940 wrote to memory of 1912	1940	Kfbcbd32.exe	40
PID 1940 wrote to memory of 1912	1940	Kfbcbd32.exe	40
PID 1940 wrote to memory of 1912	1940	Kfbcbd32.exe	40
PID 1940 wrote to memory of 1912	1940	Kfbcbd32.exe	40
PID 1912 wrote to memory of 1868	1912	Kpjhkjde.exe	41
PID 1912 wrote to memory of 1868	1912	Kpjhkjde.exe	41
PID 1912 wrote to memory of 1868	1912	Kpjhkjde.exe	41
PID 1912 wrote to memory of 1868	1912	Kpjhkjde.exe	41
PID 1868 wrote to memory of 344	1868	Kbidgeci.exe	42
PID 1868 wrote to memory of 344	1868	Kbidgeci.exe	42
PID 1868 wrote to memory of 344	1868	Kbidgeci.exe	42
PID 1868 wrote to memory of 344	1868	Kbidgeci.exe	42
PID 344 wrote to memory of 1588	344	Kkaiqk32.exe	43
PID 344 wrote to memory of 1588	344	Kkaiqk32.exe	43
PID 344 wrote to memory of 1588	344	Kkaiqk32.exe	43
PID 344 wrote to memory of 1588	344	Kkaiqk32.exe	43

C:\Users\Admin\AppData\Local\Temp\20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe
"C:\Users\Admin\AppData\Local\Temp\20278ae206ec53682de19439a6f622e8a8f49fad592633bec4a3b471736d16a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Jmplcp32.exe
  C:\Windows\system32\Jmplcp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Jcjdpj32.exe
    C:\Windows\system32\Jcjdpj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Jgfqaiod.exe
      C:\Windows\system32\Jgfqaiod.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Jcmafj32.exe
        
        C:\Windows\system32\Jcmafj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\Kiijnq32.exe
        
        C:\Windows\system32\Kiijnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kocbkk32.exe
        
        C:\Windows\system32\Kocbkk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kilfcpqm.exe
        
        C:\Windows\system32\Kilfcpqm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Kfbcbd32.exe
        
        C:\Windows\system32\Kfbcbd32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Kkaiqk32.exe
        
        C:\Windows\system32\Kkaiqk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Llcefjgf.exe
        
        C:\Windows\system32\Llcefjgf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Mkklljmg.exe
        
        C:\Windows\system32\Mkklljmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 140
        59⤵
        Program crash
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cljiflem.dll

Filesize
7KB

MD5
095cacf5e875d07ef7547fa71cba80ba

SHA1
5766645946f0e8093fd118dfdc250fd5a3b7791d

SHA256
1ade0c9f5d91c20077851c1a7d52c8f9239380f91a60027e887b447d3662c6d7

SHA512
05a5db9a62e257cfa86195c2855f7507cfe789989fad3234917a738f4801f903d096f0a8067e74210c9535c93daffd320a072b021879038b127195d1ae9b966b

Download Submit
C:\Windows\SysWOW64\Jmplcp32.exe

Filesize
96KB

MD5
1036cd477fc1db4551fa5152795f1e1b

SHA1
c60a4576ee43ffba1e5767a0210625ce812129e0

SHA256
27ac50749c09cdea83da25ff21e0d3e31f5af7a1b23b52ecbec6a4e17419d4c8

SHA512
c4d1d7617f0f2b2fffd22f95128634489daabd53e63542401890c650a79b8743a2bca069e0325e001da6ec57f9f9bb7198756f69140813255ff9b4b1cc15c8be

Download Submit
C:\Windows\SysWOW64\Kfbcbd32.exe

Filesize
96KB

MD5
2cf3a26042d5f8fd059a1b8b2acf8515

SHA1
4e3eedfb597c190ddfe0eb0decc6f5e993b0fa6f

SHA256
cf82d6ad8230cba04eed357e63bfbdb60380380405c17c04656e94b933401936

SHA512
0cce88c47cfbc28f4acb1b631c1adf60498430ce41512bafffa6535af51b5db2e51f66ca66c21aa9aa055a31c265cd250c61f6b925e8513f7054bc6f80a22aa5

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
96KB

MD5
0bf2de690b286f526ae8680d0c12973c

SHA1
3667072ec2b1c102682f604b7c4ff35e62ce8140

SHA256
6d578f3986936fa609bbfa0a2315b893bb14114274f86250fcc3e5d9e962dd43

SHA512
0996162a231db70e3aa6bebd144de42e66f66e8e6e2e7e3843d6cdbbecc586e9c7d254a0344f6946b384b05ecf7c57cef848e9fca611deab98a926d420d34db3

Download Submit
C:\Windows\SysWOW64\Lanaiahq.exe

Filesize
96KB

MD5
58ff98ddff542b081a443da643fd8eb0

SHA1
5f2baf34ae9fc725432a01611b57a4817f4e1883

SHA256
8ec2d5b9898c2228bd94f7a673796e1750ad1b2a9c6fb5b777d7f3099578ad78

SHA512
f9d6ca842647c432aeaf90b57aef8e5e85ff291fbcf454a4cba562f91b664265a56faf1236d43fa2d88c9fe609a0153462e7961f1e4711183cfe4e9b7e9be367

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
96KB

MD5
974582771c1161dd1a1cc67a13d447ac

SHA1
de62bbde67834113586422c77531659eeaec83f7

SHA256
f9e2e3453ed90211409762049bcc0ac09706f4fbbb59f765f82b2b5dc3811a45

SHA512
204bbc5f9fc2df197a56f451a3273773756a76791bfc702e652897973a08eaf4eaa8a48358e41c256951e99234c616fff819b4c6a3515174f0d88bc1e55780f0

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
96KB

MD5
68bcdfce99b9125aab13b73f71bbcdce

SHA1
1b2beeef7cb3a3849ad0753cc8c91ed99d0de1a4

SHA256
12caa82abadae27e5acb6c22d6c6dc3cd2b143cb09501cd57506ba93757539a7

SHA512
751284de6cba1d9318f50a72cdd22d52ff6c09ea962d6b42f1832a502147588a33b9ba6adad66d415aea59d121aab0134bf477c44e9b3bee8eca45babaa1606e

Download Submit
C:\Windows\SysWOW64\Lbiqfied.exe

Filesize
96KB

MD5
73546600f76fb8ea54ae3bfde872bf92

SHA1
df733f4e479d5a8d2977f48bfb070d7bcbb5d51d

SHA256
d22570803e2b4a132f44829a6ad9492c8f0d7c8c46499c5aa623291e5f8f7294

SHA512
8a1d57dda0511be099e1b726e98cee24875abc7fe94fee35bd4ddc7a81350bcfe7cf6c1fee4e92e7893ff86a9b41d8dbfca0cbd14cf005f289dd49f62eb54b24

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
96KB

MD5
2bb7c664a7fbe2f965d54cad5935f3c1

SHA1
a9f80587c7407a86480e0256c54bd2e9d2c225be

SHA256
d62c957546d7d65fe55fca428dceeeba6183565400eabd6f431029f3fca0c1fa

SHA512
4046bd2c9b42b36ae8fc6c1fe2f5795e6e7d4a6b3624892f582747e071b981ad91b43d2f9d7767003a6b06fbbafc9deffa764ac66c6fd6b552a6805f782942de

Download Submit
C:\Windows\SysWOW64\Lclnemgd.exe

Filesize
96KB

MD5
a929bbf7af2c41d34c2f28e1c27af2f6

SHA1
0b0b47fe477f5c19e5acb91a4175d68436c7e481

SHA256
1dc47d1d0fd24fb13474ba4b2ba64a44acb471c33adae6c7c7ad1e5b07c1b145

SHA512
8f35c77e18e44f8ee274c4fc55fe936b286a9d911e83f0a0463dd8cacabd1d4fd3c6d698673223f514c9de60fbc86483696e0caadfd76eb11abfaaef85a89d2e

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
96KB

MD5
a2c737b8c6e53f20c5041ee2483903bc

SHA1
030fbcc3d9225447c22a00683d5e825ec6fbfcb9

SHA256
13a033a384134b904b37b36a104cfbb869527ad63f7c2066fc136412a9df9d83

SHA512
f3dccc011d0543839b27859c8838b6bbe1cf1f494302cef3ee0d173101073cd69caa5c98a2ee4dfc18e4c9f3d3b19dff2b775733797ab8cd3d9b0d5ab3f609c1

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
96KB

MD5
9a1e158d00d2e0eac77c8c513919f6c8

SHA1
c25ca2385cc0ab81531948b092a41bbef5ef1a4b

SHA256
e67aecc248d8074432e1a703b4cb1e61fb75f2f4bd45ff0a6c2b6d53f890ad71

SHA512
bd318ea7e08865c95d951bfd86b5feec6d82deccf17838297a25560ebfd3b645ec96b99010b2efbe2c554a964e2f28fccd07424af0854632b3e0709de68ac89e

Download Submit
C:\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
96KB

MD5
7ea0dd84dcfff4ef52a91e957316220d

SHA1
65c568fa439035a19aa3507449d763b4eb9a1232

SHA256
ef25f3feee02337ff97c60b955eb8994aaa734e260f3e8cdbee6d3f622293f66

SHA512
4d5aa3352b1012f2ed6185ee49336e436bf8dbc1541ce44048aa1db185874b8b73f019d2f73491be55ce169ee935360fa64c6054c0b3caa881071d0c3b568136

Download Submit
C:\Windows\SysWOW64\Llcefjgf.exe

Filesize
96KB

MD5
386bf172cd4a3d539d458ff35c5b7ee0

SHA1
e8de03a242026809de0dc9e6c63c1c457bac9a2c

SHA256
29e7287afe581a536b47e5bde8ca2bcc5c475fc24e75cb708f184ca18449fbf1

SHA512
084d932ad211ed45422333d873a53cc5f8f934c28b32876dbb66f1c394d0ed0a0a9fd0b9bc34a3d63681921b45851b2940c9bbe9b585a1d3853cb9e7443c5bfc

Download Submit
C:\Windows\SysWOW64\Lmgocb32.exe

Filesize
96KB

MD5
47d5c2772c2dd730770178f49f2266fd

SHA1
afef7c6620c96db391e2d15d99c72a2cf5f5dd04

SHA256
894afecd565bac5dad7ffe6f442ea8009991f52fa33f814c7360cf02dce7641a

SHA512
13af41cec004a1e604914190891f0a14255a349880cf095dc536713e488467f579da27302c641d96617db840683435378bcf6656bd4667e607e706ff1c85e122

Download Submit
C:\Windows\SysWOW64\Lnbbbffj.exe

Filesize
96KB

MD5
642b387d87c69c21dc0bddd744bc2e4b

SHA1
65dc2bb6bc7edeaf4c8ca20d87a4eef83d24e0c7

SHA256
f198cd15a48c787f717f238d5d60d2d66c186dfdff0ebd2a575b831639478b83

SHA512
0eb569ce36790974f703e688248d53e811d8cea2485effc836697b4ece859c6fd03dd0388fc881ce5100c118dd1fb2a363ee1b8c01d089077e177b89cb52aca1

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
96KB

MD5
20d88b372d09f988b2247c14bbbe71e0

SHA1
20c95fa8d88b615a90080756f1f2771d866330c3

SHA256
7eed4865c2ea576bc947a99a848525f26d364bf7d008553c64e0cf181b12bc9c

SHA512
5ae57740d6e77997a23a4bba70a176ab4b8bc015711e1b21d8d9a2d7bef2e058fa00c41bf671ac59de1a16183f825b031797eb08793cb3e5b5c6180d4677b018

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
96KB

MD5
687e7aa40064342da3960601c0bc49c9

SHA1
0737b3f4e2aeb65782fc722a82516a2f15f3fba6

SHA256
c27716c0c2a9719066a2171b7a26710b3f5998d2190816be4a98ba262c5d4b72

SHA512
91d9ee9790792c627c029d5af1cc49721c066de61450be34d8f071fd5be467f22335c4c9a056e8742ad2a92235002212646b7ea99bbcb6c69d5924ad29c55528

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
96KB

MD5
6e7915ee9cc7a905b35958a7ffc3efaf

SHA1
ae7eec0f83e6d216a10cabbd1e474a1c4b98a312

SHA256
e813cca4ce4f36f12b6b025316a13423c66a0e19be52181b70fe34f5b929ed39

SHA512
dbede3c43c0fd0c29208874fb28f371954ffbb13a81c0bfff2a87aa11d1ec478ab54acc6cab50def86e565eda48e68e2dc03fc44c14f15ea075d4b6ee2a67bbe

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
96KB

MD5
9da1ea2a7cba83c313a9ca64f3a991bd

SHA1
6fc58a70160b2bd6376187b5e65254c6bdd6f242

SHA256
29d4e47262bd96305f4f4c1f825daade1fd0d452ff168319b2572e9ab8c40acc

SHA512
109ed5ee5c40a381226a1397e49487ddb91cf9ca060cddd6f0c8a21b3465d14d719428083b0098b32b96b24b9adb1396a97292e8c0603d1f643c2d8ceef05ec0

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
96KB

MD5
7452e3bd247c19910c07b6fd7f5b36b5

SHA1
23ab8b2fb9a8b52d5158f146cfb5c7040282df4c

SHA256
27c5ff4e3d1a156452420229a614b58499580d1bc1ca0fdfa1d9e2eaf169e4dd

SHA512
ebe347deb0211b4117f0e97bea1bcce9c239be4c088b0ce8b1c2a0add0de612bf98369e1f6cdcbc74051dfc8b3d807f6f58561f145812785e0a8e2a65082f568

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
96KB

MD5
2f9aa64e2f35c84ebb95a752993c1d17

SHA1
3fa8f7487722250c56787eb0a0fd2ec67a226de3

SHA256
06644374ccd32f76bc19607d508fd779b6cd1525aaf45a3db7799721ce2de23d

SHA512
d991efd949d035b2ca894bb0186e0b889ba33ef77757881b1cb194e7aa5f127c0a5af29599381f74170d0e646ebe3ad482b7ab951bcd41c3c8d88b0351de434a

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
96KB

MD5
e0f0ae8d32de5d57b10a4975e2a27909

SHA1
e37e89d32d39e5e0e1ce68f5bcf02fe63b1e2cdf

SHA256
9a1b8ce7ea94fa62da714e2aab8c77e93badd4b892113eaccb1dd1d929890217

SHA512
d3e46b467c820c5fed3f48c66a84adde4305f4af4f4a3e427c76468d0cf7790cd6196b01139002df4f7759011bad0b9f5079e74e630faeaa2d7bc216aa09b32f

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
96KB

MD5
67f6a0aece4283abc2f02d7d7b14198b

SHA1
7161f222091a869cfc3b2be593beefe4ca79eece

SHA256
e76261b1c1e9f8699339f2517d5f72b520f38465b032a5a12d49c89e025c9b12

SHA512
f725a2319c20a66c21e7b615250c7b44567edc89d6c711ed1443c48c955500a958f7ffbbb0f7b9cd9cf631e6ef799a7c35e5b7a8f0e4170dfbd1d46c33ec87ff

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
96KB

MD5
aa9329ad7033994ccf01935f9db62417

SHA1
8e173dd7a50cbb0d52ec6d7eae2f5625689ae75a

SHA256
6c03cff430ba7aa4ff3bb2f2d8c01e9d608537f58a49d21975341f0909fb3d1c

SHA512
11c5db5a15ab1cb7c033a41bb106f28d4574e53b27e554ca43f2f923a61ed528659a620ff9ba3df70596bb149d023cace6c9995b64e38f7682e9af903703f41f

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
96KB

MD5
7a35b611235b8b721fc9aa63ebfb2833

SHA1
61da70ec9a0d8766666314a83752266f57b0482e

SHA256
0ff54f46fd9e053dc110f7a52e011e0d81f5ba3854a9532f3209f852bd4b343f

SHA512
7a8893b339c1896993789817d197542d7cc1a9c85f72f743aae28a5909070671096e332c83375f820be8804391eeac22a3430f772e6e83b3ac1820d66c006f98

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
96KB

MD5
ffac8e1ddb4c4533d15ac09a714e5374

SHA1
015ba0d3584c5002a69e9f52b430f7f2a37923ad

SHA256
38ce7416411684611d9e8e16b6e05b27630917b9118e33f30195763bb48b3d09

SHA512
99e5cbf4cc0aa552ec176ea94ca617cb440fe619b933029632b2c55ffe516903a274ecf60b4d539c3a63f7b1006b32321ed8d4e67ed8286ddd130eb4eec61c76

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
96KB

MD5
e1e2e42235e830f466b45faac852d024

SHA1
b1f428b1a82c914822d2cf67ca03913504d325fb

SHA256
70ddc2ec1765787a1d14f9d12bbc8511096057b599a129cbc595560a2f4c0848

SHA512
2c982a314871c96ac84e321e44333ff3306b529ca5366a27c6ba32d9485bdd5942a715962fa0e7fef032a196f47d418324e5e8fd2878b1d29d4ed60a20ea1eb1

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
96KB

MD5
fe5198a6b3d2f7ad0d28c1d9533b5ec8

SHA1
d30bb088e02ed709acaf442681f59585d1901926

SHA256
d4414f7d06467b66663b0605bdf77774aae174c250abd405b73d078204984ecc

SHA512
93394093a2f2c9959e25622bf525664e12af2b5f35dcddc71d3155678184746de8eda4196a9bbd84142c38fb0c66439fe903b5fbfc4a829d14a7e7358f212861

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
96KB

MD5
4ad56471a33f09f1bc060c0b4df09b72

SHA1
09f8d4163f33de84c11221586c1ae1fe4448c168

SHA256
bae256862dd95d2fffec91f3ea67cbca4b669f01723df70aecb8fb5928d495aa

SHA512
3ab337108eee195d9a023f440e3bde3b3bce191ff4d38ce05d4dc490a8a1be0ce448b8b8cf2476cc14333a74ba2736840df5fc2d2e334d811aaca845c8b56bcf

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
96KB

MD5
cd391c434b7c37ecaf0e347ad2e99e24

SHA1
1a771a45c39bd8aaae1805197aea3818222b31d4

SHA256
9158922d197b7865dd47ad8127ceff30c6c1f2ceb0ba9201e3afd141ea954e1e

SHA512
ae5591f7b4ed07ba43b473c1b6bbba47099dc48534ed9eeb5c2d5f20c49af0b1fce992be7441b2bd3e64d5c91e7a92230fc6a11722f1f6040a5574dd463e4fc5

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
96KB

MD5
b54d8e0843441296abdd5c15b7ed8a68

SHA1
59545e631237c2ac5b0c3eaa1778387bff10b386

SHA256
ed68c5672febab3b7f421f7461144c2fd3a8a65efa1b978ddf5e55fc923d05e4

SHA512
09c04ff37f62ac4dd44613c2cdfa6fb7ea949f13ec50e933c3482bf38eb89a7a4f7fa03fc68592da9fffd4a68ba918d102af5a10da611b2285aaa24fc719e73b

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
96KB

MD5
95f6235a85a67d85ca1d94c3d0872724

SHA1
84900c24f20ee9b3e979a7e3831f4e2d54799c41

SHA256
e86e3d7bc295f94bb4f80e06d3b20acfe2b2c5637fd78dfb17514cb329e62940

SHA512
8365567290ec2183bca0b95ca288d6e5f1eb85102e1d0a470979bdf73f72db9d371c7cf7d3146e9687fd1e100e35b92ea5bef56991f3f4d0d364fd99e70b7fd2

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
96KB

MD5
a1e4dde19d49a1c0a6fb11a298beaebc

SHA1
bb208ae2c521540784bb39a17e4fe2056dc0a6ab

SHA256
2b91549209b0eb8599af9ae1e5d94947982d75793202b6b234dcc6d4fbc99fa6

SHA512
defd17caa8ff2b74efa2a0e60120a1b12fb7a313e4e4e2c6c181f4771a5a433b52406c444c2df3b7804f4721f826d106fd5a0fbfd6296889522e68af4a2cfcdd

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
96KB

MD5
1820d79d42120e6f34403d11052637c9

SHA1
d6c5f228d3e93e81fbb0b917d650bc21b1aac47e

SHA256
a000bb47a2be3233d4107d3e1db7ca3abb132c8f251c5aea5ff30af2997d2c69

SHA512
d48bf9cb624e9a02c44b342ec81662018e6eebc57d204788789fd777b21f068b6b27a13f2b8ad71249d4110345f07ac9da2f0a1ac2813cfc228a18aa3b9b1af9

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
96KB

MD5
305ef900970f4de42586d4bdebfe7515

SHA1
39a204a793ad8fffd123c0c2a48e7c81d582458d

SHA256
1f3e28f23c008962d22e0cc097b534bee1b51cd24861b43a07ceaebbbaa38642

SHA512
917538b324660a9810d1954786eef6ba059109268b6903c8061ca1082491806c85bc275c0e2c06f5a3e187b24786ffd69e1e5e4acc2fafffc76fe9101a8344b3

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
96KB

MD5
5943f84916f4348ae0b516db8fc6c356

SHA1
6e10e26179f7f40f7fbdc485d4455a83ef52ce2e

SHA256
a4630067a972115daae1d2ba9d3b2d8e8f0a0a760c21efd5fe084f56e0507411

SHA512
28b6f5347d29a061240b161bdf045b2c55036db92d02cd848895c522157bed05f98521999788c171ab42a9d4c2c14601b5de10be53b21c6440db6dd3f17d9770

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
96KB

MD5
fa72bf2b89ca83d891263cb6b83e8712

SHA1
e0df90cd6695717041154fbd21bd5860ea5d07a8

SHA256
0db7a608cc6e73debeab1d15d72aa8c73837f17315aa3904d5a49071b8740a86

SHA512
32985c3994cd5e35654773b73e5e408317c5acb762e61b9cb5bce03e24ade65ce1bb93d0dae32ecaee16d63939a93d779638c68723e5cd5e7a9ab44e531af487

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
96KB

MD5
21ddae1263114859d4e704e39cbd6929

SHA1
5bfa06aec0f455485b8080ac3572e3bc24a4533f

SHA256
a00703edd1d16a9e72ea758f643269b4e3d18f23f8f1aa4f881c393405142d43

SHA512
1af1f448d896290aedc8809909d4793bd9ff76d53e70c4ca2e774fc757f52a17f6fc5761d225a98ef18919f7aa0dbc70a72f0cefdc4960a66a71a6a838f4bfc7

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
96KB

MD5
ae2a5e27f0a33f67e55e7b3cd37acb23

SHA1
2b03918914dd972a347ddcf09edddfcd8f84fb95

SHA256
6f6bd6d5c3b42767be808a0b79ee199fe51045b1e6c0f72d4ade31b4474f2801

SHA512
679973ca98c51d573b4bf5826ae6ceb806e75ff6cddcd135484e7a7012d8946cd4f2e918dc9a494b1824327e7705ff99438aa061d6b82eeb22dba6875f59b16d

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
96KB

MD5
85fdcc820425a5c17b238a63e761c5f4

SHA1
a531799bca86c7ff62c2e4f4df8f978d1353b363

SHA256
f16f9cc4604de8f278dcf36bb1e504cc2e15ce4dc5789585e1a6f0ae14cb1389

SHA512
53f7fffaec6f7b7ed00a9930ba716aa24e7776a272de358a6d4564b53ecffcddccd1d8271ea3d5479029ee4616dff8c49e1947f472e9576c6e939f55755a391e

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
96KB

MD5
dd0d7b3925dbccd886de9e83919e4155

SHA1
2e9d910b954ecb65399b6fd4d74307e859892757

SHA256
f45668f30d43b60bb1849209440f0f07560ef1ad44e75dc0f00a14916c8e6f14

SHA512
90167510470d2a754a8cccc8f80c366fe3414ec58370ff522d43339436d499e3d2b053c090089637f5c489adcb0aed5ec02b17a5d0422016eb275d0fa0bf1329

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
96KB

MD5
42671f1c87899de859d5151019231dbc

SHA1
8ae40ab26976564d2a3581d59a0cd7d57aebe569

SHA256
c5e2e7e18068e834bb120537986cd0c70bedf6d38e4c20ad007cd895eea4cfda

SHA512
c39a7932a24d3c7493c2544f6d404b3eb64bc1d60c67eb763ca7ea11ac6631dd32b4e91d6a8b531dbc23b5815501d4890c261ac349fc0aba73b3f5608638f29d

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
96KB

MD5
2cfac043d1fd84c87832a1d601648889

SHA1
64b0a48103fa33df941a07f21a82cfeb67a9d46b

SHA256
6dca3923e6be99aebbc79052227645367c88a8ce145924d15b70add4a12b68d9

SHA512
23e0b01246850d5ba86de545c1d29c62e0e13aa20c820e340219f455f41f095977f7c4099cf7225fbd848bd17f8f241b7de029a78e16e1c135c6e60066ce683b

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
96KB

MD5
ccb66c3566eeabbd4bd8af00614f7803

SHA1
1a37abcdd5b02158b45a87f5ffd88fb85b51226a

SHA256
5f45e5493e41e9a3d52ad048774b244df86bc301f97b9d94a23c606b46618de1

SHA512
9edd0abb4b41506a44f35326a3671fae1fa8ea2e98ec75e0d57a4557af0e591b806c043e3a487e4939b70f43586654d8581c4063fc5b720d61d59ce7ffafc46d

Download Submit
\Windows\SysWOW64\Jcjdpj32.exe

Filesize
96KB

MD5
31bad9c98d9b8565a26d927229088a7c

SHA1
04aa92f2da5d0ffe60223b8a5ade7d2d56dff0d6

SHA256
8c119e2e260b3cbdcb10f2f0f3328f5b836e8e032491d2d97fb649ce38d91803

SHA512
18f9cc76d2214b43f35c2b93c1ebdbd104b19bef70b1dc3ece51fc671b82b4fd2322e6bc34f5d2a5b45c803354eab2ca9c9122d2a0fd196dbcf234dbf84d2412

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
96KB

MD5
0d38b51c13e0764ea57577cb470feb1d

SHA1
fe803a413d70d30762b1e457ccdbfbbfb6ffcd1b

SHA256
d16c861ee2bb91f0543bc49ae7d944782f57081d22bbd7c86c844ac832be4984

SHA512
461dd5775c7e95cb3d4ce8daafcc4436b0a94e6726418a4f31384ef640f128ea923f1649121600af3e641b50a270a73322015b0cd3b9c314ce618ce11142f45f

Download Submit
\Windows\SysWOW64\Jgfqaiod.exe

Filesize
96KB

MD5
6f9d8a50a9bb042607d0b0af11c80a4d

SHA1
0749b06e624d3f8c7452b3b9c3178456db34eec5

SHA256
a981cdb024bd3500563ddac12b0a716f30606f10461852035b256c0ea6230963

SHA512
a108509b9c827966df61d9c3709d31351edb01111be8709f69d7f2c392912d002f3c03625dd9ebe9e2caa35a09d00f02040193b62a258fed8d91863553b5009f

Download Submit
\Windows\SysWOW64\Kbdklf32.exe

Filesize
96KB

MD5
2af8682bb83405cd8028ecf5f5f34e12

SHA1
4760a981ee5cbb34803e498bd49a7603c0662e18

SHA256
9b88ca012a70738f4cbfb520033027c9c9a460159ecae9029d44df8313e059fb

SHA512
affd6d0e26a2668bb13605b6b58883050601635708e4480179084ab34fc56a873e0151f29285820afb010afe59b45c95a1565eafa97a9ec2c382057a24246d09

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
96KB

MD5
632959d762331373b3d1f9baf5d917c2

SHA1
887bc076aa975d6209ab2eed019fbf175b729bde

SHA256
676ead8a349df4374aa89ee54f75d6dcb5309fd124a45cafe5ac608dc98a0e35

SHA512
3e6ea1e19ffa7de3029a690555902bcef8b925b33b76cffac4c4964b5152b4bbfa1d6b6aec0753cc32af665ecb6b4e1ddde549da1e4b9ae21bf3b33bd7b635cf

Download Submit
\Windows\SysWOW64\Kebgia32.exe

Filesize
96KB

MD5
75d0084930610e7b4a14963598725c53

SHA1
d10cb94a203c72b4ac69ba1a2a4071e9fabd95cd

SHA256
3eb1d57739272fb740eecc75c39f5eee3d810fd85c6e9303370bc617ab38642a

SHA512
6fbb2439d12c60b2fe9a9123d959537377e6ca4ad45840c340c5016e0b27a5e7836ee0d7073eed209fba847ba75e1f1d8d581df6fd143aaf9a3af8decc7c57b4

Download Submit
\Windows\SysWOW64\Kiijnq32.exe

Filesize
96KB

MD5
e19cd527c25004e6ee78556dbd726ca4

SHA1
69d287369f3baccee347f25dcd93f6baa394f114

SHA256
3ff0ae4e311311194657d8a741e286e3aa13c019688fe39e430be70476ca0204

SHA512
7e18cf55fcfd1fd107bbafba8f1554fd0de41c0053ba7254e30fc217dd47c0fc3a6fe3dd67f2818a41397b4c640fa0c117aa0643fbcebabd211ab4f84ace8c76

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
96KB

MD5
0be14601e1441a5646ea0620823a4b55

SHA1
b16314b435ceea116b63e5278448f5f9c0ec0efd

SHA256
aa0edb4db1f22ea22804000d32b8af8de1b12134c6387259f8656c3f4ccf611a

SHA512
a0df96c85f11e95134713d470c432ef8c779a93512acea09c4540a74afeed5df49d651917a2752670b9c67c53289fb4a5882703ddede11475f4eda865c154754

Download Submit
\Windows\SysWOW64\Kkaiqk32.exe

Filesize
96KB

MD5
25b16e3d63c88f9978daface7c694ba7

SHA1
290568598bb06bc16b789205af8e464dda5eef63

SHA256
3fc80c0da407a881d5519ebeed1c83cc497aa768190df46de94432bc29812e17

SHA512
7ad2ae41012a5847fb25dfe02f56250ff36be81de20b65101f5b8aa1a5e7535341ddd2b435c103daa03b2212cbd01ba3d502546954bde45a2a76ef58bb01849d

Download Submit
\Windows\SysWOW64\Kkjcplpa.exe

Filesize
96KB

MD5
f757b2880e989a9f89f66700d4fdf5d9

SHA1
ff0b73067408a9f233958d0a3187eaecaa5dd509

SHA256
e33cb6ba8284620439149142b665de92f86b2a91b17d734fbaba2c6451359552

SHA512
37a7379181b8d79ed0bc33d63f095462818d62d1b00c647edf881292b8015dd8714a3df5619af56bc2d4ec1a0cb41a665f3afccfef1f4c9cecee667ae471e79e

Download Submit
\Windows\SysWOW64\Kohkfj32.exe

Filesize
96KB

MD5
a60506a9a220c138c750e09cf912e6d9

SHA1
5e369facce0f719f3fc45ee8c43aa5e3c085cc41

SHA256
70e95daa1189e43b4456bc7510c30d6193ab73f1f5749cb9517c572aefe67fea

SHA512
8478a8d371bbe54dd86bbd4b37b7ca19560fe6bc1d35ce6c15ee43e489f353aa49b1209cde5fed516b090c9bc19c9e83c39a4760e48e318f053f4178d41ad4d1

Download Submit
\Windows\SysWOW64\Kpjhkjde.exe

Filesize
96KB

MD5
80cf05b4decfb9398f638ef9e4bdb6b4

SHA1
146a703933a8aa36c4926ea6eabcdafd375694f1

SHA256
5097de09850c44282aafc5d629be7079f222eb5303e99a4affd2f57c2233c561

SHA512
def40b39f3e561ac863c22533c91112c0a56846d1026a25e67585606184df2581e1662496d5688b32c4046da89ee225cb0c959ec2f76dd4dcf44c4a123b8c8f9

Download Submit
memory/344-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/344-215-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/536-401-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/536-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-412-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/876-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-254-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1020-256-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1108-235-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-245-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1108-244-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1316-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1316-468-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1316-469-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1360-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1360-276-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1360-277-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1400-114-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1400-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1400-470-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1400-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-358-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1448-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-354-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1588-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-288-0x0000000000460000-0x00000000004A2000-memory.dmp

Filesize
264KB

Download
memory/1604-287-0x0000000000460000-0x00000000004A2000-memory.dmp

Filesize
264KB

Download
memory/1652-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-444-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1704-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1784-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-310-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1792-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-309-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1852-295-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1852-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-299-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1868-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-196-0x0000000000620000-0x0000000000662000-memory.dmp

Filesize
264KB

Download
memory/1912-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-186-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1940-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-171-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1940-172-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1968-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-391-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2080-88-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2080-445-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2080-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-61-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2088-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-413-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2088-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-24-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2184-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-313-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2220-314-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2220-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-266-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2292-265-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2412-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-368-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2440-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-457-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2476-456-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2572-347-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-343-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-380-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2612-33-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2612-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-335-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2692-336-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2764-423-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2764-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-51-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/3056-325-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/3056-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-324-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads