berbew | 65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Size

93KB
MD5

1a1885947fba0503b6d96446f78ed699
SHA1

58427174f724d6d9606ea9e8b48613248f1b587f
SHA256

65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2
SHA512

ba2cf6b03bb67cd9b22fa4d10c073282e5a99a8c0ee96ac088d1da624d1c11cab6bc015a43d3f1d42e28a0253ec5c5800093f43cb5cc1113da11d2701484886a
SSDEEP

1536:8amxadJpTVDJ5zJx0dd4ZNishDmA1XyuPyuG9h1DaYfMZRWuLsV+1D:uodTTF7Xw2iUv1BshgYfc0DV+1D

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
112	Klqcioba.exe
4604	Kdgljmcd.exe
4644	Lmppcbjd.exe
1400	Lbmhlihl.exe
2196	Lmbmibhb.exe
1540	Ldleel32.exe
768	Lfkaag32.exe
3564	Llgjjnlj.exe
1472	Lgmngglp.exe
2292	Lljfpnjg.exe
2440	Ldanqkki.exe
4560	Lingibiq.exe
3724	Lphoelqn.exe
4056	Mgagbf32.exe
4540	Mlopkm32.exe
660	Mchhggno.exe
4104	Mibpda32.exe
2968	Mplhql32.exe
5060	Mckemg32.exe
4972	Mmpijp32.exe
2616	Mpoefk32.exe
2496	Melnob32.exe
3124	Migjoaaf.exe
2776	Mlefklpj.exe
2992	Miifeq32.exe
3912	Mlhbal32.exe
3868	Ncbknfed.exe
4616	Nilcjp32.exe
2372	Nngokoej.exe
4388	Ngpccdlj.exe
4680	Nnjlpo32.exe
3516	Njqmepik.exe
4948	Npjebj32.exe
4828	Nnneknob.exe
4140	Nckndeni.exe
2832	Odocigqg.exe
2520	Oqfdnhfk.exe
3304	Ocdqjceo.exe
2164	Onjegled.exe
3720	Oddmdf32.exe
2864	Ojaelm32.exe
2224	Pfhfan32.exe
3696	Pmannhhj.exe
1812	Pclgkb32.exe
2236	Pnakhkol.exe
3980	Pflplnlg.exe
1060	Pncgmkmj.exe
2960	Pdmpje32.exe
4368	Pnfdcjkg.exe
4444	Pqdqof32.exe
4060	Pfaigm32.exe
1908	Qnhahj32.exe
4516	Qmkadgpo.exe
4404	Qceiaa32.exe
1212	Qjoankoi.exe
2104	Qddfkd32.exe
1600	Ajanck32.exe
4532	Ampkof32.exe
3560	Ajckij32.exe
3760	Anadoi32.exe
4776	Agjhgngj.exe
4984	Andqdh32.exe
3972	Afoeiklb.exe
4400	Bjmnoi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4916	3708	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qddfkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 112	2664	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe	85
PID 2664 wrote to memory of 112	2664	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe	85
PID 2664 wrote to memory of 112	2664	65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe	85
PID 112 wrote to memory of 4604	112	Klqcioba.exe	86
PID 112 wrote to memory of 4604	112	Klqcioba.exe	86
PID 112 wrote to memory of 4604	112	Klqcioba.exe	86
PID 4604 wrote to memory of 4644	4604	Kdgljmcd.exe	87
PID 4604 wrote to memory of 4644	4604	Kdgljmcd.exe	87
PID 4604 wrote to memory of 4644	4604	Kdgljmcd.exe	87
PID 4644 wrote to memory of 1400	4644	Lmppcbjd.exe	88
PID 4644 wrote to memory of 1400	4644	Lmppcbjd.exe	88
PID 4644 wrote to memory of 1400	4644	Lmppcbjd.exe	88
PID 1400 wrote to memory of 2196	1400	Lbmhlihl.exe	89
PID 1400 wrote to memory of 2196	1400	Lbmhlihl.exe	89
PID 1400 wrote to memory of 2196	1400	Lbmhlihl.exe	89
PID 2196 wrote to memory of 1540	2196	Lmbmibhb.exe	90
PID 2196 wrote to memory of 1540	2196	Lmbmibhb.exe	90
PID 2196 wrote to memory of 1540	2196	Lmbmibhb.exe	90
PID 1540 wrote to memory of 768	1540	Ldleel32.exe	91
PID 1540 wrote to memory of 768	1540	Ldleel32.exe	91
PID 1540 wrote to memory of 768	1540	Ldleel32.exe	91
PID 768 wrote to memory of 3564	768	Lfkaag32.exe	92
PID 768 wrote to memory of 3564	768	Lfkaag32.exe	92
PID 768 wrote to memory of 3564	768	Lfkaag32.exe	92
PID 3564 wrote to memory of 1472	3564	Llgjjnlj.exe	93
PID 3564 wrote to memory of 1472	3564	Llgjjnlj.exe	93
PID 3564 wrote to memory of 1472	3564	Llgjjnlj.exe	93
PID 1472 wrote to memory of 2292	1472	Lgmngglp.exe	94
PID 1472 wrote to memory of 2292	1472	Lgmngglp.exe	94
PID 1472 wrote to memory of 2292	1472	Lgmngglp.exe	94
PID 2292 wrote to memory of 2440	2292	Lljfpnjg.exe	95
PID 2292 wrote to memory of 2440	2292	Lljfpnjg.exe	95
PID 2292 wrote to memory of 2440	2292	Lljfpnjg.exe	95
PID 2440 wrote to memory of 4560	2440	Ldanqkki.exe	96
PID 2440 wrote to memory of 4560	2440	Ldanqkki.exe	96
PID 2440 wrote to memory of 4560	2440	Ldanqkki.exe	96
PID 4560 wrote to memory of 3724	4560	Lingibiq.exe	97
PID 4560 wrote to memory of 3724	4560	Lingibiq.exe	97
PID 4560 wrote to memory of 3724	4560	Lingibiq.exe	97
PID 3724 wrote to memory of 4056	3724	Lphoelqn.exe	98
PID 3724 wrote to memory of 4056	3724	Lphoelqn.exe	98
PID 3724 wrote to memory of 4056	3724	Lphoelqn.exe	98
PID 4056 wrote to memory of 4540	4056	Mgagbf32.exe	99
PID 4056 wrote to memory of 4540	4056	Mgagbf32.exe	99
PID 4056 wrote to memory of 4540	4056	Mgagbf32.exe	99
PID 4540 wrote to memory of 660	4540	Mlopkm32.exe	100
PID 4540 wrote to memory of 660	4540	Mlopkm32.exe	100
PID 4540 wrote to memory of 660	4540	Mlopkm32.exe	100
PID 660 wrote to memory of 4104	660	Mchhggno.exe	101
PID 660 wrote to memory of 4104	660	Mchhggno.exe	101
PID 660 wrote to memory of 4104	660	Mchhggno.exe	101
PID 4104 wrote to memory of 2968	4104	Mibpda32.exe	102
PID 4104 wrote to memory of 2968	4104	Mibpda32.exe	102
PID 4104 wrote to memory of 2968	4104	Mibpda32.exe	102
PID 2968 wrote to memory of 5060	2968	Mplhql32.exe	103
PID 2968 wrote to memory of 5060	2968	Mplhql32.exe	103
PID 2968 wrote to memory of 5060	2968	Mplhql32.exe	103
PID 5060 wrote to memory of 4972	5060	Mckemg32.exe	104
PID 5060 wrote to memory of 4972	5060	Mckemg32.exe	104
PID 5060 wrote to memory of 4972	5060	Mckemg32.exe	104
PID 4972 wrote to memory of 2616	4972	Mmpijp32.exe	105
PID 4972 wrote to memory of 2616	4972	Mmpijp32.exe	105
PID 4972 wrote to memory of 2616	4972	Mmpijp32.exe	105
PID 2616 wrote to memory of 2496	2616	Mpoefk32.exe	106

C:\Users\Admin\AppData\Local\Temp\65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe
"C:\Users\Admin\AppData\Local\Temp\65d152645ff2d3f0e132741161ab9cc8c6ecabe5b85c5da8d457bc7e529728a2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\Lmppcbjd.exe
      C:\Windows\system32\Lmppcbjd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        54⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        67⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        94⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 396
        95⤵
        Program crash
        
        PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3708 -ip 3708
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
9926fd788b2516f1df9a2bd7578b449d

SHA1
1af17677b95ce96c76c7e8e2a39dc817dadd4b9a

SHA256
477342993c10aa475b4f0aa73ae0dbefea0cc8533279b02191c9efd76e07fd99

SHA512
f679a1ed37813bfc6256e2afefd558defcff0a7dfeddb5d209ecfcdc2f9c7592ede8e9eac4bb1d32f8d941c9a1b4a2a5856b69a55435dc3274ebc324b6229841

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
93KB

MD5
58bbf896721d23ae7f745dca14e9f7cd

SHA1
a4e8030a334b16f6de1183d810934abf4e2fbbe4

SHA256
b49eaa0238b8effeeb3dae12eaa6e36525066cf552a01b790c79ee6c9c1070d7

SHA512
c3c3b6c9a7c3163fa36354588ab2275d8b1dc72b7b898b5de0ac010bcb069cfb12f190f8d4d74de716ec20f31b7a45cef21955dbc844112b5656b83d3aa86555

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
bb563c96a5338afd66ad8402a16234ec

SHA1
b10eb7aeb657599c0a1bf571b670beafdf2185ff

SHA256
f50b5dce4f3a69de53ac1d4ca8ce7880902cbaaeed11667bb744f0ccc9fc3d0d

SHA512
bdd9fbfe2e80113de37e5d192311b36d61e1f56018f3d4df6e00af7c617fe79c58daec65e004a30f6b3922ff225d6529009040825859af647bd2814f1393b967

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
989bb9b6822371dd3159c0feed473958

SHA1
6999a82c3d6df8a4bd283578a79884807c9aec97

SHA256
65144a04f26c4db6b673aef1ca8407535f3987e1246b4e9afe8d1e2f95fce5ef

SHA512
e31e27dbe10b0749fea435708c3dee416edcdc7498e05a6ae3c14e8e5dc0abe470e26a5727510cb7896d169a394f3caadd56eae315d5e41e5cae5e06d2c066b1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
ae8bcc16d81e4d59bcc21c478804b604

SHA1
678843f36ce6586516b7b636d363b1a1c46ca825

SHA256
69255e30e6f26949b51471587e1309660bcf78c656c74b00e755c25c360d4367

SHA512
a027ae9191e2aa2b4b3609b104189931c78a7c9491c6ce56647e304944cca757fe3e4893a7e62346d79d4ca8f1f45b29a86946ae943eeb8b84d750f800d3f5b9

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
9706fa8bcec6bbbd6d3292d4d7dbf7d4

SHA1
058169847c81ee89fc818b01b652d3b3a24c69db

SHA256
bf70e469548734568e61eaef60f99e5d307a0bd576be5274af6d511239ae7f7c

SHA512
5c87425fc24a7241f9618352438704b71bd5b84c67d44ac9cfe252ebcacb0c569ccbf46042bd64df5e0fa01c5c8174bbd18778ffe55c03de20cb20793fe1b889

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
93KB

MD5
a1c9aee5ac7915401578a3e527fd67af

SHA1
b7049a4e1ad52ef00a81a0cdfd8a7ed6e34e2d03

SHA256
2eaaf10ded4c8d683a28236d03c2e376fa968a21599149c56bbabe9c81be79aa

SHA512
d274aa3dc642a77e1b0031d635be71acbc47faae1bf7f2b79be06a9e22a8e231237d073bbb7620900444341467d29cda5d1fc7d6494746c378c596e77da05a18

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
93KB

MD5
3c2e55931e972aefb3bc0690d2a9a78c

SHA1
0dd97a943a0b02d5f35e9fb2fa9220f9252b3fa1

SHA256
8abf475588fef585e40248992e804b729328a93b46c7d97165811fe054723fce

SHA512
cc9c74fa93c9023f55da625baa419169142616d8d8f8a4e64908c715f9abb39fa601d9c5e9e53ffb29c9a3c808c76b3a260e8d4f44ccfb3289a8756a88bfafd3

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
93KB

MD5
bf7eb329ac683343561c6f7212e02629

SHA1
70c74880262b62cdfd81419d4e1ad00a331893c4

SHA256
b6789969e5bcee5606ffbe108bf689d88d98d0b59ed97711531aa9c0817c3266

SHA512
e58bcccb3008b9448913bb738fb67a0769e60cda37342a16edb52ee392d8aa1fd322b6d4c39c40e34c70db47e19ede2ae2b123fba937ee174112dc2ec17785ea

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
93KB

MD5
4fcca7a68188d1030ec2f511c378325c

SHA1
a1de711f340a7e281b46c6d42620a8c41a3b8de9

SHA256
d52a3cf1184d43c1aaff8769d8c2ddf0c098b251fbac7fd092cc18a892f959ab

SHA512
e01f064470d7c123e63041f15393b95d5c44820d714996aa79b94d389011cf91d52d112665095c983c09500f7ecb30ad409188dca2cec74fb5690919d3b308b0

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
93KB

MD5
261b7c8825e266e25001c194cee4f0bf

SHA1
6963c8f8dea35d80ac27738bda42105d626a6d86

SHA256
47236ad40db211c464a32a3739cf5c751b494c8ff40c7a188fe99e09c08edbaa

SHA512
ff42075d8961170b05afa30c4bb28273a456566c6ebd6463ccdbeae7991e950fe69ca9df80662e7aa5df53682d91b57aa504dce482c66e0d2ad7f92d9c8cdd06

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
93KB

MD5
3bcd2a70204058bd710bb877c220853e

SHA1
febcaece3f5182e5a1d67fb97e36dbb57e85cdec

SHA256
8de70f554a34ebb2087a246ad46bebd369a6371ec9208f828ca286062904fb18

SHA512
129fda42970fe3c5341d2644de5dedac712a47341970209bc8973605ac3d22f6b919078fe9e0e6792f25652afcc5c38e83abd371cc508284df9fc92d02f38a29

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
25aa1cb6934523c7cd4002422162c778

SHA1
3b7fb9e4297c9058dde135c4eb5d6e1c14cf067d

SHA256
43ad2671ee8cc08b83822e9db7e7b169e88c5fae080f6ccd38f26417811480a6

SHA512
1af044bce6ceeff59ed4937b07a31b239d4ddb289a754bb307e032b106e1d4622c842b9a39b471c080c530015c1ff11f3c057d7b0e4d2c17215b6f7abef44141

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
93KB

MD5
1f4e406a2d247411af05be19c23d2d8b

SHA1
924caa9cc560e3746e3e7c339486cbb0870ab0ee

SHA256
94aceb18cf94780698c765f195bf906854c10768275f940bdd83178780e2b697

SHA512
4c2b417ba0b7df2d1d47e9d33c0a753f75010c6bd5511351979febbc351b53044bb321fc8741290175539d4f4dfba3dd0cf0bc0b085b9a30fc1b44f7c89c244e

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
93KB

MD5
fbbc5937401391708d5b1e0db4e1aeb7

SHA1
48df7e686f11b491bd20b19f5593770deab7b7c0

SHA256
41764191cf1f7968a5af05daa812f0b597b4be776a580e2ee2761107c6d3a04a

SHA512
e9eb32091a8d856e950207951129ffabfae6c399b023f8259699452a2367a4f1e2da6cb57503a0928d2788e5d9820288a44ec8dd9a6d0c41a1d550212dc6aef0

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
93KB

MD5
4296c5c25e3b26db682b7560f2ccaaff

SHA1
83143dd25ebe3b930f06838816379fa1e4a6cf69

SHA256
2cbe6669dae1fc74a9c5d6f1a1d6424b4c84e397a2f9b3fc98c030550018d84c

SHA512
fa17574ad6e2c98aedf4a4e2d5bf049da0c92dc11b222dd5ce664b964ca52fa0d4accbfd542a027c7d6adbd647ee8f9fbb8e6c90e8eb3876bdfba6ee3ccf4e1a

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
93KB

MD5
022b69009fd94e122ce669e7e8a2e9bf

SHA1
3f94467ef89d0e05c97216d6460d013bc834ff0d

SHA256
373f69bb39059489034a76b8acb6ac767daa6ebe8f9039b0d0ae08ade33d5ceb

SHA512
1f8821928ab1f94a3a2021a6f0ef879e006e2a001946aa58efef4853558356d07a858876d262b1c3e5f4f251298703f41f600ae2d5e2bbbe6ee056dfe7c34737

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
93KB

MD5
b89e3c69ee4660ac577f0ddf4604695d

SHA1
d80c103f420685e18912e47a0dd43e322a074551

SHA256
70b07dee4538de80a0aeaaf9e7b553037e3d7f18ef8c05845a40ca7733a75a0b

SHA512
62e4d5f9f515e4c80c964305b6f43f57679aad1056149036ba9944ac06e9c55c4c4c9b5a84e138d54fe62432683f80982c0c7f420acafcced42351b4433b8d33

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
93KB

MD5
d561897da36af08ee0c3f490c59d457e

SHA1
a25ac6a724974d7e7dce34e487dfb8b1724cf633

SHA256
90ed11cd69b58b5ed6f3df219732eb5543bcf1398969deddc7a73f280829dddb

SHA512
4f56784477afdda9c62427c4a93bb447efbeab5b29f014ecb2cba0973f2f79e5ca05da5132269d7941d93dee469e3fe0f7464d4c99531284bec0442a2fc7cc12

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
93KB

MD5
5ca790317a0817bf46f0edc2a15106b7

SHA1
dfae0e14c602c22f2e66dad8a7ed49031c386146

SHA256
62312cc855538f6c102abfd9be83a4a05a178890402cea6e3067a8b7255469cc

SHA512
25b2f39009bc86060c7ce51212fbbe8bc2d0246958b2e0a143caaced778eca63e368d5f25bb63ef2c92488e04f58924d033308b86420e711f182d1926371d494

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
93KB

MD5
b859c2b1b3f2e41a198470150befc259

SHA1
0561d858b88747740b43bc24abd681a55ce43e44

SHA256
3faa4f64e8db5facad5fa335d2ef639645bd984b21ea5c9fb2ea395241e5c751

SHA512
0261ca5bca18776c3e4acfae0d57eb16251905719fa9522b216b63dbb256e93db026fcc0b8d3319ed2afdfa6710e465486c21af055aefea3e56149740a586143

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
93KB

MD5
f21badfbbef18bce142d2f9f3d4c6f08

SHA1
547531dcfc78a2447fe1f6c291a313700e2cad08

SHA256
6dec73e6fdac3f59609cbaec8ac90173dc4acf9961c30660454fecd46cea4095

SHA512
2d7aa3d37f4580c9250f4b8ffd3a184c184c9bc6e76271eb65684199a209a88103b23df3388d94e74732133db1ba625a0a28e70270fbc14839dea39155301ad9

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
93KB

MD5
20ba2711ce9f762225422a613c8e3ad3

SHA1
34c24bf5777a6f4304c61dceef30f451613cfd1e

SHA256
9833c31c2ab30ba92e98157b6b1c2b995648f8e1d7b859e250c1fde429a7648b

SHA512
978628c577a1d67bf2c3b821e2ba952484c43cfd98e63273be5c710e3969b3e7e1277d41908af89c7be675815996ceaaeae4cdd7dec8cb14106e40fa173f197f

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
02671cc2c866ec5b5c5180069802196b

SHA1
0253bf2d69168a4813de5a35810534c10115e15b

SHA256
ec1bac8600d5e23ab1fe291ad35360339ec4f19e77820e7a0a69bf997e871226

SHA512
e7cbdc5c2f255d4a47dcb4fd862433e3dcd3db77677e779393b912856cd3c6d8733a7c504cd8206efceed735f204c9f92fd53d48d053341b3f9404024193e319

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
93KB

MD5
9b2bb0270142ca8b40007acde4fe6b9b

SHA1
f48fbdbc63b5868fa6d8a3123393a5e33053f34b

SHA256
daf866af30d2c6ef23fc221a08c48d4749b31bddcf9497be97f44d34164c1c94

SHA512
6c5f20e71ccd781d150e16ef6cda588228ecee7d4fcad8115dc568cba3c2cfc7c080cf05a0a8739710b0ab71b3acfd0743646410a4f893ff5cdd914cef9d428c

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
f9740071a7d667ff6f304512065dfc0e

SHA1
8f9786e140f3cff163d80bb76d10ae082c4b0814

SHA256
fe10615bb156e46d621588b2d491f44ed729c2854e04d8d55c284224576f9d91

SHA512
f0b6018fff3d2e35329b2ccc180e38726ea8c3ce21162dc3fdb492f1f4933315752ae1323dcba27f93f6f823cb0908d39352c4ff34e070a4bebd8700f1cd030c

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
1ca103d9f3136d8234540e43e41c9a83

SHA1
5b31387352ca8817ab137efca420586d4db4d949

SHA256
6c0c3d27e1d2ca0e0079dee85c766f2801fdf355f259442313e3b7a3e0f8ee66

SHA512
04a3e25f837563d62cbb612ace8141a07e6700a21ed8f1ae97a9ca10ae2890d02b555c349d9ac8f22d414622872a3b3944d937897f0a7a4ffb634e445a9047f8

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
93KB

MD5
054c1834fb63c56b2f937d40f5c8ccb4

SHA1
88aa6421d51bd5716d4e059e65e3293dc85e6ad7

SHA256
71eb235b54a017537d45ca48a283a6d87db50ed52f8a84eb6a406447024b2fec

SHA512
35a8643220332adb26c5f64145a8a95a787911736e80906a275ddcbda258593b6d560b917df8e660ff5c607c94af800d4e050a3208f28deeb22c3277fb0b6b24

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
f47a24a5bb233deab8f2350f9ed7965f

SHA1
0494f47ebb0bff3537508429c71847f98cb3a0a5

SHA256
32011fd01385706723372f41788d725a5443b87043ab5233dd48d75ee5172532

SHA512
b687ef13bf4e53036764ddd2e5a204b61068896e12b449f906a0c8dc2f6b3040733b27cc097efb8b7ad920556a54c346a511ee69324dfdfdbfea09b0605a33fc

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
63245641e77a93cfdf24acacef2ae418

SHA1
7309777b6f451f06027c3fbe89b48cce411f1b20

SHA256
1b63603cc9e7031ba657b1499b77ba64f1fb99c2883209c4713e2bbd260fcfdd

SHA512
85aab7aa79838ec9547b62019fcb50ea6586dfa1855d82af229c1564b947bf30c7dfd7fbbfeeb84a22dfe25311984cc5adc04e87ed86074ecfe62becb6bc9ec8

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
4a64ab013c92f0272f40b478da7e69bb

SHA1
fac15b0eba024941409c69b5630f7859a7efa624

SHA256
2633645368c67c407da67a649e1d2eeb6388ba7839a8273c619bd8e08a4930ac

SHA512
5d85cd16c188af93ed77375d0fdb34126dfb9c5ac82a5546ede30de314dbcbb461286c1c0e89a6443078c04b2b87f141f796978c8d200bb1a7563b63c5bf1461

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
93KB

MD5
f458be8910a7031bf8b228122b59e2c8

SHA1
0042ff29d5a7f4ada9079ebd43495728a9f20902

SHA256
922f4994667f2536f405dd9683b63b63c774616c20f5a2f3e25b4434bfe82cd6

SHA512
4f69e7a68a6d9f094c11ad469714f63646884dcf126fd93ed7f28439a2f4dfd078f9de9095c671b2181469e79e2d8a64b8453da0da876c60ae655781f48ee7bb

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
93KB

MD5
10d3f5fa06fbf63348e05034dc177201

SHA1
60f83a9bded2c4dc4e0652592def824dc9edcb52

SHA256
7e3039f16f5d0f7440bb77aad3102e3172c8bb3a84a522bcbd4e7ad874048a64

SHA512
a92daef141c2f2f6d29deff283cf560f8d5c7b5d95c95380a4d8deefd64c6f0ffb69c76d96a8c2361392c668e085a4ce5cdd68e9613e90e2f7df70b04a18aa73

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
93KB

MD5
21b4f014b1b9ac353b4f768d178f32ba

SHA1
cce4e899f8b2808e5f8b2a0122732b4c5e5150ca

SHA256
a7e9a44219759caf50b8ed94c18048694b6320a5cbc6c3bbe1b6839910fdeeeb

SHA512
9de9e3f7a5693ba06e5a9f14563c93cf65da74065c9de82431edf2ad9c45089a15de6701acf6496c6291d6a4d38287d4e8b1a9bdc3e657f815eacc6a23256291

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
93KB

MD5
bbe46576fbf12ac5170f2556b385c394

SHA1
87f3e4899df1b747f185d52201a9e33dc0a7170e

SHA256
3590e7f16ef01ebf4e480262f67663b01075cf173c37b0085912a6c25ced9822

SHA512
00c4a6393fff1ff7522b16d2df3928600705f5179cadad7e7f87cf7913d07b6b6f9d25e9f2a990cc1749861a887ac943cb071c961c46b19e45b117cb9b10aca4

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
3c2abc64a20642b62abe25b661366cc9

SHA1
713f732e7cb9c60d38ed7cba5ef3ad1bbcbe88cf

SHA256
2ec402aa2bcfe7f70d4a865e6005ac27c91d41cec0ccd0bc0c004579050e3e6f

SHA512
4dc28cb38eda9f650a108bce90f50f860e2292600724c02bce637110f25236a5b5e897f96e4eb2f7ea1b7678ba4ce08e17c931acdd31eb30455d95d57b57cd2c

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
4cf35241d7dc65d5b7efbba54b3a9e8f

SHA1
e7c9cc91df840d7a8132a0041bde4f12ece62f4d

SHA256
e82ee847a99774558ecf88a936dff64914a59092cd2d9a67b413fa8383f8a26e

SHA512
c4da1a8cd5392f7c95cb902969757fb1abcfdaba9054189b3e97843eadd63cf4468df56fccb546214e4796ee5157c7a635f8c6607e10bd9b91f6b9f20d61ad5a

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
93KB

MD5
782e59124f01d91bf9cb1fbe534a56f0

SHA1
f5c7698e925af8e5510514313cd25de5f37e50f7

SHA256
aa4d497c81c6cc933cc4b418259fc1b45d0db0cc52cd8e9af92c174908b41933

SHA512
c3ae28df005fb4ee7cd174244f6d0bf50df6a974818e53b857aadee53e645e59df0cdea86eb764952c49822e04843c96e0f7a9a62ec7ffd5b012786c1288ea45

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
93KB

MD5
5a281527f0cb22a844c272dd136cbf08

SHA1
8deb72b20d0924315062487e26951dda023af75c

SHA256
d7600d196fe6c6068b35bd81eff8c948c70f15bbb746c98bb8cfb8d8c9a49e8b

SHA512
d8c854b2ff27cd27ff5878af8d81bdf8464a648bdefd57b2e40ad46797e3c18fce0c46c6a2ffa27a764606f48cb734e132aa5198f1a7dae1c722612af5fd6d94

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
ee505c401d20735d5d28d6e8f73c5f93

SHA1
fc3e29d503fbf6c71521ee17282472a7efd1ea7a

SHA256
94f167e44939a17a3a6ee4a1899d9af773d561059e18e0eb9b1c002dbcf2c6cd

SHA512
d0684ec1849312b568bdea9f0ad6bf06d7b801f638d8573fd1d5401fbd1e2a5dee257ebef6bb36d6b3a86f1b812d0d090f5c7616307506c5fba4dda01c4c164a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
93KB

MD5
91487626615b4bdf23359de58c08f3b6

SHA1
80a12c44d28d5a907b40fd950b789edf9b3e6824

SHA256
605eb01743e41beb8f2763a567ecc67f59b10d193c6a81ca8999a6c66f24e806

SHA512
3926e5f4697e9d76962b13c800c6819a67fc755bb5fbeecc049d6c6a479c408805e2fecf2c148ad8ab29dfbef9dff6eb7cad6dbfa14315247f8f304dcced6e2b

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
93KB

MD5
c25b2b49fe79674eed2bb0f5385c1bfd

SHA1
41fb627aee2bb9d57dabb74a098cdb24f421b8f9

SHA256
4617a8871c0019592cca378eaec2dff906e02874e1fdac4fa758d8091fae4324

SHA512
fee3acb9e2ec9c6c5d0d0d5e4bb90b9d8e8caff90e78b7dacf03bcee9092c36d3ed6cd8986a3c2d8684c95fdbf9caeeb35dc66c126b51f5713aded337d354adb

Download Submit
memory/112-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-727-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2664-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-749-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads