berbew | e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf

Analysis

max time kernel
29s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
Size

93KB
MD5

2327bdf9eaf78a2114446745233e5fad
SHA1

ae6131c073d759e6e4c3c9d8400d6a4d69573ac5
SHA256

e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf
SHA512

17ecc87512cd8e922b31e9140ae885acba4fbfe4d3818e9bad759bf3ac95a9035e38a8529e24b79e6ccfafba372d231518e34c57da69989acf54f8f35cc080f8
SSDEEP

768:opWuskP1dUVGLQtVCq+/NASXmVxRZ/4sH5IFnTgisq5BhPuX/1H5OXdnhgyIUaYy:owLM0q1KSo48VgG61DaYfMZRWuLsV+1p

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joaeeklp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmhgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghjel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joaeeklp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 53 IoCs

pid	Process
2804	Jfiale32.exe
2432	Joaeeklp.exe
2884	Jfknbe32.exe
2576	Kqqboncb.exe
3012	Kocbkk32.exe
792	Kilfcpqm.exe
2400	Kofopj32.exe
2196	Kfpgmdog.exe
1344	Kmjojo32.exe
2328	Knklagmb.exe
2012	Keednado.exe
2988	Knmhgf32.exe
1452	Kegqdqbl.exe
2956	Kkaiqk32.exe
2340	Kbkameaf.exe
1776	Lghjel32.exe
1204	Ljffag32.exe
1136	Lcojjmea.exe
2168	Lfmffhde.exe
2448	Lmgocb32.exe
1864	Labkdack.exe
3024	Lfpclh32.exe
652	Ljkomfjl.exe
1320	Lmikibio.exe
3032	Lccdel32.exe
2776	Lfbpag32.exe
2716	Liplnc32.exe
2904	Lpjdjmfp.exe
1396	Lfdmggnm.exe
2628	Libicbma.exe
588	Mffimglk.exe
2236	Mieeibkn.exe
2164	Moanaiie.exe
1944	Migbnb32.exe
1980	Mkhofjoj.exe
1408	Mencccop.exe
2900	Mkklljmg.exe
1448	Mholen32.exe
2760	Mkmhaj32.exe
1640	Ndemjoae.exe
2296	Nhaikn32.exe
916	Nkpegi32.exe
444	Nplmop32.exe
2256	Nkbalifo.exe
236	Nlcnda32.exe
1676	Ncmfqkdj.exe
1328	Nekbmgcn.exe
2380	Nlekia32.exe
2772	Nodgel32.exe
1696	Ngkogj32.exe
2732	Nhllob32.exe
2696	Nhllob32.exe
2560	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
2804	Jfiale32.exe
2804	Jfiale32.exe
2432	Joaeeklp.exe
2432	Joaeeklp.exe
2884	Jfknbe32.exe
2884	Jfknbe32.exe
2576	Kqqboncb.exe
2576	Kqqboncb.exe
3012	Kocbkk32.exe
3012	Kocbkk32.exe
792	Kilfcpqm.exe
792	Kilfcpqm.exe
2400	Kofopj32.exe
2400	Kofopj32.exe
2196	Kfpgmdog.exe
2196	Kfpgmdog.exe
1344	Kmjojo32.exe
1344	Kmjojo32.exe
2328	Knklagmb.exe
2328	Knklagmb.exe
2012	Keednado.exe
2012	Keednado.exe
2988	Knmhgf32.exe
2988	Knmhgf32.exe
1452	Kegqdqbl.exe
1452	Kegqdqbl.exe
2956	Kkaiqk32.exe
2956	Kkaiqk32.exe
2340	Kbkameaf.exe
2340	Kbkameaf.exe
1776	Lghjel32.exe
1776	Lghjel32.exe
1204	Ljffag32.exe
1204	Ljffag32.exe
1136	Lcojjmea.exe
1136	Lcojjmea.exe
2168	Lfmffhde.exe
2168	Lfmffhde.exe
2448	Lmgocb32.exe
2448	Lmgocb32.exe
1864	Labkdack.exe
1864	Labkdack.exe
3024	Lfpclh32.exe
3024	Lfpclh32.exe
652	Ljkomfjl.exe
652	Ljkomfjl.exe
1320	Lmikibio.exe
1320	Lmikibio.exe
3032	Lccdel32.exe
3032	Lccdel32.exe
2776	Lfbpag32.exe
2776	Lfbpag32.exe
2716	Liplnc32.exe
2716	Liplnc32.exe
2904	Lpjdjmfp.exe
2904	Lpjdjmfp.exe
1396	Lfdmggnm.exe
1396	Lfdmggnm.exe
2628	Libicbma.exe
2628	Libicbma.exe
588	Mffimglk.exe
588	Mffimglk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hkeapk32.dll	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Gpbgnedh.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nhllob32.exe
File created	C:\Windows\SysWOW64\Hebpjd32.dll	Joaeeklp.exe
File created	C:\Windows\SysWOW64\Qjfhfnim.dll	Kmjojo32.exe
File created	C:\Windows\SysWOW64\Keednado.exe	Knklagmb.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	Kqqboncb.exe
File created	C:\Windows\SysWOW64\Kfpgmdog.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Alfadj32.dll	Lghjel32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Kofopj32.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Labkdack.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Kqqboncb.exe	Jfknbe32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjojo32.exe	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	Lfmffhde.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Jfiale32.exe	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
File opened for modification	C:\Windows\SysWOW64\Jfknbe32.exe	Joaeeklp.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Fhhiii32.dll	Nhllob32.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Mkoleq32.dll	Kilfcpqm.exe
File opened for modification	C:\Windows\SysWOW64\Kfpgmdog.exe	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Knmhgf32.exe	Keednado.exe
File created	C:\Windows\SysWOW64\Lghjel32.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Ghbaee32.dll	Jfiale32.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mffimglk.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	Lfmffhde.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Lmikibio.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Nhaikn32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Ljffag32.exe	Lghjel32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Nkbalifo.exe
File opened for modification	C:\Windows\SysWOW64\Labkdack.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Labkdack.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Nhllob32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2560	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmjojo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knmhgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqboncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kegqdqbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljkomfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfknbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilfcpqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaiqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmikibio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joaeeklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpgmdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knklagmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkdack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfiale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhofjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll"	Kmjojo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knklagmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joaeeklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2804	2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe	30
PID 2156 wrote to memory of 2804	2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe	30
PID 2156 wrote to memory of 2804	2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe	30
PID 2156 wrote to memory of 2804	2156	e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe	30
PID 2804 wrote to memory of 2432	2804	Jfiale32.exe	31
PID 2804 wrote to memory of 2432	2804	Jfiale32.exe	31
PID 2804 wrote to memory of 2432	2804	Jfiale32.exe	31
PID 2804 wrote to memory of 2432	2804	Jfiale32.exe	31
PID 2432 wrote to memory of 2884	2432	Joaeeklp.exe	32
PID 2432 wrote to memory of 2884	2432	Joaeeklp.exe	32
PID 2432 wrote to memory of 2884	2432	Joaeeklp.exe	32
PID 2432 wrote to memory of 2884	2432	Joaeeklp.exe	32
PID 2884 wrote to memory of 2576	2884	Jfknbe32.exe	33
PID 2884 wrote to memory of 2576	2884	Jfknbe32.exe	33
PID 2884 wrote to memory of 2576	2884	Jfknbe32.exe	33
PID 2884 wrote to memory of 2576	2884	Jfknbe32.exe	33
PID 2576 wrote to memory of 3012	2576	Kqqboncb.exe	34
PID 2576 wrote to memory of 3012	2576	Kqqboncb.exe	34
PID 2576 wrote to memory of 3012	2576	Kqqboncb.exe	34
PID 2576 wrote to memory of 3012	2576	Kqqboncb.exe	34
PID 3012 wrote to memory of 792	3012	Kocbkk32.exe	35
PID 3012 wrote to memory of 792	3012	Kocbkk32.exe	35
PID 3012 wrote to memory of 792	3012	Kocbkk32.exe	35
PID 3012 wrote to memory of 792	3012	Kocbkk32.exe	35
PID 792 wrote to memory of 2400	792	Kilfcpqm.exe	36
PID 792 wrote to memory of 2400	792	Kilfcpqm.exe	36
PID 792 wrote to memory of 2400	792	Kilfcpqm.exe	36
PID 792 wrote to memory of 2400	792	Kilfcpqm.exe	36
PID 2400 wrote to memory of 2196	2400	Kofopj32.exe	37
PID 2400 wrote to memory of 2196	2400	Kofopj32.exe	37
PID 2400 wrote to memory of 2196	2400	Kofopj32.exe	37
PID 2400 wrote to memory of 2196	2400	Kofopj32.exe	37
PID 2196 wrote to memory of 1344	2196	Kfpgmdog.exe	38
PID 2196 wrote to memory of 1344	2196	Kfpgmdog.exe	38
PID 2196 wrote to memory of 1344	2196	Kfpgmdog.exe	38
PID 2196 wrote to memory of 1344	2196	Kfpgmdog.exe	38
PID 1344 wrote to memory of 2328	1344	Kmjojo32.exe	39
PID 1344 wrote to memory of 2328	1344	Kmjojo32.exe	39
PID 1344 wrote to memory of 2328	1344	Kmjojo32.exe	39
PID 1344 wrote to memory of 2328	1344	Kmjojo32.exe	39
PID 2328 wrote to memory of 2012	2328	Knklagmb.exe	40
PID 2328 wrote to memory of 2012	2328	Knklagmb.exe	40
PID 2328 wrote to memory of 2012	2328	Knklagmb.exe	40
PID 2328 wrote to memory of 2012	2328	Knklagmb.exe	40
PID 2012 wrote to memory of 2988	2012	Keednado.exe	41
PID 2012 wrote to memory of 2988	2012	Keednado.exe	41
PID 2012 wrote to memory of 2988	2012	Keednado.exe	41
PID 2012 wrote to memory of 2988	2012	Keednado.exe	41
PID 2988 wrote to memory of 1452	2988	Knmhgf32.exe	42
PID 2988 wrote to memory of 1452	2988	Knmhgf32.exe	42
PID 2988 wrote to memory of 1452	2988	Knmhgf32.exe	42
PID 2988 wrote to memory of 1452	2988	Knmhgf32.exe	42
PID 1452 wrote to memory of 2956	1452	Kegqdqbl.exe	43
PID 1452 wrote to memory of 2956	1452	Kegqdqbl.exe	43
PID 1452 wrote to memory of 2956	1452	Kegqdqbl.exe	43
PID 1452 wrote to memory of 2956	1452	Kegqdqbl.exe	43
PID 2956 wrote to memory of 2340	2956	Kkaiqk32.exe	44
PID 2956 wrote to memory of 2340	2956	Kkaiqk32.exe	44
PID 2956 wrote to memory of 2340	2956	Kkaiqk32.exe	44
PID 2956 wrote to memory of 2340	2956	Kkaiqk32.exe	44
PID 2340 wrote to memory of 1776	2340	Kbkameaf.exe	45
PID 2340 wrote to memory of 1776	2340	Kbkameaf.exe	45
PID 2340 wrote to memory of 1776	2340	Kbkameaf.exe	45
PID 2340 wrote to memory of 1776	2340	Kbkameaf.exe	45

C:\Users\Admin\AppData\Local\Temp\e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe
"C:\Users\Admin\AppData\Local\Temp\e770611ef5dfbbd305b7c1a6bc55252588117e3c38d6fa0d5cd8f6e75abf13cf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Jfiale32.exe
  C:\Windows\system32\Jfiale32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Joaeeklp.exe
    C:\Windows\system32\Joaeeklp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\Jfknbe32.exe
      C:\Windows\system32\Jfknbe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Kocbkk32.exe
        
        C:\Windows\system32\Kocbkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Kilfcpqm.exe
        
        C:\Windows\system32\Kilfcpqm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Kfpgmdog.exe
        
        C:\Windows\system32\Kfpgmdog.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Kmjojo32.exe
        
        C:\Windows\system32\Kmjojo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Knklagmb.exe
        
        C:\Windows\system32\Knklagmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Knmhgf32.exe
        
        C:\Windows\system32\Knmhgf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kegqdqbl.exe
        
        C:\Windows\system32\Kegqdqbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Kkaiqk32.exe
        
        C:\Windows\system32\Kkaiqk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Labkdack.exe
        
        C:\Windows\system32\Labkdack.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Mkklljmg.exe
        
        C:\Windows\system32\Mkklljmg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 140
        55⤵
        Program crash
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfiale32.exe

Filesize
93KB

MD5
96f752fd214510d95e550b151a5a2f58

SHA1
75099733379a74fdc09fc20879226e4c876e71f8

SHA256
c269d792bbd235ef42a2ede259f4a9c9fb055282ce3359d4f6c170afb5397943

SHA512
0495b2fd08522ddf5218d668533e3fb6cb1f73ee9503b02b0a9ae490caae154d6568900311cb4ef90b3231365a7088f602df79d55350e33e4072ce7d29cd396a

Download Submit
C:\Windows\SysWOW64\Joaeeklp.exe

Filesize
93KB

MD5
286af3e628ae0edf2f6e4207ab7a3b31

SHA1
a56a2db1484be66d2ed4009abb03fe841597c087

SHA256
202edf06e1960aaa74b6d2b4f11985bce83bc51c20c359e2dc5756e5521f386e

SHA512
0bcb30e5ff8424987f435cc3c5ab79069cfb4fc2ac1c7aee75b7ce232cec6f71aca034937995b3713d1cfcfb42e725e61732f04b47671ba8260b2eb3a2dea566

Download Submit
C:\Windows\SysWOW64\Kegqdqbl.exe

Filesize
93KB

MD5
4f8d8bbf82a60452c4b3c86d8b866c2b

SHA1
6b236ae5d68d55a59429dfae3aed09810a0bbcc3

SHA256
3c59c9e3ff85877963e6e757c3a2a9f637af7556112c47fa0439f896a20a08e2

SHA512
c62a5a5c780ed66676cf9907e863d2daeb66d9404cabc803efebca351919a0ba23636c356424d23a21e6dc99edfffbdc0e4ee5ee474aa7be5d8ff56ebae410a3

Download Submit
C:\Windows\SysWOW64\Kmjojo32.exe

Filesize
93KB

MD5
f416fc14639368e8c1d5ef2d930ee1a7

SHA1
a61c716444eb4321efd472059cc8e7f8454323db

SHA256
987709bdd81fab9b2373066f4af5daaed31226b4d092480605c55a5557dfb61c

SHA512
50ee89e0ece4947a6437bfc4d0fb7cd2aa5dc9315ae3ed747ecf4e257331281d6291f76f8a3b9776eba8b6c9591ea72ec63d3db632423a03610e69910bf0595a

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
93KB

MD5
4cbd7b76adcc8bb867f6804eca6152b9

SHA1
1ed58d4d07bdbf04894deae5224bbd8c2f2e2bb5

SHA256
3c4fc69c18b86f294b17479524ba8de8393c7845a9f761322ad89e440ecac4f5

SHA512
31cce24ae5defbf2c90133d4fd23ed093320d50c02fd169fbd7b8141ee715acc2506b157e064196933c856ca5bae180867c762fcd0630ebd763efc076471e15d

Download Submit
C:\Windows\SysWOW64\Labkdack.exe

Filesize
93KB

MD5
0691782177e0239f9b5e27f155b20346

SHA1
e89b73caf19fbc78252c8706ae2ecc7f517272f3

SHA256
880c3577557fddc2f35ef00925ad2f71360dd50c10d06ec845d1e8fd0f5b3b49

SHA512
fcbcdbe73bf12e173fc6a6a11807c4d7142906c70fffa5100a858b500534ea9b2ac56a8a5ba97fa65e47f78fe3581ebaa78fbe966719828ac159db1d2f23958b

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
93KB

MD5
3432114afb6443d3d318c610cee8e876

SHA1
ee578023b266c73e85e55562858858fa85874c75

SHA256
60528f18df243d67d249d8b35d64f9d1d665c9776cfb892668f6da954f000d62

SHA512
23f1736ce556086d49c4ef5eb576881e3bded28845245b04954d2318cc3980520a54dd0d8b3d187827e38dfa5f749dab4c35211593176870cef00eeb3d47b638

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
93KB

MD5
9aad2879b802543376e2c76468b0cbe3

SHA1
0a6a7194babe76ff0217c113d8f2854099ab63fb

SHA256
c954b9ce5658f02e744f28edd43f7a55315890f42d8f70905bcbf60440247de0

SHA512
744b8fbf57a7ee3f59111abd77cb42d06e4f4681841701bdd3639bd905b3a2c60c7a254259d463c2dbaee97d04d13a0c2c373ed62197df1213a29d8fc8fca861

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
93KB

MD5
3f27943b00900b140b18f0ddee8f8a1d

SHA1
5f5a18cb83436aca3544a8cb558e5d7217babe5d

SHA256
be5ba87ca70266803940e22387ecc6883458481203442749fa1d5d3d9b248647

SHA512
a1c6c6e308ce1ef0610545d66a0e49f18c33b3524a5a3e8848b40853e451740a21ebd1ea07e2bfe0c86ab53fe8d1c77b0aff4ac9cf957ac6b4d4b11dedc0fb9b

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
93KB

MD5
cc9935d75d275f9e9b76e047443c5363

SHA1
cd8af595dae20669081a45e3d4585671f7c49328

SHA256
3a9e5a8ab0df65078dfa53eac0bde9178085faad49aa743f9ef1c79a74c44633

SHA512
05871ae70ab1aa991f3fdb0d719c7dadc730c1d21f7909fe5f138953739dd2f16feb3ef3a34688981afc17ac33b0fc0c338a760626344cc131610e59d00e2b50

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
93KB

MD5
0d8a21ff468750ff010558a0e111c382

SHA1
76ce8c29e8674c200a0819d1fedd574e3707a41e

SHA256
96279601ac0490fab690a9eff3721bd147103545636238b2ef64ac3297b77726

SHA512
bc5c7cb8be7b7f928b6b49999686b1ba0b6e2fb47c4b85082ccf41c52f335341772eb2453744b2a4bd5435828baf4aa1e930d4acd17172fce826b2596674c381

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
93KB

MD5
e1f2ca6f57a8b8c0865c876ad6ec4762

SHA1
5a18d5ce215547ad4a5bd2ef649630478cd3a556

SHA256
5870bae91ec5a70e8271eb91a0c33f2c10ef4e84c6f0a3071655acd5bfc60ab1

SHA512
051033fb314dfedb5a4f2a5ca2b518cd503b39c4a3f8da7f2f35a95289b700d729bdd66dacc56c8ac5495035473dde32d3cfc309830964509d807a57b70cbc48

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
93KB

MD5
727a8835e9cc53f8b76c5002e78c372b

SHA1
438d12afdfe745ec64ca4ab4aeedc5784b437544

SHA256
204cb1952b621a548468dec73d062735e5e67e0742cb419b987a08d26bbbac92

SHA512
04d804c25c0d9c57b7bebf92a6a2f877c07b5b2ebd29d90423867a32e6a7df41fb0321346085ae39ca6d579df52095401541669674aa1888fd10fb2e1b98b8c3

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
93KB

MD5
f9cc26bb1464e29120a0d40b38c3f1ef

SHA1
0e54499cc8eca43b521964828d664e8e064239f3

SHA256
dd667d6997790d5e38cbffff8b47d3452e13bd2a9190400ea57a270d5c3a1c69

SHA512
bc40aa8a8300dd692076b2aed3cc38a6e49834c120ae0192338fd837c14007d071394e05b91f3a5f3b564b5bdc7fb97674ced00f787cab0f680d409cafbada3b

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
93KB

MD5
f80f6c6c8194fcca920eda771ef6e99e

SHA1
da28c4148d2a1d625169470d03b705e3058ced32

SHA256
4e5756de76e3ffd0c1a50b96d8dee21eaf6d579819a5c12468f4f10e73c98623

SHA512
f319450a42f3c8d58f4cf4c885ef7158ebfe31ee93a30fe51dc931f6ac76acb6495fc9a33749baa7b75b43d93dcdbef5a18fdd897a2da3b67f4548b820f4523f

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
93KB

MD5
d06a92585408f81a3d80e2d811d528c5

SHA1
e245b0fbe6d127a2a0855bca5d8beba2e8b49fbf

SHA256
ee034e258a3d406073b14bcce9d404ef70e35ce72320191039000f29f5600a59

SHA512
f77f82c89859ad0c89a708201c49760fab5599933914d6ab440a4fc949f4cac58e3b0e96142d3982b038c4facee095c7bb3e11f21d26bb25a6b238dd03aed05e

Download Submit
C:\Windows\SysWOW64\Lmgocb32.exe

Filesize
93KB

MD5
bf45af874c735b84b4383f0a2fe6102c

SHA1
f71b0e45a1a50fe0a48277ea3744dc5416a6e361

SHA256
5ad060a0eb33518fae732a647ce10b3a19e12f152122aee5594c9e6930221077

SHA512
bc04e51513013d5b38e80e6bb13545af144df274c00d1b7d54c95756c31e11faacf7969a2a3672651a66375e19474e82829cdfdadc08ea2cba493de08852676f

Download Submit
C:\Windows\SysWOW64\Lmikibio.exe

Filesize
93KB

MD5
b3ad9d78e3260dba5f6888d4cca515ac

SHA1
df91941d428d53d8adc0c4cdfc7e0251e14530bb

SHA256
2d24cf62e016d574597d0c55d6f61551acd5067f6803e2745ef1203ee743676a

SHA512
fad8bc9e190b706e43352a77202e9244e4bc20f4fc7796ad1f275751168030ee91f9d377b90b52804dd7eb977772103a98be3e69ccbefeb5d7ef7b17af3ffd60

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
93KB

MD5
1b135edaa5e3b589c737463a26c10800

SHA1
97eb4fe6b1c5b12e3f2d5ace7d206515b47146aa

SHA256
d6a7a727e14bc95527b2e344a3132d7d58b62eea9535dc4f5de7a7a6d236f6bd

SHA512
37aaae799e4530b084c0c7d06d2e60eb44411d158c098c43cfedae2a2cf0d510d734efb72b6437de22ac6e40faf7cc6fba00beb9058c468977cf6385810bb6c0

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
93KB

MD5
f3bfeba121dd3970f053ab5c09b508a3

SHA1
3e8bc7d73ea626347233f68a462af0f455749645

SHA256
396ab312161bfc6ebbfda1cb224bdd705267a2217ab39d72a475683d009effc6

SHA512
7104823f05c537e5ed526322177346725cbaa0f1e2d77abe9bd5ec20f0ee38f87c6e81eaed7d764055ca3f3422d30293557793df40a78034ede4ff3562e39418

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
93KB

MD5
bd1642e5c1949ee4dc9effa948569929

SHA1
8de065ee9eefcd4cb5656f7092e055e79a660bce

SHA256
a2191b67b55c4cd4f88d5eebe7ef6db3737707c5e62e95b450a0ffbe693037d2

SHA512
62f6530df44e1de895a2fade8989d0911cea2e276540c8567847cc2338ff32b04ddae3b154d2a7868b3baad58b8247dc49ef7285f7ce36e9e77da8180d151bb6

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
93KB

MD5
2fe3580857d1186113397f1597f0725a

SHA1
81681e0d1e09125dbcf5fa1a436deb4e5605f2dc

SHA256
d1dfccd98d991647558adb16afd92383588a86446f18ee7cd63d8cf40c8025f6

SHA512
92b0b19f578d9b4f59ceef13d86c7153e5b5acd0ad28c3670246f3fec306f6a589acdc20f00139e21262c12a29cee6c432dafcc058f527abe835dd76d790d8bf

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
93KB

MD5
fd300c9a77283254775a6b6548dcd3ef

SHA1
76b31c6c91b206429054cb302ecb65db493ba345

SHA256
a7c4d0e9cd1520462363609ddb59dfef1834c3c238370ccc6a5d9beec713fe38

SHA512
16d4270e1ca1a2335bead57f8de6300478c3aa3f2ca5a937ef77b59d9f79bc8494273dedccad44c601662192b9a74daff5a85aa3907ae1742d56ea575c71e26f

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
93KB

MD5
45410757b5040cf02e78b0840d2ea5d6

SHA1
b002548d245caf0e8e815bf0f0c27194d10c81e9

SHA256
f07865a30cc292c18f1c9e3dea971baff3bb70bedf56245fbf265a352d4d12ce

SHA512
c75ef9962c2f1f9048415a89cfaec7398901f458a4e96c3a7ed89d97fb054ebe1c4736561441d74830894f1739b4e0b914ad37433e790f697dc9fb312a918b2a

Download Submit
C:\Windows\SysWOW64\Mkhofjoj.exe

Filesize
93KB

MD5
ddfeebe5fdb31963a6b8a1f9aa2fa156

SHA1
dbd654964f4ffa088e02f0d63a7ddd2c530df078

SHA256
f059a1a24aef95f29e805878801dcb8c70df51e4a099372d299110c855b85140

SHA512
93cd50d6752ed173249ce099b44774bee30eb6b075eac04fa8682c4a82a962f2e8e394295b2b7beef01a4fd2b1dfa441dcb504371a5b2878e1c5d7ac5fc115be

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
93KB

MD5
32e0e6e7c3ea364234aeb530cf898164

SHA1
d7fec8457865506312795f3e20f11ebd570e6362

SHA256
7739530a9e5943b4beb4d1a518e7c4a37624813f94ce15f9e15c2dd9568310b4

SHA512
bb562a9db41f77b9e4dd25ffb265ee4813af5cd28a6e4ccd3958d8230208cd9473ce5402242d411c35ece016f81e4415af927391639bbc5a9d659b96f15593a0

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
93KB

MD5
25ea442adced7580676334c726facb2c

SHA1
e53180b5240f174202da3323df8a68ce33e06cf6

SHA256
f4ed08b08a2e5b57baac35a4fd0ea63763c7c8b401b280fd586f8064b49ade21

SHA512
c475ae4b951152146769bca58f715ede5af02ac1747df80c99dc15739b3b67d884a10a25a77eec39c58430315d5526ea5c940d51888a15e9fd6ad73f64fb9e94

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
93KB

MD5
1dddbb5fb030f1dd85f9a3da2c8e5e11

SHA1
4887960130e91eb1647cedcc6e0efece9bc1b2cb

SHA256
8777b8f7d8fa22e05d5577a691272437f71e4e2e4bfc96041942a5ec920c59e7

SHA512
1fa23cd648cc57ff7b091dba29715193470899a11745752edaa1f03140cf22e2436af076e5a3db0cb07692e9a7102e3bb6fbc8d2484397a8419d0b0855660069

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
93KB

MD5
99d17f1506bb5f283828ade9f2f01999

SHA1
028cb43592caef8bbd3012572280230d35b92db3

SHA256
adc6c1e1c9c284d040e47f9023131712f2470c8d23504aeefa6885faf070f944

SHA512
4e8c3cd2f24417c0d6244ee82f45fdcce681f2baf58ddb809f9e304acb4d6cebd5e0650329a07624d9d441fb7eb43d3a0de6f511ee02700ae5a9d0e05ed3b200

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
93KB

MD5
e00e20750985834cedaa176b89551721

SHA1
c57d37b7d9fbd1a06e1ad2167d9329fa900e1dfb

SHA256
d18a879500381f783b97d93b6b7a17193167bd4cb9f9f9bda2bbe5e0351d395f

SHA512
87cdc0ea7f1fd80f808e68545e02a062b6d15af1f7f7393716e153675a033ba2f7d19ff310b70a9b97e6a0ee981b0424d8781ea3ef26b8ed7201a91357ce5ac9

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
93KB

MD5
d7dc44b525485447dfd509ea0ae4f429

SHA1
b75c5b5d55256b845b1f518de745b6c2dd04a1f0

SHA256
40515d92800ce2b9ed0911bb706f65c7f25f1721ac3b86d7481e13e0d172796d

SHA512
7cb3e9d8abf044722ad7ef4ba96d72301792710ce5673386209e88f246fb2914896c4a3466b1c2b084a340d351500a8c5580a03a6179f6885cfe47322f5bc0be

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
93KB

MD5
42e386af295630a5c3ebadecfc1f90ba

SHA1
3a17dafa0d2b43c551f0c4a6e20515b1e12a2ba8

SHA256
d7fd907bef18a9465fc38b8501ddab41810c6669bceb1c89c1bbe9584126e506

SHA512
ab4a41a2b6cc5998d3ab8ed2762340b2b8e2411370488c7bbd076f71664fbf9f50da127650f623cf25285b64385fc3e93590ec626bed72eebb0826cbb112ff92

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
93KB

MD5
f7f15ca6f232b949cbd3991fb8860421

SHA1
f46f04ff822e69920a7ed2d815f88a4b00aca6f3

SHA256
f898f270119ac436b836d5011f481a52bd4f36ab92b3aae1bd151dd6c8b1e139

SHA512
c2b69e4a5207bcc7d643bd75d8426567664026c875ed9a840268b17058bdd84e13ad26443a530fad027fb4f8c1733909c00cf00082582f074c2af5bd4dfdf12d

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
93KB

MD5
f76a37a5c3bdedc02142d2b80cd5d1f3

SHA1
bc89f00b3966089c4c8f2f9b5499569f062be9ab

SHA256
c0591595c44a9ea87af75cbb4b37bdd3a567c293ed1b07d4e1d1c45e9791f191

SHA512
b02c487cd1385c80dc1258c9d9b73d44bfadb720e8fb3a407bd63558883f5dfde62224253aa059f756549da877332372098bdadd306db6bca485e88b2acac085

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
93KB

MD5
44a16ca1af2037071c58614b670f8a5c

SHA1
8d077217c228590d7d21c218ed6a24b21c02a59a

SHA256
4bea9c829c6651f02370dec72586c5e08335b3382b19bf9bea2d75ce421386de

SHA512
bb136aae95dc634aca4438fc947a5c3d09ead9b52f74910aa6e935f6fb244874f4eac238a9dbaa1b0d29e125387cd3f175c822fc20ae1025465331372d5ee0df

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
93KB

MD5
0f9fac9086d761edc40d4122d3544c2f

SHA1
710381807a999d10263b5112a64eb6fcf834c55a

SHA256
b5257e7fa33680170b2ac270444f5c02864eb1f41ab8ca50f6a18f8ab5b44689

SHA512
5c65196b743753c843f3ea13babc8bda82de96bb1de7e1db925eb21547f85a2a1984afaa1a4394ae113533a02b79db30c1ccba9f29d52e48641387cea17ab13f

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
93KB

MD5
93c8fd95b5e712316c5431437cc30fdc

SHA1
3447c1c7349eff5a2f334f850cebae2661e216ea

SHA256
76757a0670abe7a1507bb9afc4e2ccd80cf27a3dc14310c928a0ee4a07933d23

SHA512
d4afbe4799a0054fa4918cd984bf8933c6fa374ab9cf3e4b7cebd420cd79f93f9a2758bc6c0b5d14d6ca7d2356722752651ca0a4b5262d175f94191df9481492

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
93KB

MD5
6dc6b4eaa9e4b236ac9cf4f8a790dc38

SHA1
4258749928b122305a5c3a9477f5d28bc40ba45b

SHA256
d257ed687466ee2794df30c9189a88825ff579bb633d223310c1e5896ab671b3

SHA512
86aefbd76911df82f23273fc0f30a2e993237ce1d047c170e158420eb3c9309268c6bf7d00c454f52eef833cda8b9b2a17e275c6e996318f1b1677ca1b4c78ff

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
93KB

MD5
c4cd06ab631e8b1e85843b2950475715

SHA1
3026cea05104b0aa4500958c9916145fe1400277

SHA256
4156f87da663726ff8911f76cd5944797a7dff2176116f4fe0508f6ced47ce2b

SHA512
0419f92fc229ec1e2d7d6bfea405bf898ea34e29bcaa917ecab297dabf67098e6af87f04c71ce9654916c9315e6392c9ec1e0ee5a47080b957d9bdde43598717

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
93KB

MD5
c37cee73e728308bff1a11fe35f31f72

SHA1
1ca278a5bf50197e6531eb971a0d5a03b49e7e90

SHA256
b1b513199060ad82f07b0c05a649c79a4b878cdbed27124f5996d1ba7f1c1d66

SHA512
d896196fee0554ed5919c0b08e7e4fd89ead299a772dfa301a6c726f906dacd3932de49478ddce9f17850e787903399986d45d2382a4e2856396fd50b7b4492d

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
93KB

MD5
aa7ba7397bd6a4b037f62c70b23b7d62

SHA1
aad22f9844220f5caf5d97de4ad0e2d2ef084f5b

SHA256
6068b62571e0e3ff7c43a4ab924051f7739f5fd7938725f5bb3dd1871fdb4263

SHA512
0bc2bc455e5daf944d3bbc1acb81545ff45bb07db5adc50ff4f388e91bfebca611d7b07b965d7241a7ae634ce8d8bef44a9407ab7469b970c046be624cb94bee

Download Submit
\Windows\SysWOW64\Jfknbe32.exe

Filesize
93KB

MD5
c385fa2406fabc7466134c3f0d0259b4

SHA1
f1a01d563b4411c81e43eb43d3d434b1ed9c136d

SHA256
0e4190a2b5fe4400cdde72f174c6f67e258b191937a434e31cb6ee7110ee6b8c

SHA512
b06e48eb977a1397711f001d435e6a296753235676169b9721a0848b88c34dda6cd8ab29746162b692b6196f2e82506838fbdc7633b7353adbb042360ff30c60

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
93KB

MD5
8de2f6c0e8683ad233f65e107845a66c

SHA1
64cc6a92a05fe051901d5ad64141a5155ad739da

SHA256
251c29537f203d5f447363f5925dcb912cb9354a12fb8466c87f759cf15554d9

SHA512
219142ff6e99d5d303905a9b84745293291b01ab031f399ba4b3e66f08396f89072a928ed2557111a9eee00ea5031acd02f5c9505f97cf13ea0b088626fd8309

Download Submit
\Windows\SysWOW64\Keednado.exe

Filesize
93KB

MD5
201f46f359b5ebd337da92a5da3cacde

SHA1
e4128ef340f80f293d9d724bae56db158c8cf251

SHA256
bcc48414f4a5c036ae638fe1ecc8a0aea64ae72065de2bf96432e68e3691534e

SHA512
05975cc9fdc3077bc58fbba0e6dd68bc82fa7f25b1a7b392def059130ac4ce4a6da283ab4e992dee8ad8f12f09ebc12a83bf66112841abd939e613e0476d2206

Download Submit
\Windows\SysWOW64\Kfpgmdog.exe

Filesize
93KB

MD5
f2d6a545b8a873aa3d052c4240d66765

SHA1
b1933d64e4b3d31cf3847da8f7ceb05952177e6d

SHA256
e42fbcf964389fd92a01580ded3d4b549a4a42d9b9b21cde2ef5ad867288eb0d

SHA512
79eaa39d27eca788fdf10645ec8d9f6627779b0caad8b0a7f9bc0c0aedd8394e0634d1db0468b9d3af78cbc947f0e3743c9580bedd661d479de8def0104e6897

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
93KB

MD5
5c4429144eccc5313cce5f41d1bb79ab

SHA1
ee10d56de6504dd3678e9aa3713a539fbd7e41cc

SHA256
c6b5b3cd6512605feb8f2b8a57bacc6258eda6bf2700e6468c37da3cca80926f

SHA512
0975aa3edfd6b90eaa41e8435b87f131aaa64b2b1608d1b783d747116d8d12fd83936070933c79e0ddaaf4ad5d5fd1b1de041ddb268290fa215a24fb2cd5d49a

Download Submit
\Windows\SysWOW64\Kkaiqk32.exe

Filesize
93KB

MD5
aaf1427330a888e6e8ad02db47a60fea

SHA1
2b0fc706aac2bd97e36de0717b8d22c7b25c53c0

SHA256
35561ab232ed45a7fd5339fdc2fb14893080fc86a5bd501660ccf1f921b81360

SHA512
dbea72278b6f42d945cdc89c2e17882dad42c1dad8107972458c75ce67b9ff24f713a465681d673d0ee03b786a4fd507c4ec619dcf1d46394e072afcef8d6572

Download Submit
\Windows\SysWOW64\Knklagmb.exe

Filesize
93KB

MD5
5e49137772d7db337819ff1cb7a32fba

SHA1
81e212476b636be0e41a8d9a026ad7c136a4c01e

SHA256
9c27ec5c405e905187b1bbda679954c2d09b986d0257026195cdd4a22213ebba

SHA512
b8d5408be6301559c941dcec7e6246d51d1a733c5f8872474f384633249c6e51f5b851b0e106582df6526966f5b4a29e9fade03469fbf4c5e6e3022e1435d48f

Download Submit
\Windows\SysWOW64\Knmhgf32.exe

Filesize
93KB

MD5
458b6ddfb20e1708ec0430993d3c27af

SHA1
871c0100575588fa600910a0df2ea0c8aaf7ca4d

SHA256
e3df0e2bd850958bb7048dd7886bb8e7a4516a0ac7256dbe47e0eba6369ade0e

SHA512
ae4c8efb29e27c811978a3931befc57cc6bcd656c213d208cd1335bc6a5a632dfc2f07d0d64c76fedf64f0c9a491677c1dfa15a54fe0923ac403cbf579cb0bbc

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
93KB

MD5
5d8649469a973ae97322154acc329586

SHA1
5af8d10680b7800a36931368bc644ceb2ce23b8c

SHA256
c82258bd92e876d65ef3dac43cef650b2b005c5283393a96d26f62e09d32cb67

SHA512
7dc81368a1d112f4e920747edfe8c8e7cf3bba915af7fbe4ea094780015de5deccc5f807ee3c77ed42de35f8f6494ab17b153051a7e4c13224bfd6d1a03c51fc

Download Submit
\Windows\SysWOW64\Kqqboncb.exe

Filesize
93KB

MD5
713ce836d839fb5cb9b1cdb0c0189b16

SHA1
b734e1e8d18d4d51a0bd9404ad968d468a5badb9

SHA256
5d1a95a9ea5f83a4fb6b8213cab1756034c6d3507ebfa6df4e3c67bdbf228b4c

SHA512
82b8714ef89c8cb3a0895a56112aac9ed8f70c598fdc51c9527d06654bd18f2b579d4f09ccc6510e7355cfdd770f4ba693219668a74221b15da912d1dbe1d6c1

Download Submit
\Windows\SysWOW64\Lghjel32.exe

Filesize
93KB

MD5
584bd0012c2f5b206cf803f701f7cb0d

SHA1
2bdfa07de37bf968b2ab76f6e84b571204743783

SHA256
d0b6951185a1ece04c847221a75a527675e66fa923cf168ddaef603ce0077c4f

SHA512
fa0d5e309270b3cc683bb5c2441ca9866807a41869b7af3b74edd529a832cf708f698513c79804766a1d2ef5e0ec19047b59a9b99fa77292a965512db1d41d62

Download Submit
memory/236-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/236-526-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/236-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/236-521-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/444-501-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/444-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-372-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/588-375-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/588-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-285-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/652-647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-281-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/792-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-493-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1136-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1204-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-227-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1320-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-295-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1320-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-352-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/1396-348-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/1408-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-450-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1448-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-449-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1452-177-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1452-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-477-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1640-471-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1676-535-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1676-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-220-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1864-263-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-406-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1944-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-422-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-421-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2012-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-156-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2156-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-340-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2156-341-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2156-12-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2164-396-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2164-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-113-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2236-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-139-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2328-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-203-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2340-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-100-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2432-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-254-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2448-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-327-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2716-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-326-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2716-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-316-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2804-21-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2804-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-27-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2804-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-439-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-338-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2904-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-165-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3012-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-74-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/3024-272-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3032-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-305-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads