berbew | 3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Size

451KB
MD5

ad59eaeec9ec8151c785ff92f3bfdc70
SHA1

9059b494cccf4f82c0e58bfd94786a617311c26a
SHA256

3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7
SHA512

a31bfc4e8f79f2b434d7931afe044485b46127057ebf38db3c0c1f7c5c6f1bd4191c95940195d658744140bce787bc3c73c82c3eb71afd811b931e8b9029f466
SSDEEP

6144:CgV/GvSwPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:C7I/NcZ7/NC64tm6Y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2412	Kfmepi32.exe
444	Kdqejn32.exe
3212	Kbceejpf.exe
1016	Kbfbkj32.exe
1856	Kmkfhc32.exe
4400	Kefkme32.exe
3412	Lbjlfi32.exe
3076	Llcpoo32.exe
736	Lfhdlh32.exe
1500	Ldleel32.exe
3260	Lfkaag32.exe
2888	Lpcfkm32.exe
3720	Lmgfda32.exe
3516	Lbdolh32.exe
2376	Lmiciaaj.exe
4584	Lllcen32.exe
5108	Mchhggno.exe
3032	Megdccmb.exe
4416	Miemjaci.exe
3592	Mgimcebb.exe
3048	Mdmnlj32.exe
2432	Ndokbi32.exe
3776	Nilcjp32.exe
1368	Ndaggimg.exe
2796	Ndcdmikd.exe
3868	Ngdmod32.exe
3472	Npmagine.exe
4776	Njefqo32.exe
2568	Oncofm32.exe
2640	Ojjolnaq.exe
4608	Ognpebpj.exe
1048	Ogpmjb32.exe
2916	Oqhacgdh.exe
3328	Ogbipa32.exe
4616	Pmoahijl.exe
3768	Pgefeajb.exe
4008	Pmannhhj.exe
3228	Pclgkb32.exe
3312	Pjeoglgc.exe
2896	Pqpgdfnp.exe
2052	Pcncpbmd.exe
3236	Pncgmkmj.exe
3332	Pdmpje32.exe
384	Pjjhbl32.exe
4548	Pmidog32.exe
2912	Pcbmka32.exe
1516	Pjmehkqk.exe
2248	Qqfmde32.exe
3984	Qgqeappe.exe
3232	Qnjnnj32.exe
3100	Qddfkd32.exe
5028	Qgcbgo32.exe
660	Ajanck32.exe
1848	Acjclpcf.exe
2548	Afhohlbj.exe
2928	Aeiofcji.exe
1528	Ajfhnjhq.exe
1928	Anadoi32.exe
1440	Acnlgp32.exe
1912	Ajhddjfn.exe
3844	Aabmqd32.exe
3452	Afoeiklb.exe
4348	Aadifclh.exe
3480	Accfbokl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	3476	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2412	1496	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	82
PID 1496 wrote to memory of 2412	1496	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	82
PID 1496 wrote to memory of 2412	1496	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	82
PID 2412 wrote to memory of 444	2412	Kfmepi32.exe	83
PID 2412 wrote to memory of 444	2412	Kfmepi32.exe	83
PID 2412 wrote to memory of 444	2412	Kfmepi32.exe	83
PID 444 wrote to memory of 3212	444	Kdqejn32.exe	84
PID 444 wrote to memory of 3212	444	Kdqejn32.exe	84
PID 444 wrote to memory of 3212	444	Kdqejn32.exe	84
PID 3212 wrote to memory of 1016	3212	Kbceejpf.exe	85
PID 3212 wrote to memory of 1016	3212	Kbceejpf.exe	85
PID 3212 wrote to memory of 1016	3212	Kbceejpf.exe	85
PID 1016 wrote to memory of 1856	1016	Kbfbkj32.exe	86
PID 1016 wrote to memory of 1856	1016	Kbfbkj32.exe	86
PID 1016 wrote to memory of 1856	1016	Kbfbkj32.exe	86
PID 1856 wrote to memory of 4400	1856	Kmkfhc32.exe	87
PID 1856 wrote to memory of 4400	1856	Kmkfhc32.exe	87
PID 1856 wrote to memory of 4400	1856	Kmkfhc32.exe	87
PID 4400 wrote to memory of 3412	4400	Kefkme32.exe	88
PID 4400 wrote to memory of 3412	4400	Kefkme32.exe	88
PID 4400 wrote to memory of 3412	4400	Kefkme32.exe	88
PID 3412 wrote to memory of 3076	3412	Lbjlfi32.exe	89
PID 3412 wrote to memory of 3076	3412	Lbjlfi32.exe	89
PID 3412 wrote to memory of 3076	3412	Lbjlfi32.exe	89
PID 3076 wrote to memory of 736	3076	Llcpoo32.exe	90
PID 3076 wrote to memory of 736	3076	Llcpoo32.exe	90
PID 3076 wrote to memory of 736	3076	Llcpoo32.exe	90
PID 736 wrote to memory of 1500	736	Lfhdlh32.exe	91
PID 736 wrote to memory of 1500	736	Lfhdlh32.exe	91
PID 736 wrote to memory of 1500	736	Lfhdlh32.exe	91
PID 1500 wrote to memory of 3260	1500	Ldleel32.exe	92
PID 1500 wrote to memory of 3260	1500	Ldleel32.exe	92
PID 1500 wrote to memory of 3260	1500	Ldleel32.exe	92
PID 3260 wrote to memory of 2888	3260	Lfkaag32.exe	93
PID 3260 wrote to memory of 2888	3260	Lfkaag32.exe	93
PID 3260 wrote to memory of 2888	3260	Lfkaag32.exe	93
PID 2888 wrote to memory of 3720	2888	Lpcfkm32.exe	94
PID 2888 wrote to memory of 3720	2888	Lpcfkm32.exe	94
PID 2888 wrote to memory of 3720	2888	Lpcfkm32.exe	94
PID 3720 wrote to memory of 3516	3720	Lmgfda32.exe	95
PID 3720 wrote to memory of 3516	3720	Lmgfda32.exe	95
PID 3720 wrote to memory of 3516	3720	Lmgfda32.exe	95
PID 3516 wrote to memory of 2376	3516	Lbdolh32.exe	96
PID 3516 wrote to memory of 2376	3516	Lbdolh32.exe	96
PID 3516 wrote to memory of 2376	3516	Lbdolh32.exe	96
PID 2376 wrote to memory of 4584	2376	Lmiciaaj.exe	97
PID 2376 wrote to memory of 4584	2376	Lmiciaaj.exe	97
PID 2376 wrote to memory of 4584	2376	Lmiciaaj.exe	97
PID 4584 wrote to memory of 5108	4584	Lllcen32.exe	98
PID 4584 wrote to memory of 5108	4584	Lllcen32.exe	98
PID 4584 wrote to memory of 5108	4584	Lllcen32.exe	98
PID 5108 wrote to memory of 3032	5108	Mchhggno.exe	99
PID 5108 wrote to memory of 3032	5108	Mchhggno.exe	99
PID 5108 wrote to memory of 3032	5108	Mchhggno.exe	99
PID 3032 wrote to memory of 4416	3032	Megdccmb.exe	100
PID 3032 wrote to memory of 4416	3032	Megdccmb.exe	100
PID 3032 wrote to memory of 4416	3032	Megdccmb.exe	100
PID 4416 wrote to memory of 3592	4416	Miemjaci.exe	101
PID 4416 wrote to memory of 3592	4416	Miemjaci.exe	101
PID 4416 wrote to memory of 3592	4416	Miemjaci.exe	101
PID 3592 wrote to memory of 3048	3592	Mgimcebb.exe	102
PID 3592 wrote to memory of 3048	3592	Mgimcebb.exe	102
PID 3592 wrote to memory of 3048	3592	Mgimcebb.exe	102
PID 3048 wrote to memory of 2432	3048	Mdmnlj32.exe	103

C:\Users\Admin\AppData\Local\Temp\3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
"C:\Users\Admin\AppData\Local\Temp\3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Kdqejn32.exe
    C:\Windows\system32\Kdqejn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\Kbceejpf.exe
      C:\Windows\system32\Kbceejpf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        26⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        39⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        78⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        85⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3164
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 212
        102⤵
        Program crash
        
        PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3476 -ip 3476
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
451KB

MD5
23adb554216cd1753b2474517ee8e53d

SHA1
96c917c1fbbdd104c775d2a79f9ed7308b103c9d

SHA256
dd9693f216dc91deb5ce8bddb6ab1f2992e063431da4a61264b7e8aabf64fe35

SHA512
143a92d7f302a0f270952e95295367c7c68bccbb572d4ee9f7da35863582067d489e441f052e1908af1391c3014aa8d8b310beee0c06e2c3c6e0cf493bc133d1

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
451KB

MD5
9623410ff019722110ee93139f24f5ad

SHA1
3b2851b2bbfedbf9797ed0da9cf29f050b8f9f99

SHA256
f05237bff807d3fd806ee69a7a2b26df592663d7507ec30be4d07e4561546c1b

SHA512
1add2200697688daaf612e270e26fef58983bb68b84f89f1d46c4c42f58585ec096d1858a6262c96e0e756cb92b9d1ba63ad91f573f8d340f9fd680bd1c649a2

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
256KB

MD5
2ac28b1d5df9801c3572c9436eec6fea

SHA1
d2e7c9b1781c9cfeb30ec9e1ce5bf4b10ce84252

SHA256
13de7954a57d5352e0d9df3de6fd351852ea0ccb6dce94404b21aae284ac53b3

SHA512
f5ff96dbb0024fe684b323fa054e13f020961e018ea6ae2d984861e0817914c0bf8f331560437bfcc0c5a3f303fdee54c7cce2815274badef195ea71478179af

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
451KB

MD5
c2aec9d9464859c815f5ededc9cb13d1

SHA1
41ef39d1ed55544830cde4a75c9cdce9516485a4

SHA256
b74113bb4ed9711c5eabe8676f11a5056efef07be5ed0308879a32011536914a

SHA512
c91fe6485ebcb3cdc7736b6372c92f9e5e406971df02d2b640cb779c918b4f46ecff2311b0608fa1d56a947d756905db9192e7e6ab954f1b1dd73404a6b5d1e8

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
451KB

MD5
52c49717a4b27e2a17f60ed7b10f59c8

SHA1
a89135dd58e13e183a381c911a7aa4eab2176ab9

SHA256
eb3a672c3b5c08b99b69e2955f86a0afb1ddf0acec4bf5e49406b9c7b4026d6a

SHA512
6a4b1df44e9537683e3c56129686adff8eeab2d8ab2b8ac27e10947b61403f171b0bce4125bbe32f0ca8d8cd8169165dffd7dde9a55312240e92e341a2ed8001

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
451KB

MD5
6c16fd5beebda5996680e25077ff450d

SHA1
2a3d877d4972c1661c5b34f66f72a88d5d418310

SHA256
df6793d0999cfbe5f379ad638465c6e66ca706ec2f234feaeb751d77e987e88a

SHA512
77a6ebc7892ed4455bac9e20a4bae45d692d6bb6ba2979363ee3aeee56f6eb38685ff5ac254ff8a80def7d8359a0e6d7b400057ccad80d308b598547deb3599e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
451KB

MD5
54f41e10729a54533928028cb85f2100

SHA1
252871a11e814a48a40f7546380050b535ce9658

SHA256
e8902d8fe9c990e653f2dbc2c876b7df6c89fa4578ff827fed552813927d51f6

SHA512
78c74f459e08a457fc0f68a31a7f4a023ed0573b121660aeb2e8eeb074f8afbcadd411f7dd876f3c31474f4e9240dce6b44457d2d8edcd8e9237ff4892d43028

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
451KB

MD5
d9fbdfd69711f1e789a7489e7b0aa1ce

SHA1
f26f4a5ed0722583bfa9964366b0afb57b5ebbee

SHA256
a42210b657840bfd31adab8f6e8b39d7c50f4c0e039137980f30cad452cb6f8b

SHA512
afd4a8b674627e19914bd5c3e7b63650adaa6e98bde2693b487bb6e8fb00834d9e3810bef94656079fe312c39af15242efc5c8937581f0eee7c2694cfef69693

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
451KB

MD5
3760892cf66e48570c85229b5ccdcd99

SHA1
d3a88fc204b62fc03b3ae6735b3c00178f65a59b

SHA256
bd67794403065e536463845f534fb80164ff7b4ad2290a731b1b51c4f7375ea2

SHA512
7c4942570e82a252c60be623a4447312c4c26094cabf198252c4c8471fd635222ce6635fe013511d8be9d6c81d4c09a5b76fb550ec0540b4241488d418239c90

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
451KB

MD5
fd959e8f6828ef63f7fe99bcb883ce23

SHA1
6cb3792f820d3b079b35cbf4fd9533815c88eaed

SHA256
277402deb4b9ea58c91c190da4fc98ad4f4cfb2799535b9d3593dd5221e6a69b

SHA512
b51afc502a68d2c07a819a19d259753969c8f9e5b08ce3579da3bb443439757a80f4450466de4aa5d4f0090484a8ab0183f8933f5ecbbe5e164816049c77cd8a

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
451KB

MD5
4f31f4475319cd74d6fae3eff368ee85

SHA1
bfe9d099429342bcc96ab4e5dbf375fcbfc7f427

SHA256
19dae6a01c70ede1787219558fcb5418bd46ad9b5f7dcbbfac4be02bbd27eee9

SHA512
ed7e42433267107b75e99364c87b2ba46591429a2984400df489989c06d410382dba5b058195a9679423ccc9035038b70435085fcba0b5d8284d711c00e5e2b8

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
451KB

MD5
49225f8b74577dae7fdba4c6336e0305

SHA1
ba69ad366b5fca46ef87bd08fe2de5d62d33341f

SHA256
4606776ec58af6766e61b68a007686c1ca09946d9fb811977033a37f759323ce

SHA512
62c3fb0c2e0218d80b481a948c8244eaac2b8f12261191c5ad22961f865fdf56bd685634983ab8fb859f88ca59fbd3f818824814e1843af437ad4a94cf2ce424

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
451KB

MD5
4946603270723a55e99d3b118d9515c5

SHA1
83b539263937cdaa91751b3cca9b245eec889e6d

SHA256
be57d1b260df5e7b942ed763db1d9105e0cbc16db9f1b957097f8aae02241057

SHA512
3b08ebf87441352d1532a9197260ec3a9a4e08c041dac680bbb8ef490bdf1cd9bd192fa091e08cd42a5b74c76cd72b0f3255c3db50445791f628bced14f79bd6

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
451KB

MD5
807cb6250b916b542eb395270c5ecd76

SHA1
61698ab6539bdc313873b2ffecd40e90a57445da

SHA256
f5f297fb5e6ddf5d08275cef5506e94d9431f982108a7d0faf40f5fdaf94986a

SHA512
dc5bc7487c1f35ebc9f02c165ba33e10e28882158ce21a870676fef47f34f69c03440fcb06e57749c4a84f08fdc2481fb79e3688dcf9a912650d591313e58c32

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
451KB

MD5
d9e879f061de1a3aaeb2179e628bed9f

SHA1
a50f02b55e5134292f437d0615a655ce054dea41

SHA256
3fa4c79d301ca40741ee1777969358fea5736b18baedce70f5200ab7163a9aab

SHA512
cc2d2195eefe8b25865f0aeabbeb70fbc5a7180b7dc2c628ab26917eb697ac5018b994c19051bac422e40ea2bd0e85c727d945c4682cbe1d2b79d58b0ffba304

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
451KB

MD5
fd2da323e8723579e8b912963f6ee66a

SHA1
edf1d6a1ab4c2db251629ea1d0d16df52e5909ef

SHA256
a764209a2d8fa5cf61bb44a9334b2b1fa741181b78f84c78918336347f2c66e3

SHA512
ecd646211b939cc366b35e8fab31b1feff6280d99b8a231c0bf16e16e2af9161f2ef617a1313ef1236a7de0f2a016a1ac9f42d16c36f56597946f7ec29b8de1c

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
451KB

MD5
5d10a8d8c3b6beee7880df48c4d1cb5a

SHA1
357be520d1766df9303e39df66b9b6831f4f7e3a

SHA256
d26482826c6eeee2249c054d9c0987d932f5290be4225e2c596380f0edbd2fbe

SHA512
3d377a0388a70a1bdae994d5acf4358e0d4cbb834552eea509d611e758748c5c7dd641fcaf1afb4865c73ecbc2255c6f579f6eef23fead121ccd3169bc13c90e

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
451KB

MD5
57c24b2f93809a88ef23590b59b7c295

SHA1
f0bf0c081922b0e41ee5246732065d739bd74457

SHA256
8adb1e58e8a57490279c1340ac646e38b776f83fe0dba350ff693112f274cf46

SHA512
96d36f39945c782097fbed66d65bd0c25c08df289b58187b122d7464541628632b06b1ebcc0ace673adb07dc4c27f3bf34a3878f0ad0e3ef33e09479062ad4aa

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
451KB

MD5
d0a2cdd62aebce4464b50ce6d7c22395

SHA1
bda9dc9ef62707a274c03b120ca0d7082cafffef

SHA256
b73d9039b8d4f7e23a1e0b73639044fa8f88eb12d395e3f63a0fe0f74c441808

SHA512
0e46e01f2c8c93b69ef1baaf992eea185a4704ae4cd4d3fa863e075d7afb28a2008e0a6a2c3d07d05458d45922c6c50296243531f70812426945cd2d091f3294

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
451KB

MD5
544b5227e1ba7200d1b3d13cb2d10075

SHA1
920c1b681e6f95d547b0a9acff35fa62d05c56af

SHA256
bc2e01139f25d6ddd345326da9112a5fd861c649255e2e9a676633d799b054a7

SHA512
d015e4ea6653fb446e736d193961064775d6e7c20634f125e52a0f10f84001f8d17c4c6d792cdc74dd57a88a08f863aa14918e90881493cb23fb494dcc6b5050

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
451KB

MD5
b2e866de697e5a432e67651586d1a9f5

SHA1
1a315e847ee1001059acc05739e78617ce1e8217

SHA256
781c06bc33c2766bf0c8a8ad8cd717c23f559b4dcef65155ced2070f590cba33

SHA512
28d781b298c9d8dd60ff5530c57e220b4010453244385422818c7a67d906e08f5344473a5d1492eb71cb8ef58ff912dd16c76a635d44e809634454a3d6e3ccce

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
451KB

MD5
d8d2a8267bd4ef0802794fe829597b30

SHA1
a4f67066024b207bff21011dea1150384ebcec03

SHA256
fbd1e21848dbeecf23467b84dbf06660e25dfdf5bf375a107cbd71940639942a

SHA512
c470ac733d397217f2d116e0824f53292ec3454ba30d08eab6d68d9e24bca277bd704119a949e54ae66da6458ea6ab4075995d415f3d46e6631f42e7928c8e46

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
451KB

MD5
598896396f4f5a63fcbb0578dc591cb8

SHA1
d7fa23925e9b0f82a2b15db6a6a078fd674b03f0

SHA256
e68638aeaa053e4f98de3ad08a61928f01b1162119789b7e23ecf9085f6d3f3d

SHA512
19f192e9859ab95d91dc1ea8a5000fc1603d65240f3d2e6ea17e453711494aa2ee4271dc5e664d3f96dc7272e768540606a8948259c96fb8f0dbfde7c57f061a

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
451KB

MD5
9a5275e1f4092a1a6468b33253279a7f

SHA1
bc50bbabe1ccaa9df2c8f5fcb993d6201da50bbe

SHA256
e772ff3e77427bde002710b43e29be09760f2dacc7d896b1f3c1abed3fdb03da

SHA512
583f65df6d50868459220e97a030c4e73e28942dac733ff7129f501d9edc6fd3b271d6c93506a841fbf7c370861f222f1c9fbdfb953d16349ce95d07a7a66a95

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
451KB

MD5
0200a63e1a0dc32b112ff8011f8ceb8f

SHA1
3d33dfeb4f1aaa613bfad5e8bd9cf05cfe412bfc

SHA256
09491608db0e1cd5f12ff2d0422090ea0dbd8ff9a9af8f62758f932c13451c7f

SHA512
8bb740fdb24c47d6fef607a91c6eb54e3a8fc177d81b2a3de8826c5691371775821d66a8cd9bfa9f6165865a2317429a90289712006009e0c72db95468162aa8

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
451KB

MD5
a13643f2cb15645ff3f0916de7c919a1

SHA1
f2b72dfe8236636654d7962a9bf3170475cfb33b

SHA256
53b4449ef4002458249755bda6164454900cc2e817264c6b44b70e2cff5e5cd0

SHA512
be44246cef8e2447756f10ed0718682387c9f46414ebb54e6da0bf18f543d6277b413e6a6223f8441dd496cbe52a656977dc322fa23b9ba1d2d3ea1e11a8a012

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
451KB

MD5
8cb0804741385c24bd8ab97dbb6838bc

SHA1
71f426d842ea97f28ef25799ff2bbb8cbc423fd6

SHA256
0bab7e8e2cb833299bf6be82daa29039c1d178cf674abaf25422adbaea072841

SHA512
371a00c626232ff5435d3d155bea9604df2fa79a963944511c00b472ea3495d96c13e451d7ddea974c9458716e6b86f53cda41e7303a43239938dcb7938c0564

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
451KB

MD5
dd329b6f94033b6ab2c53f72f457a408

SHA1
dbf05e3ce70f6fb0b96c050b8f0025837f25cf74

SHA256
778bf49e5e6f9a424873ecbfcf927d2ee44548b617191293ea16a8d7be868a2f

SHA512
10c9166fba2c3a9e6224dec9e912f5add6fe65d5606a485b2d33233c9b02ec653ec445316ad0e326b51d1db419631d6ae95ab9e9b78e1d70aa02f353a58798e0

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
451KB

MD5
88419fa40e4af01cfb686e40f6dd8bf0

SHA1
515f0d071146531e44dcf71bc1f6dabf760b11c2

SHA256
a0a3d2cdd2997f60b7f5abba2ce4155d1264ed3226cc8645c88700fb10c52343

SHA512
6dbe335d5482d3e7f1f00d6e8b6710d911d130e48185aeda848b2cf1b2fa61efdb43a6520b4e454ad4522efd42e8bd16c173da0c21bdc6cc0f3581a70d7b93f0

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
451KB

MD5
9cf1fceb8101ff93ae45602effa7bdc2

SHA1
41ee78a1fdd44ed9dbd7173a04f7ae8c4f538865

SHA256
0261cd932b2edecd0282461d248722157ce3cbfd3c2515cae0e48dbe9df00655

SHA512
f4ae420e1202a3a109e6fd9726bd18c1ebb10460497e2d6abba8f126a6bdd64114cab12a3faf0fbe734da938fde1e2905d273e0193278f81e032441d0ccd483e

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
451KB

MD5
2f2d5fbf97fe5b06cc68f5b13e0d46ab

SHA1
65818b58e320fb79158ddaa806806881e4ebfa74

SHA256
89efc868fb57db2abcc3dc37ca008125a2226246b232fca112d1a7f968d70160

SHA512
e5b9631e53c58a661598bffe895224cd85054b598a91cf666e8a32110e3a6928fbad86d0287bce46234242d67d1f9b82087268469d87e248bd0b231918b4784b

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
451KB

MD5
f22a1aae542171f8c61c9dc9e92ef9f3

SHA1
4ce5b08526fbf08be38aed2708634465bb99cc4d

SHA256
aec7981ae4ff0c96a117e4661fa627de69d4c6f1b349f52c31572629f17b5bbe

SHA512
ffb22ce86074f0eb9edc75671222f2f6dbba96b99527fdcf1365b155c9b477cf1879b9674962935016189402c53995e3373e6788b7ab867877e5a8468b6d9e38

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
451KB

MD5
a408f5647e19a61548b0ba00642d7d35

SHA1
6b1b979765ecd1338009b58c518fa1133350658b

SHA256
3007b4fde6928ca04def982c80940346ec2fded765ed163fcaf86c4006acf2df

SHA512
76173e46d38a055af03c0ff6d839fe7b47cabedcf5a6e73dc84a11f1ac36c2535d27006a82f513c841c75e050546f627d8ae303d2780bc6067c7e99cc1bdbe6b

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
451KB

MD5
e281b12ea4153df221e68447de016efe

SHA1
4e316529b5da023a1408f024ed457b01757d746e

SHA256
21aff0103400b6bd115d19448f68c57a3641c86bc81a2d5ecd2cbea1a1b7fc8f

SHA512
babc8dafb28c375ff1812456d0f60c7700070a0babf13a1bd7200271b9afa4f548f5d5fcf8cd65e5e47266b6cde2b8983a9af9fcd8fe6b45a4de709bff0f47be

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
451KB

MD5
c41339e952457bb02a69715dbb65d4bf

SHA1
319bd6bcfbdd9313584a79b5c2cff3fab2872445

SHA256
5c613afc57ddf55d0c9bb944d7574ba984387f393c69abe9e868523d01b9b7dd

SHA512
610d29300adda0da49b68257f15b7d432ab72536eec35595e46eaf2967a5dcef2575ef018ae3d741532c0318016f24c3fd3fb43e23ee981521a8d6331a896dcf

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
451KB

MD5
f21373f1c440c19e56dc0c007fdd5273

SHA1
6074d315e0870adf080394638a597af383c7849b

SHA256
bc1e1e3b682413eebc74527a5ed9078a0164104e1ce4ca16d564dbad8f9b3ad8

SHA512
dadc04134f6067ed80661cef55bdeb52eae0bf1b51099640a45780cffee60414764adbd0191054d04e3d0e3d596facf00a7b13eaae9fe929b4cf9f7d3d700a6f

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
451KB

MD5
dc3d1c47e77e6ba97c8d3d24a1708f4c

SHA1
1a763c1f9e365b2c3871e87ec2fb7d92cfaca81e

SHA256
0ececf8fea3a31e4e220555142031e4d975892c936912fc89c2193052bfd702a

SHA512
bab12510f5d63badb142adb3f9573f1b53b41e3f05a33533f9d2da8b00777fc9d74336968eda40d51f01e1e756609740639ced026f8856a4f97a03af3e604010

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
451KB

MD5
42b2047767d9a715feab48d99b7c9756

SHA1
2388889d4d3d2eb66859b79165e2e863a42ca2f8

SHA256
4408158e1cf4ae93f0f56294e0290796ba953c4339743aeb8f5a14749f949311

SHA512
945d91faa55b6c550f5716c04f056b6557b2dd71738f8628095e10c65c49b5299a6f4a12ebff7070c33ac1b9fa39173bfc91c9a9260198719e0875113ced852f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
451KB

MD5
9680abac53608bd07dfd82350be53be1

SHA1
0f56229b4dbfdb20440ad7e55fa2aefe7ec6babc

SHA256
db1b034c5bf96e22ae4110436e04c318fe90e6b1f6ba65ceec0195815a45a2ad

SHA512
8f3583a4c99201f2e5183dc6a78880318291502b917c6f00f2e91bdcd52a51a2e9c70f7042a24268baa70a5f21bd41af96bccab9f5ce2c6c015d31a22cf5a91c

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
451KB

MD5
09157d60b69d3f1e5616c829ea213a74

SHA1
89be93abaf173b578c35846a1592ff8ddbfb9c9e

SHA256
e5c9c7d2c6fcea6c3b7339cc951d4867a6a9f2ea11ef834a7c82f5a2217fa7bc

SHA512
aa7ffd65f787dca5b774783843446dff90694fa8ec3d3c17efee8acc1b599c718e864359f5c294ce1258154a0784ab4add35dd1a751f88fec3b162692d2f2835

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
451KB

MD5
a1ff010fcc08554bb73f46b669898230

SHA1
82d36d331b1d7e7758ef364a78fe040a2b165d15

SHA256
cc204957ddf68fc17c7bb281d0c990b42e52ce69ae8ee1b91bd91d6592e775b6

SHA512
c356ec67de0bc3fd92b9d25f76a2a89b247268b2ea2f1be8e441ccaac1663f7dc597aab5892f97eabc15890e6bd4c93c58e71a2be14744bce16d82fccd18db44

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
451KB

MD5
f0b020af81f79110448e0ff8961c5a90

SHA1
65dd14f4b094c41e67088ffabf2b2b3b962ce47c

SHA256
8096db85c8b3a8778f77dd459f3b644255454747ed00a1daeffb8840afcf422c

SHA512
e018303b44d58e8e6914af1d36a8880b23426ea46ed3a44f4eb57d916ef0e4163e0d4e879b787a239bddf3830d12ebb64a259352491f981b5797f4d77753060d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
451KB

MD5
bfe6392f526e3f7ca7fb8721f2e9192d

SHA1
a7a26089277c6072832dd6ba94cc328a7a53ee9e

SHA256
abbccd680a3611b1716f176201fb7ace09eb1af288a931fdbd0e92ee5bc0b879

SHA512
470a2f7b12291095d2371638964b7ad3f83985a264d18a8c7193ba049ae6a05a5bc4bfa1823cf821d32b1b032bfb096218630ed9dc4f38a39d476fdefb6bcce3

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
451KB

MD5
f130902ce597894d8ca9ed3424f578dd

SHA1
6bc04a69a65211b2a51b4ea91bd4bc4cc2bdf935

SHA256
2417069085e765786b9b4a719a79f839f6c35c1078ba7ff455538ab5b5d7a4e6

SHA512
c598d3666f7abcb2a3ebf3cee1d73636b1c56a85dd6b555ee3648b952bcf84dc6e7b54bd475a72ae47a51cd77e0548ddd5d30c4d74ee56471d8fff1e93afa0b8

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
451KB

MD5
21fb56b6b2313a7dc63716695f065019

SHA1
5a7670b9a66fbd349c3ecc610f7777d5e1d8e50a

SHA256
e04b1f2a358aaf11a52c8f712f5619ae44aca3419c621ba2b591615f50f3c33d

SHA512
d979b795d55375ff66845139ddb12bec9b439fa3219a287ab7aeacd6847089ca4d7b91f3cea926ed6f7807fe84d81e93827c9b7c12789dc514f8e905317deaa7

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
451KB

MD5
26ba6c10489c268b20b0f2eaba16c46b

SHA1
6ae2a17d63d3888079b625cef64d5481c2be140a

SHA256
66c2f29e0719d30cdcadb73864320aadf89ebbae14e397567ee37a0fbc30c43f

SHA512
50b903de107cc9b532ff74d4503be83873b8975683bb3f84a560ef35df441dcf7ebea8e34128090b30200bb0324ca85c138b4086fc5639c9159fa4f8d16381b1

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
451KB

MD5
27879811f8c8ef9f80474932fef8d2cc

SHA1
39c973b3b250f50b14003c8c8715cc65a4f8e3ef

SHA256
2532e8592915aed1b6d31b0e054e6bf553715e671d4b750dd03a544b5bc7e5a5

SHA512
b3560d8c456859512f1bd64fc8a48aa6dd66a489b17400b4a5b9226ed3836ed4afb7d63ed8265638670ba6818ab455bb1a62b703e47e3a0704914772f9f29c52

Download Submit
memory/384-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1500-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-768-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-727-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-772-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads