berbew | 437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779eb

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
Size

337KB
MD5

eafb53df617540a2610fcd49bc9268c0
SHA1

d72f9a7d1e447c6f9d14d4799881984c80683068
SHA256

437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779eb
SHA512

2ca9c71ff4f8b5afeedf8595a885fded4a23cd9661e1df15dddb7af340513019d1b54a308367285f8f1aea4bbbf73c35a06cf262584ee9455472447e0da9a79a
SSDEEP

3072:MS6+bAFHpYUEAEdggYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:g+wClg1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcnljkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjbcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjemgal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpebch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccooc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olaejfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeojhbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhjcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcppimfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcgopjba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Badiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhdde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adplbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakfcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlnpnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olaejfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocmjlpfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnoneglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflpoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmpmpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlciih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijhnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agniok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjjalepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celeel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neialnfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbnlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeojhbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcnljkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjagmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhcgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakfcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbpbjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncoihfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqfdac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdkcgqad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeioio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Memapppg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcgopjba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deckfkof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefngkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mccooc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfkec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnadadld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhcgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmlmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjlpfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbicm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
548	Lbhocegl.exe
2168	Libgpooi.exe
1264	Lffhjcmb.exe
4492	Llbpbjlj.exe
844	Ldjhcgll.exe
2208	Lmbmlmbl.exe
4364	Ldlehg32.exe
4504	Memapppg.exe
3080	Mcabjcoa.exe
3020	Mpebch32.exe
4000	Mccooc32.exe
5028	Mcfkec32.exe
1328	Mlnpnh32.exe
2400	Mgddka32.exe
2760	Mnnlgkho.exe
4304	Ndhdde32.exe
3316	Neialnfj.exe
2800	Nlciih32.exe
4336	Nghmfqmm.exe
3624	Nlefngkd.exe
3076	Ndlnoelf.exe
2096	Ngmgap32.exe
4276	Ncdgfaol.exe
1524	Ofeqhl32.exe
3620	Ociaap32.exe
1540	Olaejfag.exe
1228	Ojefcj32.exe
3124	Ocmjlpfa.exe
2632	Oncoihfg.exe
4912	Ojjooilk.exe
3272	Pqfdac32.exe
2716	Pjnijihf.exe
1456	Pgbicm32.exe
1156	Pnlapgnl.exe
2076	Pcijhnld.exe
1828	Pjcbeh32.exe
4848	Pnoneglj.exe
3856	Pdhfbacf.exe
3392	Pggbnlbj.exe
1972	Pjeojhbn.exe
3656	Qmdkfcaa.exe
3388	Qdkcgqad.exe
2984	Qflpoi32.exe
4592	Qcppimfl.exe
2772	Qgllil32.exe
3732	Anedfffb.exe
2484	Adplbp32.exe
1468	Agniok32.exe
632	Aqfmhacc.exe
940	Aceidl32.exe
2660	Anjnae32.exe
4952	Acgfil32.exe
1868	Afebeg32.exe
244	Anmjfe32.exe
2708	Aakfcp32.exe
2612	Ageopj32.exe
2628	Ambgha32.exe
2016	Aeioio32.exe
1896	Bjfhae32.exe
1560	Bnadadld.exe
1340	Bcnljkjl.exe
3900	Bfmhff32.exe
2692	Bmfqcqql.exe
1892	Bcqipk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmngcp32.exe	Bjokgd32.exe
File created	C:\Windows\SysWOW64\Ofeqhl32.exe	Ncdgfaol.exe
File opened for modification	C:\Windows\SysWOW64\Aqfmhacc.exe	Agniok32.exe
File created	C:\Windows\SysWOW64\Dckpch32.dll	Bjjalepf.exe
File created	C:\Windows\SysWOW64\Oinlcn32.dll	Lbhocegl.exe
File created	C:\Windows\SysWOW64\Apjqeeca.dll	Bgnafinp.exe
File opened for modification	C:\Windows\SysWOW64\Djpcnbmn.exe	Deckfkof.exe
File created	C:\Windows\SysWOW64\Mbaohc32.dll	Pjnijihf.exe
File opened for modification	C:\Windows\SysWOW64\Ambgha32.exe	Ageopj32.exe
File created	C:\Windows\SysWOW64\Bjokgd32.exe	Bebbom32.exe
File opened for modification	C:\Windows\SysWOW64\Aakfcp32.exe	Anmjfe32.exe
File created	C:\Windows\SysWOW64\Cmdmdo32.exe	Cfkegd32.exe
File created	C:\Windows\SysWOW64\Gkilmilg.dll	Cfonbdij.exe
File opened for modification	C:\Windows\SysWOW64\Bcqipk32.exe	Bmfqcqql.exe
File created	C:\Windows\SysWOW64\Ldjhcgll.exe	Llbpbjlj.exe
File opened for modification	C:\Windows\SysWOW64\Ojefcj32.exe	Olaejfag.exe
File created	C:\Windows\SysWOW64\Pggbnlbj.exe	Pdhfbacf.exe
File created	C:\Windows\SysWOW64\Ojiefj32.dll	Dkdmia32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeojhbn.exe	Pggbnlbj.exe
File created	C:\Windows\SysWOW64\Qflpoi32.exe	Qdkcgqad.exe
File created	C:\Windows\SysWOW64\Ddjemgal.exe	Dmpmpm32.exe
File created	C:\Windows\SysWOW64\Gphdlf32.dll	Bcnljkjl.exe
File created	C:\Windows\SysWOW64\Bcgfbo32.dll	Bcqipk32.exe
File created	C:\Windows\SysWOW64\Albmog32.dll	Bnhjbcfl.exe
File created	C:\Windows\SysWOW64\Cmpcioha.exe	Cjagmd32.exe
File created	C:\Windows\SysWOW64\Cnopcb32.exe	Chehfhhh.exe
File created	C:\Windows\SysWOW64\Mcfkec32.exe	Mccooc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgfaol.exe	Ngmgap32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeqhl32.exe	Ncdgfaol.exe
File created	C:\Windows\SysWOW64\Mcabjcoa.exe	Memapppg.exe
File created	C:\Windows\SysWOW64\Ngmgap32.exe	Ndlnoelf.exe
File created	C:\Windows\SysWOW64\Qhigml32.dll	Djmgiboq.exe
File created	C:\Windows\SysWOW64\Hhlohbjc.dll	Cmpcioha.exe
File opened for modification	C:\Windows\SysWOW64\Mnnlgkho.exe	Mgddka32.exe
File created	C:\Windows\SysWOW64\Ncdgfaol.exe	Ngmgap32.exe
File created	C:\Windows\SysWOW64\Adplbp32.exe	Anedfffb.exe
File created	C:\Windows\SysWOW64\Hjekkmnh.dll	Anmjfe32.exe
File opened for modification	C:\Windows\SysWOW64\Danefkqe.exe	Dkdmia32.exe
File created	C:\Windows\SysWOW64\Nlciih32.exe	Neialnfj.exe
File created	C:\Windows\SysWOW64\Mofhdehp.dll	Ociaap32.exe
File created	C:\Windows\SysWOW64\Bmpjpg32.dll	Anjnae32.exe
File created	C:\Windows\SysWOW64\Dokpoq32.exe	Djpcnbmn.exe
File created	C:\Windows\SysWOW64\Afdkim32.dll	Pqfdac32.exe
File created	C:\Windows\SysWOW64\Qdkcgqad.exe	Qmdkfcaa.exe
File created	C:\Windows\SysWOW64\Lbhocegl.exe	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
File created	C:\Windows\SysWOW64\Llbpbjlj.exe	Lffhjcmb.exe
File opened for modification	C:\Windows\SysWOW64\Ldlehg32.exe	Lmbmlmbl.exe
File created	C:\Windows\SysWOW64\Lccdjk32.dll	Pjcbeh32.exe
File created	C:\Windows\SysWOW64\Ageopj32.exe	Aakfcp32.exe
File created	C:\Windows\SysWOW64\Bjjalepf.exe	Bcqipk32.exe
File created	C:\Windows\SysWOW64\Gnmolp32.dll	Bmngcp32.exe
File created	C:\Windows\SysWOW64\Kehnkl32.dll	Dokpoq32.exe
File opened for modification	C:\Windows\SysWOW64\Mlnpnh32.exe	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Mflhqocp.dll	Neialnfj.exe
File opened for modification	C:\Windows\SysWOW64\Pnoneglj.exe	Pjcbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjjalepf.exe	Bcqipk32.exe
File created	C:\Windows\SysWOW64\Jhphlj32.dll	Djpcnbmn.exe
File created	C:\Windows\SysWOW64\Ebbnpfad.dll	Mlnpnh32.exe
File created	C:\Windows\SysWOW64\Bhijdp32.dll	Qflpoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfmhff32.exe	Bcnljkjl.exe
File created	C:\Windows\SysWOW64\Dgqmpg32.dll	Agniok32.exe
File created	C:\Windows\SysWOW64\Acgfil32.exe	Anjnae32.exe
File created	C:\Windows\SysWOW64\Kijcoe32.dll	Libgpooi.exe
File created	C:\Windows\SysWOW64\Ljepon32.dll	Ncdgfaol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4904	1016	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnadadld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnopcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmgiboq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ociaap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccooc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflpoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjagmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjemgal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libgpooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjbcfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcgopjba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmlmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnnlgkho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhjcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfmhacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afebeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcqipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adplbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhdde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlciih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjooilk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbnlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agniok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aceidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldlehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabjcoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnpnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neialnfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjlpfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlapgnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmdkfcaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdkcgqad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhcgll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Badiio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcioha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmamdkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anjnae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nghmfqmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgfaol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfhae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfonbdij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dokpoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeioio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deckfkof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpmpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbpbjlj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chehfhhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjnijihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnadadld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmfqcqql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcqipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjbcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbpbjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqijbj32.dll"	Mgddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbmmb32.dll"	Llbpbjlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ociaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnoneglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhphlj32.dll"	Djpcnbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djpcnbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colpjg32.dll"	Deckfkof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmlmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlnpnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnoneglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmdkfcaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcipiaka.dll"	Nlefngkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifpeb32.dll"	Dhcdhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbnlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomfcogj.dll"	Bfmhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljcdici.dll"	Cnopcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgfaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqgehi32.dll"	Pcijhnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijhnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokpoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnapigob.dll"	Cjagmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deckfkof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djpcnbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neialnfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjooilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdkim32.dll"	Pqfdac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaplbcc.dll"	Adplbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Badiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiefj32.dll"	Dkdmia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepdbe32.dll"	Bmfqcqql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnopcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefngkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflpoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmiofec.dll"	Aqfmhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqfmhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfmhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnehjqi.dll"	Badiio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libgpooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckaqiakm.dll"	Oncoihfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjooilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkibbp32.dll"	Aakfcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmolp32.dll"	Bmngcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmgiboq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkiip32.dll"	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpaefka.dll"	Ofeqhl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 548	416	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe	81
PID 416 wrote to memory of 548	416	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe	81
PID 416 wrote to memory of 548	416	437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe	81
PID 548 wrote to memory of 2168	548	Lbhocegl.exe	82
PID 548 wrote to memory of 2168	548	Lbhocegl.exe	82
PID 548 wrote to memory of 2168	548	Lbhocegl.exe	82
PID 2168 wrote to memory of 1264	2168	Libgpooi.exe	83
PID 2168 wrote to memory of 1264	2168	Libgpooi.exe	83
PID 2168 wrote to memory of 1264	2168	Libgpooi.exe	83
PID 1264 wrote to memory of 4492	1264	Lffhjcmb.exe	84
PID 1264 wrote to memory of 4492	1264	Lffhjcmb.exe	84
PID 1264 wrote to memory of 4492	1264	Lffhjcmb.exe	84
PID 4492 wrote to memory of 844	4492	Llbpbjlj.exe	85
PID 4492 wrote to memory of 844	4492	Llbpbjlj.exe	85
PID 4492 wrote to memory of 844	4492	Llbpbjlj.exe	85
PID 844 wrote to memory of 2208	844	Ldjhcgll.exe	86
PID 844 wrote to memory of 2208	844	Ldjhcgll.exe	86
PID 844 wrote to memory of 2208	844	Ldjhcgll.exe	86
PID 2208 wrote to memory of 4364	2208	Lmbmlmbl.exe	87
PID 2208 wrote to memory of 4364	2208	Lmbmlmbl.exe	87
PID 2208 wrote to memory of 4364	2208	Lmbmlmbl.exe	87
PID 4364 wrote to memory of 4504	4364	Ldlehg32.exe	88
PID 4364 wrote to memory of 4504	4364	Ldlehg32.exe	88
PID 4364 wrote to memory of 4504	4364	Ldlehg32.exe	88
PID 4504 wrote to memory of 3080	4504	Memapppg.exe	89
PID 4504 wrote to memory of 3080	4504	Memapppg.exe	89
PID 4504 wrote to memory of 3080	4504	Memapppg.exe	89
PID 3080 wrote to memory of 3020	3080	Mcabjcoa.exe	90
PID 3080 wrote to memory of 3020	3080	Mcabjcoa.exe	90
PID 3080 wrote to memory of 3020	3080	Mcabjcoa.exe	90
PID 3020 wrote to memory of 4000	3020	Mpebch32.exe	91
PID 3020 wrote to memory of 4000	3020	Mpebch32.exe	91
PID 3020 wrote to memory of 4000	3020	Mpebch32.exe	91
PID 4000 wrote to memory of 5028	4000	Mccooc32.exe	92
PID 4000 wrote to memory of 5028	4000	Mccooc32.exe	92
PID 4000 wrote to memory of 5028	4000	Mccooc32.exe	92
PID 5028 wrote to memory of 1328	5028	Mcfkec32.exe	93
PID 5028 wrote to memory of 1328	5028	Mcfkec32.exe	93
PID 5028 wrote to memory of 1328	5028	Mcfkec32.exe	93
PID 1328 wrote to memory of 2400	1328	Mlnpnh32.exe	94
PID 1328 wrote to memory of 2400	1328	Mlnpnh32.exe	94
PID 1328 wrote to memory of 2400	1328	Mlnpnh32.exe	94
PID 2400 wrote to memory of 2760	2400	Mgddka32.exe	95
PID 2400 wrote to memory of 2760	2400	Mgddka32.exe	95
PID 2400 wrote to memory of 2760	2400	Mgddka32.exe	95
PID 2760 wrote to memory of 4304	2760	Mnnlgkho.exe	96
PID 2760 wrote to memory of 4304	2760	Mnnlgkho.exe	96
PID 2760 wrote to memory of 4304	2760	Mnnlgkho.exe	96
PID 4304 wrote to memory of 3316	4304	Ndhdde32.exe	97
PID 4304 wrote to memory of 3316	4304	Ndhdde32.exe	97
PID 4304 wrote to memory of 3316	4304	Ndhdde32.exe	97
PID 3316 wrote to memory of 2800	3316	Neialnfj.exe	98
PID 3316 wrote to memory of 2800	3316	Neialnfj.exe	98
PID 3316 wrote to memory of 2800	3316	Neialnfj.exe	98
PID 2800 wrote to memory of 4336	2800	Nlciih32.exe	99
PID 2800 wrote to memory of 4336	2800	Nlciih32.exe	99
PID 2800 wrote to memory of 4336	2800	Nlciih32.exe	99
PID 4336 wrote to memory of 3624	4336	Nghmfqmm.exe	100
PID 4336 wrote to memory of 3624	4336	Nghmfqmm.exe	100
PID 4336 wrote to memory of 3624	4336	Nghmfqmm.exe	100
PID 3624 wrote to memory of 3076	3624	Nlefngkd.exe	101
PID 3624 wrote to memory of 3076	3624	Nlefngkd.exe	101
PID 3624 wrote to memory of 3076	3624	Nlefngkd.exe	101
PID 3076 wrote to memory of 2096	3076	Ndlnoelf.exe	102

C:\Users\Admin\AppData\Local\Temp\437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe
"C:\Users\Admin\AppData\Local\Temp\437dceec55b3f4ce5d5d1f64eeec0f7427c52f5ace83e01a287a8ea0ecc779ebN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\Lbhocegl.exe
  C:\Windows\system32\Lbhocegl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\Libgpooi.exe
    C:\Windows\system32\Libgpooi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\Lffhjcmb.exe
      C:\Windows\system32\Lffhjcmb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\Llbpbjlj.exe
        
        C:\Windows\system32\Llbpbjlj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\Ldjhcgll.exe
        
        C:\Windows\system32\Ldjhcgll.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Lmbmlmbl.exe
        
        C:\Windows\system32\Lmbmlmbl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Mcabjcoa.exe
        
        C:\Windows\system32\Mcabjcoa.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Mpebch32.exe
        
        C:\Windows\system32\Mpebch32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mccooc32.exe
        
        C:\Windows\system32\Mccooc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mlnpnh32.exe
        
        C:\Windows\system32\Mlnpnh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Mgddka32.exe
        
        C:\Windows\system32\Mgddka32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mnnlgkho.exe
        
        C:\Windows\system32\Mnnlgkho.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ndhdde32.exe
        
        C:\Windows\system32\Ndhdde32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Neialnfj.exe
        
        C:\Windows\system32\Neialnfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Nlciih32.exe
        
        C:\Windows\system32\Nlciih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Nghmfqmm.exe
        
        C:\Windows\system32\Nghmfqmm.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Nlefngkd.exe
        
        C:\Windows\system32\Nlefngkd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ndlnoelf.exe
        
        C:\Windows\system32\Ndlnoelf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ngmgap32.exe
        
        C:\Windows\system32\Ngmgap32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Ncdgfaol.exe
        
        C:\Windows\system32\Ncdgfaol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ociaap32.exe
        
        C:\Windows\system32\Ociaap32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Olaejfag.exe
        
        C:\Windows\system32\Olaejfag.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ojefcj32.exe
        
        C:\Windows\system32\Ojefcj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Ocmjlpfa.exe
        
        C:\Windows\system32\Ocmjlpfa.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Ojjooilk.exe
        
        C:\Windows\system32\Ojjooilk.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Pqfdac32.exe
        
        C:\Windows\system32\Pqfdac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Pjnijihf.exe
        
        C:\Windows\system32\Pjnijihf.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Pgbicm32.exe
        
        C:\Windows\system32\Pgbicm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Pnlapgnl.exe
        
        C:\Windows\system32\Pnlapgnl.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Pcijhnld.exe
        
        C:\Windows\system32\Pcijhnld.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Pjcbeh32.exe
        
        C:\Windows\system32\Pjcbeh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Pnoneglj.exe
        
        C:\Windows\system32\Pnoneglj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Pdhfbacf.exe
        
        C:\Windows\system32\Pdhfbacf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Pjeojhbn.exe
        
        C:\Windows\system32\Pjeojhbn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Qmdkfcaa.exe
        
        C:\Windows\system32\Qmdkfcaa.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Qdkcgqad.exe
        
        C:\Windows\system32\Qdkcgqad.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Qflpoi32.exe
        
        C:\Windows\system32\Qflpoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Qgllil32.exe
        
        C:\Windows\system32\Qgllil32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Adplbp32.exe
        
        C:\Windows\system32\Adplbp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Agniok32.exe
        
        C:\Windows\system32\Agniok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Aceidl32.exe
        
        C:\Windows\system32\Aceidl32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Anjnae32.exe
        
        C:\Windows\system32\Anjnae32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\Aakfcp32.exe
        
        C:\Windows\system32\Aakfcp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ageopj32.exe
        
        C:\Windows\system32\Ageopj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Aeioio32.exe
        
        C:\Windows\system32\Aeioio32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Bjfhae32.exe
        
        C:\Windows\system32\Bjfhae32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Bnadadld.exe
        
        C:\Windows\system32\Bnadadld.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bcnljkjl.exe
        
        C:\Windows\system32\Bcnljkjl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Bmfqcqql.exe
        
        C:\Windows\system32\Bmfqcqql.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bcqipk32.exe
        
        C:\Windows\system32\Bcqipk32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Badiio32.exe
        
        C:\Windows\system32\Badiio32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Bgnafinp.exe
        
        C:\Windows\system32\Bgnafinp.exe
        68⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Bnhjbcfl.exe
        
        C:\Windows\system32\Bnhjbcfl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bmngcp32.exe
        
        C:\Windows\system32\Bmngcp32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Bcgopjba.exe
        
        C:\Windows\system32\Bcgopjba.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Cjagmd32.exe
        
        C:\Windows\system32\Cjagmd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Chehfhhh.exe
        
        C:\Windows\system32\Chehfhhh.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Cfkegd32.exe
        
        C:\Windows\system32\Cfkegd32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Cfmamdkm.exe
        
        C:\Windows\system32\Cfmamdkm.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        83⤵
        
        PID:908
        
        C:\Windows\SysWOW64\Cfonbdij.exe
        
        C:\Windows\system32\Cfonbdij.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Djmgiboq.exe
        
        C:\Windows\system32\Djmgiboq.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Deckfkof.exe
        
        C:\Windows\system32\Deckfkof.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Djpcnbmn.exe
        
        C:\Windows\system32\Djpcnbmn.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Dokpoq32.exe
        
        C:\Windows\system32\Dokpoq32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Dhcdhf32.exe
        
        C:\Windows\system32\Dhcdhf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Dkbpda32.exe
        
        C:\Windows\system32\Dkbpda32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Dmpmpm32.exe
        
        C:\Windows\system32\Dmpmpm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Dkdmia32.exe
        
        C:\Windows\system32\Dkdmia32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 400
        95⤵
        Program crash
        
        PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1016 -ip 1016
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adplbp32.exe

Filesize
337KB

MD5
49dcc103ce25387efe73be63cd383343

SHA1
6459de3400a4488dcbc38ef3dbb74dbbd35af940

SHA256
3f806506ab14d7bc63994d7067401866f7193ea7fbe8d7f3a9acf47e79771558

SHA512
391cb5946e441f11f84f05b7067adf02bce188894b01b59a93b736cd4ce28d6d0cabf355b7124a0f68ab6e01ec03a3ea612b60d8a1bb46417ec9f7235bb4d7e6

Download Submit
C:\Windows\SysWOW64\Aeioio32.exe

Filesize
337KB

MD5
f3b719f08274f17e00d1be8b37b472f0

SHA1
857c6128364170656be00940b3ca4c1e550fef3e

SHA256
8b4e40d6a632eb07ffd1b96071a1a95771dcd9eed1eefa7c0f512222f1af2f92

SHA512
97f66b97f25977c6e12010b7843f559c5c9e148a729f3839f0d7deae6ac5abb905598cc43ed8780d530ad794359256760d57198c6cc411f8ae9aedaf0b48d150

Download Submit
C:\Windows\SysWOW64\Anjnae32.exe

Filesize
337KB

MD5
7bf60e7d7aab3b453df5a6265c6a230a

SHA1
c4ae3fdfe9e7772ad6cefb5346126c0394c3cfb2

SHA256
a40ec9372b73ad3a03e6edb57d2b02a6a56b116994465e4bf984ad345943a9d6

SHA512
6603e705f4d7fabc76d6f661db380ff31245e0e62dd07d31d80392d8dce8899194a81b9753aea0de4ea161694e4e378f2980c98c2cfb01f44ca732594a5515c3

Download Submit
C:\Windows\SysWOW64\Aqfmhacc.exe

Filesize
337KB

MD5
47f65a21ed3260c8ad3b824e3c0473c3

SHA1
2262556626349219bb6abc2b75d980d29df8f1af

SHA256
21ad55b87ef1345ed8668e703dd5b714dbed4b642df8e9a4c553fa70824b9687

SHA512
06da175efcd88d728fe368fae710345595b9756127dcd4eb7e80e2ae7844ebc1e101f3bc36dbfa292512a4867f899cf01926ebba771cdc303a3d75a17d021b77

Download Submit
C:\Windows\SysWOW64\Bcnljkjl.exe

Filesize
337KB

MD5
84af09fa30371daf51eaf7a1c0e06845

SHA1
0b256020e8346589ac2f55d696041caf0c3a9a46

SHA256
56c619395ba789b1ee451afe71026ba5de5d75e75f89cfa11f32746ebc2144e4

SHA512
63af2d813cfd11cd92fff657d33e963c30e6792c2b4aa2ad0fff3c06a9414d0bb1a0efb6e51f02ca8752e48982e414fa0e4a01cd2feae69852250038ec51333b

Download Submit
C:\Windows\SysWOW64\Bebbom32.exe

Filesize
256KB

MD5
e15d002f5df2c16e9fde01c054195a2e

SHA1
28b9186995b557e1be8a20d936e35ca6325afb48

SHA256
ffce434b4a1f842da12d8c53d10c3cf84a3f8248b081870fd1319160b8f54399

SHA512
157179d7af8e63e5775b24c6345e1e7d73a2c11c0adcccbe5e9098db9b91c0f9a46575b49cc743bda05bb0eae535ac7bde6b633bfb5f53c3c8412b6393f6eb67

Download Submit
C:\Windows\SysWOW64\Bjjalepf.exe

Filesize
337KB

MD5
df16d12a00fb1ecefef5d8e94063d41e

SHA1
3712d5c9d244fb5aa238523235c0db60982a71da

SHA256
885a25814ec9d92402070f981a0482141063e320898237453d163e8f161c673d

SHA512
0a46cf0f1096172fcc69247934c648afe851085aa6ecd700b0a1f5c7bd489d690de3c0627b5a1f7967278266aa0ebc373b07a5ca0696f43f7de9667ab214d3f0

Download Submit
C:\Windows\SysWOW64\Bmfqcqql.exe

Filesize
337KB

MD5
b64892955df3b325ff0bb61118f5b39a

SHA1
2975f97baeca06615a3a8f1fd55b3fe41c197287

SHA256
73041ffcc807836cba93c7ef2df6639c3b1ae9df20919831c6c9510ce0f7fd39

SHA512
29542de7c0f05f5a5ef5538e05b8bfa6cd67d6be4b14500a30ae076070e91c94245c9ffeb80d8f23ece3d40a59fed13b1fb15dae6c8f20dcfbf663c6d3dcb396

Download Submit
C:\Windows\SysWOW64\Bnhjbcfl.exe

Filesize
337KB

MD5
c01a0819060b6e4efc8fc192f2a9bcf0

SHA1
9f52beff6ee1ea9d904cf1cea6594dbc524ed860

SHA256
48adcea91c7e116a1d8fd7f7467a2661b8fb39c057211de6dd2ab2beb84dbea9

SHA512
2b5200599c1ec8c12532c38ec654e7fc48ed04e9952dbb5d3ad52c8db4df149f2344aaee89e60a919e47527c00644f3fd02aea534e3fa611f0c931c3523d77d7

Download Submit
C:\Windows\SysWOW64\Cdlhki32.exe

Filesize
337KB

MD5
36d6d5998217c3fc7b2899fe5d97da08

SHA1
ef7b33ffa29e8ee7ed4fbc32dbdcac238936c822

SHA256
4f6694a2716bcb604abee80850e9a09262acd312bf92ebf112162a2f7509d10c

SHA512
d9cfc8411a3318311157fc0b15e542db27ebd4571f25dd7c3fed1ce67f4f445ee18149b3fa6a490ccf453ff3dd061b77167cefcb07f72e2b6a657dcf3936f937

Download Submit
C:\Windows\SysWOW64\Cfonbdij.exe

Filesize
337KB

MD5
58ba0238a6bd2b90ea10b09c1204d585

SHA1
080d627d30ecc861bc2829da4112156c217e9eaa

SHA256
7ebbb7ff86819cc3495ef14c066ced710df91b525f68ba85db4de9c5c24a05e4

SHA512
37600be5ccb487769130cf2a448793be22699d3a18c192f9e1bcd43012974de51d27d469da468c76864c24111d5911d0ac834684a99caf807b275b95828d2ba4

Download Submit
C:\Windows\SysWOW64\Cmpcioha.exe

Filesize
337KB

MD5
aac982b0843a55d6a8bc14f723c3a8c3

SHA1
520f6689b4bb57458658101c36f4d290e8286e4f

SHA256
0cd9f552e05361beea689cee54571d1839fdc32a8a64c0a89c27c52548fca227

SHA512
69cf1007448975e990e7cfd4283a16c30bd6d91e182e261453a8434e7bc496887f6cd654bbd0d0e75eaf29bc38b5ef9cc090c5a64fbf854a88b44393468097a2

Download Submit
C:\Windows\SysWOW64\Ddjemgal.exe

Filesize
337KB

MD5
e71bb7488a69a1dbf522c2ce623f7aaa

SHA1
58bf2ee2424f1c95fd295fd90313662ce38197b6

SHA256
52e20d413c85a758516136c86027811814ab06aeb0ddb1accf9fe9523aa23a5d

SHA512
ee8187cbe9cddf9965091650193d7958d9f51f4373145d4c2a51ae28db683dd12f4278438cfeace6599de18ea8e13649e74f118595dfd30d4c4b0f42b2b604ee

Download Submit
C:\Windows\SysWOW64\Lbhocegl.exe

Filesize
337KB

MD5
33a7c8efd47827a4829a9019e1074abe

SHA1
ba467b7a8f80ead4160373911fbdd24b27625bc7

SHA256
8008571aca0218309160b96c7640845c62e4cfaf232ab33e7788798c8805db25

SHA512
0afd92c9700315e9602eaa7c44509601137b7a39dad89777813d77a6a627e0c2fff4c3b6a74a10ed55f811fb5602d817404aeaa7617490c1e2f793997822bb79

Download Submit
C:\Windows\SysWOW64\Ldjhcgll.exe

Filesize
337KB

MD5
decab8fe14f94c217411cd5efaaa22b4

SHA1
0fa88376c8c1a93ffc7a88efc06091fef14f407f

SHA256
ea8c6d3191453261da0eac4b1707bc039433c27a2e932ef2747a114e2e073fb0

SHA512
39fe7bc04361d12ba23e9db0cfaf64bf1c8264cab4f3512f5368df88312139f1fefc1f6aaaba956ab2918cbf726ccbe846d6021370607ee3b369f2f7c88c1b0e

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
337KB

MD5
feaf6f93e2b48ba4b8fe5160f90cd32c

SHA1
29782c7fbf37da0939589705ce8dc05b8abd3c52

SHA256
b52310d053b1533225d83a7b35068c0b8b7dc791405a1de2b472e5533d4518c1

SHA512
560f065b9780964b07ac260b994858699c291a9a8ff05e4d7a64fc1bebc23a68ef66b1b4fffac3a0eaeef9e9f9cb5fb12a6f9313d8e773bc56e1f8938d648bc6

Download Submit
C:\Windows\SysWOW64\Lffhjcmb.exe

Filesize
337KB

MD5
a8ef8056d644356f400ee4f58651dec8

SHA1
689b25c3399c48d33588a022309c150d7fce3b41

SHA256
70fe6e9d08c524cb5b3bec02b8eb3a6c6a2fbfdb1f07d90ce68c65485f196f49

SHA512
67dd83fdf52d0c054133eb146c393a61d57051c19df8168c06d7fdca1a48fd205a3ca23092eab818c1951797905524c3d693d88c492261bafc3a881fb1e64fab

Download Submit
C:\Windows\SysWOW64\Libgpooi.exe

Filesize
337KB

MD5
35e963dbb89a9d631d7c968f80c51b99

SHA1
730c72b49d2e0ff576d0b1bde8811820a274c642

SHA256
388ec9d020465d6f9e94bf81158f3d7fce8b3a6192f2cd3275f46c3a321022c3

SHA512
6aed1fec2fe19bb6e27454be55e5c1dea25d23aaa30185c9a1bc478de2d07641027cda9b5310d1fd401cf81f16f0cb87924d03be7bbe7f886c9cec5809c1cff4

Download Submit
C:\Windows\SysWOW64\Llbpbjlj.exe

Filesize
337KB

MD5
7cc18197a536e4269e764e5ec1d86e5d

SHA1
6ff5ee8b982f4df7c51d09fb5aaad4734a7aef2d

SHA256
d6c1ccd31a19c5d46ef88d31cf20a9c4aa195cff4b8cb2073417ca74745469e2

SHA512
eec11dff2cf7d8b1a0c386a12e3c2d820fb13598d426b2b5fe22ef30abde26a03ab923a5b75c0cdd883f3db1118c0ac33a12773b204fdca395d95dbc89cb24aa

Download Submit
C:\Windows\SysWOW64\Lmbmlmbl.exe

Filesize
337KB

MD5
90765ad7fd7102544f3d1fd99bd3af13

SHA1
0028c6ba4b27d3194dcf35e74746e2b7c147b656

SHA256
1b9c7fa6a1c60830ff1a113a75eeae4bf27213f3820b77d1742326d22bb99ff6

SHA512
105705eee8da1cb295f12cc21c0cc40f68edbd7ae01eabbeb79cfd40be4bc1ca0ebaa3754ae6a09bde480c970e3ff27791829d84e293ac0837092444e055f155

Download Submit
C:\Windows\SysWOW64\Mcabjcoa.exe

Filesize
337KB

MD5
c08c45a0516f8823d290a17b13ead997

SHA1
72a856e4e51693c209dba58119a33624bbc43218

SHA256
0a00cc1241a86c88fa06090bcde53719a17508ab4256e91044ac909ab975b0f6

SHA512
a90217e5b7d13beffca54fef3def940ba60491e10f928176b9233aa7ca2a08c470e8cfb2367f4902ac2f5dfcc3f55743b8d8139ec1e4b1ad8523c433e5634d63

Download Submit
C:\Windows\SysWOW64\Mccooc32.exe

Filesize
337KB

MD5
9ab9e1646c88d31a9aeb9d090bef664b

SHA1
d879cc7fc203f23758087cca89089f5aab17272e

SHA256
83cdae4988e1a7e0b292c1b7b951d2eaef6995cf7da10daad82f550bef3887b2

SHA512
871229b5b32f09ade4bb1d1dac597521d3f6b3b8ef496b990b55ea0ea1c9f5e00d6b2c936237a202c203cbcdb21878119dedc7d8021869c78f8b1481ac108a1d

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
337KB

MD5
b284ccab7d4e87232723f9b489c5ca61

SHA1
b4b97a14602d97593f77dd4db82f1debb705aa60

SHA256
88f8ed81ec2b3160e125f3c210f72c7220b902ea77c5e4497dade0c9de82eebc

SHA512
11d44737b27106c870000ee56f961fc0004548e02e10929c06ef1eeb48dac6fa7440158be62f9fb1ce8a27b30852be55e63750cee9b4b9f4797ad2dceaa2fed5

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
337KB

MD5
d6341951428b40b1591db65a0c5e3c85

SHA1
3c10f7d630d35a811ed6626bfd604cd3ed3bdffe

SHA256
47b4e4b992c608464cec4bf1bdc846834a1f98da740f02f637fe88dbcf80e236

SHA512
16414c6f19326266d4d59f76acdc49ddc80e7cbd82ee7518ac6c92b5e52a3d404b4bf7788bd4c530d2760302b27af6fa9120d227efb50dc53354a83df7045420

Download Submit
C:\Windows\SysWOW64\Mgddka32.exe

Filesize
337KB

MD5
9b6ce696a67376156df8ac88d3949a21

SHA1
a9c82678a847aaa1291e0857b81c3737eb3ad35b

SHA256
53fffa4960029cc90a4d8f79eeffdb91061c8f4121fcb7a3bf326c1443c127fc

SHA512
d2447ac25c8dbc93b84381f4928632c25a78196d1004cc0d87815463449a0b7ce05f352d2d254a5d2424d1a51e9302bc3d067c200ee3d548a99f612bb227c9f9

Download Submit
C:\Windows\SysWOW64\Mlnpnh32.exe

Filesize
337KB

MD5
0fe903702abb79d898545bdc822d30cc

SHA1
e0174bcf10fc5509d4e08378fff5c88359e22750

SHA256
8612469bd4eb334a6d4cb3765e024c9987e8c35cef5826a40e7c82f232de5f6a

SHA512
c42018557f2f3a7f005200e8ad0c2b4224b163bdf287bdd2879f925661499eda6e3785a8ad8064320d46222eba94ab73a4835c701a67668d0e87609d3c8e0ade

Download Submit
C:\Windows\SysWOW64\Mnnlgkho.exe

Filesize
337KB

MD5
7d8bd07eb2b999f4ae53c200f6679169

SHA1
0c9e9d69a0300b8e038a0bef652da2a15a158dc6

SHA256
40d6c831113f8468ee5486983719fe78c6332967d7b519f3a64e8a4c16271232

SHA512
434a953f9e36da55fdc988ef29b8d8fb8c078a9b70e5000a9fe33e2459fa8ef69311c73c428764ea347b5f687fa3e91f227aae98539067d16f5ca35655c92ed4

Download Submit
C:\Windows\SysWOW64\Mpebch32.exe

Filesize
337KB

MD5
f96661e4605429ae697f43a4b883c012

SHA1
4c4915207f66390cde8250346bde65ea02264797

SHA256
ef6c04fda1ebb8f4a1461dbacbbb65c9775746c099868745f1216f191ddb15e8

SHA512
f922b7357e9b67c4dadb11df339a7f6a67a2e834f96de3023c9ba2b00225cf510db6c817a81bc98e0731010e96f0a0507edf8eb8e64f30a9a4a8a4c3081da5eb

Download Submit
C:\Windows\SysWOW64\Ncdgfaol.exe

Filesize
337KB

MD5
6112c09f262e770bc9e36cd9ea43a6da

SHA1
9edad24247a0071f2c10272c433b5bfc1fac96be

SHA256
5cacf5cd7b1585ab97f94cf02859a366922f79ee6942c86b00755876834b83a1

SHA512
7ff241719ec077b1c7ce00d7ff9697d65774b84db4a90d66c499572754f8e6cbb294f91627ad20427878fe01b8dacdaa57c375d400f9d829657febd3c732dd50

Download Submit
C:\Windows\SysWOW64\Ndhdde32.exe

Filesize
337KB

MD5
183888706fd216f121ca3d5eb3fa1a74

SHA1
3b99d85f56049174de987fac0f8c1a9d3cb757f9

SHA256
0ea96cf78a6f623a724f7b088bbbf9295f4864aaf59df94ee540fd8174d68dd3

SHA512
002df8cb35546fe5c73b864eecfdc078e3e368656f834271cd396e1697db317a9aaab4b50bb1e3a1f88a10e5b4ca905b01f618785e1bb9998ecce72640e9a2bb

Download Submit
C:\Windows\SysWOW64\Ndlnoelf.exe

Filesize
337KB

MD5
ecb5ebb39ea88858ae39bdaa0e4d2205

SHA1
e5308a3aabcdc1b76fa405539253a1bc1ff817bf

SHA256
17689a6df8521af5ef5bf1444dbdea2902e826cd89acf6ce2079b47ffe288045

SHA512
8e386bf84b52a1c883560d947626956bae70ba8a013661f5a9df1ea08b2fb7bb16d87524c9dbfba97997c117fc9e39d5dfdde1a8af9ad8491d00b9446c9d9225

Download Submit
C:\Windows\SysWOW64\Neialnfj.exe

Filesize
337KB

MD5
dc6ddd64d373c6ca6f29e350d4f2fdc9

SHA1
e8d4685eb3afa9af7fddeaac5b06d2b67d16c3c8

SHA256
af8ca9deab746a11815e88931381d1100d699bff5b3a322fe783c6f33343aa8e

SHA512
b22520ecfb7a7bc119e1d75de1f0966c6bb91fc6c84a7e89d3bd97cda5ac2560605a59d1b165ee01aea8feda8c89954bc219d1e9755419cdd614570daff8d11e

Download Submit
C:\Windows\SysWOW64\Nghmfqmm.exe

Filesize
337KB

MD5
a98d1db139fedf3e69ab43d0782ae922

SHA1
5f750bfb13fd84e7ff4fb63b6e9e43c309bae789

SHA256
8840351edebc0c7e1d16b07c3ad5ffaea3543f47c6f3027b99b26fd03d6af18e

SHA512
38c8e6e58d93860a0c6f46c65c474c57a3fdf23da7f12e9eb89f42fbf6e4db2e1cfed817e0e05e0bc358322b123d5c44eb2bf1be861bbc171b64f1a88b5c7525

Download Submit
C:\Windows\SysWOW64\Ngmgap32.exe

Filesize
337KB

MD5
83f433b546361e8ff9a7300fc7e496a3

SHA1
166faf1e2a985b436d65edc7a4eb5bd06676183b

SHA256
b4637354baff77fb0dc2df99dc92de2c454f3617043a7b387c696a4169771254

SHA512
3a67b9bce6f238a98708d2afbc15062fd8cfd3f680e1a4b53fc26c2ef60ff208eb772f25ccdc3fcaa1a9e0b124dc594ff6131a98f3d52e3099c23851a090cbf2

Download Submit
C:\Windows\SysWOW64\Nlciih32.exe

Filesize
337KB

MD5
1c14b044f62a2f62b423f79d4013bf87

SHA1
b4f20c84b4111b115bea80515fa54535baa94201

SHA256
c7dd6977ed5abadcb7e226cbfa621a97d3a0cbfc03465639613a1093ac1d6e4f

SHA512
7a475462e21c8ac6da4a0f19011d2b5a41dc7ff3a8b2329d9c73d99ce46b094845b76cc0474d7a31dcda1a7b80ff1d7e9a3d6d8bd148e09ce0306fb1def34760

Download Submit
C:\Windows\SysWOW64\Nlefngkd.exe

Filesize
337KB

MD5
c777718eb784f247df4081c1e7b6912d

SHA1
23052b0571488e933b4878a550554b56a721f5df

SHA256
26330a57c46f1f4356fad48f42b960a27ed9a2109a1af346370f3df11dae7b6c

SHA512
437b8e07a8dc889a2b6c484ae2dd16e199ca65a40e0b060c70ce2142d1fcc23675acfe98866cbd8a2bbb1af9d03056425bda77be0200bbf01747d195feb3d5bb

Download Submit
C:\Windows\SysWOW64\Ociaap32.exe

Filesize
337KB

MD5
5379da3563c2240fe5c91694e8295cc0

SHA1
2857c4eee39afe7320190f8cd043ab40b6039cb7

SHA256
81b64ac6d688cc2157341359b6409f3fe2121ac63031ae45de0c427e0153e42b

SHA512
16aba82bad61940d7768ce2eebe7c10a2d387a9bf462fcde33ba871bd554dab751ecfbb0cca09b58fce3c9f343c26f190b9ae7416a5c5cd8a6b3d9590c3e0abb

Download Submit
C:\Windows\SysWOW64\Ocmjlpfa.exe

Filesize
337KB

MD5
696bc107111a5dfe7a8ac729f50e22a8

SHA1
983ea60d0438e279b407a07cfd59f1a08647eb5f

SHA256
a956c09a7a1acdbab56cdc7693b8f98cd713f3d393051ad7da4d09cb14e262d8

SHA512
4157024b91caaed85d21b626b000eb9a1eabadd089b1ef01b1bd7359be59c97b60b7c26f8a86a6d8fd78633415e36b6b89a54246d18ababe4d5d95d851336614

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
320KB

MD5
a81c515626fb0cc5c4ff36af8fb23f08

SHA1
373cdb17e0d74101f02aec102ac5935da88cf1d5

SHA256
c1bac206fbb502cd6c924f50a938842822ddcbb84bbe8648dfdceecdb89ddf9c

SHA512
99942416c7c158b2a36fd963a2299e8effb432e8268cf1c77032cd96057511cd7cfccf2548fcce54eda52450c930fafe9a9dc0a353148f78857d93569574ebbc

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
337KB

MD5
afb6c290c6ceb35b44379581db295491

SHA1
2967b6009fbc6007585550d28153b75970556ebf

SHA256
074afd19b4890515c08cc695a492d2a001dc75da73aff8df51d2ac89fbb22b5c

SHA512
53bced4cb4c4179695167b41b86bb8640e1a4c2179e26c975ebb3b0a9645aa136cfbd09b4556e9807a91b6e0f03c804a964e06870b105b66b56ac661c330804e

Download Submit
C:\Windows\SysWOW64\Ojefcj32.exe

Filesize
337KB

MD5
ba83b5d2fa5757754276ac6b9d264d48

SHA1
c1933ea4eaaa09b3d03c506396b6ac4a06f243d1

SHA256
0408acaa12d11ab6865f62238beb69912d1e26fd73f2d275bd58799b3ff3449d

SHA512
646bfe524704bd15040ec92f26c5261d05e1b73247c0588aae8d04791ef0792e48887a49b3bf1ae6fd933d54748345c3e3798f22bcf045a775c77395378091dd

Download Submit
C:\Windows\SysWOW64\Ojjooilk.exe

Filesize
337KB

MD5
cb1859d212d6cbbb35c95e81fb432755

SHA1
96d7e46c66f5d4b733efdae1c0b15a938e20db68

SHA256
3caa068519312146b8a616c4b162b5c0adf169f55ef52a4e06ce8c973939d4bf

SHA512
2847a46005db736c7e2630a4eec6cb840e6fe4d0dcd8e51bec72bd8a2637d98a6bc9893c54b8f9a3babf1f5687ed907a483514297455ff5b4a4a5d977f410fde

Download Submit
C:\Windows\SysWOW64\Olaejfag.exe

Filesize
337KB

MD5
564606e45626c3a50bf9321d4e32b798

SHA1
cfc285b46be3e027656a070aa212db3881b671f9

SHA256
3129b7f557d68bdfbfe8b0646c8a9348ab56d9558c8efa5a0a10c07a0b31411d

SHA512
b28ef6d5e34827ef6c9649d107a4669aebf39077f99383ec3ba777ea992d167622a43e1262acf36d67be3dc7100b919bebb1040c7f09a658dcbc7631cb0a88f6

Download Submit
C:\Windows\SysWOW64\Oncoihfg.exe

Filesize
337KB

MD5
40cf77d6b1bc075733f7bd3eb1a0dac0

SHA1
cbd7a57a2961a753fd9803ec2f1b38207b02de52

SHA256
e49818b14fcad7413966dbba3861a59267a662ff1418f11b525996078fa31b5f

SHA512
1121d94af183cd9c80b1273e8454b0ba26613edf0b92abd84467c15c0b2baec8e182d02e0223f379e0b222fd3570ff1d0e517c76efdfa0bf5eef35e303846fc4

Download Submit
C:\Windows\SysWOW64\Pggbnlbj.exe

Filesize
337KB

MD5
705c46271c700658e0af0c0713a1860e

SHA1
98d180c4d1850a03c4c88e6d882c2c052bb06a0c

SHA256
6a6c3723c6eda3f6f260c31be9075deefeb00f91de4f0540ee7e4616219d3f32

SHA512
1d20946cf16cca4efd71f0626c3fdcaba53b558d39f11d48e49fb4fbc06686dae9546aad33a7e96925f2ebd2b33eca7e42abd029ea36d558df810d2c99f79771

Download Submit
C:\Windows\SysWOW64\Pjnijihf.exe

Filesize
337KB

MD5
1598fcf684c56240379156bc9aff7f3c

SHA1
538fe56f7daa1855d73a4b6f19398468142d6a40

SHA256
b3fcd634baf552b0704c88f381c43f1df6cdfbbdb702babeb55d94b254b7fa2a

SHA512
5686956bbe15c85ea969cd6803a2c38219e86bf81043ac71bfaf96c23e12d70cb78add1c98f337675e5a86e117a591f2700597a1b220c7647a8087d515047278

Download Submit
C:\Windows\SysWOW64\Pnlapgnl.exe

Filesize
337KB

MD5
6b39ebbbcb2cd7cbc0a109ea9271c26e

SHA1
20099755fb6869762ec5b305b1997dbb650aa7ac

SHA256
79e5720d0d4e134e8b47b1bf171dee1fa799cadbe194d2c0d48fcb0f3d8a3c87

SHA512
1af4300f9c46e0cc8e0f41edac3c238c913ec914864447e6b1663937a317ae8e3b681f6c1a3ba1bdfaa25df675235f178ab2b31fc46385a37a6edc7f7b5606b6

Download Submit
C:\Windows\SysWOW64\Pqfdac32.exe

Filesize
337KB

MD5
7e9ee9082f53e6e5ffe0f71eeeaa5662

SHA1
2200cea8a0f86d00ccbdf7bd063e7d1dd64ef1e2

SHA256
1e97449af8fd9ff128f8bc37938fc72eef80aa4a69e115726bb866c6ab03b5ad

SHA512
4f4ca6bb5e460bbbdcc39a5c4c50048d44182cd4895e6b8f41ddaabfa6b03c5e447e4f0bc4cbc7cba9ed4715289a5f45912ebffa49ec8497519d7bfa303d2ef3

Download Submit
C:\Windows\SysWOW64\Qflpoi32.exe

Filesize
337KB

MD5
7f23ab23052fc6e9449e86626b5ec20b

SHA1
5ec861a80d1c3ecb5873f0519323187af8fd6569

SHA256
53931f9f9b99e50f2282a9630a0d55d86c42640cef0c017716a6d55128d2b6ce

SHA512
9578c01e776d7c236f0db2ad7a3714b09945c2e871e7d82cdd24fbb98283bfc0ba9215074866829ca88ee9db69f89e6df66faabf7a2b339907200122d5d103f8

Download Submit
memory/244-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/464-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-720-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-719-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-668-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-663-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-723-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads