berbew | 2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558

Analysis

max time kernel
121s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25/unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
Size

1.3MB
MD5

dcb495a0700ddc8b92f846df0b2686c0
SHA1

335148ad5327fbd1c49948d18f64c6573513c7d7
SHA256

e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b
SHA512

b666827defe8da98b6ea93ad8245da6d0f76162ab7ef24c3f41c7c929911237f07216e7e9a10efd96877b55a56c54473e1919913f3e4e9ac98d7c871e6f72e94
SSDEEP

12288:U0b1/Nblt01PBExKqClt01PBExKN4P6IfKTLR+6CwUkEoIQ:U0nlksklks/6HnEpQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhikci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblmgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhikci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpdennml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppdbgncl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3088	Bklomh32.exe
4928	Bgbpaipl.exe
2784	Cdimqm32.exe
2924	Ckbemgcp.exe
4092	Cpdgqmnb.exe
2296	Cgqlcg32.exe
2724	Dgcihgaj.exe
4840	Dnajppda.exe
2320	Dhikci32.exe
1320	Egaejeej.exe
2616	Egcaod32.exe
3836	Enpfan32.exe
3152	Figgdg32.exe
4976	Feqeog32.exe
4196	Finnef32.exe
3300	Fbgbnkfm.exe
3576	Gnpphljo.exe
960	Gkdpbpih.exe
2744	Gpdennml.exe
2488	Gaebef32.exe
2972	Hpkknmgd.exe
3488	Hldiinke.exe
1440	Inebjihf.exe
4336	Ibegfglj.exe
2256	Ipkdek32.exe
512	Jblmgf32.exe
4952	Jihbip32.exe
4368	Jbccge32.exe
3732	Klndfj32.exe
4280	Kcjjhdjb.exe
3172	Kpnjah32.exe
4024	Kpqggh32.exe
1660	Lpepbgbd.exe
4788	Lebijnak.exe
2316	Lllagh32.exe
3652	Lojmcdgl.exe
456	Llnnmhfe.exe
4984	Lchfib32.exe
5000	Lhenai32.exe
1232	Loofnccf.exe
5036	Lhgkgijg.exe
1284	Lcmodajm.exe
3068	Mjggal32.exe
652	Mcoljagj.exe
1896	Mjidgkog.exe
1576	Mofmobmo.exe
540	Mjlalkmd.exe
2976	Mhoahh32.exe
220	Mbgeqmjp.exe
2748	Mlljnf32.exe
4736	Mjpjgj32.exe
2792	Mhckcgpj.exe
1928	Momcpa32.exe
4256	Nhegig32.exe
2160	Noppeaed.exe
4144	Nfihbk32.exe
3600	Noblkqca.exe
4352	Nfldgk32.exe
2820	Nmfmde32.exe
3028	Ncpeaoih.exe
2156	Nqcejcha.exe
856	Niojoeel.exe
3324	Ooibkpmi.exe
1076	Obgohklm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Bmgjnl32.dll	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Gkdpbpih.exe	Gnpphljo.exe
File opened for modification	C:\Windows\SysWOW64\Feqeog32.exe	Figgdg32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Pbcncibp.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Finnef32.exe	Feqeog32.exe
File created	C:\Windows\SysWOW64\Mdhbbnba.dll	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Hbnckkha.dll	Egaejeej.exe
File created	C:\Windows\SysWOW64\Jihbip32.exe	Jblmgf32.exe
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Hiciojhd.dll	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Enpfan32.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nqcejcha.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Gaebef32.exe
File opened for modification	C:\Windows\SysWOW64\Gnpphljo.exe	Fbgbnkfm.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Hldiinke.exe
File created	C:\Windows\SysWOW64\Oifoah32.dll	Dhikci32.exe
File created	C:\Windows\SysWOW64\Hgeqca32.dll	Enpfan32.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Dhikci32.exe	Dnajppda.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Bpfljc32.dll	Finnef32.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Bklomh32.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Fbgbnkfm.exe	Finnef32.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Oiccje32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Fegbnohh.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Oqhoeb32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Lllagh32.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Oblhcj32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Obqanjdb.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Mjidgkog.exe
File opened for modification	C:\Windows\SysWOW64\Hldiinke.exe	Hpkknmgd.exe
File opened for modification	C:\Windows\SysWOW64\Lojmcdgl.exe	Lllagh32.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Noblkqca.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1220	828	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooibkpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaebef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnpphljo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkdpbpih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpdennml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hldiinke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkdek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jihbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbcncibp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnajppda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbgbnkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhoeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egaejeej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feqeog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblmgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpnjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjpjgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebijnak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noppeaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egcaod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbgncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Finnef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Figgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebjihf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhikci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Hldiinke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll"	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flinad32.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fallih32.dll"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofljo32.dll"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feqeog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaebef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll"	Dhikci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Finnef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3088	4452	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe	84
PID 4452 wrote to memory of 3088	4452	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe	84
PID 4452 wrote to memory of 3088	4452	unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe	84
PID 3088 wrote to memory of 4928	3088	Bklomh32.exe	85
PID 3088 wrote to memory of 4928	3088	Bklomh32.exe	85
PID 3088 wrote to memory of 4928	3088	Bklomh32.exe	85
PID 4928 wrote to memory of 2784	4928	Bgbpaipl.exe	86
PID 4928 wrote to memory of 2784	4928	Bgbpaipl.exe	86
PID 4928 wrote to memory of 2784	4928	Bgbpaipl.exe	86
PID 2784 wrote to memory of 2924	2784	Cdimqm32.exe	87
PID 2784 wrote to memory of 2924	2784	Cdimqm32.exe	87
PID 2784 wrote to memory of 2924	2784	Cdimqm32.exe	87
PID 2924 wrote to memory of 4092	2924	Ckbemgcp.exe	88
PID 2924 wrote to memory of 4092	2924	Ckbemgcp.exe	88
PID 2924 wrote to memory of 4092	2924	Ckbemgcp.exe	88
PID 4092 wrote to memory of 2296	4092	Cpdgqmnb.exe	89
PID 4092 wrote to memory of 2296	4092	Cpdgqmnb.exe	89
PID 4092 wrote to memory of 2296	4092	Cpdgqmnb.exe	89
PID 2296 wrote to memory of 2724	2296	Cgqlcg32.exe	90
PID 2296 wrote to memory of 2724	2296	Cgqlcg32.exe	90
PID 2296 wrote to memory of 2724	2296	Cgqlcg32.exe	90
PID 2724 wrote to memory of 4840	2724	Dgcihgaj.exe	91
PID 2724 wrote to memory of 4840	2724	Dgcihgaj.exe	91
PID 2724 wrote to memory of 4840	2724	Dgcihgaj.exe	91
PID 4840 wrote to memory of 2320	4840	Dnajppda.exe	92
PID 4840 wrote to memory of 2320	4840	Dnajppda.exe	92
PID 4840 wrote to memory of 2320	4840	Dnajppda.exe	92
PID 2320 wrote to memory of 1320	2320	Dhikci32.exe	93
PID 2320 wrote to memory of 1320	2320	Dhikci32.exe	93
PID 2320 wrote to memory of 1320	2320	Dhikci32.exe	93
PID 1320 wrote to memory of 2616	1320	Egaejeej.exe	94
PID 1320 wrote to memory of 2616	1320	Egaejeej.exe	94
PID 1320 wrote to memory of 2616	1320	Egaejeej.exe	94
PID 2616 wrote to memory of 3836	2616	Egcaod32.exe	95
PID 2616 wrote to memory of 3836	2616	Egcaod32.exe	95
PID 2616 wrote to memory of 3836	2616	Egcaod32.exe	95
PID 3836 wrote to memory of 3152	3836	Enpfan32.exe	96
PID 3836 wrote to memory of 3152	3836	Enpfan32.exe	96
PID 3836 wrote to memory of 3152	3836	Enpfan32.exe	96
PID 3152 wrote to memory of 4976	3152	Figgdg32.exe	97
PID 3152 wrote to memory of 4976	3152	Figgdg32.exe	97
PID 3152 wrote to memory of 4976	3152	Figgdg32.exe	97
PID 4976 wrote to memory of 4196	4976	Feqeog32.exe	98
PID 4976 wrote to memory of 4196	4976	Feqeog32.exe	98
PID 4976 wrote to memory of 4196	4976	Feqeog32.exe	98
PID 4196 wrote to memory of 3300	4196	Finnef32.exe	99
PID 4196 wrote to memory of 3300	4196	Finnef32.exe	99
PID 4196 wrote to memory of 3300	4196	Finnef32.exe	99
PID 3300 wrote to memory of 3576	3300	Fbgbnkfm.exe	100
PID 3300 wrote to memory of 3576	3300	Fbgbnkfm.exe	100
PID 3300 wrote to memory of 3576	3300	Fbgbnkfm.exe	100
PID 3576 wrote to memory of 960	3576	Gnpphljo.exe	101
PID 3576 wrote to memory of 960	3576	Gnpphljo.exe	101
PID 3576 wrote to memory of 960	3576	Gnpphljo.exe	101
PID 960 wrote to memory of 2744	960	Gkdpbpih.exe	102
PID 960 wrote to memory of 2744	960	Gkdpbpih.exe	102
PID 960 wrote to memory of 2744	960	Gkdpbpih.exe	102
PID 2744 wrote to memory of 2488	2744	Gpdennml.exe	103
PID 2744 wrote to memory of 2488	2744	Gpdennml.exe	103
PID 2744 wrote to memory of 2488	2744	Gpdennml.exe	103
PID 2488 wrote to memory of 2972	2488	Gaebef32.exe	104
PID 2488 wrote to memory of 2972	2488	Gaebef32.exe	104
PID 2488 wrote to memory of 2972	2488	Gaebef32.exe	104
PID 2972 wrote to memory of 3488	2972	Hpkknmgd.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\Bklomh32.exe
  C:\Windows\system32\Bklomh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\Bgbpaipl.exe
    C:\Windows\system32\Bgbpaipl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\Cdimqm32.exe
      C:\Windows\system32\Cdimqm32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        45⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        68⤵
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1172
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        82⤵
        
        PID:828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 408
        83⤵
        Program crash
        
        PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 828 -ip 828
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
1.3MB

MD5
c0a6e5636bf32d4f623a551af9906d68

SHA1
b0938d42a6f406cea3199a96bfed3a30bb71cd89

SHA256
d891eff894452b9a6cdceb5fd7b85167563a7823ce0e31df336e5bef9b3a30ff

SHA512
b734ce60d27f62b4bad7ee64d075599b7e94fec35130437e4515ebe748bde0aacb64eae2ed575b79a04f038034f5164222d483abfd9bc618fb6b1a08679b4f4b

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
1.3MB

MD5
b04ce684a016f5539fefe75b40108660

SHA1
b3aba37e596bd3e90917d33b8799475807018860

SHA256
b5c3b484487aa73e5e6de7c921654871da7090fc87081e3d91a65f803f3577b9

SHA512
1ee83277072c5100056f759174136a0ac1393b5fc68c40b2728fc006320282032dab5588179dbd7e2f3b6eeaa7dc6b1067d1a7634ed579b654cad2ff426abc2d

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
1.3MB

MD5
e4f827f8e2796096bf5d8f2ea1b05798

SHA1
45ecd7d38e57ba145335b0a61febd36fdad9b25c

SHA256
67195c046c7df8e2989de4126c8a4d4262eb4c14bd909ad2f06f5ff02bb1f70f

SHA512
f722605775ad998b86be26659dbfc5e3cf3127bea73eae21a4569f061d961ac0b5c04c92d8f81ef5d79d5bb59f8b17ca2daa2035fe02df0bbe637e5ed32c4c02

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
1.3MB

MD5
30210801c5873d9dfed065469689fd08

SHA1
cc4d4484d3e5c6d8fa72d43c50005318d60ba220

SHA256
7035deaf40c57edb2030c69d60867abfb26734b3d04a2466e6d77afe9d73fc72

SHA512
f152d64e146b00fd2872666d4b5b1f299d2bcba8a40d19a53845dac33540122574a239900e0a7ce70a0239a0d39179deea33a04fce041bfc8d87737b01e53a23

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
1.3MB

MD5
77bcc3acb50ef8d8e6cc34f958ff3d08

SHA1
ffe3786ae3c485bee984457961c3c020a70eb31e

SHA256
461852c65296b8161b43904f988245db899b48935ee7979f3edbe92bb47838fc

SHA512
0642db0acc5b65a88bad22d9ca5b7d3f86ba563291a9754b644325e3621473a50423915d292a04628c9370a08a21c3134f9f6b458bd948d9143e444ebee1b705

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
1.3MB

MD5
f0f131a293d0ae3ef1c6ee4b52e57c99

SHA1
f5ef133819e31e4a2b7ce4f4b82095fdebc0b339

SHA256
99bf898dfe0b71fccb417dec925d3a98d23d58d426d5ae4d0a06babfefd9cfd5

SHA512
64b61474c9d1d64386a33835ed5a1703b64ab57052fd91d41e53e0c8e67319b9b9a7e905743581e91086f98076c613715306c3b6eddf9ae544c458faaca1b42f

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
1.3MB

MD5
b48352e0d65bf53df0542e66f7d37c09

SHA1
b0625197cb4b6f3426113f26c82207e7da8746b0

SHA256
d69587a963de12460b48e027fd8420fef3616b796d2a295b3baf77d510ec0e97

SHA512
c2ee304604ba28228c9fcd20d2df0de2cb1bfc41c401f279aa606762f6306914ba8e00b2995dd82ccfd09a6878c8d2da2ef88c0c1d0da9722074008c5dfd346b

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
1.3MB

MD5
a0af5af672d1f8a0bb110266a89483cf

SHA1
5643cda8c97e34deaeb5c4687841d5f1a7995911

SHA256
cedbc7d1f5beba525eb43d3ba34d295cc451d071bbe77019c8eeca6ccae3417a

SHA512
50cbee09f1ed557712f5b61cfbd1043add4299bc4dbada947887686dd808a68b9db015615d0e823a1424e2e42c31d02e4ed0a85a211c396beec2170e11ebf0c6

Download Submit
C:\Windows\SysWOW64\Dnajppda.exe

Filesize
1.3MB

MD5
8aac4b6f821341a5e3cbd2d6de050b1a

SHA1
b03684c3528cc57f27bdbf431cd84c27f2339555

SHA256
116112fd9e2eddc1cfa1da054370214afffb5de8329aa74d79909336b8bf2859

SHA512
03fd036da1e4f202fd1475e151ed7f837575f43f32aae1d1168e4a0df7c6b2d90321c12bab0877899f9fd7d9b6e346f5ff1bc35de5c4bbc04428ee7d331ae911

Download Submit
C:\Windows\SysWOW64\Egaejeej.exe

Filesize
1.3MB

MD5
b9fb6aee985f3b2a38564b24281d26da

SHA1
e9bee042f58f4cfd6b9b425e040d07e9d98fe25b

SHA256
60d74839fe14a04c090763357b6dd87cc866e7e901e7acf7bd834d5c735e5e44

SHA512
be6bb4495fd1f00617a6834bd6d00a6e49a61538764595f3ed0bd0c107f6d7896efab8219fe509ec074b702b9f18897794471be4ecc7af11af20fdf76fbdfa19

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe

Filesize
1.3MB

MD5
99ed4fa8b5050c5b2c757dd81347a5ef

SHA1
c131e3681e7844538a40ab442b04143d7bafc088

SHA256
6d16f9d2535e8cf02d18f574cd0be888be6e95e0db8667f6d16e56eb8c4416f3

SHA512
1d9a138f3a561b08f94292fe9bea8bd08112ef1a7573dbdb9f89a7c4e5608d6afe0b896e7a5ecfa010784b6784814d4c1642792eb23507be8aa1919056fb5cc7

Download Submit
C:\Windows\SysWOW64\Enpfan32.exe

Filesize
1.3MB

MD5
5b1fdf0b4f93825b5504ecb1511c32d9

SHA1
e3a2ae1a9ebe95e8f887084df5316cceefef6118

SHA256
326759f3d57886f2f74c0449c22b7c17d53ebf581711723df857c71f38ce91c1

SHA512
e2b5fa5147168728a20bbb26960d3b12bca308cc0b17ed124effbbcb1a6f98cc569db48f9e38b4412a948e8b5b28010893abe0c683f7c62fe6af7f4c1b567f34

Download Submit
C:\Windows\SysWOW64\Fbgbnkfm.exe

Filesize
1.3MB

MD5
2c974c7a1f06f4ff212d80f37f7bdab1

SHA1
3ac32cbae8e22a7defad013d98b460e627601109

SHA256
8bc972a5e917e43df7b37b800cacd33676e7641865fc0ba5e60aaf4ee2e5cd9d

SHA512
4ba88e2bd5c34d687db157190e2a2cdef9a3413beb64a937016e82e6015ee6eb8263cafd3e78e0b28efe750be13cd98c7f7ccc50d88a357e80b89c7df2b403e4

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
1.3MB

MD5
0537610bd7d211f171c67feb04771622

SHA1
faf3b22f3726061cc3d25edc15544a57441e2f98

SHA256
7f750e4be96c4b23bd21e65859d11d133d1f8b8231c44adbb7db8e67c138efe4

SHA512
95698256c18f57b4172c46d31aac7a9166989cbeeb4b69836d5a00400d3033220e8854631a93187012d33fec1f2787b147376637ef757127844d3822c497d907

Download Submit
C:\Windows\SysWOW64\Figgdg32.exe

Filesize
1.3MB

MD5
44ea1ffb283547f2beb850868df56375

SHA1
34321ce76eb037a53a422786e164b9f968f686e7

SHA256
3f24eee7173db0199624a93eec39a78e99bf3372fc36381d00f2a8fc17c18b07

SHA512
7ddf9207906f6c6d3fc76473026e219526b683f4ce2a5679a8b695bcc6b403fccf4699bc9f168e4d6117cf8b6eca0a318ab60114ba28ebd44bb4f22bf038474b

Download Submit
C:\Windows\SysWOW64\Finnef32.exe

Filesize
1.3MB

MD5
8ce9a6ea5f761824ddc6b8a5df3b2063

SHA1
06b415fde756566495b631d36ad1ffa029247e3a

SHA256
846dd0531afec9980d854ea9af7bae63883248a11ab367d4a9e84e2855de9e1a

SHA512
40d91c5023231b66d659b72b12d26c6dea368d9749f16277085eb1bf84bbc3ea26b2a9e40e540d270789a3605b9cac518ece6c992b77cf03fbbbea38fe0000da

Download Submit
C:\Windows\SysWOW64\Gaebef32.exe

Filesize
1.3MB

MD5
3d44175035ed31eddd187f05c479faef

SHA1
758d45f2766e382d8efcfd6f8595072db70ae513

SHA256
89562d85fb7e64bb735fcd317c07a2e954f374a6b1855128ffc8ec1830cbb1c3

SHA512
5f3681bcc8c8c949eb59ebc7403331ae06b2dc72bd0ba3910858f9c6e6f99c29a000ab6c542ab253af2a67433c758254c3331cddb4214509e1b919b7a2e1a5d3

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
1.3MB

MD5
bb147a6b3b9d13a7b32e6f558a8ca32b

SHA1
c36169260ed87d46953a8ffa2584cb8a94c83411

SHA256
ede9ab954dd014235bb021b1df76cf37db47b8ff0ea2f56b115d53b9a26e479d

SHA512
ec54bede3bc3f2e792d3a1442f94e3deace6b81d7f1815d88b032fe3f527719c88602d6b504c4cbe681506159a00a48bc4a69551dd71e176bd9d88f81270a1e9

Download Submit
C:\Windows\SysWOW64\Gnpphljo.exe

Filesize
1.3MB

MD5
39438ed340f438d84f639f8fd772d2f6

SHA1
6b35986b9e7bdbd5066cfcb1b3c08ffd32f09f38

SHA256
1dd7ebe63b394e6be2474df9bba25678acbf3952d815cb1b1a223a5810c0ad91

SHA512
8d28f39c0f99484ef0f039f0b0375e6c8afc7952aa6f66d2fbfc3363830e0911c3ef5512453eb61160d36da920c88c58f0e498d1934a6cbf806a8f29b82c647b

Download Submit
C:\Windows\SysWOW64\Gpdennml.exe

Filesize
1.3MB

MD5
ba2aef6b0a12c067fba13ce51631ab16

SHA1
e132ec228ae938a011f95f54455c7787a4161425

SHA256
c853702eefc9e83a7d5ddb4f38058844a73fd24e8bcccd9fa37954cf6af4b535

SHA512
2957d160c5e2eddc963d198260428568451090bc9317570e81a51218e79848889abd2f4cb888c9d29d56b9e3792b86a4273ccf29f9d54325ac20d089330ef810

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
1.3MB

MD5
f6ffbb7db408fb43e61caa5948800b8f

SHA1
df0adb5727e9523bda865476c6d614a934196f0c

SHA256
5e7ea135bd53df6fb4b7c159e0505ed415da2dbd81f2df60b664fa91d1f6cfbd

SHA512
f9b717a99446b2f8a699d9342fa960839727c159593706100fdb6a39b4e9648d5df29037fd7fe704a3a2d7a3a131f67a4f9091d9f0de8d8234c8ba96f29155fd

Download Submit
C:\Windows\SysWOW64\Hpkknmgd.exe

Filesize
1.3MB

MD5
d4c36aae3d249f632444bdf1e6b80cd3

SHA1
089860b2b790ce7f58908deeedfac3f3b96d9338

SHA256
3355bc493ada85a5197a9e0d4e9db3039b8630de431084e93e93280a02b90596

SHA512
f09f4eb0f89823445cdfd4309589418df9ebfb9d31ae45965bc27eea6723ee6f6a070ed0f5734f7baff1c42052f8c191e1726873a80e1d0983233e9d7baa7d71

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
1.3MB

MD5
873f5240c1e28b6d2c0470a2a6d4c4de

SHA1
334b18012721726507ddcdae877c0949dbd614e2

SHA256
0e669fc215cbc1436ab0687274ebb4042db9618beb91aba666acfce999de1c66

SHA512
6c0a6e2fd48821bb3e57f353acf85009a71405f96baf6f321968c03994fe6c65c2a25fe577107f929f83c45604a8f962414ddb1e5ee0554eca893da393fab5fa

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
1.3MB

MD5
11043001a6532bf595063d2bc40fc9fb

SHA1
1cc05ac899b879cf5ef017970dcddd33d995e824

SHA256
beb73ff6165c1da9e41fc04da794a8020af3febf2cadd94b4f127ed7724a23e2

SHA512
4e4a36c6a08f9e7cc06c8bcbcbca2bf9a5eac22b16bcbd03a166f6c972fe8033ba445d00b44aaa23ae0131a19041c4da8574f82682631543919b464572dc7fa8

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
1.3MB

MD5
c9dd82cdcf133b3d0914d787738556ce

SHA1
26433ae90086ddded0882c59da30d78af3c7d071

SHA256
af5290b855d7da9b0b5cb246ec8b938b5cc3e9d0ec98d48242cad73c9e26bfe1

SHA512
b514ae59dffe662ee778429031ac1be8a7d3a6fd7cddf1c47b20c4bc4edf238043d0ef3c99f55a05dc2350fa97131141438df81dfcf915cf3564f42689933a0a

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
1.3MB

MD5
20a5553be94efc1f7c8002e6d5575ebf

SHA1
d1c3b750a3a8a25e292eced5b814491af9974483

SHA256
af2966d8fce58ac66900e8d4d67a649561fd1bd1441eb04c112b1549a21d9899

SHA512
592a18e99b3678d5dad5ca90c85efd422fe16fbb6ca1ccb92d2feb7ca6e1bd98b026c909dbfe223bcb3153e641e3acf9744a3c322e3c157445ea4028211ade4e

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
1.3MB

MD5
9bab984243185eb413b5d20148170e14

SHA1
d1a47eb0a742f26af0a4e3040c60441375542d00

SHA256
e0a31a84e494750405c5fd4c0cd6fe685ea97cdcbeb997c022541597cfa82742

SHA512
874fa95b94243d8e1f798464f2ac5f335923abff2e19afe96e339a0a73400c0a1a237ebeb5667af1ee4721415630d539d2bcca9f002c02aa6d3f09d336ae4844

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
1.3MB

MD5
a75ca96fe89b7a4c34a2b493d5e0f09a

SHA1
6f0672259541d5fed73247c8c23dbfa3b29ed24c

SHA256
926f6e804809c54ce4975de2a85e83231887a4b894a88b72d7ce83cdf7067287

SHA512
66e4b138cf429c50768aa01f7a8dbb3caf9e03e4b1270f4fe581b4fec76e612178b6daf6c97285955ea8a4d0e146cf79342de4c78ad05c14d135618c0f8493f1

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
1.3MB

MD5
deccb6ff728893476c2c29dd1832b580

SHA1
065ccc7fcdce96d0dfe022c3a168db3dc22fa530

SHA256
e999f7ff7ef39dbdd292bacdf1168968905f43470d4f90aa59ada6a30235dbe3

SHA512
03baa372f2e3656abb1e16aa6ee037765e550c8fc6dba016f89de7f47a9d1bc76928cbbd1b9891aed6c2ff89f26dc3da6683bb53e3439cb161c76bc080287001

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
1.3MB

MD5
a21a026fdd6f52e66b4f485ccc87d0da

SHA1
ae6669898f5343adf6f69e1c629b3fcd0cfcb54c

SHA256
7cf12c77bace3ed206fada8bc7ed030801a17e871faed2e8825270ab1b1e2972

SHA512
9831e7345704fcf53265a886b5b772e938288be0da31a3e079535c780b9984e73bd1da288b54d9a8d6b0bc5c1df3252071e3ec84d7fcaaca48ab53a639b9a4d3

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
1.3MB

MD5
29cce2e8b33ca1ad431ba91898b1b48c

SHA1
01b56ced611ceb535569fa4183ebf856a13d8c01

SHA256
41fd15657d6f255f9a9e7f70b063e65d97b17a0e5e95399351db85edd965f2ba

SHA512
ce92bc947622c8ef7b73c0ef44f3f1f65400973c5ee9ff8fc319f6c67ee56f227492034043b2943f8ffd13967c52a0b366846c34812dc7efa95ef9bb1744d24a

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
1.3MB

MD5
ceaf195f4fae5ae1c5dbf3dc58d2d2ac

SHA1
04c71cab1ab8beff41c77713233a1de18365c3e5

SHA256
aca3dd859d11a26de98b52ae3c983eb7777bb7d8d74e3bb744f47555b2777ed2

SHA512
6e85969219efa6dcb3ec143866074d8592745f9fc17f5fd7dafee5cbcbd123c4cfba10c4995429db2473263ca1f0582325f37a204b2ad924545a8574268c8a8d

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
768KB

MD5
9c9f5695fc2381c144fbbe8462ba0dd8

SHA1
8084c722bc2b6bf54a7624c76b3a548d35bfb55b

SHA256
462e5f3908641ce2cb457e529bf79d681ba11fbfaf11168249a9f81eb38b6151

SHA512
8d7861b84acc1c4084014921b58401b15fe61fc50596854fc62ebb268246a2117f276d16ef48693ceb446ed092e840e88b77b737b1a71dc693720d417772ed8c

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
1.3MB

MD5
4df05e2c0cb31b501a234da9885b11c1

SHA1
67d82f873e45715d1d173c0aa2b4a4132a503aad

SHA256
f865f23b5e080d65f0aa2c0e43b88abd8966ea7e66b76d31c543af4942fbbbac

SHA512
3dce0406194956e47aaddbd3ada6f3e59a78e1b2930158e97f8c96bc693eb67e2e258c76c0603b4e270c43013486d6f75a658457854d5acd07a5d8ca50f68208

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
1.3MB

MD5
8a89cc883beccd2ae5d2fc42d48d6edc

SHA1
ac6a35048438eab10488d385d627e3fe3651bd52

SHA256
6a2823d34d1a500a7076ddfe4852dc0c50db084bb612f0732b2639b3740bfb61

SHA512
b925ca5e761743b5b5a55f656a82db87cf7898e5756174b9a65762f3e92ba3fbaee7c316e08f7b3b2f7579dc3b186ffb8e4f27830aa94f264e9101ad4811b12f

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
1.3MB

MD5
b582e9b965b2d35d8cc5d12f1fd16fb9

SHA1
5c04e20d42d094f623a4e83c69b56e99bcc90a17

SHA256
3ad22337d657683d25318d4383399ed4d5fa13aa0c4aa22b549925482e172c5b

SHA512
8c9e703f96d267b566e98d2d51a62180afb66b166252b9afee70537ee362bc73f9ca966a0802c8917603d3239f38f2dca5708a5bb457b1f9536aa388defbfcc2

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
1.3MB

MD5
d161856166f0e0716efcf1d10a02f44c

SHA1
8ca21063f70e2e3a30ff2af263a51e944302f5d8

SHA256
03f9dbf4f16224abf403966301dd0f650228854c1f4668f8c2c7a31b3c807a6a

SHA512
073f5b983b94ef5b84f570e4dbd2e555331a327b0588637d130b274675a02cde5c982ce227c9e77b1e1c950c1b1a93b165c3b26b8df0fe177ec7ec134dfc82ae

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
1.3MB

MD5
b6a7504eb844a4aa84f52434c143103c

SHA1
697d0d16097fd999d895c07842f1da67bd1405b7

SHA256
9d11f0c5a8a686e96555004e601ba3388a9ca67d19671693361c08ba62e82bfe

SHA512
4529af9d350ea6f6aa31ff5980790331e19426a69917629cdfa8c51d25b62a3a41c039aa29c84e96bf50ef574840fe067570370520839cc2cbbc187152574ee0

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
1.3MB

MD5
0ddd96631a734a6ff220675565ef6335

SHA1
9fffe7e0c337a2a58671672c7df0e596f612721c

SHA256
49c7fbad011a1fd827512469ef269389c392af1765d66f87d136eb0502f6d89f

SHA512
4c33ae52de1ec05ad263aff182e637cbb85d29114532af1391b6d6033b05f0c91ed51e6f6734b5bab778a911b1e54762cb2534015cf25c4fa3698ff316118642

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
1.3MB

MD5
cde9a50b1dd3f0318c06de2447f3eb4e

SHA1
7e3a508f854dc4e3da7c03b8fb43f4b606a88208

SHA256
6465b24cfc28d8e9a34de2b70e708b50059342053eceae21f12f9b6f488ff520

SHA512
1a11624edf75f2a8fe178979cf6bccfb92279f0b8b00103f315c9d732dabb3107909381e96839a5b8542ba0622982d76445cecf5efcde15fc4d7fc15af1707bf

Download Submit
C:\Windows\SysWOW64\Obqanjdb.exe

Filesize
1.3MB

MD5
fa7f137c878a3f4217242bb01efedbaa

SHA1
0894525a3253c03798d39cff5c68f8a40bf5e4a2

SHA256
443ce7a44fded73f5bcec193235599b4ccb322fc4e8b3536534902ad6e629e8e

SHA512
caea8654a75722e4073d0bb4f55e80de99b3bdd878f1236ac07b86e3d0a6e3cdea958f788328d24ee8f59769d16f6829a9cb666934c3b3901634736c8ecac2a4

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
1.3MB

MD5
6e8743ffca8e6e2f19c4876864dc246d

SHA1
bede94c844a5a631f4f86e5a8b17e0479e562e0b

SHA256
bb8b855842afaa79422a3807e25fbefa81b850896980d5ba69e774d23a49f896

SHA512
228d1aba24469a1ebc9d58d0b8b86ef102dcbf0605e58e21b26a6d376c27910af48887623cb0251f7a85e9ee0458019a956bf037129568dc875de85a09e54c24

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
1.3MB

MD5
0d6c15a2328cd582598fb8c88b12b452

SHA1
d559b77e053acb2213b15987f8e433d1cc9a6ef8

SHA256
a068269c3f7a2e40f459849fe80a08a6a62b54be897139623f6235cb58e880a1

SHA512
198ac28662367723963efea95df79895ee9a30ddfb59fc69d756a99f91f1b67e89b4668709bdf104d4422fbc4f8d9800166aec375d50c1ceab84aa0c303b9614

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
1.3MB

MD5
d12e7104c4a43482c9d0618ebd007e60

SHA1
b480f3993fd6eb3986f836b41273d547a70cc151

SHA256
ddde5879d2504139c862c61f0adaf8e86e9cbcb578a73e9705b1c708a4d41b75

SHA512
dbf453f4b2553cad9ed42eb982014cdb7004bcf86c85c3c11f7f3a9022731e72664d60e0c111dc0f2f4d2a2b46d8de741af250b6cd951157cfb7df161120d4d8

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
1.3MB

MD5
35b55f845bf08383995deb9173a8dc19

SHA1
ae7e0311ce554a7f91f22556d847f9d8d443ba6b

SHA256
5ea96aeb4539dad1036ecfce7ce0b544f98f3fe72aff6a51723628658cd4fa01

SHA512
93078d7d9331d0958aed39d38e4a864a5ec53ec6cb4035735d40f7b0fa6068d69fc6e071c30b6cb46da04f8d8678948929c54ffba3b4d52b93db5ce43ffe43b0

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
1.3MB

MD5
0136655336074929daf3c04dff8713e5

SHA1
ff6e31d21e6b18d52dd89b7ae8c6fb42151585d9

SHA256
cebc3f0b8f85ae930d69fefce65d23d822b52603967e3e9762e9cc531c3e46ec

SHA512
69fdbc44065914537868c8688cb165fc0ab55e99647509e49600ab1ed15f4c00d955f59dec77e1efb46443129cd158b2b692c60a8a3a341406fd8331a14c417e

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
1.3MB

MD5
af2138083e96092cae82fa557b2d2f75

SHA1
3b8f08be76f37ff0005a9eddea42f13bfb49bfbf

SHA256
e4ce330da228d3a5c1cf93965f227fdbe5d57bce8e9123b3fbc203a792f52b1b

SHA512
3edf5a2f03471a85d09aebd345f756a610677631fa97dae7af39805060c39e5dfe55c554753c30822ab6d004d6963aeb48a5d15f8ce7e06b43f6fd91fb57ea4b

Download Submit
memory/220-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-624-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-675-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4736-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads