berbew | 7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe
Size

194KB
MD5

6eb4d49fd911e84d243075faa22315a0
SHA1

67484eba5b3611e44922abb457865c296486fe85
SHA256

7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265
SHA512

dcfad5302b78687d3d0651c8014a97ad80c8fcdef5bb8c4edbb90118649652d3c34ab07b85d4835105e52995d0ca751966db72a6e56192d366703ab5a4891b3d
SSDEEP

1536:8Zon+P3mJdUTxAE8SLvIumOZatMIM/5/KEatMIGuatMIc/zT4a5GV:80JalAE7vTmMIM/kEmMIGumMIc/1GV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2828	Kbceejpf.exe
4412	Klljnp32.exe
392	Kedoge32.exe
4864	Kipkhdeq.exe
4692	Kfckahdj.exe
1308	Klqcioba.exe
1364	Lbjlfi32.exe
3204	Liddbc32.exe
4044	Ldjhpl32.exe
4572	Lekehdgp.exe
4964	Llemdo32.exe
4716	Lboeaifi.exe
3284	Lenamdem.exe
2804	Llgjjnlj.exe
1192	Likjcbkc.exe
4680	Lpebpm32.exe
2772	Lgokmgjm.exe
3296	Lebkhc32.exe
1944	Lllcen32.exe
2492	Mdckfk32.exe
4260	Medgncoe.exe
2532	Mgddhf32.exe
2296	Mmnldp32.exe
3224	Mgfqmfde.exe
4040	Mpoefk32.exe
4848	Mgimcebb.exe
2184	Mmbfpp32.exe
2500	Mcpnhfhf.exe
3496	Mnebeogl.exe
2908	Ndokbi32.exe
4800	Nilcjp32.exe
4120	Npfkgjdn.exe
4828	Njnpppkn.exe
4000	Nlmllkja.exe
1692	Ndcdmikd.exe
4552	Ngbpidjh.exe
3252	Nnlhfn32.exe
624	Ndfqbhia.exe
1700	Ngdmod32.exe
2056	Nnneknob.exe
2072	Pgllfp32.exe
2096	Pjjhbl32.exe
4612	Pqdqof32.exe
2516	Pdpmpdbd.exe
4328	Pfaigm32.exe
4852	Qqfmde32.exe
4400	Qceiaa32.exe
4980	Qfcfml32.exe
2080	Qjoankoi.exe
3320	Qmmnjfnl.exe
3916	Qcgffqei.exe
1680	Qffbbldm.exe
1688	Adgbpc32.exe
2476	Afhohlbj.exe
4880	Anogiicl.exe
3200	Aclpap32.exe
1448	Ajfhnjhq.exe
3232	Anadoi32.exe
1728	Acnlgp32.exe
4060	Ajhddjfn.exe
3952	Aglemn32.exe
2684	Aepefb32.exe
4292	Bfabnjjp.exe
3644	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Lenamdem.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5592	2404	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2828	5076	7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe	85
PID 5076 wrote to memory of 2828	5076	7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe	85
PID 5076 wrote to memory of 2828	5076	7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe	85
PID 2828 wrote to memory of 4412	2828	Kbceejpf.exe	87
PID 2828 wrote to memory of 4412	2828	Kbceejpf.exe	87
PID 2828 wrote to memory of 4412	2828	Kbceejpf.exe	87
PID 4412 wrote to memory of 392	4412	Klljnp32.exe	88
PID 4412 wrote to memory of 392	4412	Klljnp32.exe	88
PID 4412 wrote to memory of 392	4412	Klljnp32.exe	88
PID 392 wrote to memory of 4864	392	Kedoge32.exe	89
PID 392 wrote to memory of 4864	392	Kedoge32.exe	89
PID 392 wrote to memory of 4864	392	Kedoge32.exe	89
PID 4864 wrote to memory of 4692	4864	Kipkhdeq.exe	90
PID 4864 wrote to memory of 4692	4864	Kipkhdeq.exe	90
PID 4864 wrote to memory of 4692	4864	Kipkhdeq.exe	90
PID 4692 wrote to memory of 1308	4692	Kfckahdj.exe	91
PID 4692 wrote to memory of 1308	4692	Kfckahdj.exe	91
PID 4692 wrote to memory of 1308	4692	Kfckahdj.exe	91
PID 1308 wrote to memory of 1364	1308	Klqcioba.exe	92
PID 1308 wrote to memory of 1364	1308	Klqcioba.exe	92
PID 1308 wrote to memory of 1364	1308	Klqcioba.exe	92
PID 1364 wrote to memory of 3204	1364	Lbjlfi32.exe	93
PID 1364 wrote to memory of 3204	1364	Lbjlfi32.exe	93
PID 1364 wrote to memory of 3204	1364	Lbjlfi32.exe	93
PID 3204 wrote to memory of 4044	3204	Liddbc32.exe	95
PID 3204 wrote to memory of 4044	3204	Liddbc32.exe	95
PID 3204 wrote to memory of 4044	3204	Liddbc32.exe	95
PID 4044 wrote to memory of 4572	4044	Ldjhpl32.exe	96
PID 4044 wrote to memory of 4572	4044	Ldjhpl32.exe	96
PID 4044 wrote to memory of 4572	4044	Ldjhpl32.exe	96
PID 4572 wrote to memory of 4964	4572	Lekehdgp.exe	97
PID 4572 wrote to memory of 4964	4572	Lekehdgp.exe	97
PID 4572 wrote to memory of 4964	4572	Lekehdgp.exe	97
PID 4964 wrote to memory of 4716	4964	Llemdo32.exe	98
PID 4964 wrote to memory of 4716	4964	Llemdo32.exe	98
PID 4964 wrote to memory of 4716	4964	Llemdo32.exe	98
PID 4716 wrote to memory of 3284	4716	Lboeaifi.exe	99
PID 4716 wrote to memory of 3284	4716	Lboeaifi.exe	99
PID 4716 wrote to memory of 3284	4716	Lboeaifi.exe	99
PID 3284 wrote to memory of 2804	3284	Lenamdem.exe	101
PID 3284 wrote to memory of 2804	3284	Lenamdem.exe	101
PID 3284 wrote to memory of 2804	3284	Lenamdem.exe	101
PID 2804 wrote to memory of 1192	2804	Llgjjnlj.exe	102
PID 2804 wrote to memory of 1192	2804	Llgjjnlj.exe	102
PID 2804 wrote to memory of 1192	2804	Llgjjnlj.exe	102
PID 1192 wrote to memory of 4680	1192	Likjcbkc.exe	103
PID 1192 wrote to memory of 4680	1192	Likjcbkc.exe	103
PID 1192 wrote to memory of 4680	1192	Likjcbkc.exe	103
PID 4680 wrote to memory of 2772	4680	Lpebpm32.exe	104
PID 4680 wrote to memory of 2772	4680	Lpebpm32.exe	104
PID 4680 wrote to memory of 2772	4680	Lpebpm32.exe	104
PID 2772 wrote to memory of 3296	2772	Lgokmgjm.exe	105
PID 2772 wrote to memory of 3296	2772	Lgokmgjm.exe	105
PID 2772 wrote to memory of 3296	2772	Lgokmgjm.exe	105
PID 3296 wrote to memory of 1944	3296	Lebkhc32.exe	106
PID 3296 wrote to memory of 1944	3296	Lebkhc32.exe	106
PID 3296 wrote to memory of 1944	3296	Lebkhc32.exe	106
PID 1944 wrote to memory of 2492	1944	Lllcen32.exe	107
PID 1944 wrote to memory of 2492	1944	Lllcen32.exe	107
PID 1944 wrote to memory of 2492	1944	Lllcen32.exe	107
PID 2492 wrote to memory of 4260	2492	Mdckfk32.exe	108
PID 2492 wrote to memory of 4260	2492	Mdckfk32.exe	108
PID 2492 wrote to memory of 4260	2492	Mdckfk32.exe	108
PID 4260 wrote to memory of 2532	4260	Medgncoe.exe	109

C:\Users\Admin\AppData\Local\Temp\7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe
"C:\Users\Admin\AppData\Local\Temp\7179cb7fdcedcddf1a6bd4f6644e2d6237a0049241937c5d79972809b55a1265.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Kbceejpf.exe
  C:\Windows\system32\Kbceejpf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Klljnp32.exe
    C:\Windows\system32\Klljnp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\Kedoge32.exe
      C:\Windows\system32\Kedoge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        30⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        33⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        68⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        86⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        92⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        95⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        103⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        105⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        107⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        110⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        114⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 396
        116⤵
        Program crash
        
        PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2404 -ip 2404
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
194KB

MD5
c0f13fa0dfa4bc7edae01be7eb36b186

SHA1
79d452a8fa4f2defb459df8f9e8b45246b7225b0

SHA256
5b788079003985ff65b3372b246cac42e2fb14ce96a11aea21ce0bcb5bf5a4db

SHA512
86ac426645f77800f98fab074d0fc631b4e6eea69136aa064e82d4d8e990dc60166a1cb8e06e0f7a3509602968a32a09d81722a0051b94f3f53511e95c4068f9

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
194KB

MD5
919adf86a89cdfe769285236ec380a06

SHA1
1f4979d048e127d7f3f94e643efcbdd3ccee9cf9

SHA256
fde497203a98541dfeca923f514f5011382f78cb2a531828753580f4bf55395b

SHA512
42e1b4d7cb8fa782e0b69389988df910af468b76dc1f7c25d57f33f34edae5cd6b2422f381941d44aa8de4675de7573fe8d04d7621da4c558a843708dcaa5151

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
194KB

MD5
1058dff8aff9f32ca6901f8b1fc15b57

SHA1
2b215a69401ae7c782ca1fbdc1a313d5966db3b3

SHA256
f48520612368d80bf731ebab59b245ed6e6772637453d7e7e7157485cd17bf6f

SHA512
4f7f32b4fcc2d6245bfd7cb75b95c99f12ba3e0e5fb7a70f140464047add66f1064d63586e3e054b5e9d3c6c411bfd69410b68ac6f0397e6d5d12010ff05bfb6

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
194KB

MD5
1a84f4a098672d2e67a7fd25cfdd5cfc

SHA1
8a6bb15571d3cf66ae17f42b32a4bda1d65a8ae1

SHA256
ad3f0d291d62c9df6de9d5a90a445e0cf713f0db9e33876ba510f0f99d7293c9

SHA512
eebdc1d5777314468013a87f1a3aa68e658a675e0546d1d16aca140a40ff5fec06aca4820f5ff038ed91a21f68ba163e371ba5dea8a12cf21dd6ef473cf6c936

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
194KB

MD5
8082b8b6c4bd5f74989b063c8b281a2b

SHA1
c28a1e84ac6b94b68057a2a5edb9cd6239da9472

SHA256
326eec654d115be8cfce219338d6f8814b29e2f1526945cfa96fe31b48fa862c

SHA512
e697e6d807cd290e271d5db498cc4c521cf41b0a1752a60e8fe39de50536ce6cb5fa6c30c5b3d920495bfe3c04e0bb939bd398703ea8452fc651db40879c46cf

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
194KB

MD5
7164bc1e6d2fbd5996df9b40b9777f96

SHA1
b2ad66864a0a3aa1f77882298a9e5f15b5f54d94

SHA256
659eefb28135a72c5c2b539ca35c433af611567bb66d67c5c7e32093302d3568

SHA512
a21910cef87d4c367d4a511676bfe0eec73b50ce2046e67bf7eba11b0ffec7b08a69f22b1c343f8cedd215028ff82fa9aa3e3dc81585532ea031969c25bfe43a

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
194KB

MD5
817307595da31019f1e8af7bc63e7571

SHA1
e117750b0cf2ae952dc43670b72aaf895966e23b

SHA256
7dcbb02997c0256de90f05235b7645b01a2267abf9b37a38425880483a986b96

SHA512
7003d72d72359a635cbb69349b0dd493d5b4e821aaff9d7be5d999bc53c781042e49f79e779411e570b2a60e2b7aeaabe594d3cf2324447c4a39d706b80434cf

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
194KB

MD5
8fcba85f1f804c55936cd51bf917689c

SHA1
cea1512fcefd3e03605b257b5a91a92fd6cba5a5

SHA256
8daf25f97997b91c52e9c8dbbba178d4d09ef6fd48f2bdd4e6d5c59d3b945416

SHA512
c082db1ae64d666a7a4bece1370648ff98dcea9e70ad5ed62cc9a40c4b1599c5827263ae3024117ba5a22662fcdabde7402cf85522abf7bb6e7400fe349042b4

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
194KB

MD5
49b55314ed159d6b6f7d3422cde713f1

SHA1
1076a875e9f5c26d86643cb65deb57c631cc03f8

SHA256
9286f9a121874edf6b401954752347909afa009a509f116f932602fc6c0dadf0

SHA512
225f91b54cce0156be87d33b7122895d7a016601a51d252579b5b0bd4956ebe4497b64c6d2cf827ebc253825469829136466195632ff24945816be7d3e8a1c80

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
194KB

MD5
97133feb8ba0ff63dc99068efa6ab0e7

SHA1
7f6e42c8cb568aae8a12b23e74ae3ebe20bec556

SHA256
ca8390c09fa13a7a40062d2303d109edbdb2aff2f2bcad37598cb16223f5d40d

SHA512
0fe47ab423d7e92c676fa1363c4ce20b59ffc31dbbb889d2b9bea5487da0954be3b0f876b8d2a08c37b537e1a87d09dcb0adc1d5abb1cc66d6a520a8ad1bbcb1

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
194KB

MD5
f9022b25c4b4621d2aacbc7c7d72b5ae

SHA1
9c68971c9eba58ced14a3f516fff41c0468e50bf

SHA256
ff24cf27cf45e5db907f3fae270d93797ecb28fedbe9db94418cce0a5910d30f

SHA512
9d8e47658668cb00cd95eff087c12be9fc7084b9d0ef2c9f34828829dd10fedcd98273e681bc4005838d5fffd93f1f879ac08de0795e22fa17edc3105331e434

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
194KB

MD5
9f4d0a9260857c9fb9efcec0760853ed

SHA1
2ca93484756af341462a2e5988d0e4ede31f3744

SHA256
2379260ffa1ef4c6beeda14682dac16103586be35d93364f32c5fab415b3d196

SHA512
ba1e5ccaa812fe6a1f860b93129cc7c87428abbd05e336daf0085c7090c0872800a6fd044e01d96d5a7ce2a761642ac7b08eb0c13d382ae6a2a66be4537c155c

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
194KB

MD5
4bedf14fc27c400efcc79b05020c50a4

SHA1
66daf5d237521421b23413b739f2db083a6c7fa5

SHA256
d418694cbc2600d82fc72a2836d90785eef8a4352394866477f7a059ee8e1097

SHA512
11c880e61f4d6cfbce84f10d47ffe27fb0e61682580597fb090fa5b2d30fc6970330fec40bc9dc02c212c3f74d0fc38aaf479e59d28da6abb880ee3461128d50

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
194KB

MD5
8e2d3a5ec3f00e8e39b5b24823ff67c1

SHA1
2813ea431c68ec80ab764e9e322efa124a3238f2

SHA256
7a3dc27515c533a4b2a3472c0c794dfcebac22c86abfcab1e27a60b8981363b6

SHA512
cd822af6363ba540f2f3268416e59059bc6aa7c786956831b4aada874981a13ac4d6f485abda1d77e28787e3cc41b36fc54a7f9148df415377217785fb5ca9c5

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
194KB

MD5
18762e905f0609616a7b1814e6a759b8

SHA1
59400561c8120062859956d6dec82187909cc73e

SHA256
4040220307861a37b89b8ba5d03924028ffae0c1fadc594c0a7aae5526163be8

SHA512
5ce8e50d7eae23b702f8781a86f814738757bc8670bcb65e3d66ea587c553926f6c18a44a102ce163b2ddb77daf1fb467e561061be699c4d627a85ccd3b2fcf5

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
194KB

MD5
f3730f3a06b2f4fcc5332103f4670e02

SHA1
77cd8faf32e0353a9d453f3d0c0da9a8a3015349

SHA256
f5e696311a502f5bfffece44af699a00c033a68f32d4511a091837a835295de0

SHA512
c5070dcb402837677b213fb74075f9f2c799701358464e1c6d8471d8a1dd850332e0f47032e01024479b5dac991bd75941952c173db2fd8d62362c39123282e9

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
194KB

MD5
8418ef91c5a0b074373c166c24f709ef

SHA1
78eb75dff52cacbb2fc52fb0595a8c59c113ed3d

SHA256
93b09d2f36f40aa51401313f827cd39991b4c896f89dc8be2556e42d416efa6b

SHA512
8220194fe23eacf5b60a2206f98b3df12b40a8a98d37d202b6835b9de5e9c7b176e57e646be62a994c5f42b891fce020246b9f082c79d7d1815e46619ae24413

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
194KB

MD5
4f5d4e3c11e45b0df15c45be40d93e22

SHA1
80bf20a1f7e57f9bd7999cd28742094dd6f75e2a

SHA256
999568b3827bcf48c992c4b260fb4ef5707553efdff1bfc5a615760c8f101834

SHA512
c2bf3eade77c591f1cc5bc199744be83006ed61d479e5fa786c141e68a5bf3a33b81765502ec4b8c30d9965d27d7b4a37be30aa5717159c6ff7ea548ccbbf838

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
194KB

MD5
d026f8bb0e03bbd0b3f4f0a4929e9d51

SHA1
d479543f9c8f42e587371d9c984b2e6f86f4f170

SHA256
ab36697a90cfcb73f6b2117a32d3b2676e7f8b26c0c4b301f2fb7e34cda4aff3

SHA512
fd57df17ea3c224579b7f8d05bc6827f89144a9b2fdc89c30da398e54edd427bda0c17904c14c36958992ec429cd532cdebb0a508217da329bbd305d0e7b6bc0

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
194KB

MD5
9270d8824e7c7b5a62a3cb554fe4cba5

SHA1
ff3e5698a2b9f7951692cd6721604437ffc58cfb

SHA256
c54875985f2a6181b9063adc5f2763c432f247c8b5bfd00abad01de00b1066dd

SHA512
9d61a16951fdccfa011a7bdef64cb616bc4d73f8b06d245ab4869db85f9c853c172fc0470c11f830ac3118bab059a2bd1d7afdb9f4e6a689c27675ccec4b5ca5

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
194KB

MD5
34045394c8a8972f2eb69302b9873b3d

SHA1
05272b0ab2a78b227c08a9de32b7335c95e88d6e

SHA256
cf164bc74326066c24b5bb11c853fe3a147035d80b5e9239b0bba2e930434554

SHA512
f9723ccf26a2420c61533676b90ea418a5d51688befaa26128f14772a40906c99291c5da7099dad8f9214808568a8a3b7303cba73c654a862cc477565f194bdf

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
194KB

MD5
02899de519ba5d2eb63cac76dc8cc062

SHA1
ef3ddac6173583ccbcf934b4a51ed8e6d13833da

SHA256
9afa701bf315141c7960e6bafa04de73839aee8f61a581e4af4194e5040be23f

SHA512
6d70c3ab95ee03b35306fa7f0c32766b09adfbdaa83c4dfb97fa74586dba249c14c09d91ba8431886c5cfbd70b0c9f2ee7b3d6fe4aa257c8d4067fe3cf637f8d

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
194KB

MD5
5206314b41daca5f9d11a165284643e2

SHA1
3243e3b120e21ce30ab3e976b8a1a051b512b3de

SHA256
e2923c6b78c4370134048435018bc6605eac8f10eb027520bb365b9bb27cf42c

SHA512
7f8293cb7dc22a0f1eddcf316537d26c675be69210323ec455777a7d665dfc8dadcfe9a9880830abec014b3b499b6e8a528b1d30713d8803ada72e852db1a9c4

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
194KB

MD5
100a9b5ac0796425fbfe2778c165b979

SHA1
96097f293b9d9210debee2e89ff2e59d45e56463

SHA256
60d2d46f6320d28ef8e6f86f59b898fb5f0a4110fca9a1a502abc1d41cf53dbd

SHA512
3caf422b8aeaf70ac1792ca6b5e95c14e84e7e8b40540fbefe67199fa7c324798aab6a6de40c6515f33294fd0707c435563cc55555395d46cce2186434d2be76

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
194KB

MD5
36952879a3608fbf031c07e72d7ad132

SHA1
8f1f610c1b4fead18178c539ecca533c5960ec14

SHA256
f1473f4c03e94dfbbdd3a809b247bc2598fc8365ee8aa60edad0b47088cc8143

SHA512
28f0a956665a8780c74559349b50d1b73a9c21a78094a2a8c0f0c22b84763eea9592cc54caf0eab2972f535abbbf4fac82005dc74ae637a37edb5bf5fe1b6155

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
194KB

MD5
12619c0bd518c72ec73810698ddda335

SHA1
1fbc5f22c533c0229336b5406ff5848156e21729

SHA256
d0e3ab6c32bfe2279b203153a4e241672ac7f74721b216094e5ca452039bebe7

SHA512
11530a39593c298d40196f49468931577908943983cbb49306c1e08e3623bec8a22689d633a9e127bb619e563575d1fdbc5d520fb288d989be0b969c7a0b39cc

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
194KB

MD5
13a91fe4e8187083ad4dd28a714fd2f5

SHA1
1f561acfa918fd7a8c17015e98dec79b176d5b5f

SHA256
2c98c33794a7649383c36dc932bab25f45cd4832f793d70db230078a6316c04b

SHA512
386238507e474f3acbd8dc3fa9fc8c3d9f60c4e8744751ddeb63620d166907338156b60c6cd2079445b15077e2257b69a92983909fc405fa433087e8c0a70a87

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
194KB

MD5
c3d275e99e599942543546121e31f631

SHA1
36fd649b395934fd05e2d1e26467113944f7a664

SHA256
a9aabf9365272231727a641aa97ecdb2b1f43dc1202bd900d6050ab074c0b21c

SHA512
823f8ef66dcb9bbc79ddc8976cac5a3af27b8d27e1b31306dbf10bb043386225f26fbc8e55d9002cef8ce0b1298c6f30ea6aafd4fedcbb981134d5b34225b39e

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
194KB

MD5
6ccea43325ca8a8a643debdb68c26cc7

SHA1
02a20a6cbb80b3ae404569eec38f269a1b8a91da

SHA256
091c20d731e317543ae3da1f416f01879287e6f4dcbaaf1e34fb1611cd3cb1e2

SHA512
45b93b573d8d3e4ce9f5623ba36720d27ce2ef5f405318420949188fba26dfbb20c8f34641cbbcbed3a0f47ecb05bb17f34d410b7e0ae8abd8925677c6b85dc2

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
194KB

MD5
a779bc769f8956519f5a9630a04e8d32

SHA1
7012f289b967edd45d0c8eab142ec8494b62f068

SHA256
e644f42d8fe587d6fc3700cdefb607a99646634fed67130d952d906faf96763f

SHA512
10c8874a8e4cab72b304c098de155eedd0e6d2a1dc6cfd2012c39272b9b8117bffe48f3ed770a381d572297bf135274bdfc9b808bec88e6aa3d0e2fc14973b0e

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
194KB

MD5
61ee27c09fdf6842589c008710f6848d

SHA1
ebfe049ecd53b8c20f24c90f431ff4a4ab38eba3

SHA256
a5f2fcf505126c5557a1542df603671853108aa561387103c30528edadcf11a4

SHA512
be507836357741115ede95e8a5d204153fae01aadc6aec1d81bad7ef3e7fe55b07920be38baa3bcfa146f49423b478bf70ef5eddb23ac4c5a8ab5f3484967a55

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
194KB

MD5
8c744aa33bfd94debce22cf80f7cc03a

SHA1
fefdc234c52932c4e687ca32c2236f36e7949862

SHA256
653c68e87658e935e9460f97f3f847b72fd44566eb3e189803c98c61b8af636f

SHA512
572e4e21beafe6a171fe22ac94fc05cd773785472dc44488a1ec1be8e505101bf02eadbef64b3c5350ef3044748fad37aa8f80e3a19e84591e13f2f4cf67894b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
194KB

MD5
5b6b2b9266750164fc0cfb63582eb4c8

SHA1
b0f1923d212bb3df2b274016808f179e61f03033

SHA256
1e13f29fdf1a5c46f7666126386a0b4dd99a328d04642da461c6aa1b13d6ff72

SHA512
78d7c71848d559773ca54e76b3d7909d0dd2c905d519d4334575b844d6c8297e535142d2c47bec35a7ef8055616e9bb5c4811b376f1284729e0e5f71b0f41e94

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
194KB

MD5
7b78d037b071e7fc8dbb088e9bf8a7eb

SHA1
68cc6ba1feeee8f74532fd3b2b219d53811093b9

SHA256
8cb742829db64ed48dac034c3e245235b9acbb98d4045e2cbd2da7e4d81d1b76

SHA512
c0ec62c28745042a9b31cbc9b8a8241c50334f3c72d26e6855f007f84cd14e8eae31314b5f7cd75c88bf44120ad5855abf7f794c94c25dcbcae589c1c484b0e7

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
194KB

MD5
8acccb3fa16ac3c1844a2c725d15958a

SHA1
032795beebe2c86bb3b8b71a4d91143f92643fb4

SHA256
99f4bbc88f17f01e3a5297b0f9ae642abdc211bac02b9ee86a00945883c75bd6

SHA512
f65e7c5d3ca47655e583f232d73aa40a4d6f4428ce4b6f10e64adeb61ee144a2f1533ace7a72a41681c828c50735e4dac61e93155b93563485375d6d87bace75

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
194KB

MD5
d4ec0d4669ecef42e980cbaeb0ec7743

SHA1
0f0c5d0ff679c301c072f8fade6327e6802ecdbe

SHA256
f07c9054778bcd2ded3b2ef047e66387ff93f6b4717275b761057669d6ced8cf

SHA512
a44b81461cc23c4dd7603e85459f54cc465b4f155bc03ea00a489b029dc67f60ef6525ec2468cdf2f0dcf39667b11a58029e91759418224c9f88c5a8adffb731

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
194KB

MD5
8ec35dc58fa59e475c76985541aac876

SHA1
f67777531f5574f9ad5be4384aeaaf17bee3a413

SHA256
11ff7e0c40c6dd6bfab3a01e8445b46e602f169754f0ecc687c20796951b306f

SHA512
78cf58d4ec3194e7056ed19a6df26e9e7318a0a1cb5b983d4981ab9bbba2cf975d8a8aa49b54a66298b0239ae891aed6a1420087fcbb22a7e31c54f60ed4471b

Download Submit
memory/392-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/392-557-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/624-291-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/636-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1192-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1308-577-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1308-47-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1364-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1364-584-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1448-405-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1680-375-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1688-381-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1700-297-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1728-417-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1752-453-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1776-503-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1944-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1944-969-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2024-495-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2056-303-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2072-309-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2080-357-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2096-315-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-215-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2296-184-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2296-961-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2368-489-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2476-387-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2492-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2500-224-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2516-327-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2532-180-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-435-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2772-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2804-111-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-543-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2908-239-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2908-946-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3200-399-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3204-591-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3204-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3224-191-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3232-411-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3252-285-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3284-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3296-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3320-363-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3464-465-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3496-231-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3644-447-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3916-369-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3952-429-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4000-268-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4040-199-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4044-598-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4044-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4044-989-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4060-423-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4120-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4260-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4292-441-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4328-333-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4400-345-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4412-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4412-550-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4552-279-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4572-604-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4572-79-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4612-321-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4692-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4692-570-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4712-459-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4716-96-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4800-247-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4812-471-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4828-262-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4848-207-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4852-339-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4864-568-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4864-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4880-393-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4964-88-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-487-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4980-351-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5076-536-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5076-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5156-507-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5248-519-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5300-524-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5348-530-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5388-537-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5476-544-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5476-847-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5532-551-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5604-558-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5700-571-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5748-578-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5764-805-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5808-585-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5808-835-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5852-592-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads