berbew | 0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Size

96KB
MD5

a316ce1ef2725734bbe8a862761e5fec
SHA1

979d98fa7dc336909e356db253d37191aa6c8d24
SHA256

0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f
SHA512

f52e80a721b6cc26acef9dacc14dcb347fa0b4ce787fece10871d06a36f4e6f354ee3f6bacc2e368f4a7088fa7b1ddb61f210ff54e40819ea45c182dd5065c3e
SSDEEP

3072:n+I6t7xfClH8ZAapSAnj4/VqZ2fQkbn1vVAva63HePH/RAPJD:T6tFfClgj4/g4fQkjxqvak+PH/RARD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbiipml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joaeeklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbiipml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbiipml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 51 IoCs

pid	Process
2528	Jgfqaiod.exe
2892	Jmbiipml.exe
2536	Jmbiipml.exe
2720	Jqnejn32.exe
2416	Joaeeklp.exe
2704	Kilfcpqm.exe
476	Kcakaipc.exe
1400	Kebgia32.exe
2788	Kklpekno.exe
2664	Knklagmb.exe
2168	Kbidgeci.exe
1640	Kegqdqbl.exe
2760	Leimip32.exe
1876	Llcefjgf.exe
3008	Lcojjmea.exe
2648	Ljibgg32.exe
3012	Lcagpl32.exe
408	Lfpclh32.exe
992	Lphhenhc.exe
540	Lfbpag32.exe
1604	Liplnc32.exe
1852	Lpjdjmfp.exe
2924	Lfdmggnm.exe
2300	Libicbma.exe
1104	Mooaljkh.exe
1524	Meijhc32.exe
2056	Mlcbenjb.exe
2740	Moanaiie.exe
2456	Mhjbjopf.exe
2460	Modkfi32.exe
2080	Mencccop.exe
768	Mhloponc.exe
1408	Mholen32.exe
2836	Mgalqkbk.exe
2804	Moidahcn.exe
1592	Mpjqiq32.exe
1596	Nhaikn32.exe
2676	Nmnace32.exe
1072	Naimccpo.exe
2964	Nckjkl32.exe
2980	Niebhf32.exe
2232	Nmpnhdfc.exe
2152	Ndjfeo32.exe
2160	Ngibaj32.exe
2268	Nekbmgcn.exe
1360	Nmbknddp.exe
1296	Npagjpcd.exe
340	Ncpcfkbg.exe
1500	Nenobfak.exe
544	Nhllob32.exe
1532	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
2528	Jgfqaiod.exe
2528	Jgfqaiod.exe
2892	Jmbiipml.exe
2892	Jmbiipml.exe
2536	Jmbiipml.exe
2536	Jmbiipml.exe
2720	Jqnejn32.exe
2720	Jqnejn32.exe
2416	Joaeeklp.exe
2416	Joaeeklp.exe
2704	Kilfcpqm.exe
2704	Kilfcpqm.exe
476	Kcakaipc.exe
476	Kcakaipc.exe
1400	Kebgia32.exe
1400	Kebgia32.exe
2788	Kklpekno.exe
2788	Kklpekno.exe
2664	Knklagmb.exe
2664	Knklagmb.exe
2168	Kbidgeci.exe
2168	Kbidgeci.exe
1640	Kegqdqbl.exe
1640	Kegqdqbl.exe
2760	Leimip32.exe
2760	Leimip32.exe
1876	Llcefjgf.exe
1876	Llcefjgf.exe
3008	Lcojjmea.exe
3008	Lcojjmea.exe
2648	Ljibgg32.exe
2648	Ljibgg32.exe
3012	Lcagpl32.exe
3012	Lcagpl32.exe
408	Lfpclh32.exe
408	Lfpclh32.exe
992	Lphhenhc.exe
992	Lphhenhc.exe
540	Lfbpag32.exe
540	Lfbpag32.exe
1604	Liplnc32.exe
1604	Liplnc32.exe
1852	Lpjdjmfp.exe
1852	Lpjdjmfp.exe
2924	Lfdmggnm.exe
2924	Lfdmggnm.exe
2300	Libicbma.exe
2300	Libicbma.exe
1104	Mooaljkh.exe
1104	Mooaljkh.exe
1524	Meijhc32.exe
1524	Meijhc32.exe
2056	Mlcbenjb.exe
2056	Mlcbenjb.exe
2740	Moanaiie.exe
2740	Moanaiie.exe
2456	Mhjbjopf.exe
2456	Mhjbjopf.exe
2460	Modkfi32.exe
2460	Modkfi32.exe
2080	Mencccop.exe
2080	Mencccop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Apbfblll.dll	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	Kcakaipc.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ghbaee32.dll	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mencccop.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
File opened for modification	C:\Windows\SysWOW64\Jmbiipml.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mlcbenjb.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Bedolome.dll	Jmbiipml.exe
File created	C:\Windows\SysWOW64\Qjfhfnim.dll	Kklpekno.exe
File created	C:\Windows\SysWOW64\Jkfalhjp.dll	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Ljibgg32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Akbipbbd.dll	Jmbiipml.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Llcefjgf.exe
File opened for modification	C:\Windows\SysWOW64\Ljibgg32.exe	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Jqnejn32.exe	Jmbiipml.exe
File opened for modification	C:\Windows\SysWOW64\Jqnejn32.exe	Jmbiipml.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Joaeeklp.exe
File created	C:\Windows\SysWOW64\Kmcipd32.dll	Joaeeklp.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Iimckbco.dll	Leimip32.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Jmbiipml.exe	Jmbiipml.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Moidahcn.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Jgfqaiod.exe	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
File opened for modification	C:\Windows\SysWOW64\Kilfcpqm.exe	Joaeeklp.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Jcjbelmp.dll	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Kbidgeci.exe	Knklagmb.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Lphhenhc.exe	Lfpclh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	1532	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljibgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilfcpqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kegqdqbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbiipml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqnejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knklagmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhloponc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joaeeklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcakaipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kklpekno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcefjgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcagpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphhenhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbiipml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbidgeci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joaeeklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbiipml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljibgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbaee32.dll"	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll"	Joaeeklp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knklagmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbiipml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knklagmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2528	2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe	28
PID 2608 wrote to memory of 2528	2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe	28
PID 2608 wrote to memory of 2528	2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe	28
PID 2608 wrote to memory of 2528	2608	0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe	28
PID 2528 wrote to memory of 2892	2528	Jgfqaiod.exe	29
PID 2528 wrote to memory of 2892	2528	Jgfqaiod.exe	29
PID 2528 wrote to memory of 2892	2528	Jgfqaiod.exe	29
PID 2528 wrote to memory of 2892	2528	Jgfqaiod.exe	29
PID 2892 wrote to memory of 2536	2892	Jmbiipml.exe	30
PID 2892 wrote to memory of 2536	2892	Jmbiipml.exe	30
PID 2892 wrote to memory of 2536	2892	Jmbiipml.exe	30
PID 2892 wrote to memory of 2536	2892	Jmbiipml.exe	30
PID 2536 wrote to memory of 2720	2536	Jmbiipml.exe	31
PID 2536 wrote to memory of 2720	2536	Jmbiipml.exe	31
PID 2536 wrote to memory of 2720	2536	Jmbiipml.exe	31
PID 2536 wrote to memory of 2720	2536	Jmbiipml.exe	31
PID 2720 wrote to memory of 2416	2720	Jqnejn32.exe	32
PID 2720 wrote to memory of 2416	2720	Jqnejn32.exe	32
PID 2720 wrote to memory of 2416	2720	Jqnejn32.exe	32
PID 2720 wrote to memory of 2416	2720	Jqnejn32.exe	32
PID 2416 wrote to memory of 2704	2416	Joaeeklp.exe	33
PID 2416 wrote to memory of 2704	2416	Joaeeklp.exe	33
PID 2416 wrote to memory of 2704	2416	Joaeeklp.exe	33
PID 2416 wrote to memory of 2704	2416	Joaeeklp.exe	33
PID 2704 wrote to memory of 476	2704	Kilfcpqm.exe	34
PID 2704 wrote to memory of 476	2704	Kilfcpqm.exe	34
PID 2704 wrote to memory of 476	2704	Kilfcpqm.exe	34
PID 2704 wrote to memory of 476	2704	Kilfcpqm.exe	34
PID 476 wrote to memory of 1400	476	Kcakaipc.exe	35
PID 476 wrote to memory of 1400	476	Kcakaipc.exe	35
PID 476 wrote to memory of 1400	476	Kcakaipc.exe	35
PID 476 wrote to memory of 1400	476	Kcakaipc.exe	35
PID 1400 wrote to memory of 2788	1400	Kebgia32.exe	36
PID 1400 wrote to memory of 2788	1400	Kebgia32.exe	36
PID 1400 wrote to memory of 2788	1400	Kebgia32.exe	36
PID 1400 wrote to memory of 2788	1400	Kebgia32.exe	36
PID 2788 wrote to memory of 2664	2788	Kklpekno.exe	37
PID 2788 wrote to memory of 2664	2788	Kklpekno.exe	37
PID 2788 wrote to memory of 2664	2788	Kklpekno.exe	37
PID 2788 wrote to memory of 2664	2788	Kklpekno.exe	37
PID 2664 wrote to memory of 2168	2664	Knklagmb.exe	38
PID 2664 wrote to memory of 2168	2664	Knklagmb.exe	38
PID 2664 wrote to memory of 2168	2664	Knklagmb.exe	38
PID 2664 wrote to memory of 2168	2664	Knklagmb.exe	38
PID 2168 wrote to memory of 1640	2168	Kbidgeci.exe	39
PID 2168 wrote to memory of 1640	2168	Kbidgeci.exe	39
PID 2168 wrote to memory of 1640	2168	Kbidgeci.exe	39
PID 2168 wrote to memory of 1640	2168	Kbidgeci.exe	39
PID 1640 wrote to memory of 2760	1640	Kegqdqbl.exe	40
PID 1640 wrote to memory of 2760	1640	Kegqdqbl.exe	40
PID 1640 wrote to memory of 2760	1640	Kegqdqbl.exe	40
PID 1640 wrote to memory of 2760	1640	Kegqdqbl.exe	40
PID 2760 wrote to memory of 1876	2760	Leimip32.exe	41
PID 2760 wrote to memory of 1876	2760	Leimip32.exe	41
PID 2760 wrote to memory of 1876	2760	Leimip32.exe	41
PID 2760 wrote to memory of 1876	2760	Leimip32.exe	41
PID 1876 wrote to memory of 3008	1876	Llcefjgf.exe	42
PID 1876 wrote to memory of 3008	1876	Llcefjgf.exe	42
PID 1876 wrote to memory of 3008	1876	Llcefjgf.exe	42
PID 1876 wrote to memory of 3008	1876	Llcefjgf.exe	42
PID 3008 wrote to memory of 2648	3008	Lcojjmea.exe	43
PID 3008 wrote to memory of 2648	3008	Lcojjmea.exe	43
PID 3008 wrote to memory of 2648	3008	Lcojjmea.exe	43
PID 3008 wrote to memory of 2648	3008	Lcojjmea.exe	43

C:\Users\Admin\AppData\Local\Temp\0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe
"C:\Users\Admin\AppData\Local\Temp\0793bfa8a9a3b7c5c507719950b27e508c6892ce5f16e8441050a71bd2e30c4f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\Jgfqaiod.exe
  C:\Windows\system32\Jgfqaiod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\Jmbiipml.exe
    C:\Windows\system32\Jmbiipml.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Jmbiipml.exe
      C:\Windows\system32\Jmbiipml.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Jqnejn32.exe
        
        C:\Windows\system32\Jqnejn32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Joaeeklp.exe
        
        C:\Windows\system32\Joaeeklp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Kilfcpqm.exe
        
        C:\Windows\system32\Kilfcpqm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Knklagmb.exe
        
        C:\Windows\system32\Knklagmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Kegqdqbl.exe
        
        C:\Windows\system32\Kegqdqbl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Llcefjgf.exe
        
        C:\Windows\system32\Llcefjgf.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 140
        53⤵
        Program crash
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bedolome.dll

Filesize
6KB

MD5
f17332ce46eb10d5e0e0f07195cb4e2b

SHA1
cc4a4cd1afa3235b548ca6abc833feabd8dded7d

SHA256
27e251f2259ade06a16e70851293d45d79ec4e6ee3d44afcfe82c176b82fdc5f

SHA512
a09436a88cd1baf58c9ce5c713f880a5040c8350d08c7b726d3bf358d3734c75a4764fc3f7aedbd44677b4de62e387271315541bbf1197fc2f73ac344c254868

Download Submit
C:\Windows\SysWOW64\Jgfqaiod.exe

Filesize
96KB

MD5
72873868d1cba5b34ce32d84ce9907c4

SHA1
dcf017036a47efe9d3f2c1d5ac3884c123a4751e

SHA256
d85ee2cf431d724dc7651fad07822965ad6e08531a0d873df1cf6b8a18e0a3a5

SHA512
27b2b0fdddaf6a4da5404ccbb6adaa2a13e999ece990fe1f79a2e0970c32ca0d664fa31bcbc6841f388eec1febf763b7b7b6a999ac379842615a61da116e9b84

Download Submit
C:\Windows\SysWOW64\Jqnejn32.exe

Filesize
96KB

MD5
0fcc68d739810b217f67844cb3caaecc

SHA1
22ca96817dbb1bba07501d583f50c523037e8e53

SHA256
7a2ea775815ddd104a6dd5bc0e28c9444f9e6b21f11e52940e091fbdada41a11

SHA512
8136edab170607486c75f723d786ced8dd25e5e55805ebe95decfdf488419dc7aadec51ed70d78f2b1dceefa1932b3f88c0efbdc9cd40392735faac7a3f101a6

Download Submit
C:\Windows\SysWOW64\Kebgia32.exe

Filesize
96KB

MD5
797270eab8a34060fbc35adaca846ded

SHA1
bb71390f29fca730f6509edddcef04c2bf3cf216

SHA256
3728cfbcf3c6edf1ca4afcc28d10aa98166332efba60f7f0a895a1496a315cd9

SHA512
8ace903e449224d0da3d1d0564dacbaf1d1ba15e909732ed5cb09cdba22caeb53734acbfd4e22be2f52ba6ebfdf0195d0b039077d1e473a31c2f3051301adac9

Download Submit
C:\Windows\SysWOW64\Kegqdqbl.exe

Filesize
96KB

MD5
cde1402ce3a491ca2e039eed46eea6a8

SHA1
3c397964872b7d6319474bace752615a0b515d27

SHA256
48d995ce62e05d7832937c75baefb79bd90e12d1fb760373ab09010e5b2b7f80

SHA512
23c65adb1e34e6dda59c9053651566709857676b15bc46bae7c3b01120337a047621dcbda22a36e32302ea5d9205e828e271ad30a991b998b267ba6b1eb37b94

Download Submit
C:\Windows\SysWOW64\Knklagmb.exe

Filesize
96KB

MD5
6d91cf20905634916c481bc37a56671b

SHA1
a59c8b15ff5c5abe8b46fea853980c24154fd3c6

SHA256
3da98d236a00e0c7cf018514eaf70fe5fd190b2929265409290aacafe91d6176

SHA512
d12df53efd961fd5b3605547bab84615c5aa9b393a688fcbe7601a9da3f4adcb40b390bd1abb9f04ec2dd9c77e5c49592463bd87ac0778c1884b911ff1c6c65d

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
96KB

MD5
c9020ec366421ed130665f6a3caabeba

SHA1
0fdfb91dc1b709faff0a49b4dcfb8d924499fd2e

SHA256
20437a290272d203bec1d6fdebb4481e22953b3d752c7edf2a61109092534c15

SHA512
b2f1f10b4ffb96de53308bd2f296e6cf2711d3b3801ac7ac240e90d976fc6bc09d1018f2757da0a017b5e593ef3684177a589b067c6c999ab7ee9516610ce0ff

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
96KB

MD5
aea8ea08e7e96a545c70293d14bf0135

SHA1
383c795773ce7132d88101af0eda40288ace403c

SHA256
14fa59283df04e5a8b54162ee869c86e9824b631fcfc7f3cf1940b9398254c87

SHA512
5a2223642150c4fc8c35523a9a0553ddaa2c7bf7d7df8fb3db9f77d4be26f167864183e012b276cc85c8ab9ae0df3e6d148817321688d73e4bd0bb480ac54ee3

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
96KB

MD5
b183484e31d56985a1756c850bcf60fd

SHA1
a167517fe5d4ab905c0c533bcd9f4c9b02ee7cbb

SHA256
49fb313ca0e5ab8fac66de9dbcaea897ba9d59fee5829aa08272dd094b5b0458

SHA512
bdfcae2c64df95b1b4ad820f770853660895f1794d770d8f8b8b6e811fd3bbac96fc6c9212ef53e4059e9255884d3f69f903622996897b7989d936b76f149a90

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
96KB

MD5
300790c07ea9270fd8d29f927099c3b6

SHA1
1a7dbc856e6f572815bb89dfa7ac66145426cf13

SHA256
938af8f3afb9362ecff2e3ae619e1f886e259e0d291e02e3c01bbb6eec8f0bd6

SHA512
bcc82d781ee54d2c9066750553a4216bc067f80fdd37ff89633b1e41ea8910acd615ef0adafa53610a45794679180dbe6a2d75db3a745dc7fe1f4397a0b60355

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
96KB

MD5
e65bdcadc0b23aac03d0d6bb1274bcb3

SHA1
982f5ea1c7d33dc9255f8b695f368ca1e12cd3a5

SHA256
b97e3160b8dba24aa48233f22b227f68ea8ae692f43a0c659b689ec7ed555453

SHA512
3da5f02fc52d57e95907c956d9b90ca30a446246c3dc0b68ce1ee90fb65f32794e34b2622040ae3d407d47ae97ee28e0875d9820bbd03d8bc9594495134e0168

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
96KB

MD5
19ed3ddbe2ac58ee8111e131a475011a

SHA1
cb266cf79f182ef4c9f312db4bb1928673805a41

SHA256
3f483d2b8d6abf04c2cac970bc35a82e57b4edd24a68ee9be11f8501ef37181f

SHA512
eebcefd48baaadfa22e95b5ed425ea56a8146d53d831a7e1c9431852359d361660266bdc0e196166a19165610b4dfa1ac7a900a49f31e5c24e9578465828feae

Download Submit
C:\Windows\SysWOW64\Ljibgg32.exe

Filesize
96KB

MD5
03ff8839c93206708d27ff6d85402ff0

SHA1
a4a93d0e6c646ac80a4ee84fe196cf1d9308d5ef

SHA256
97569ce628f3b423cd6bfccf925473a6dddc9a9a539f862ce90ff04b0e9f34df

SHA512
e01bd655c97ed611ab0d4320162c5b1cdd03196d17463e171b1521732fc64027b2c638355c4f9282f4499b3b0d163023ff521c096b3466aba4289a85404f4554

Download Submit
C:\Windows\SysWOW64\Llcefjgf.exe

Filesize
96KB

MD5
64ec26a0be3d7c9dd6b937eb5fbc2326

SHA1
9e75e823be798896ec2c549e8e1cec694b79f776

SHA256
25aebe8c782c3618c6a7e49d6aca6ca1b943b3a0ffc09ac50252fcf8134f12a0

SHA512
0a81ba071081613684ab0b9b92d41e968b71b07ed06d5879417d40092f28665d16f4288b9247a11cffcdc39e8f35e94763e8439342b5db8aa0716f11d1f8ced6

Download Submit
C:\Windows\SysWOW64\Lphhenhc.exe

Filesize
96KB

MD5
d5f60222ae44f81da951c0da819a79c1

SHA1
b409521f20e4e0d8292e6b1c9abaec76b4850802

SHA256
2d3a6fbacc3a8b7335e554def7183b7563781b086991e0c0ad97a0b04924ba11

SHA512
a9e06d7018e9f4a5a4b471f568f70ff706d217e59aae48bb31b505c0a8a002583f054c7cee7b254e9314efdee4cbcff8e9648072863bd0d0abb83c5a01808192

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
96KB

MD5
0b976e8534d720b1f96374941ecdbe0b

SHA1
6effa80cb93f707c3737e9674de80cf3c0dff84c

SHA256
91e6591cb8eaebecd25b8991e0a7e30bd87a08df68476cdbb4c5ba68b23f1c37

SHA512
c10a0461a4f9db112ebea028eba98b0329ac643f7a3ebec5fb81814203c220829a6d58668ba0e5a411696b5ea701b8603b843469742980883b74f89dd65fa95d

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
96KB

MD5
5b656884af342b850b4de4ddd5deb1b1

SHA1
97eb77d5728cf95948a1d657e1467a88ae283569

SHA256
4dccab8fbb3d0f7d04730639bf98f06f7723ef820684095029b1f4c32577975b

SHA512
2a871f8fa847589221dcdef53a82a8a1b53d76f253de99912768cdb8f4c5628428d683a421761cadd80a04584f0c07bb387286ab54a79286ba51731f94236ed8

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
96KB

MD5
ebb4fc0d575393deebcfd22a168d2116

SHA1
a3fd9f16330b654194e630734d83792f91e76d47

SHA256
12c4beb3539935b19cddac077418cf687d16a3894448c739c65a1d4d0eb9a372

SHA512
03be9f32ac9fbc3cfec1c8b2f4996df6e49107faf5a9ff3d24d1d0f996ba2054d5fa17e1b4dbfa2810c05a648fbac91613eba23faed29cf4fed1f4d39a5ad57b

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
96KB

MD5
df16a8a6b3277c549878ffd458ce991d

SHA1
2a96c049708b558895dc83e27daa1c88e497e9d5

SHA256
51b1d267c82f310986a64aee53af93809e7d43099f0bed9b818155d73ce2d10e

SHA512
eb4799c96ec96da48ac0488fc28040bcee557ed8607779c9296f8e047bbcbe8aa3c35315627259bf0adbe60bbf61c30ff612bd14ce016a75b111ed16e0dc79ec

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
96KB

MD5
70c5afac6ed53624af8af747318e027a

SHA1
31affb5853e1d0a460b6f64240ae6bb541333b44

SHA256
25476f3d83d509abb74c70b1c160cb43937127a6a66f4c9d24e6910b97d07be3

SHA512
06b06197cd9da030bc0ae52cb92c7db7ca36d04b1cae47a069835787d69d6fddd9f8f5f730a9a65668382994365dceeb3903740e178ace3f888dbe0e34ffb24b

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
96KB

MD5
7e0cc632a4b68abd1fa0e21ceb399e7a

SHA1
f239d5e9ed322c36516cc4c9583787365f06d552

SHA256
c06428ff2eda15ba68fd8ba65204a8ebd5384b671c926b7231655aadc788dbfa

SHA512
7e4ea5d85eedd12c1fcef3aad856913c6c08e9392c4c776702c8d2219035c9fda9c91919fc5e298f3225b9defcfa55696f713b1a00346bfb4bdeec1e1afe321a

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
96KB

MD5
6a94a8e39b8517ff1694f941d6429d05

SHA1
08209cc79c662757ec796f477e43980ca47c58d7

SHA256
112d77467884021be917888e9c68cd4d7eb15751b854e4f50ebc04cad5183104

SHA512
94bc47f16c82247fa74b54845a07278ff47df0166615db32d0303386e47a8c472809aaf3433b1bacc2cc8a261c9781a2850187c2a5323c249dd8b2c595107d66

Download Submit
C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
96KB

MD5
76797aa44fb7b2390779b0e025692c8b

SHA1
d9aadbee1760e5ac99e846426421e1e0e79f4972

SHA256
d06ed3d71ba9bb2e37ffbac9d4ba57370b9c21c79517d3bdd03d346bacefd41a

SHA512
664f9f9bcef265426100a3f98eb3dd859a5f79f07cf4ab296d62155c42732a4ee8ea2021403b3701a87c29f4a41713fe953d03cb66f87f1f0574ed01c4d868f5

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
96KB

MD5
b3bae0a527997e48cfe1459a440106a0

SHA1
5b9794de0bbeebd0d8114956e1e9d5b599fa4367

SHA256
0d93522d8a70efe76f43e6bdf4da8645b48ea023b69a38f227b14d8175ac5b23

SHA512
59c188bd79621fc15a621eda92ef8d23df364d97c2e45833bbeb38053e707d907accd99de8d920d5f76fd2cd909a0bf0f65e88a03b38d2cdea861b4ae7469d0f

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
96KB

MD5
7c3f6308b2a264df64c1dee88303224e

SHA1
053bfde9fa454f54eba9c38663d1e10dce8d7795

SHA256
6d2c44834510c78c381b0f915ac4316b84487a71c4b798f0dabb426304de9458

SHA512
78b92893146465b421f44962e887c9e20f48af8cab9df5c62e94eb0b2122647020185f7527de7bf09b18af31c2232fef1190b6d52a83831d91c17ecd9dfa532d

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
96KB

MD5
5211010bf9399a5799daf0a9a8892b8f

SHA1
216b0cfbbd503a2a9ef62bc346b2bc0982ad2d9f

SHA256
eddfd069d42bbf5915b2e63002fc78bcc8824cd9f55e5da688b3ae2bd555eafb

SHA512
ab4821fead78e7d99d7d9b72965f6d6096a917a5c9e89eadf63c6d5c7711d79277911e8dc971e08bd7ce6aed0b1d33eaab323d8d9f033ede1979c7e28b85caf5

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
96KB

MD5
79c113b2215108c70b13daba648f6599

SHA1
33ea07581acee31d9c36585b31c9006cf3fc5e33

SHA256
54f0876179e86bf374c3be4983c765c2010d83e0ebcfce118e950694f2cb17f4

SHA512
9b534d8ab6527e82b36612bb5fa75c20b335e46e94506650724a10ca0a5cfc056d3175ac0deb289a44f0ece27ede312fbf89d2fc81dbc511bec924a8fcb1a5a8

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
96KB

MD5
67aa066d143d0d90e1e04ef451b2c4f6

SHA1
fb4055aaa3be6270cb74d1d5c3daa4a8876bea7f

SHA256
8ba204ed7da0c1d34094f6843d69cf8f7f75a3ad40feb313a150529839a694c2

SHA512
56204ce36ab9e180ae10ac61ece4e67b860b1a5873fdb4599e090c8f8a723ebc2533397d0b335cca7d166ccdb8b3393a42f86ebf8eef1e002a78f8e86a2bb5af

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
96KB

MD5
03cb983a7b91f91e1c4582976ea7e0a6

SHA1
b626de55010e5dfff6c2337fcd06a5fbd9f7ed24

SHA256
d1d73ceec9af1cab7986f79d686e5439b69ad13e89bd938d8c44717072a312c5

SHA512
2d04b3feeedfd81d6e541950df7abdaeb8fdd0b95217c9e7b643683a8252334d5cc3cb09b29eb7a423f7910be36fc62b1a3473fe986075074819599dac2eabfb

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
96KB

MD5
0620e0e8f62a8e51c85e6bbeedb2f369

SHA1
db5562a8dbf64e0d0879b7e56d27dbac9acabb40

SHA256
db12b2aa26c9edf04799958be4d9948411f1425306bb35a06c155fed2a6fcf2c

SHA512
1460f5b3c4d332f293c91e989fc4766b6fc391de176af5bad97963c77b9b4a3f42610d33f5419f6a08caf0c23800689fb3cdd498d9df749ad22a22342fbe8dde

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
96KB

MD5
63167a048f50f0ad728c17fa5561f028

SHA1
70c5295533943f7747f94bbfc5fedd74fa2b750d

SHA256
aaa9ffcb7a853fb431bf17d10be31e68088282e58a3ce98a2ac12433777926f7

SHA512
354aa4742c2b85eec03bf4933f11f4b18941c93bcabf74d91fad5f3eed22052654ae7d36493650f7ff6582f85c263eb163d7990e2d226d03b91629efc675ace5

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
96KB

MD5
9225773105798c3e1b2f4be12c89d77f

SHA1
b7ffdd564916ea2425c1aeebbdc71bee92321437

SHA256
2110507ecd6f212968b0d3c704f28d309a33c76e91143b87ec8d977ba9cec147

SHA512
c43668d57b8c7d95afeab62c903f9cfbb6d9a6a98448d0e2ec9aa65a11ba1171e3556027d5e1ff6c019a2afb088669a2051f64c55452877c5a29d1eb705ac114

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
96KB

MD5
82e73bb2939faa078531fd491470ab50

SHA1
5dde3efa10ef4297860416621147a9f288dcd278

SHA256
9538c4c07289fa424a1cab92c9422eb80a4d61f32be1d8612ed502934c8e0ee5

SHA512
f9588af51abdf84d3d0667bb09245035e72fcb7f6778bc4be8878971dc73eb203ccee0766c5903c836e61aea39d8cd49d434e4b093f17cc190d92de5d3d0a35d

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
96KB

MD5
7e8af7559c9b6e4546b3ddba2897ae4a

SHA1
990b20cbb3a69d4b80f8e0b161b9344aaa535aaf

SHA256
7b959bf896db980d0370b91ab4f4ca7196c3ea19bf6cf5264b19eb96f9c1bd4a

SHA512
2f3b4bc2e4e5ede692f9881ad62ac5cf6b13019b209cf60389104061f0635fd2458e142c83bbe5f79dad8881f57cd12649d2411cd2d29c84bc73b911784afa4d

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
96KB

MD5
7f0229f81990de69d885cdf1cc61aa8d

SHA1
cf2f8b9c037bc2d396c1b0ce76e1b086b2dedc6f

SHA256
ed5840f51c801fd040cbcc0a52e631175d973aeb52d2b4e455ced54a6a0f792c

SHA512
c79bbeb9b32a26624953a03b6e5709c1e41e80b3de9686aad480ad894ab34cdcf9293808c8d9b26909f97b8625b3d7b7e07143ae9837cd080d55b9ec395f0e8b

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
96KB

MD5
b2b78ae2f724080b420818df719733b1

SHA1
6284173f8ba5a62ce62300b4e5632bfbd64c29f8

SHA256
18b3b1ab6572b7d9eab0cd207259d1705d0d6be071cb71ec3a63696fb8c3c46d

SHA512
6950be25ca6cec2d2c8c3553b4812ef22e8c6b6770c1df4c1a9b14ce095166bbb6c059153ffc3ca301ac53c09bf424b8323424867c89a1c3c313edd89f715114

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
96KB

MD5
ecc8e18235e1bbb89e16f62af3db724b

SHA1
98040b665e33ba208f5ffe638a7c75c0f1dd13e1

SHA256
2e34d3c6f436e86042ed8e414a94bd55163fa0bdca7dd76aa80594433dbb7ab8

SHA512
095eaa53790d59e7997b65e75a1a7137266d947785f5052aa47843cc42eb597155691f2ad4a368ae6c422c0ddb0a0640de1ac55d2780c0ef4ad2b6dd6c894fe6

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
96KB

MD5
48586a9211f61febefca55776b47d68d

SHA1
78e27ece050cf70eb5f7e6c98784fe666b0c7896

SHA256
1b819712e0e1eb504940dcf34f446579fc0d74a16f13326f6edaff4133cb0423

SHA512
93ec6e02e0ea3d10734c699dec44b4d298c55ccb9ee4b7f5c8bec534409ee059bd971019b6a658a60db8ac6912552e2f7ba9b6a993a59d84fa75ff2704570941

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
96KB

MD5
1e5bc83f9f1d7860e0df41f564b3405d

SHA1
a254c142d4eece629d6ab93f92526251686100f7

SHA256
b36b8564b81e2b67de97b4e9caf6367b3e76ef7039f0beae3ade3c795b997402

SHA512
3d5b5c3f9bcc87c9ebf9996246c94582b5549e6c3ed6a97ddeff2d9aa0059ae92efc4bc5582f05a2150096cc9b3f3c5592700578dcd649c736d7409cdbfcc2ca

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
96KB

MD5
4fd3c9def3675e97fbd404a9f9667b6b

SHA1
52c048c92df1bd40ba4dd18e16d706a470b7435f

SHA256
529d85541a21afb4a8530e0629f2a283f1475809787d5e72708051f869c2ec76

SHA512
0e78f62ee87958ce3e77df70a0c289da27c8715a5a7dc77b4eae8d4b2a3b7c4bbe822f0ad92dcadf44d919893ce817d21ab8b77aa3ae6f78e986aceb42262a0c

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
96KB

MD5
7483d6bcc627eb2e5b8ba5345b2e1e77

SHA1
38bd6c65bb755a22ceb8a0b3ae028b42b938d6be

SHA256
cdf152f3c5c51754162c5e0b83bafc6df23d9e8987881bb03ad7522896052604

SHA512
a112599d3465ee26f8a2ed9e1ff2c0509d011738b3c5ccbe9e1cef66a6d3d61d3bbdf1af3668e187c92cc2034b1b592b78a47505c9d465dedde42f5591bd640c

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
96KB

MD5
8fb2b6124e36ee449e184cbe769b1117

SHA1
f71e659e06ec03f77aff56d47b61cb9d768f1417

SHA256
e953a2d3525b96b02098991797024391cceca44b2533bb21764f76f57a0582ac

SHA512
de53effae2e3d1acbc6baf5399fda249fbb09a8d97492e1847a80997c90705af66e4e55f8763d8e0f102cc8b0f343ebf67e5d9cb97c032ef18fcf611ea6c5d99

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
96KB

MD5
3fac5b71a729c6e1b8682e208e15b6c9

SHA1
d22917d5ef37cb8c51ab5235c29c88fb26e5c2c8

SHA256
4325637b05c76e9afc43ff3ddfe5b7309a5d6b6845e0ec9ebf1448a06e678d9b

SHA512
10250e5627e1e0e7089a498fe6e6e36df1bd2e8047a678dedea2cbe9fc2b49511ea4e681a14d403ed7242db95f2a074c871072c9007b9ecdd3f2f0761754e616

Download Submit
\Windows\SysWOW64\Jmbiipml.exe

Filesize
96KB

MD5
ed17909675570191184d67ed852671e2

SHA1
657d2a757d609c1f3d81714f01ca7635b7795ef7

SHA256
fdb397235df40aac16dfc7f224d4d2fdd9ed6f93d8d6c9349a304d7f3bd3c19c

SHA512
6345d4fd040fce43e0134a9443e3e2cb6daaeac000d65c6390ac2177f6c586b0fc86f3271efc45e456f0cc3b612a815c0a2d860f35df37f9eb9465ba20ea546a

Download Submit
\Windows\SysWOW64\Joaeeklp.exe

Filesize
96KB

MD5
cf9c756ed7936a1e5b61b1a3892b9c93

SHA1
4818d8820a1b15ed96d8c8959289c9cb655a7f1d

SHA256
cf3346109b571d6f0781d19ce3c5c8513848b1d8432a9b80f7533926b3799cda

SHA512
01d85315bf8a643de134557b74866fb16e6b0161f96ca5cc438f637dc17388ac4e9565599e07b475450c9e1dedbc944d4af311eb144065ae4d5c79cae325d0d4

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
96KB

MD5
ed20b59424c9b8b0c699c139df84eb75

SHA1
f4aa1b34b76d588beb737d5c7520b830db1428de

SHA256
8eed7505d3943017b23d14c43e5faab5e981a09dd9e360797ce8940007f5ee56

SHA512
664b2a9d49b33e818470190afc25e72c9c5317cd48aa1d143e2d9abeef4b6434a94a99857faa84e081f6c786ee85985129170d8c52dc9cf88a97093a400ab679

Download Submit
\Windows\SysWOW64\Kcakaipc.exe

Filesize
96KB

MD5
4bf25536aa1022c65d7264d55cb10358

SHA1
00aaf3059952b95aed6c32152aec9a33115c49b0

SHA256
7696f351c1d07bdb08ea49539493b8812e71d37f801be07a3ae96e1a2af1a734

SHA512
b6c822ba2d30283bc55b20de9fba7c65151d60c3d5b3693b70f8443ce85fba740c71bbd312511574014ded34a3befbb57822d2b050094115c9570c5093cb2320

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
96KB

MD5
6b6fa68cb2106a9eebc49142e5372007

SHA1
266feff73c807a211259cbae8461df793172bd0c

SHA256
fb9b204af3ba0752dd5296b20fa84058df4c03f698fb3582527ae107c9176ff1

SHA512
db60747b38ba9f89dfe006ade3c22fae0c894756f9871279685df0609e6a336ab40c3ac45f462e1a09948097b17eb7d0a201fb1d39b3cef9c7ab851efd7697c0

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
96KB

MD5
acb20799959cda6101737a01e6905893

SHA1
c5b462932c75eb289475ec28d8a56c67f6a2235a

SHA256
7220261de238e6ee7951719ea8c3e747dafe73dfa00268362cfc6e1ccc4ffd9b

SHA512
e0f86a2e9d1a99bceece9a86c3ffb656caec56397fb7dbc186fe4d5cabedf9b1a4fb254d3f4eaae492212d442e7d1cbabb1df81a2d7f2c93cf8301aeba1bea13

Download Submit
\Windows\SysWOW64\Lcojjmea.exe

Filesize
96KB

MD5
d7a372d17c4b5f8e98d2d793a3149d41

SHA1
c423b2b1bbe1e77f6779a2837a83f9b93c1296f1

SHA256
000fded748576915ae294b34ff1a7886d6bd5020a51410fa676b1d2c53204f8d

SHA512
6b8bb664145eac458f8a4a6bf72922dcf27df9fe2243ea139f168b8267d8ab0bf2422b2be71f245e9a91295ed000e7414dea7ef97bf7def47f253a91673866f1

Download Submit
\Windows\SysWOW64\Leimip32.exe

Filesize
96KB

MD5
e4968e34fbe1e20a7453f671c62b1dd7

SHA1
4695a4dcb8524f84681dbee835bd9f2c6f62988b

SHA256
72f03ec72f1c666697ccb5f63d688e5e71a3015c7a4d304d05c58c5121a945c5

SHA512
72081d21ba56a9f2d198d18b23281b4cda3c96be13c7c11866f68d1b377cf361c6c09d751b6c0d7a0f0a6e2712786e6634b8fd790d8ba844d3bf0c32244def5d

Download Submit
memory/408-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/408-251-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/408-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/476-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/476-109-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/476-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-272-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/768-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/768-400-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/768-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/992-262-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/992-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/992-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-322-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1104-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1524-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1524-334-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1524-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1524-370-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1592-444-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1604-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1640-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1640-172-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1640-178-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1640-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-292-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1852-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1876-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1876-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1876-201-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2056-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2056-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-426-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2080-391-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2080-392-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2080-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2168-162-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2168-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-348-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2300-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-312-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2416-131-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2416-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-385-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2460-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-415-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2528-22-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2528-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-12-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2608-15-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2648-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-229-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2664-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-89-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2704-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-82-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2704-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-356-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2740-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-132-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2788-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-434-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2804-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2836-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2836-425-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2836-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2892-112-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2892-50-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2892-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads