berbew | 108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe
Size

84KB
MD5

332811ea5303193e6962e564e75d0cca
SHA1

b31a7093dc4ef48a2fae03cd1eef86f493d33c24
SHA256

108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66
SHA512

79bf5141717894964162e820ad7291ce08cdbf7b173747d82a95ccdefc24aa1ed245d3f0aff4085a8be45441eef48cc54bd94d931684cf95d1dd0a05baedf194
SSDEEP

1536:JQmASQBPJswti5/GrjkvAWjWXLPHq39KUIC0uGmVJHQj1BEsCOyiKg:OBPywtCGrVWjWXjH6KU90uGimj1ieybg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klahfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbpjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1616	Jcfggkac.exe
3764	Jedccfqg.exe
5056	Komhll32.exe
3872	Kegpifod.exe
788	Klahfp32.exe
4480	Kgflcifg.exe
2144	Klcekpdo.exe
4428	Kgiiiidd.exe
1284	Kncaec32.exe
2636	Kodnmkap.exe
2220	Kfnfjehl.exe
4280	Kpcjgnhb.exe
2540	Kcbfcigf.exe
876	Kjlopc32.exe
3580	Loighj32.exe
2672	Lgpoihnl.exe
672	Lfbped32.exe
3000	Lqhdbm32.exe
1908	Ljqhkckn.exe
4836	Lqkqhm32.exe
432	Lfgipd32.exe
4784	Lmaamn32.exe
1132	Lggejg32.exe
3448	Lobjni32.exe
2376	Lgibpf32.exe
2768	Lncjlq32.exe
4296	Modgdicm.exe
3904	Mjjkaabc.exe
4764	Mqdcnl32.exe
4804	Mcbpjg32.exe
1688	Mjlhgaqp.exe
1036	Moipoh32.exe
436	Mfchlbfd.exe
4336	Mmmqhl32.exe
3664	Mfeeabda.exe
4680	Mnmmboed.exe
220	Monjjgkb.exe
4872	Mfhbga32.exe
1552	Nmbjcljl.exe
3900	Nclbpf32.exe
2084	Nggnadib.exe
2612	Njfkmphe.exe
60	Nmdgikhi.exe
1964	Npbceggm.exe
2148	Ngjkfd32.exe
4536	Njhgbp32.exe
468	Nqbpojnp.exe
2940	Npepkf32.exe
2088	Njjdho32.exe
4716	Nnfpinmi.exe
2784	Npgmpf32.exe
2380	Ngndaccj.exe
2544	Nnhmnn32.exe
2316	Nagiji32.exe
516	Nceefd32.exe
4556	Nfcabp32.exe
372	Onkidm32.exe
4732	Oaifpi32.exe
2448	Ogcnmc32.exe
4368	Onmfimga.exe
2728	Oakbehfe.exe
1416	Opnbae32.exe
676	Ojdgnn32.exe
4340	Oanokhdb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqbpojnp.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Aknbkjfh.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Kodnmkap.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Ogcnmc32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Kncaec32.exe	Kgiiiidd.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Loighj32.exe
File opened for modification	C:\Windows\SysWOW64\Nggnadib.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Mfhbga32.exe	Monjjgkb.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Modgdicm.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Lobjni32.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Aknbkjfh.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Moipoh32.exe	Mjlhgaqp.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Njjdho32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Nnhmnn32.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Jcknij32.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Ibcbfe32.dll	108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe
File created	C:\Windows\SysWOW64\Loighj32.exe	Kjlopc32.exe
File opened for modification	C:\Windows\SysWOW64\Lncjlq32.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Hodbhp32.dll	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Mfeeabda.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Nmdgikhi.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Npbceggm.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Fenpmnno.dll	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Pjbcplpe.exe	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Kodnmkap.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Loighj32.exe	Kjlopc32.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Phajna32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Agimkk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6516	6424	WerFault.exe	231

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcjgnhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lobjni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kegpifod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlhgaqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggejg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqkqhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmdgikhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcbfcigf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Komhll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcekpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfchlbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcfggkac.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phajna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll"	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcjqc32.dll"	Kegpifod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modgdicm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1616	3848	108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe	88
PID 3848 wrote to memory of 1616	3848	108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe	88
PID 3848 wrote to memory of 1616	3848	108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe	88
PID 1616 wrote to memory of 3764	1616	Jcfggkac.exe	89
PID 1616 wrote to memory of 3764	1616	Jcfggkac.exe	89
PID 1616 wrote to memory of 3764	1616	Jcfggkac.exe	89
PID 3764 wrote to memory of 5056	3764	Jedccfqg.exe	90
PID 3764 wrote to memory of 5056	3764	Jedccfqg.exe	90
PID 3764 wrote to memory of 5056	3764	Jedccfqg.exe	90
PID 5056 wrote to memory of 3872	5056	Komhll32.exe	91
PID 5056 wrote to memory of 3872	5056	Komhll32.exe	91
PID 5056 wrote to memory of 3872	5056	Komhll32.exe	91
PID 3872 wrote to memory of 788	3872	Kegpifod.exe	92
PID 3872 wrote to memory of 788	3872	Kegpifod.exe	92
PID 3872 wrote to memory of 788	3872	Kegpifod.exe	92
PID 788 wrote to memory of 4480	788	Klahfp32.exe	93
PID 788 wrote to memory of 4480	788	Klahfp32.exe	93
PID 788 wrote to memory of 4480	788	Klahfp32.exe	93
PID 4480 wrote to memory of 2144	4480	Kgflcifg.exe	94
PID 4480 wrote to memory of 2144	4480	Kgflcifg.exe	94
PID 4480 wrote to memory of 2144	4480	Kgflcifg.exe	94
PID 2144 wrote to memory of 4428	2144	Klcekpdo.exe	95
PID 2144 wrote to memory of 4428	2144	Klcekpdo.exe	95
PID 2144 wrote to memory of 4428	2144	Klcekpdo.exe	95
PID 4428 wrote to memory of 1284	4428	Kgiiiidd.exe	96
PID 4428 wrote to memory of 1284	4428	Kgiiiidd.exe	96
PID 4428 wrote to memory of 1284	4428	Kgiiiidd.exe	96
PID 1284 wrote to memory of 2636	1284	Kncaec32.exe	97
PID 1284 wrote to memory of 2636	1284	Kncaec32.exe	97
PID 1284 wrote to memory of 2636	1284	Kncaec32.exe	97
PID 2636 wrote to memory of 2220	2636	Kodnmkap.exe	98
PID 2636 wrote to memory of 2220	2636	Kodnmkap.exe	98
PID 2636 wrote to memory of 2220	2636	Kodnmkap.exe	98
PID 2220 wrote to memory of 4280	2220	Kfnfjehl.exe	99
PID 2220 wrote to memory of 4280	2220	Kfnfjehl.exe	99
PID 2220 wrote to memory of 4280	2220	Kfnfjehl.exe	99
PID 4280 wrote to memory of 2540	4280	Kpcjgnhb.exe	100
PID 4280 wrote to memory of 2540	4280	Kpcjgnhb.exe	100
PID 4280 wrote to memory of 2540	4280	Kpcjgnhb.exe	100
PID 2540 wrote to memory of 876	2540	Kcbfcigf.exe	101
PID 2540 wrote to memory of 876	2540	Kcbfcigf.exe	101
PID 2540 wrote to memory of 876	2540	Kcbfcigf.exe	101
PID 876 wrote to memory of 3580	876	Kjlopc32.exe	102
PID 876 wrote to memory of 3580	876	Kjlopc32.exe	102
PID 876 wrote to memory of 3580	876	Kjlopc32.exe	102
PID 3580 wrote to memory of 2672	3580	Loighj32.exe	103
PID 3580 wrote to memory of 2672	3580	Loighj32.exe	103
PID 3580 wrote to memory of 2672	3580	Loighj32.exe	103
PID 2672 wrote to memory of 672	2672	Lgpoihnl.exe	104
PID 2672 wrote to memory of 672	2672	Lgpoihnl.exe	104
PID 2672 wrote to memory of 672	2672	Lgpoihnl.exe	104
PID 672 wrote to memory of 3000	672	Lfbped32.exe	105
PID 672 wrote to memory of 3000	672	Lfbped32.exe	105
PID 672 wrote to memory of 3000	672	Lfbped32.exe	105
PID 3000 wrote to memory of 1908	3000	Lqhdbm32.exe	106
PID 3000 wrote to memory of 1908	3000	Lqhdbm32.exe	106
PID 3000 wrote to memory of 1908	3000	Lqhdbm32.exe	106
PID 1908 wrote to memory of 4836	1908	Ljqhkckn.exe	107
PID 1908 wrote to memory of 4836	1908	Ljqhkckn.exe	107
PID 1908 wrote to memory of 4836	1908	Ljqhkckn.exe	107
PID 4836 wrote to memory of 432	4836	Lqkqhm32.exe	108
PID 4836 wrote to memory of 432	4836	Lqkqhm32.exe	108
PID 4836 wrote to memory of 432	4836	Lqkqhm32.exe	108
PID 432 wrote to memory of 4784	432	Lfgipd32.exe	109

C:\Users\Admin\AppData\Local\Temp\108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe
"C:\Users\Admin\AppData\Local\Temp\108c3a2a14bd07df31ceafa9be404c893e066f81d7d019e02eb1539b83c00b66.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\Jcfggkac.exe
  C:\Windows\system32\Jcfggkac.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Jedccfqg.exe
    C:\Windows\system32\Jedccfqg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\Komhll32.exe
      C:\Windows\system32\Komhll32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        23⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        29⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        30⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        46⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        49⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        61⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        62⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        64⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        68⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        69⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        71⤵
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        72⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        73⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        74⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3176
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        76⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        85⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        86⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        92⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        94⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        97⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        111⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        114⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        118⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        120⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        121⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        122⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        130⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        131⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 400
        142⤵
        Program crash
        
        PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6424 -ip 6424
1⤵
PID:6488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
84KB

MD5
196fee18fa559dd15517b1d16560c766

SHA1
9f9c2124330b274f66dddb76ed02d1b99d1626b7

SHA256
7168967216f37a63a6913a0f0a220ebf20d3ba4324c7cdc6a7d4520cbb3758cb

SHA512
4a9a9ca69c8425acae9048783f588188773ce7854bc381abf48c1da1f7f501e1d68d8eea9cd5f175f49e6138967acfe8598b50bd1b2a7d002e79103a95e3527f

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
84KB

MD5
a5c71cff4ce485fff5aec51f8d0bd525

SHA1
56cbf359ea587f5a8c7622a06be2781bd1a008f8

SHA256
df78f1a12988ef097f0475cb991e2d1ffadd060499eb8cf0d0d2e4de76d7da52

SHA512
20e85f8af0e3bc971ce8f53563fdeb18225c13b03cfe5fc060fdc36387f0f62f5aa9fabfe1b837262e0f54007f29391a9ac7c2b72ef6ff4879b5b198161b057f

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
84KB

MD5
adf086ee54e5fbccf46ce18abfe04e61

SHA1
de9abfe027730e6be25671affe05a851a4f3000c

SHA256
4246671cf20e29ecdf8a3de001105022c0fadb2ada0bc136651d266a0f367c7c

SHA512
876fca56b484f87893b63a44f6dc2cbfe053598758b4e08bea76652fca150f8abc0e3439484b5421f4b06eff3b0c5abb359b192de43c636c0ac67ea69777dd53

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
84KB

MD5
a9c94a6c3ef182f8ed0cc43b3371bb00

SHA1
0e7cc086084c4c6673e11c5f039b40b65661166d

SHA256
b501d9b17f671fc7796393d8d6ef92efcb696f0dc340988205009fe735fb36e5

SHA512
8175a41e3040614c74bca55ae0ef7b275e7ed303dbfe22422ce0c524473f274f54b0a4d4cddfeee0485f5849370e18cf4c78d7d805923eeae9c3d9341abbb880

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
84KB

MD5
db2e9ff17fea8e0f4ecdd88f6c90010d

SHA1
0b9bac3cebc4c7ac1d23e6c5083c4ee03c0edecc

SHA256
a652ab4f5f2151523724e1775ff5db53b57f4cee008fa50d80a175cb2a1dc59d

SHA512
ae3bafbea2e0b511cecdac3d6d528405e333fae5a1197685ed9cb45816cc62406086f0f47ea5937e989a39c0d750573787a259b65b89741ee984640c3569d7a5

Download Submit
C:\Windows\SysWOW64\Kgflcifg.exe

Filesize
84KB

MD5
94d3710c203a6510a7193cd9d3d82190

SHA1
73914756d2a0b7250c2cb7b95d9cb0fd9599665b

SHA256
0e1989111e380ed7da2352d631763c5b01bcf5dcb296f3cac3940b5b45b2c5d0

SHA512
9e0ecf0442f111ad278f6732e0e4b02f2ccb629ff13c03df2b6e708c95370019d82ee0ed93935e522e9eb79534b4793b3836665f9a77dffc08cea7e31a867840

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
84KB

MD5
987843ccfda9aa926f840514df9145ce

SHA1
58dcc3afc83adc3f8441c3f113ee63f41a597aef

SHA256
0dfb3b31f7d68edfdf31cb27349610f015db31ecf8e1edacf83116bf89683f56

SHA512
ee3c232315e95116859739c41093a142d3181e975e0cddc042e4c533d71765c78dd387735b0ab2114a2ade40166a35870d4f98a9e6657ea647e59ac525ab0357

Download Submit
C:\Windows\SysWOW64\Kjlopc32.exe

Filesize
84KB

MD5
f485fadf82a77cee76c3e6a56e09e5e0

SHA1
5b3c824afb5920d5cac4757fd8d04cbcb0d1e606

SHA256
a5d35ced6e0777718bb1d651841b068351b8b913459354e1ac94fb9263a0c58f

SHA512
a82ca210112003c39fbaf0b1b9669d6cabaf4266a0912bc2884dfbcac5d9c0a9272979aa332a522447ec1eafb6187b1a1c2b3bd244cb6feac140636cb53ca6d1

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
84KB

MD5
fc4c1e5ca817bb358a585c49efeed1e5

SHA1
e21ef1581b25a472794e60133236052eb6e9fb49

SHA256
8cc8ac107c160e254522c8e69893e730dfccb7e97fef1ba29b0dfcb432118971

SHA512
432b7c4f3f3b698887594fc46aef8ca9920dedf5d0460b9eb85b4b3962dbcd0e86928fd39b2a85e5cef750c60b823cccd3b2b59e5b975df23d78a04b83e0122f

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
84KB

MD5
2f52a9f5d10cc11402dd7319fae1b6ed

SHA1
0f2d8aa93f68a308d21016a587a626566a0205c1

SHA256
5a41fb3c0c2444d517c1ec2c4aab3e607d011a35ab64c9abcc093c966c216a76

SHA512
494ab96fac37b96d7ff614912a8ababdac11d92d64bbc3c5234b47ab57b43850523fa58d7708cb3f0bd50a5c836b03b5d0bc29f4446ec22ce494c96273cf8463

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
84KB

MD5
4147d2e90342dabb5999fc1c28bac54d

SHA1
11a13ca79952c4bc35fa0ee0c33f6f06c2c6f038

SHA256
9fa71c37e2e6a59efbd5e51b254b5f090bf7347153366c2b9640e106db71d433

SHA512
0644cb1ff68e271e655849e4dd974cce082ed2d10da8b627dec21638eb6ed6df9a6835fe2076fa306724bac586ca53458c53d2d89e4ca37471853ee72dafe41d

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
84KB

MD5
ca61de84008afbb088b95a8649fdb043

SHA1
59275325b72cc937801a23471f41253fbf841a9b

SHA256
01830affbe99dbebce6eeb37c36c748bc82d5c5bdc023fb1f8883bba890cea73

SHA512
28fb1a3f1733a36bbcb424376aec11e6c4f649bfb68aef92858162524d3bd58b5f4f8b62cbe37e276c161e69367b95661ec918f913299aeaa73bfb173559860f

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
84KB

MD5
47b8c68c4ddf65d3ef279a5d88ebeddd

SHA1
b90fea665815961970e7f9354ee95a5f7fc33a9e

SHA256
0c77b4d0e9a37097e0671fb21d9fde9adae727fd50b924e1ca337d014eed9e29

SHA512
404af9495484ddba4fcbedf15f81d5db03eeb3b8f595866f03a53f5af219584050d6097667d5885e69097a6013f188092c533f934c9ae02b25c5437dae0d6197

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe

Filesize
84KB

MD5
532495c84ca2f02b1a4f4ef0d26a631f

SHA1
9f9ebf8778c71f5fea082ed0656ff0501a555c34

SHA256
8580ce69840490a4340994fafb9f09e1a02942f98c52bb08c0beb107c7c6f099

SHA512
f496e88a69982c466b617916a4e4d63912cd9ee76b0130e903ba43a0051c9a0e0c2e74109f87a5c42a47de6ea3c273c6ac9856156b43976060c515948f8e791e

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
84KB

MD5
755270ad97f56bd513a86b2478bf8137

SHA1
5ba43c5e08ba9548c25cf47e50e82e25aa352972

SHA256
903f90a7029a836bd1d5bb381bb7799fa960598246e59f3c076ba59619d7075b

SHA512
ec7c8f055a49813cad0012d2ac688bf4a87b35721733c3df13006649b54495bb086ffa207da921e7cb2eedd47988e7edb1a7e0b004774798751b1c955a298e76

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
84KB

MD5
bf6b4732c318e1ca46d39cae2df2ac58

SHA1
a66581469222fc3a7a7c0d0bdbbb809765527f40

SHA256
46264fd30e32d9aa1af30ae2f383bd7fab9eb16ba5ee8711c073f9810495c057

SHA512
05e870cd407b2b6cc306ddbbd54ffab9a512a1a0880091c7e58b7906fb219b1c27a5494aac125baf96889647ab79611ca8f6b83c5e8c8216ad6fed8524fd1875

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
84KB

MD5
bc376eaccd066a33338547f15fb4b5a1

SHA1
fea27d3d89c01923636d313987c73061ece8578d

SHA256
e97362f529097200b3882ef3c355bc0a67c6dae4f5171af1375427317f2e6fbd

SHA512
bfef83b2db163051898e0916c7db1807b55d312b9267e8db88ea8ac13fc888b96952a7b2ee2f74b8d972048ef3dd3e64b8730237c83c1e28a097113b5f6cc36e

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
84KB

MD5
6b7110d0e7ce0c5d7dac55be12a7ebfa

SHA1
a154bbe1e3639df46432a31db4caf03f1293e18b

SHA256
f15f83bc1fc37e7d2c25fc8f0eb458436d767ac6d0ebc9e85e7fe7280835d64e

SHA512
3cb146a6814ef723446897a633dcb85acdc39c847fe7659b368001be7085940b09af71f59d5f82fc45863fdebaa1f5bc9e34b16ec98f75547614643219d3a403

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
84KB

MD5
f2aa507fe36c97d92dca7d41f0513512

SHA1
40da4d58544ccb39d1fb899db53638d8a493f27e

SHA256
92728600fa5db629ef6903ad88092e1d286a29642e5eb59a012775535962315c

SHA512
aaffc75bb68e1929b62b5588dc761479df6850709ddd24f483596c4873aca69a7c6119f306634f405b23f0998838b62f58b6722ba221a3c0d2a401be802b1fa9

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
84KB

MD5
4d306e125675e69bdd6894c34c849c93

SHA1
2394b5048fb5ed5f9befb99aceff5ad7f054e839

SHA256
c1b0ca2b5af239ef7981fc30bf045dc92cde80c2ba2ab6cb77634ccfbf6cac67

SHA512
2ecc193b311d0c8dcfe560f46a52a9592f43582e64ccdf56249998bedeb1f7a8b074198c3c540fc1810a818afb6c3b68ecf0705aeb9b7ec36ea5aca56bd13b46

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
84KB

MD5
66afca6713603e1d36171640f58bc549

SHA1
dfb94da2b68463e15d63a553af9ad3fd55976d24

SHA256
f0b8a056f4068c10ddc87ec2881594abbf9236a13c682b40559af72cda9f45ff

SHA512
518c605e8fc2281dd6f8540f9b01bebc76dc4469fe0a74541864b7e334fdcb525c051dc65f269a5017193cac267c12a128989a4f1dd7253b9fce7bcb3fe70ef2

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
84KB

MD5
de45b658133e43bad723b8d860b137ec

SHA1
077f523b063559fdea2ff452c8f400bd2aacb1c2

SHA256
0900e9f240d0c4f914716ff9126aa4ee7f67b75d3f491eae47946a759e5037a0

SHA512
96431ab6c57bc4da7c52fa04ea5eb4895c46e445eea726767bb49602c6b5ccde29a25119d6c8424f7c984dfa6ff5d68265498a6fa9a905b10186e3616c3f4714

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
84KB

MD5
dc2270b58796e9264b8540709b4d1cea

SHA1
bd3fb3c76b36e23599cbc2c6f34c93fde90b2245

SHA256
6db4e74b825b2fa82ebf5358747e9edb235903f18e193f956c21eccd25696ac1

SHA512
cce67347879bc4696401334c5b9e826e934fd4b91d1869611b05c1895083d77ee61a3838fa27fbcfa840cd46ad8b474643712bf0dae677c32d22641ce8caa451

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
84KB

MD5
e36ff16fc8d6ae2f53ce81f532be6816

SHA1
e95108c57f04a08e975dc452e2ff79ab337af6ea

SHA256
7ba32aa3053bfc92308314f6d053c4f59bd640fe549fc6abafd6cbb9f727fce5

SHA512
72475c8d6cc4b7cf35fef1b567a3ae2cca81a1be7fe8a6e4059a612f76da7d3beb82d4687bda47749360c370d8f1e21d6fdc680b9e6dae845cf0dcb8e3086b79

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
84KB

MD5
326eb9196a344c5f51929fab6193eff3

SHA1
a7d5c86d9998e114a409367aa16504a179cdda90

SHA256
62100168ab4b2b210b251877ea5d27c99df54b365d2e2a3cfe504b3eb20c6711

SHA512
b8e2110a6890b5b091e953cc5db24fb96e97611a9d7071188b4c2f6f3990071da172adcc8e65f990c9cf8e93cb68fdc1fc1bc39da134206c070b612e907d260f

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
84KB

MD5
e544da1091bb495a1baa464b255a07be

SHA1
9294765643d2790e7b3a5c16dabbbf09368a6572

SHA256
305a5dd0c9b4fe818b72ae6df9821380323766e30412307514a24dc63760ff5c

SHA512
cf0851e620acab7f5b5fcc3d52ecd7c0afe192ebc8aab65fa7432adc3b934dda65851dc5b88894b8f511cb3a7ebdd48746e19a577383102eb955b01f2f598454

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe

Filesize
84KB

MD5
80df7de31a6cb52cbc1f8ccfd9492286

SHA1
5d6675e550bae7713fc61637131f7a38302f3dfc

SHA256
706b6a8bc4c39c9c0037e0fe5e9fa297c8e8c98510da7a8f01fe585a6c447c09

SHA512
ab23852456fbee0abe8b9cff6b1fb06795d72603685b0355063ab07612617faf09bcc5d913e38d7c3844a93e83c84e0447af72398b374e845edaf3133302deb6

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
84KB

MD5
a2c767a4044a70b3d0d6b28452e3dea1

SHA1
42f5e52a7aa091f96211550aa48a3b868235dc96

SHA256
05e50ad871b6f3e4da41729d73f1586bb975ccee563c3f871deb552c73c3556e

SHA512
df6fff3e9d6234363478e5d43a2d4e52be524bef84f3db774d23a61edace7b459e0f78e42b0b8ae822af51fa7a1741cae3c10b20a4ab21b123ecaa55d0a1350c

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
84KB

MD5
8ebb026ac0f91e407903d2959f3fc485

SHA1
ddfb508519e8a9d6977fa00050c9a059a1ad677a

SHA256
fae287299fd62aaaacaa778c00f561c1c4629bb4956f87a7828c6f9aac5d697f

SHA512
d87a332ce78a47840924300ca1a8f1cea2b2e39da468b44285c60e29031c45ce4ce0b0a9f6b8117f19c027c151ea44864f51b00f76bf859e35ffd1996cb60628

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
84KB

MD5
22c518563d3140ef4281ca082c465fd7

SHA1
65ee3561821670c5e5116870ff52ad1b3fdfd4b7

SHA256
d6448cad7988a7a3274fa5214c70b6c7127b53512f8dee6c547d822657af35d8

SHA512
caf6c2b7df6bc39adc865b9419c48b1d60a3d28df9fcab05d2bc43536c97873336dbd9797fbf33c0bdba0add2840f3b9f76c1f174082e8ad0ab6fcec670e4000

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
84KB

MD5
e08dd0cc3b4ead61e49b427c3e36200f

SHA1
89c99cdfb7d9db007d4e89b999264090679c9618

SHA256
2ea696a2ae0fc091873a5c16c4ec39c85a6abf3ec14229cd9ef8bc90eb1be44f

SHA512
f094064520a19340e276aa096e4c3d7eddf949120eabb369a6ffa376c08d4bb184511a82586d9f2f9af6dd3248356606b0b365275821bec63826369b6b99e034

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
84KB

MD5
8e982ef15265fa9cbc34817ba5f98e87

SHA1
e2f27d69e7647185d1fbdad28814d4377b758dae

SHA256
902dd4a00bcde7269694044eda2aa50ae430fcb9ba958c9543ad3de950275d9b

SHA512
38ec114e10d966ba2a210674e0157ec415ee9db69e5b2268bf2aecee31bb7ec223813036676a8884836ea0186dfa8bdfb6e77e0c5236ab582805d505792dcaf7

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
84KB

MD5
ac19b30ee13bd01b299d02bbef7d42a6

SHA1
2f386a03364b8264e901c82cb2aed1951d71b794

SHA256
436404790d861a8eea43531148557a17322410a8e4149299f38dac837a4ebabb

SHA512
31ea1265ee30d06efad09a0905ba5c2460bf11fb9cab19bfc5f7d391c1ae1709eec52f84e93d461ad4acc33213ef359d3c5a7e0a16a2954b99998cb31fd9652c

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
84KB

MD5
4ac7df4d6232445687404b49fd70084a

SHA1
a4f520ad9e8cdef468330baaa576dbcd4cd8d441

SHA256
68d5036e68fd4dc506fef447daf21e9f0faee16ffd459b2b785eaaf14b4921d0

SHA512
66fa29c70db93a079a63bdbadfea2f007355f47fa9420344fa101baf6ad73e7ac101d3d1613114a0716baffc4a0f1d82c57e0605b3db908ad8146b219f945bb5

Download Submit
memory/60-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/672-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3848-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-542-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5176-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5220-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5264-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5352-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads