berbew | 9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658

Analysis

max time kernel
122s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe
Size

69KB
MD5

ca6777fb22d0eb26b0a1e9ddbe622338
SHA1

679bde2db2b0ae1275f87f861ff372521d93bd5f
SHA256

9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658
SHA512

a11f98f3504202ed41222491113864d6d743b5b85ff7f76fdc046d64aaef0cf3bbb444eaad5140dcb2dadeb72f5aeb9356c14496c6f15a6b06771208a4de269d
SSDEEP

1536:WcDFVkoE1c6iS8XATMhCxK3BiNein/GFZCeDAyY:W4Vkokc+mRfBiNFn/GFZC1yY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmhgmmbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1992	Lcdciiec.exe
1196	Ljnlecmp.exe
1052	Lqhdbm32.exe
800	Lokdnjkg.exe
2700	Lgbloglj.exe
5020	Lnldla32.exe
1844	Lcimdh32.exe
1928	Lnoaaaad.exe
2596	Lqmmmmph.exe
1480	Lfjfecno.exe
344	Lmdnbn32.exe
2008	Lcnfohmi.exe
3736	Ljhnlb32.exe
4800	Mqafhl32.exe
996	Mcpcdg32.exe
5092	Mfnoqc32.exe
2948	Mmhgmmbf.exe
4936	Mogcihaj.exe
4516	Mjlhgaqp.exe
3136	Mnhdgpii.exe
4852	Mgphpe32.exe
3412	Mnjqmpgg.exe
856	Mokmdh32.exe
1600	Mfeeabda.exe
1000	Mqkiok32.exe
3968	Mgeakekd.exe
1484	Nnojho32.exe
4184	Nfjola32.exe
1044	Nnafno32.exe
1192	Npbceggm.exe
2144	Njhgbp32.exe
1580	Nqbpojnp.exe
2232	Ncqlkemc.exe
3508	Njjdho32.exe
1392	Nnfpinmi.exe
4152	Njmqnobn.exe
2592	Nagiji32.exe
2776	Nceefd32.exe
2116	Ojomcopk.exe
4252	Oplfkeob.exe
2752	Offnhpfo.exe
4932	Oakbehfe.exe
1960	Ocjoadei.exe
2408	Ofhknodl.exe
3792	Oanokhdb.exe
760	Oghghb32.exe
3180	Onapdl32.exe
4304	Oaplqh32.exe
3472	Ocohmc32.exe
3104	Ojhpimhp.exe
736	Opeiadfg.exe
2632	Ohlqcagj.exe
228	Paeelgnj.exe
2112	Ppjbmc32.exe
2012	Phajna32.exe
1712	Pmnbfhal.exe
3188	Paiogf32.exe
948	Phcgcqab.exe
732	Pffgom32.exe
2240	Qodeajbg.exe
3176	Qacameaj.exe
764	Ahmjjoig.exe
452	Amjbbfgo.exe
1224	Aphnnafb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ombnni32.dll	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Fboqkn32.dll	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Mmhgmmbf.exe	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Phajna32.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Mcpcdg32.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Lokdnjkg.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Mgphpe32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Nfjola32.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Paiogf32.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Kmkdjo32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Nceefd32.exe	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Kpkbnj32.dll	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Lqhdbm32.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Lnoaaaad.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Aonhghjl.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Lcnfohmi.exe	Lmdnbn32.exe
File created	C:\Windows\SysWOW64\Npbceggm.exe	Nnafno32.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Lfjfecno.exe	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	Mmhgmmbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mjlhgaqp.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Npbceggm.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5236	5800	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfeeabda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokmdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmhgmmbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcimdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oakbehfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnhdgpii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdciiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqhdbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqafhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomcopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqmmmmph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnojho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnfohmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgphpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll"	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcnfohmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akdilipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpkbnj32.dll"	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll"	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 1992	3084	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe	88
PID 3084 wrote to memory of 1992	3084	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe	88
PID 3084 wrote to memory of 1992	3084	9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe	88
PID 1992 wrote to memory of 1196	1992	Lcdciiec.exe	89
PID 1992 wrote to memory of 1196	1992	Lcdciiec.exe	89
PID 1992 wrote to memory of 1196	1992	Lcdciiec.exe	89
PID 1196 wrote to memory of 1052	1196	Ljnlecmp.exe	90
PID 1196 wrote to memory of 1052	1196	Ljnlecmp.exe	90
PID 1196 wrote to memory of 1052	1196	Ljnlecmp.exe	90
PID 1052 wrote to memory of 800	1052	Lqhdbm32.exe	91
PID 1052 wrote to memory of 800	1052	Lqhdbm32.exe	91
PID 1052 wrote to memory of 800	1052	Lqhdbm32.exe	91
PID 800 wrote to memory of 2700	800	Lokdnjkg.exe	92
PID 800 wrote to memory of 2700	800	Lokdnjkg.exe	92
PID 800 wrote to memory of 2700	800	Lokdnjkg.exe	92
PID 2700 wrote to memory of 5020	2700	Lgbloglj.exe	93
PID 2700 wrote to memory of 5020	2700	Lgbloglj.exe	93
PID 2700 wrote to memory of 5020	2700	Lgbloglj.exe	93
PID 5020 wrote to memory of 1844	5020	Lnldla32.exe	94
PID 5020 wrote to memory of 1844	5020	Lnldla32.exe	94
PID 5020 wrote to memory of 1844	5020	Lnldla32.exe	94
PID 1844 wrote to memory of 1928	1844	Lcimdh32.exe	95
PID 1844 wrote to memory of 1928	1844	Lcimdh32.exe	95
PID 1844 wrote to memory of 1928	1844	Lcimdh32.exe	95
PID 1928 wrote to memory of 2596	1928	Lnoaaaad.exe	96
PID 1928 wrote to memory of 2596	1928	Lnoaaaad.exe	96
PID 1928 wrote to memory of 2596	1928	Lnoaaaad.exe	96
PID 2596 wrote to memory of 1480	2596	Lqmmmmph.exe	97
PID 2596 wrote to memory of 1480	2596	Lqmmmmph.exe	97
PID 2596 wrote to memory of 1480	2596	Lqmmmmph.exe	97
PID 1480 wrote to memory of 344	1480	Lfjfecno.exe	98
PID 1480 wrote to memory of 344	1480	Lfjfecno.exe	98
PID 1480 wrote to memory of 344	1480	Lfjfecno.exe	98
PID 344 wrote to memory of 2008	344	Lmdnbn32.exe	99
PID 344 wrote to memory of 2008	344	Lmdnbn32.exe	99
PID 344 wrote to memory of 2008	344	Lmdnbn32.exe	99
PID 2008 wrote to memory of 3736	2008	Lcnfohmi.exe	100
PID 2008 wrote to memory of 3736	2008	Lcnfohmi.exe	100
PID 2008 wrote to memory of 3736	2008	Lcnfohmi.exe	100
PID 3736 wrote to memory of 4800	3736	Ljhnlb32.exe	101
PID 3736 wrote to memory of 4800	3736	Ljhnlb32.exe	101
PID 3736 wrote to memory of 4800	3736	Ljhnlb32.exe	101
PID 4800 wrote to memory of 996	4800	Mqafhl32.exe	102
PID 4800 wrote to memory of 996	4800	Mqafhl32.exe	102
PID 4800 wrote to memory of 996	4800	Mqafhl32.exe	102
PID 996 wrote to memory of 5092	996	Mcpcdg32.exe	103
PID 996 wrote to memory of 5092	996	Mcpcdg32.exe	103
PID 996 wrote to memory of 5092	996	Mcpcdg32.exe	103
PID 5092 wrote to memory of 2948	5092	Mfnoqc32.exe	104
PID 5092 wrote to memory of 2948	5092	Mfnoqc32.exe	104
PID 5092 wrote to memory of 2948	5092	Mfnoqc32.exe	104
PID 2948 wrote to memory of 4936	2948	Mmhgmmbf.exe	105
PID 2948 wrote to memory of 4936	2948	Mmhgmmbf.exe	105
PID 2948 wrote to memory of 4936	2948	Mmhgmmbf.exe	105
PID 4936 wrote to memory of 4516	4936	Mogcihaj.exe	106
PID 4936 wrote to memory of 4516	4936	Mogcihaj.exe	106
PID 4936 wrote to memory of 4516	4936	Mogcihaj.exe	106
PID 4516 wrote to memory of 3136	4516	Mjlhgaqp.exe	107
PID 4516 wrote to memory of 3136	4516	Mjlhgaqp.exe	107
PID 4516 wrote to memory of 3136	4516	Mjlhgaqp.exe	107
PID 3136 wrote to memory of 4852	3136	Mnhdgpii.exe	108
PID 3136 wrote to memory of 4852	3136	Mnhdgpii.exe	108
PID 3136 wrote to memory of 4852	3136	Mnhdgpii.exe	108
PID 4852 wrote to memory of 3412	4852	Mgphpe32.exe	109

C:\Users\Admin\AppData\Local\Temp\9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe
"C:\Users\Admin\AppData\Local\Temp\9c87c565e2ae2d33c373d1e70fd1408b4b6d8407061b5ef3d747a174d49c1658.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\Lcdciiec.exe
  C:\Windows\system32\Lcdciiec.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\Ljnlecmp.exe
    C:\Windows\system32\Ljnlecmp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\Lqhdbm32.exe
      C:\Windows\system32\Lqhdbm32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
      - C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        23⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        26⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        27⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        51⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        77⤵
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        79⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        81⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        83⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        86⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        87⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        89⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        93⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        104⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        105⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        106⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        109⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        113⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        114⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        115⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 408
        122⤵
        Program crash
        
        PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5800 -ip 5800
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
69KB

MD5
d4e076db08ea76c2f350b594f8140461

SHA1
ad8fe899ba10fd4622c62a8883c5787187c05cf6

SHA256
450e1c52b343806bd550389e4e3f70ea6ce5b8fc9c00854179fb871d9a4cfa37

SHA512
b879b88faacb01e6c9c8c9ee1de4a7017bd0ac49eec1177e73a5b06e900b67060d43e67baca297d0fbdb55fc5fc62c61dadeed6ece6a67036f94bf8ff48fa9f4

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
69KB

MD5
cec5a0b798ecea6933d8b569dcadf36d

SHA1
e011001a60f5eaf4475cb5a0acf0790b614f8588

SHA256
0f91b0dd8cef15530227879f707b8e62ac49d606697769264c6de3a2ebcd6a35

SHA512
d58f4a41a39b98b1a6ffa66ea71424fd37d6662cf6e694668c2919b94c1fcfb400bd21f5085a442c2fe43f2411ebe36ba7e05402270e59658b38e5137e0b3c39

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
69KB

MD5
78b58b6c3d774d424cba0ea80d933add

SHA1
f3418afd9aa423c5c2e691c74a481860e6ef012c

SHA256
bee6be3f1f76c5b2f8b1583434c61b3090902e7ade92166141b1b85cbc4585b4

SHA512
3299b0d4d238d3925c106de2e32e3fd347833110b343d7e2663bf4c796e66af99fc69023aa1a173851433e4f78db6d0a32e5fe2eab47f89391d27991bb251f5c

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
69KB

MD5
f94c0e9e0548017b71a329fb20ec89e6

SHA1
32ecf89111eb3048b532a9ec5d530426e56ef07c

SHA256
93f32fc70d639fb40a98f4f358a9ce8d525e66275226c3165cc0e10dcb94f6e7

SHA512
55800e07b18cadf69e85eb64e4dfc808718a4c7f30062942ebc0060a7c79494ea9b3cdcdaef888724f8990bdd9bc9adb096c24574fb5adbd2f4014e77f5c3c20

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
69KB

MD5
6322cc7a88fa197ff34b61795425f95b

SHA1
5a91b9833fcb77440d2e0882bbff2e73379d4e02

SHA256
eb350797d2545fc8eace474eac5e764acfbf7675a8b7d25b63bcc33fabd8513e

SHA512
8126490ddce84fdc28612cd326695cc49457d79dd8d75865c2d56d7fdfde0f40a2f3a01f4ba04052b57f7aa2e8cf6025fa5c3c1acba51080a867482783583599

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
69KB

MD5
be3395fbc051cb55723b84056e909e27

SHA1
55b3dfeb8ce0b7a9c5584acf1db8ead7ee247a42

SHA256
1f63549a211c1cdb4f874da46300a64bed78709bde31a06281eca9a415982486

SHA512
36feecbbcd8cb1b6ae55fb47d4d0e4fcbf210574dd4d79fddbf511b776607269ccf1c5721ac457c01ac3c4b846dfb986d7fbaa58fb627ca9efee88a5b1c0a07c

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
69KB

MD5
c850b97d9cbaf1d96d7d0950227efce4

SHA1
8751992f0a782e98b26db5e996d44b55f225299e

SHA256
7c5284e80d447ecc7fd75f8992114d8fbc0eb1cc09a47df8a36bcac159ee1c29

SHA512
0e5103cdd44e011b65c528d600907373d8109c86266a5c4de900a90e4e1fc97a8e44e8c069e4d789d9e69fc6d2d04a41838c7ba8bac96b47388568df432ddce6

Download Submit
C:\Windows\SysWOW64\Lgbloglj.exe

Filesize
69KB

MD5
678dd9047532f0fbd3b9c7daa9457d5a

SHA1
3f30ab7e3d2e6df900d206ff83fa7f7c5ebd7935

SHA256
a767e3d1d6f8603026cca96c46188a7b61a55090b2dbbbab4210ba9ae336c4ce

SHA512
faaf41c5db60337b8be352cc31e902ccf829899e4714f8adb0589a5f81145d4152f9325c21442fb8ac2cb52ae06921130f5ff162d1fa6f3c2a0d214416ff0ed1

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
69KB

MD5
17e1ce6f5f4fe1c90527a8586df2a203

SHA1
0477de88a7b08a0304eb1d7a7253d498d76762e0

SHA256
cfe02c270d18fa9201ffed57fe3ca1f27f761a8d75315d8c674a79ea5efbba96

SHA512
e5d39a564d82229b7851413d1daed3f63d4937785b967a1d888a69afbc1adf02003d8f67f8bdf8378c7f2137e9f7035152168bd128a46f9b20f1d1332514d775

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
69KB

MD5
617e2ebac217f496220a04f8352908ba

SHA1
b984566bc52d935e460630784cbd73475f838b8c

SHA256
b17cc80eee25e745641259fba9018c0afd7d71fbbdc4f9ce552731b71ddb29ea

SHA512
fdae0a8b5304398ab89afb7747230955d70573d9efb4fe28abfb779a6437adc3a12607bfed457093870c1a02239bcae6afb8fcdd2cf13dfbf8523045552d9646

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
69KB

MD5
a2a1ada6bbf0fcc6823fac8a640c0a4c

SHA1
b53bc6fa3849571fcd968b34382b054ad7489663

SHA256
ef342be9fb46c83166315bbc5cde581bf075d31365595cf089b74d9d82ce43b8

SHA512
e63cf573420d7414cbe6dcef8d24cd78908f84ff661ff6375b0c6625b2eebaf47478487bb8a44c7695d48bc65b8c1d8de57d619798b6957d5de4238f592b2c70

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
69KB

MD5
5b99f3351f2899bb38e7b74e6147d5c0

SHA1
545f804e8f1f32942f0de37c41c0e56b4ae2beee

SHA256
1158e8ae740e2a1bc6a712f493cc2d8cb492ce9865f7a3f45b1cb8472492d16f

SHA512
874b3b3b8825ab009b31bc2c17947d302a86fdae51e9869d11d2155d9dc469cb5328869f9c27d7fc874d94331fc3e8847e4130123e7d511e6c0139ef51d3348f

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
69KB

MD5
a8d47a591525207325c48202d270cf02

SHA1
f555537dfbccf09ecce1c5e2d56a6e7e55a6d647

SHA256
45b0a5ae55e8932cfa45284cc058de5c99c3c1a54b3c7e23bc76fbeda7dc8f03

SHA512
607cd73393bba25d7108659b670a4c682810d095e581f26af303cc7db4a613e89c879be91dd7fadb321603ce50f8c9153b376bed92565d5c7f7d39c7e0bf53fe

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
69KB

MD5
18dacb66f72fa01bb2f1847aee75210f

SHA1
cf036a7828921d82e3017c3312a3ffd11b8c154f

SHA256
278e675551b837d31b3ecfcc4ce87592b627fc492eb20132f11f1ca9d58c57c6

SHA512
1ee4e3e6536a8f396844f4a00e0e09042583a1e43dbafca0b434c4a8d1b106a5fd28304d38609c40483a02ab3d31261b6fd12b07d1328fc11b6c1b42cde0e6f6

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
69KB

MD5
81b281f080069fc863d35f3ac4de15ff

SHA1
f23787610d407a28ca1a4e7adfa057e0ab74d547

SHA256
e82dfc8d49dd57b998392d0a9d4f33b055f8e5b4f1c2e0ffc991b8c31fea38c9

SHA512
5410edf46f6c3f028fb815d8ed04ea1fb1c3d710f0416de93d7104a03cd794c14d23a58a1ab49bddf603237a5a8b01cbbb180c1e7988c969559956ef3ccdde1c

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
69KB

MD5
5520864ccd084db53a2d3f088c5ff477

SHA1
3b9ee5e55b898a3ccd608cb81c6556a2993e552d

SHA256
215a4f89defe75f410f69c105d06b2ea3f23dbac4b8c78ba92370de6fcef5a26

SHA512
a104a9ca22739d14fe4967e3b4a0353ed3e54d9f84ecaf26208204580507107ad70d5f1e3ecaab2a0500fab91d66cb1032833a0fe7aa990806879c7d9f4189c1

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
69KB

MD5
9dce901c10d64ec0ff0644d1e35fad91

SHA1
709bb5032457a6dd700d88809e0d5490fb3a0d55

SHA256
98f4530ae70d3be91a670ee3e8cce6e70e18e694e9fac4ab67c7688c66279171

SHA512
6fda60d697e829c4ca7e42d47eae1beba5ff08c99d92a9f1098ec85c08146a5637f761cc4bac0836e55c8e4b442597b8cc485295bdbd7e04bd8e62b549525068

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
69KB

MD5
4eadcd8a06168dda5479a50080212c74

SHA1
cacc8f02939ff5f0cf8cb789cef994a4e67bb6ce

SHA256
bcd7cc796ddf8ba02b547748588a81533c5ec91a00161d2c71ffa7f0c4721be6

SHA512
8e445c06a2e008008240a57b30bedcdf06d3efa66da42cc756bc4a60732845e925dcf1ea4e5d21b90b1855aca09ac357276aea3cf58ac1fd6b289900f1ea2f42

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
69KB

MD5
0f2725da8dc125ac707a47848531704b

SHA1
c89ca1ca2436bf40e27b1f23557da661cc328ab2

SHA256
38087657903db3cfd9dabcbca96e8047f2caad9066b4b6ab01edb2ca49fa33bb

SHA512
18ecc6e65790edc98e2c7e42e3737b38d0298713c6548ccc1e6059595e4412cfb9ffdfe099cb5b6e8a6a57917bfaa3b6dfe32593daa5f0520228808b7ce5f261

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
69KB

MD5
50cf7f1f77f345d524a8ba1719e55f01

SHA1
4d789ca91807681efec417416178998f98f91d66

SHA256
9b79f18fcc33ab810b3ff17c27f0ae19379d31e89e31bcb1f40f094ae46211f0

SHA512
4351d434f106666a412970a1adc2ce92d80d61b8e98895551c843a70a913b28d8501b85f205e695b8f4f3aba87c94470bacbf8d797369ae422e4efc044511c45

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
69KB

MD5
e8f431c581478e6c2fb211c5c6eb48b5

SHA1
b3ca7994bd08f4a0a850b1329c56a91b49694522

SHA256
1bb9b35f8c2fb82daf52e1f8022e32812d5f110daf8366810d2882b56259f068

SHA512
6c994ebfd13e76c638ee5d7b1f040ef205fd42c9d0cfe043f0795b7e6431aa7f516be36b3e73ae561af613cba60a42238ea2905cd70ea170f491710ce6168372

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
69KB

MD5
988a67b783e81b65c1ebf4424c93f965

SHA1
1bd2d1a21ec1c85c362c3395d656c7ac6494add9

SHA256
dea12889284c1813e78f70f172c231e656d28571c87a26f33a32a29a87be4199

SHA512
4db7da24d055b6d93a159878d60105688ef41a36b5a4e619a01117115552e4d490d601a92558ce5b2509677acf45d02019c78b4f3d804ac7aa7822839bc83c5d

Download Submit
C:\Windows\SysWOW64\Mmhgmmbf.exe

Filesize
69KB

MD5
5f45d5f69db2dca87273e1ecf22f39c9

SHA1
2ea0f20015471cc98a9b25fd3d35d74bfa8bcbcd

SHA256
a82c4fd825169557316a505dab81f4d08998e08c2ed4523cf309ce81ddd45b84

SHA512
84183ad88cc1d7f6d8277b1d99948e5cd8f640ae844114e387afe7fd3b501712a7328c374a655e8ea4964f40b33142649ffc5a72fc9ad1114efde5571619e165

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
69KB

MD5
b2b77a7a85895b2377dd70d0fe3de478

SHA1
4b073bc7b5963e3ec6eddeb097cc461cbd43ac58

SHA256
bba78a709a1120151d816a25b5d7cb87e9f2f6239dcf1ad638611c999436cb85

SHA512
ca9da877234000577007309ffca6d982eb4747977011624bf91be4d39af4a85bbfcea65e9648be5f43255002e64725cde60a396e4c3d1c09ff2080e91cb681cd

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
69KB

MD5
a093f9b63bee355b925c1a1c58e4d67a

SHA1
5701e79f941565b902008776b6b96783301abe8b

SHA256
82a3ce60a8e7af50bb6705b93847b9df7b808ccf171496c484e6827bfe13d2cc

SHA512
d0333710cfd8ebc2e2987ed60fa86a5f497fa2224b0c11e1ad27fb2ac5ff5df8349d31564f82a28a3d8cb6d34ff06594eaaa7bdd82552fc55ca892288d19c756

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
69KB

MD5
e2b45bfaf81d52446955bd58ff415dee

SHA1
92ec8a72b17fe93b8b44316d11f7e61a12cd75c4

SHA256
d56119a3047d587c71ec4e8563e5b2ad2be1dde27ce3e2ae665f5cfc358edf4a

SHA512
b3f75fae65326573d66c86bd85df08d9104ed922eaa0177dde2622ea654248ddaa326e1cf8a1f96be543023038bb59f4453bd73eb67c5966977c926a8bacc2ee

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
69KB

MD5
4ae3203b32c357c32da6a8eb20cbe5d3

SHA1
7995e1989b44cc8383dae9dc14eae05d7b746f96

SHA256
50bf5ba9e57d457af91aca26783bdaf445c81c8e627ec28200889e815f0fbabc

SHA512
ff5a6356681a639a9d032156353e4e349b4daf824919e46a16842376d148a504fee8d7cc81c6e7a677f4a04474b58d085641d4ef9f01b15a09ce330d0466d274

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
69KB

MD5
640df44e5ba44cfd70b8b40c62157ec5

SHA1
3aaf5063595f9f8f916fb3a1b7fce58c89eac1cf

SHA256
b7d5ef921e8bbf6f48e0ff02fcef43b62044ae56e189d2bab61c52c0e6c7fabc

SHA512
1be22af56a3dde8920811dd8f86a1a47de62bbaa0f36e7814ef8ea56f98514317b08dd4b328aafbb4b5c2330d1e891e76a9b64d9bf9adb35e0f472d974dfab48

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
69KB

MD5
4aabec536b499d5df9e6627134b58a93

SHA1
ae9b781f1001351e4ca18e502ecf0d67fa39f8cc

SHA256
3695aafbdcb78991ae2be5e03935a9fb0e00953ee987ac40695cbb39e09fcf25

SHA512
5938ae358941c36b8b93a8b92e813e4aa4538a643277d7086efe14bf15fb69f8b963fadeabca1b6fbf30286444acc355a73ee0901ec6ee83aab2c60e00a870fa

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
69KB

MD5
5b664dfa2c51c50174cc0caa581160bb

SHA1
bcb55329ee510a0b4daf345b614a4c06cabd4605

SHA256
94505d1619f23240044211bfbb0a0c7e3900c7d9e758af70c48c7f51a771782a

SHA512
44f13bddc99020eea936479d8030fe9ecd80ba17a1bf7cea4d682aed7e6d106547cc0fecc866d0ae608239fa91dd0d0243c3b5d01d946be985ff0cdb425ce23f

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
69KB

MD5
e6aa2eff9d6c8ec337e6593f3136dcac

SHA1
b1c15151b76b8cc28995e6550b9a4a73282d6f7a

SHA256
09715a2c03c45a5eafbe3b5922fe37665a2d8d23046979571e36446176e71e86

SHA512
561f4f1052206fac5fa6cdc31fb397b754f470ad54af56208bbb0309ca67419ac4a52fa94c6847ca748cf9f7686e9098b280557265ea552451c6fab43501564a

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
69KB

MD5
c298f0867b3e3b5f910bc3ae439a1a88

SHA1
009d584b94ee2c207ec9f83dffcd87ce14d6f7e0

SHA256
1bf6ccdee53cefcd9c3a10c22ab30260cab1c9604255b61854a2570846e43ecd

SHA512
c30dafbeb64620b22b2e5074ad4ab6487f2657461d765634a70297b684206018ef210a346b2fd1d8ce72d68e4a8413c23111c318c96aac302f448251708ffdff

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
69KB

MD5
5b1860d7ee7488acde852acf0e7de044

SHA1
ffac2ed1df5e397d181f6f7acfb2670a26b8176e

SHA256
7ed7d7cf49db19a6da9a10be97c228ead017fadf86141e37c701a52b446d1153

SHA512
5a1a9d967ab2248466a627503dfda64899a20c266e0dacb43e764b5d63e74340f6817e98cd1e6b05f484f47c6b53268308fb2b327c7b7c76dd347979f653c67b

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
69KB

MD5
b014151acdf63331a8b60518e8352474

SHA1
961da1f95917c12b8ee7676fbeb5022e8cc8e6f3

SHA256
3c268296bb6845399eed6b75137ec8ade3fad9425a6c5d510699587ee57089fb

SHA512
90abc861ee4914d51078cb55c40ba57905b7d3c2d989f19f51a5d062018385bc48235e179697a04505b4388d528b522fa2d2284a939ac566d9b2a9ec9b2a063a

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
69KB

MD5
593ca8fe6f15d99dd4bc23f3e47fe644

SHA1
8da8e573a51e22136da868647ff98ec70c6f8ad2

SHA256
371177cc465a291b42d370f08850fde88c6ed43817b60c00344529e7bd2cb35f

SHA512
46598fc3381496eb838b1d10b6bf1ef8f28801f106da4307ba4e0662cc5600dc46e1f5d5b5c1be223e6ddbb5b9649fc34f82640314c7954ed39b0ef3b052b764

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
69KB

MD5
3f7fb3d8e2b9016696685905b44276b4

SHA1
4c04a4e6efc97da5f1c2ba47dc2f7a4716bbe52e

SHA256
48f1e630e27f999a32ae943c5b80b8125ba44eeac55db1752760bc00c6e25f63

SHA512
275519196829d3e034e7894077f6b50f5593bbbb67f4de530e4db1386d31676cea1db4ebf4a71f186a0d98cc94dce0b05519e142f7fb7b4b5c7ccbb5a46f181c

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
69KB

MD5
71a7fbf554d5ef25c6b4110a350fa7b1

SHA1
a072511c60b244cb291740ff20a05043ed7cbab3

SHA256
00dad4b7b2cff2f2cb052b5ab0eccdf54b075afde6cb67a137b18629ebb2ac97

SHA512
a8298d994ec3611233c059ff66c0b3dd439f8fce8f33cdef6c33bdf3f0f9d71e0e0f810ab32b424c048e8bd70dd45a208515a09c54a344b32069f9bd3f894949

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
69KB

MD5
026833ba0645902fa3a59ae64d706d1d

SHA1
93870916ed95a0c864e353853c6d860ed4acde25

SHA256
db6654879a568e5fe7a4986497ee27df537aebbdb1d37457d9e2582b660e6aad

SHA512
0eaeb4dfdc1a1cfd5ee2bb5a24a00e884ac56c546330febb11bdfe810b69d3f7e21ebe1c67fccde8c4116ae6a4c8cab6bcd387619cc98ba3a5b7dccafa9a89fe

Download Submit
memory/228-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/344-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/732-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/736-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/856-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/996-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1044-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-560-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1224-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1324-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1392-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-587-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-594-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2008-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-500-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2948-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-539-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3104-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3176-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3188-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3736-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-515-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4184-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4252-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4304-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4852-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-580-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5128-521-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5168-531-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5200-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5248-544-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5292-547-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5340-554-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5384-561-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5428-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5472-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5516-581-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5560-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads