berbew | 1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Size

96KB
MD5

6bc464f0f4ff8db914522e0c5685486f
SHA1

0538d58de550a4f3216ad2fd8319b0ccf5c32429
SHA256

1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0
SHA512

734075a4088f9db4d6e39e65fc77d6bb6dd6d32547758390fe63861503f078f086e35f055f693492ecb427efd482ad2afc8f2f91c2f65ed7e93fed60922f5f57
SSDEEP

1536:rcYZL3p6F24x6LNmr4AZSlh2LU7RZObZUUWaegPYAi:rcYZL3P4EgUClUUWae3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
2096	Jbkjjblm.exe
668	Jfffjqdf.exe
4644	Jmpngk32.exe
5848	Jaljgidl.exe
6008	Jfhbppbc.exe
3144	Jmbklj32.exe
2992	Jdmcidam.exe
5192	Jfkoeppq.exe
5772	Kmegbjgn.exe
6076	Kdopod32.exe
2080	Kkihknfg.exe
4988	Kacphh32.exe
836	Kbdmpqcb.exe
5144	Kbfiep32.exe
3828	Kipabjil.exe
4284	Kdffocib.exe
2728	Kkpnlm32.exe
4480	Kckbqpnj.exe
4732	Liekmj32.exe
4940	Lpocjdld.exe
4592	Lgikfn32.exe
5992	Laopdgcg.exe
5016	Lcpllo32.exe
2792	Lijdhiaa.exe
4784	Laalifad.exe
5060	Lcbiao32.exe
4904	Lnhmng32.exe
436	Ldaeka32.exe
1756	Ljnnch32.exe
2900	Laefdf32.exe
3640	Lgbnmm32.exe
4760	Mahbje32.exe
5728	Mciobn32.exe
5012	Mjcgohig.exe
5128	Majopeii.exe
5856	Mcklgm32.exe
1300	Mjeddggd.exe
1532	Mamleegg.exe
1884	Mcnhmm32.exe
3008	Mkepnjng.exe
3164	Maohkd32.exe
3496	Mdmegp32.exe
2384	Mglack32.exe
372	Mnfipekh.exe
540	Mpdelajl.exe
5840	Mgnnhk32.exe
4360	Nnhfee32.exe
4272	Nqfbaq32.exe
3328	Nceonl32.exe
6132	Njogjfoj.exe
5448	Nqiogp32.exe
740	Nqklmpdd.exe
3788	Ncihikcg.exe
3804	Njcpee32.exe
3632	Nqmhbpba.exe
3796	Ncldnkae.exe
2560	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	2560	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcnhmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkihknfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfiep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liekmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laalifad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncihikcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpngk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahbje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmohbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbnmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njcpee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcidam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnnch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmegp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhfee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqiogp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbkjjblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kacphh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdopod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcpllo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjeddggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgnnhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njogjfoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqklmpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maohkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipabjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfffjqdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcklgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Majopeii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepnjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldaeka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceonl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfkoeppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbdmpqcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgikfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfipekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmhbpba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljgidl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhbppbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbklj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffocib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laopdgcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnhmng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mciobn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmegbjgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcbiao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laefdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcgohig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mamleegg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglack32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpdelajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncldnkae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckbqpnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpocjdld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lijdhiaa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5624 wrote to memory of 2096	5624	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe	82
PID 5624 wrote to memory of 2096	5624	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe	82
PID 5624 wrote to memory of 2096	5624	1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe	82
PID 2096 wrote to memory of 668	2096	Jbkjjblm.exe	83
PID 2096 wrote to memory of 668	2096	Jbkjjblm.exe	83
PID 2096 wrote to memory of 668	2096	Jbkjjblm.exe	83
PID 668 wrote to memory of 4644	668	Jfffjqdf.exe	84
PID 668 wrote to memory of 4644	668	Jfffjqdf.exe	84
PID 668 wrote to memory of 4644	668	Jfffjqdf.exe	84
PID 4644 wrote to memory of 5848	4644	Jmpngk32.exe	85
PID 4644 wrote to memory of 5848	4644	Jmpngk32.exe	85
PID 4644 wrote to memory of 5848	4644	Jmpngk32.exe	85
PID 5848 wrote to memory of 6008	5848	Jaljgidl.exe	86
PID 5848 wrote to memory of 6008	5848	Jaljgidl.exe	86
PID 5848 wrote to memory of 6008	5848	Jaljgidl.exe	86
PID 6008 wrote to memory of 3144	6008	Jfhbppbc.exe	87
PID 6008 wrote to memory of 3144	6008	Jfhbppbc.exe	87
PID 6008 wrote to memory of 3144	6008	Jfhbppbc.exe	87
PID 3144 wrote to memory of 2992	3144	Jmbklj32.exe	88
PID 3144 wrote to memory of 2992	3144	Jmbklj32.exe	88
PID 3144 wrote to memory of 2992	3144	Jmbklj32.exe	88
PID 2992 wrote to memory of 5192	2992	Jdmcidam.exe	89
PID 2992 wrote to memory of 5192	2992	Jdmcidam.exe	89
PID 2992 wrote to memory of 5192	2992	Jdmcidam.exe	89
PID 5192 wrote to memory of 5772	5192	Jfkoeppq.exe	90
PID 5192 wrote to memory of 5772	5192	Jfkoeppq.exe	90
PID 5192 wrote to memory of 5772	5192	Jfkoeppq.exe	90
PID 5772 wrote to memory of 6076	5772	Kmegbjgn.exe	91
PID 5772 wrote to memory of 6076	5772	Kmegbjgn.exe	91
PID 5772 wrote to memory of 6076	5772	Kmegbjgn.exe	91
PID 6076 wrote to memory of 2080	6076	Kdopod32.exe	92
PID 6076 wrote to memory of 2080	6076	Kdopod32.exe	92
PID 6076 wrote to memory of 2080	6076	Kdopod32.exe	92
PID 2080 wrote to memory of 4988	2080	Kkihknfg.exe	93
PID 2080 wrote to memory of 4988	2080	Kkihknfg.exe	93
PID 2080 wrote to memory of 4988	2080	Kkihknfg.exe	93
PID 4988 wrote to memory of 836	4988	Kacphh32.exe	94
PID 4988 wrote to memory of 836	4988	Kacphh32.exe	94
PID 4988 wrote to memory of 836	4988	Kacphh32.exe	94
PID 836 wrote to memory of 5144	836	Kbdmpqcb.exe	95
PID 836 wrote to memory of 5144	836	Kbdmpqcb.exe	95
PID 836 wrote to memory of 5144	836	Kbdmpqcb.exe	95
PID 5144 wrote to memory of 3828	5144	Kbfiep32.exe	96
PID 5144 wrote to memory of 3828	5144	Kbfiep32.exe	96
PID 5144 wrote to memory of 3828	5144	Kbfiep32.exe	96
PID 3828 wrote to memory of 4284	3828	Kipabjil.exe	97
PID 3828 wrote to memory of 4284	3828	Kipabjil.exe	97
PID 3828 wrote to memory of 4284	3828	Kipabjil.exe	97
PID 4284 wrote to memory of 2728	4284	Kdffocib.exe	98
PID 4284 wrote to memory of 2728	4284	Kdffocib.exe	98
PID 4284 wrote to memory of 2728	4284	Kdffocib.exe	98
PID 2728 wrote to memory of 4480	2728	Kkpnlm32.exe	99
PID 2728 wrote to memory of 4480	2728	Kkpnlm32.exe	99
PID 2728 wrote to memory of 4480	2728	Kkpnlm32.exe	99
PID 4480 wrote to memory of 4732	4480	Kckbqpnj.exe	100
PID 4480 wrote to memory of 4732	4480	Kckbqpnj.exe	100
PID 4480 wrote to memory of 4732	4480	Kckbqpnj.exe	100
PID 4732 wrote to memory of 4940	4732	Liekmj32.exe	101
PID 4732 wrote to memory of 4940	4732	Liekmj32.exe	101
PID 4732 wrote to memory of 4940	4732	Liekmj32.exe	101
PID 4940 wrote to memory of 4592	4940	Lpocjdld.exe	102
PID 4940 wrote to memory of 4592	4940	Lpocjdld.exe	102
PID 4940 wrote to memory of 4592	4940	Lpocjdld.exe	102
PID 4592 wrote to memory of 5992	4592	Lgikfn32.exe	103

C:\Users\Admin\AppData\Local\Temp\1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe
"C:\Users\Admin\AppData\Local\Temp\1819c6ac525a180514eaa12a08d640051d65fd7f3ed1a3ca561d2d99fdf0c7d0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5624
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\Jmpngk32.exe
      C:\Windows\system32\Jmpngk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5848
      - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6008
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5772
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5144
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 400
        59⤵
        Program crash
        
        PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2560 -ip 2560
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
96KB

MD5
670d2f53d8d985003ad6f0da21f7ac29

SHA1
af007a70a3ea622e6bb231da8923b427aa852daf

SHA256
63ce4749963ed93d36a6cfd777ad7ad40e5d8c59cb7024c83da6534ee91430d3

SHA512
8ffe85753aeb4687d0c9d2a44367ba93b542b5457718fc14476ce3c184d2c6b858208fac39ad30c9e6342fcb279f474769ec2b3f70fb386da024e3377d2da74c

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
96KB

MD5
afdc7171f9a6d492940543ef1099a1b0

SHA1
653f41f6ec148f83274075e0fb550254350b9a8d

SHA256
58ecee4f43b7649118e07b1b6e2694521b3cfcc59ab97313fc383205172b4e7c

SHA512
47a812c94c7dd0c2d8d5ddaa46258a47f561718fa0f2a51b6e98b9d1590a5cd8f54bfd851fb347a2bc00899733d1fc2a2a43a7a2c98bdf9819859997bd53a700

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
96KB

MD5
7dc1e21127be2550ed554df677a8262b

SHA1
ba0fc7c976b079bb6645b28244909cbe428de2d8

SHA256
3c3890c921a0966c5e8ed734a295a7ca9be3d8a6b9b6e962dbe08c83b706a134

SHA512
cc6a56e872fd104ee5bdd1edbf48746ad3cb85ae6c47821b5281d2cc7476bdc6ca598a98dc212230511e8207c6119055008be14b5c41b6d8c53dacee80d96096

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
96KB

MD5
1db700e11a101f239c6357eaeb1c5dd6

SHA1
8a7e6777a2beb78a3aeb0572db6d6aa3188877cf

SHA256
12746e647cfd30c7f3a7ed30f609b09c970b18e8bcd8360ec8e28e9afad148d2

SHA512
ac967083db9990b41c87b5e0e6bc96139fa6f23f13a1ab86a6655ec748bdf8b96c48894a44dae1eb9f11dc473f1284e58176ebfa56bda36a38c93c4c0381502b

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
96KB

MD5
efa880ec568f3267263b5378087faa09

SHA1
3165c188f191f4f419e3a8ac8884ea544d7c5629

SHA256
238a24a59569a078deb9ca384c7549cb7564455fb190e5f271b87a9cdfbada50

SHA512
0353a5ccf76670b9b07adc41daacf4f35188abc28b9c90e8f6f547ff130602820d63808781638bb0037c0e52a40f16f3eb06c2b57e62fc83c297d4575a997fa1

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
96KB

MD5
dae92e300159921dbed2f1512f96d00a

SHA1
fb6829bbf7d246378a8bd025116e60926a68d402

SHA256
188ae50797ed3962e1e3f07c45fcf715a8b9f4f07bdece6be74d7ed06a7d0035

SHA512
2b9343dc73e119ac6d9c6f29d853c88b1b623b914e3d4668e0c6fb40486b92c4f0cfc4f6b4966f9e61ace09938aca268f993a62a050281c304ac82512d6c0f16

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
96KB

MD5
f9e2b57e0fcfe28a7ad429606814c3d3

SHA1
7a6ec439932c6e6b30f5d1d9650b6d6995305697

SHA256
134b095d3bf8ce059b59af2cbbeb3db000b7181c3d1a564aed2787c895a664c1

SHA512
672f5520899204d61325db85b144306350b91fd1c32ce3f1df8a753b5ba8466e8cbd9a32713f38967b8841f433383e0592342e6a5a39ac957985b1f52a645c3f

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
96KB

MD5
c089f49cd75acf7303f53e54ee0b717d

SHA1
bba7d987ac3e46e298414dca4f5bb35bb234c3b6

SHA256
4f5b865155fa85e851aebdda578e1e3ac6b5bf5e43b60aa7c3fe2c556cfc7ea8

SHA512
2d9a8692e96c7e4e04db482804adef60739ddfc2dd309b7c120877bcf5d85f17f8b2081549f9c098a01ad26f4b1a0f34aa2546f763fd410ede554838d375c690

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
96KB

MD5
3b21cc1e06bfa1b3fd0b6ca1731abb39

SHA1
7ccbed7b5451a865d2cb616cca4aa45f84c83666

SHA256
7d4419451d15984a1a48daa575c4657112db96a2bb03ff66fa753bb11aa30048

SHA512
60734f9e4b46ae1fb87981496bb6e5960f521ff9d223f2e3fd2f944422098ad51c225725f6c03b1bdba56be289cf2ee4bdd1096f8393a41354f65005718a8c65

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
96KB

MD5
94461cba2797fe13888c03475f4426fe

SHA1
4e70b1a48fc5fdf79867932efb30f47eb3605455

SHA256
5a804748907a90cd9edd028e3026b5f296b84b26ef29471dfb4a2efbbafd25c1

SHA512
15229585110d6dc0952c34b246940db9c67d7097a5c593351e39d0e8ea6392c81c3c38bea71106a2833402d62767cff6332a725a3c845f44963145362c5820fe

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
96KB

MD5
07309fea9181d6e12423805e1e300b2d

SHA1
80657cf1bd4f271d856b2e29ac351a37d5ee10a2

SHA256
d81ac300f1aff03ea898346e6e6a5c3e0a950a89ee3e50b80a7c94e689cffe03

SHA512
1b0db7b8c7b5814c813748deb86d6b08fd4e14b2feed16385ddb675bd713747c5de7a7ed63785eca3f46d1cedaddc854f21d9b657e3d7526c2ccf4b07821ac5a

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
96KB

MD5
5eeba2ce22f3aa992c7161b19469a411

SHA1
9de4b719ff3082555f3e56d5634b84d480cff7ea

SHA256
690ef13352aa9c169270b3fef38478ba872981fc4ae42ebb5f968eca3557f80b

SHA512
587c742cf24d9a4dbc4b0361f6a568c7989d756bdd97b49f73e82dea6a4904552626f6e45c051233ea49ad2b9a924733ae5afd086a1da455fc148a154f2b971e

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
df1959ea30377662714969c53a49d5be

SHA1
58a97095d2b98f9b2ef1c56ec634276204ec41fd

SHA256
607d63fc4ce54179fb17c4d4266cc5d1fd70780773f949220c9c2e2ba4fbb83a

SHA512
c04a1e8276a17f574b105bdd09a6740a1abace8ac8ff8ef37e80c95cd4f1be02e37b7c494368d85365719f4d730105eb30c71682114f2f424119eea3a535b944

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
96KB

MD5
d78cef15346451dd34a3f3b689e00c97

SHA1
30b76b8657a0abbf95489191242b3f03e5e69067

SHA256
c8cb63b7ce56cd5262df5da34422306f65de64a3bba396b23c094843eb0e51d5

SHA512
9e94eae038201942bb94dec6c1a006df5f7188bea434908054e586ffededb5bb92fbd17024f88d6890d324b0f7c58a4c0c68dd969deacd550f44d9c03391b1e6

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
96KB

MD5
c5b5ffefb2f249d2d2bdc713e00c8e22

SHA1
a51d59281dfba406c31b3bdd0dcb416b08e51c9a

SHA256
792437fe60a950c6a11e0f791eecab75a5a1be9356d7a24455b44e83c999eb45

SHA512
1b885d0a9335048923c352b1331860021d2ed2be0ae6d11f21770a49097a1bb64c7ec2425499d5d197b4d02f947425ab45159cbf2f618377524ba3406e3004d1

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
96KB

MD5
596af1c21a9cd9562871534211eea1b1

SHA1
0894168f40b11b1f5b2a6fb32a928a65c2f0066c

SHA256
599643923eeddbc0ee2b9de345bb14fd346b8ef0bf952478cc0dc47aba6ee69e

SHA512
dee017ac9e6af3dbab237eb5569e1f65d423b01d0952befb37c8b2b5c357307a2a6783aab1be7a9b3817b28e0f8477f0a5ae117f15d1caa837647c1a315b4e0d

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
96KB

MD5
5329291cbaf25df1bc277b97a4742b35

SHA1
2912e3b7b2f9e0efc2d2bcae56596c5ab7daf0e9

SHA256
bc9a7fe6ca3c21bc5d933e5b8034b868d7c76e14de25b730952dcc38abbdeaae

SHA512
0984dd64f508e09a22078a9c5bcfc769caced9b1c09dbae1a8fdf9aea05ff88395004a666e7d444e54a09c3991115ae0e759fd70bee28d2054ce4c004018d795

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
96KB

MD5
ee064700f1bd2a5c274dfcaa1306b976

SHA1
c73f0a19d070084fc9aa779ddd92c4ea0d2445e9

SHA256
b6b1b0468448e84f969036612d91896670b27bc23a8c0281f81c4e47eb38f4f1

SHA512
d2012f87e1039f25a3d63c750fc3ce9dbc2b903b40a846747ec6f2ae2b9cf1519993f9c54711360c8ff315a8f440cfad0a82662b09768bf43b907695aea27c0e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
96KB

MD5
2024d3d9ad4e384ca5b5207ee5a21c5c

SHA1
57fa7f7a1e09cd5952bb180492bada9a34732b4c

SHA256
e9cae705e18b63938cc90715f0647da31b7d0f6e5b3c0a89526cca38ddc15f9e

SHA512
6d6e3750c624531ef6499a9eea912172704783d66cd48ae85e6b740867f3fc6fa15b23c556f7b5634e13a073eee71a3d78dfec3e5614a896c22aa7b154ecec2c

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
b798a4b19109f36335c81be5cc59cc0b

SHA1
9d7e859ed190c6d2dcf975dd3a1a19dd6e4cc2d6

SHA256
48b1d19c931e3034f0a46e7748bc759a9995dd19c528eadc344d7a765f1f0e67

SHA512
3b2e0d4b5ff0dbc1d45d86c0d3913254776b650650b68c3ddc2ed80e1c0cb41af0a87a93a1546fa072cb1a8bbd6b42342fdb57d0dcf5c2d5448505bee899e02e

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
96KB

MD5
877eef16fe1acb4c587e5f983da935ad

SHA1
e025886abb5d0880e173548a031d01e8b9eaae19

SHA256
48d7a7dda1f23f80c46a1436a58506df507affbbc358766df0b4feb68e9c01cf

SHA512
c431a324c5db5a68315588e56ff2b0bd42488ccadd333b76c406536844a0b0f1942e0b9465fb36189662cca8990e653805005144a13b15fffc1311174940aada

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
96KB

MD5
0f42748d9c07d355f006efd5f59dff0a

SHA1
f46302847d19eb62296eed0484b20472d6333b70

SHA256
c40bea9c0f2d49f48a2a09a7c7d16b8f86d047b80906a81bd03ee90392297d27

SHA512
6c1cf43ce8db6d6917ba7d67bbd3e1f82a838ac49a4678e5214ef0820675a5abc20da5dbf332eb917ba69678174760a82a28fd55b81a93984b4c88c7e47660cf

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
96KB

MD5
d671ae29466e66dc3aacf9586c8cbfbe

SHA1
dd89dc5a315e1b75f2265f5a2c6c2ada7310687a

SHA256
579039d46a98acc2216e637ee809ef8b8331e9541bfe16a7f36706dfe92df4b1

SHA512
a29985968f784c824e471d981f6cc922a7b6cb4d97abbd2f58559fec78326793a5f57547771bf268e69e56b719d61d1eebb15b32d8c22748e7064811af5158b9

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
c5e23a510254d8339b2595d1faa86049

SHA1
51cea639ca7eb6fe3fa7c3ff4b3bfec2a7bf6145

SHA256
50f5874f321b04c455490abde64b2faf63719a08410cb4cbca57331765dbf2a9

SHA512
a0d31663f62e994081efc262fab206ab1709e4546674e7479190f5b7bbf19b7f5c44783b5dc74dcf02ded3b7bd978f35650f2dc68180b44529ee51d85401c9b8

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
96KB

MD5
20a9f7b44efa37042f3b6e926e3efe8a

SHA1
074574ca7be5ae0921d5b810cd2e9fe39ef9fe9b

SHA256
431f8931c9d470cc4e634b14ddec22fa39f76189e8145d301a96c6bf6e880003

SHA512
e4019283b4501c7a66033d1072adaaea2d6d2304d555b5db766618560370eca9204a9418f89abda072d4ff4c3f7892b6f0d1a7e61e87d40f647df6b806168664

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
96KB

MD5
510c7d359735e202b232297bf39198f9

SHA1
7dfdf84ed78b7c9b44dbe189e0e5cfaf96d0f4c5

SHA256
bc9870cac86dd230b6a3d621c0bcd8201d52ab7b5d361466ffb7fa5cf8bceb35

SHA512
3032895529fb61d28feea8c392851f5c845d9750834b841d174b58b49624d20034c1cbc5569f585bda755287e39e9514bfff1e3b98b3290268b132bdbbc313cd

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
96KB

MD5
e79d93579a2b1edd8bf48711f09f3128

SHA1
a2a34625d961fca20882999f9d3f78cbcac77e7f

SHA256
c89cdade362b3b87c71e707fc333bb4fd90b6af1a2e3b0dfebca43f153fff76b

SHA512
8d743152d4c6ec876d0fe1d972679f51693c6f7accfeebd0636392c6a634be874505b89f4191a873188b53ff06309be11b6e11902d551ad9f08b530f358cc9f6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
1d25f39cffcb6f244dae1eb23c7ebd37

SHA1
25382a35ae29e76c8cc1ef722bbba01a4692cba2

SHA256
23dbb878f5c53306fdee7fdc9e8ecef2802c47f54f94c464dbb39f3f417b210d

SHA512
19fdf36bea06938076e560f7517710cd2f4cd530f3bf1798a981887e2a33d897bf72fa1d6399ca9fdb85cf4b306a03ad42564a723da3f2d2b7f048cde04a5eab

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
96KB

MD5
a5586259fdeb3e6c02bec089964c4633

SHA1
f29cfcd99a29cbc01fb4c76ed8e95eee741d0937

SHA256
31c4970ec8b6f353c94505238b5e37fd0852630f0155b804574d69e412790985

SHA512
0816edb9662ec929ba13aa1a9d1a3ae34490798001ef143e57353a8ae131018e776a01051b050f43fc19a1da3858c7a0c135f130e0253d8f0baaf7835f2ec780

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
96KB

MD5
2827274da63bf49c156d9cc0c01e1a4f

SHA1
227108f4c4d8c4bf552508e587b1ee3c7a065f30

SHA256
0fbe583d397378cdba03813d127a3965f8f1b1b9cd1d10bcd19fa4afd12b370e

SHA512
9f25226b836705379ca6a10412dedcda7e66a732857990ca9ac51d3444e3334767f18c278f80de1a99b72e22a837c29a418e821aaf89503d7f51b80b058b5a84

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
96KB

MD5
33e7ad204986accf4d24e7cac6de0bf1

SHA1
1dcf959f82af9338e30b3f53fdd6d2e9c6d8f070

SHA256
2d7d63128f4e335e087c552cba42836b3fc692d408b4cc32562c3b49b35ea633

SHA512
65a7b5ce14659c222edca6517ee06546b213810357dd95ca952807db75fffaca7180c16a5167cf6b03a62b40d3404888917720e0870c8a6d6ce39a53efa8eb65

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
96KB

MD5
657f1b1162786978944213a8f406a4eb

SHA1
ce026d6c95372d4c1dd620a230d4cb0d9d1dc4f9

SHA256
debbf666d735720dd512c585324fb2699ff13702e5955e47bd9b1e8c25f849f0

SHA512
f95d25583ced8158fbc6f55bfda01c490c843d8ef5d854b45c73079b70738dd0379405590a99b8710cd8e92f45bb8215c24043be8346f3cc6d01ca03a17621e0

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
f73490281cb3559aa68103ddfd7f3650

SHA1
883d38101ed6c4a1c742c2e0f92f7dfaf02fa680

SHA256
91444d5f0e214bb91c2dd33e7c4a3523e9dde65ede49932ce801264436947914

SHA512
4591f59d2349198a342a581982b5c2644885a923893faaceb868f5eaa64f275f1531882a3c0e74dd60a2c5b513d87d6c4c1cab5b2d5d95c18afeaa4f41772c07

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
96KB

MD5
21d03b476c29d4882f5bebbaab302d1c

SHA1
aa0818067e0a1ae03e0e8b2efc9e6214ecfcdfdf

SHA256
dd4bb9465947ef276f58d3e467c58fafeb1edc69b864d98399506cbfa6f58ea4

SHA512
c947681a5d140c699e5103912478b9e645a20c4224279931e5f3577be9f6c7fd553bdb1503313892995258bc1eb16d8cec25132bc3cc0220a84a6fef562c4c7c

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
efa2b0f2f11dcf58ab3ba75c3f0470b3

SHA1
c4b67be18b95e0eee9ac9b7784ef27310302c07d

SHA256
d64aa4b9039a48a1013fe5d1c248f650f7a2520007639c5af0340277797bb105

SHA512
5e02ce6fbb35d707268e0f08b42d4185184616c99c270e56535f67f6d7ab0679b5a68ca5420e12eb62c02916e95034e060576fb087178ac6cc015d8bea6213b2

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
96KB

MD5
c4925b4eaa41ee258f7763cc327725f5

SHA1
e8b6e244b231f3d0c36574b60ce05f7802790f31

SHA256
880dc8a71a51c046ea6d3bfedeaeefcda3b34c07c0b97235657c12f4d8094022

SHA512
cc692af404e00bde7f9276ed4a4780a6f9b08945595d76a294cde646244117489bd9c739a6f44d9a05c39054871401bfdab9ab95ec8a795a3e452fedbcab8511

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
96KB

MD5
dc1d8f0377e66311487065b191c187b5

SHA1
91ab203ad993013e0f27d616872fc5dde2411d36

SHA256
9b4d340f02a26973e7e9bc7e6d2fd5448be66d2d7f3340fc28479191126efac1

SHA512
e7178af820efe2d4d93abb276fe79efac5bb528a8ebef1bec7537160e09c54744a9897fac7cf1c56fbac9f068d19fac99576e8b191445c91fdc4cbed914f2cda

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
64KB

MD5
f50e5bc794018c9946fb59dace7e6eb9

SHA1
66cac7c3656d51fcc8722f001798a44675e82e03

SHA256
e5f5b55c0e69656e90ca843b4c73bd2913a90cc263c3ec3fea688966c59c10a9

SHA512
c8b67928a33833a0e3cec3d036561a490e550a9a0a00f82c3f90bd1639bae227fea35a4d8a0c9b3d48acea5d98c3a5332b3957d2d24a546fe1aa2ff95fc2d9e8

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
96KB

MD5
31397eb40a20b8c9b5300058c402bc88

SHA1
aaa12a8709993f3dc589e40b04645565a64a7b26

SHA256
d714c54b9551436fcff5c0338d2719790a156d70e30e7520bace46a801a99072

SHA512
9ff615f0ccb39a73af3858d7f0408b9da3152da796059ba677a3c188688be70a2c9fc1aef867eef9598bd6073093a23cc21152d6a34cff320645d6e8eb5c2566

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
96KB

MD5
0b9fdb755630d6b75f0b27defee30ead

SHA1
4675db88e04e3d040c3a5dbd8e280079f503a01a

SHA256
0db792b04ae88cd2ec478a11a3ba63fb35163abf6965fa48bf077c449cd08476

SHA512
1847980992bfc8e143ebdfac44358ea47a46c8aacffc9451bdb384b5e5de81b071ad5a234330c5346feb0f2f4aa06c6dc749f41d6cb904099231eb4fb880eda6

Download Submit
memory/372-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5624-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5728-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5728-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5772-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5848-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5856-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5856-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6008-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6076-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6132-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6132-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads