berbew | 08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe
Size

74KB
MD5

f4101723d4a4c98cf9ab6258c9ffa200
SHA1

149369a612a10d0334ce3209897720c91b73348d
SHA256

08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17
SHA512

6527d0ae830dd6eef5a4e4d5e7c0797274f471391fcb706a51f5c873cf70908285dcac5a46d08a9bd1c9b2fcf5d1b838a0ad74648274fd9c82e438a009b84a90
SSDEEP

1536:ws0PkacjJCBCY3gyGDlpbpvpY2JdNpXHkxmWH:payUI7pJJJF3kxmWH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1068	Lmiciaaj.exe
4836	Mdckfk32.exe
5076	Medgncoe.exe
1328	Mpjlklok.exe
896	Mchhggno.exe
3004	Mibpda32.exe
1432	Mplhql32.exe
2540	Mgfqmfde.exe
1700	Miemjaci.exe
320	Mdjagjco.exe
4572	Mgimcebb.exe
448	Migjoaaf.exe
4444	Mdmnlj32.exe
1604	Mgkjhe32.exe
3096	Mnebeogl.exe
4964	Ncbknfed.exe
2992	Nepgjaeg.exe
4480	Nljofl32.exe
4676	Npfkgjdn.exe
3528	Ndaggimg.exe
4624	Nebdoa32.exe
2804	Njnpppkn.exe
1692	Ncfdie32.exe
3620	Njqmepik.exe
2284	Npjebj32.exe
1480	Ncianepl.exe
3020	Njciko32.exe
3980	Nggjdc32.exe
3480	Nnqbanmo.exe
1348	Ocnjidkf.exe
3224	Oflgep32.exe
552	Opakbi32.exe
2776	Ofnckp32.exe
4916	Opdghh32.exe
4340	Onhhamgg.exe
3344	Ogpmjb32.exe
788	Ojoign32.exe
1568	Pdfjifjo.exe
1440	Pqmjog32.exe
3332	Pclgkb32.exe
4416	Pfjcgn32.exe
5072	Pqpgdfnp.exe
516	Pdkcde32.exe
4880	Pgioqq32.exe
884	Pjhlml32.exe
4376	Pmfhig32.exe
4440	Pjjhbl32.exe
1804	Pcbmka32.exe
2348	Qnhahj32.exe
540	Qdbiedpa.exe
2476	Qgqeappe.exe
5032	Qmmnjfnl.exe
1284	Qgcbgo32.exe
3472	Ampkof32.exe
2448	Acjclpcf.exe
2468	Ajckij32.exe
2524	Aqncedbp.exe
1492	Aeiofcji.exe
1572	Afjlnk32.exe
3984	Aqppkd32.exe
1268	Agjhgngj.exe
5116	Andqdh32.exe
1620	Aabmqd32.exe
2252	Aglemn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ncbknfed.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5576	5484	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1068	3676	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe	82
PID 3676 wrote to memory of 1068	3676	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe	82
PID 3676 wrote to memory of 1068	3676	08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe	82
PID 1068 wrote to memory of 4836	1068	Lmiciaaj.exe	83
PID 1068 wrote to memory of 4836	1068	Lmiciaaj.exe	83
PID 1068 wrote to memory of 4836	1068	Lmiciaaj.exe	83
PID 4836 wrote to memory of 5076	4836	Mdckfk32.exe	84
PID 4836 wrote to memory of 5076	4836	Mdckfk32.exe	84
PID 4836 wrote to memory of 5076	4836	Mdckfk32.exe	84
PID 5076 wrote to memory of 1328	5076	Medgncoe.exe	85
PID 5076 wrote to memory of 1328	5076	Medgncoe.exe	85
PID 5076 wrote to memory of 1328	5076	Medgncoe.exe	85
PID 1328 wrote to memory of 896	1328	Mpjlklok.exe	86
PID 1328 wrote to memory of 896	1328	Mpjlklok.exe	86
PID 1328 wrote to memory of 896	1328	Mpjlklok.exe	86
PID 896 wrote to memory of 3004	896	Mchhggno.exe	87
PID 896 wrote to memory of 3004	896	Mchhggno.exe	87
PID 896 wrote to memory of 3004	896	Mchhggno.exe	87
PID 3004 wrote to memory of 1432	3004	Mibpda32.exe	88
PID 3004 wrote to memory of 1432	3004	Mibpda32.exe	88
PID 3004 wrote to memory of 1432	3004	Mibpda32.exe	88
PID 1432 wrote to memory of 2540	1432	Mplhql32.exe	89
PID 1432 wrote to memory of 2540	1432	Mplhql32.exe	89
PID 1432 wrote to memory of 2540	1432	Mplhql32.exe	89
PID 2540 wrote to memory of 1700	2540	Mgfqmfde.exe	90
PID 2540 wrote to memory of 1700	2540	Mgfqmfde.exe	90
PID 2540 wrote to memory of 1700	2540	Mgfqmfde.exe	90
PID 1700 wrote to memory of 320	1700	Miemjaci.exe	91
PID 1700 wrote to memory of 320	1700	Miemjaci.exe	91
PID 1700 wrote to memory of 320	1700	Miemjaci.exe	91
PID 320 wrote to memory of 4572	320	Mdjagjco.exe	92
PID 320 wrote to memory of 4572	320	Mdjagjco.exe	92
PID 320 wrote to memory of 4572	320	Mdjagjco.exe	92
PID 4572 wrote to memory of 448	4572	Mgimcebb.exe	93
PID 4572 wrote to memory of 448	4572	Mgimcebb.exe	93
PID 4572 wrote to memory of 448	4572	Mgimcebb.exe	93
PID 448 wrote to memory of 4444	448	Migjoaaf.exe	94
PID 448 wrote to memory of 4444	448	Migjoaaf.exe	94
PID 448 wrote to memory of 4444	448	Migjoaaf.exe	94
PID 4444 wrote to memory of 1604	4444	Mdmnlj32.exe	95
PID 4444 wrote to memory of 1604	4444	Mdmnlj32.exe	95
PID 4444 wrote to memory of 1604	4444	Mdmnlj32.exe	95
PID 1604 wrote to memory of 3096	1604	Mgkjhe32.exe	96
PID 1604 wrote to memory of 3096	1604	Mgkjhe32.exe	96
PID 1604 wrote to memory of 3096	1604	Mgkjhe32.exe	96
PID 3096 wrote to memory of 4964	3096	Mnebeogl.exe	97
PID 3096 wrote to memory of 4964	3096	Mnebeogl.exe	97
PID 3096 wrote to memory of 4964	3096	Mnebeogl.exe	97
PID 4964 wrote to memory of 2992	4964	Ncbknfed.exe	98
PID 4964 wrote to memory of 2992	4964	Ncbknfed.exe	98
PID 4964 wrote to memory of 2992	4964	Ncbknfed.exe	98
PID 2992 wrote to memory of 4480	2992	Nepgjaeg.exe	99
PID 2992 wrote to memory of 4480	2992	Nepgjaeg.exe	99
PID 2992 wrote to memory of 4480	2992	Nepgjaeg.exe	99
PID 4480 wrote to memory of 4676	4480	Nljofl32.exe	100
PID 4480 wrote to memory of 4676	4480	Nljofl32.exe	100
PID 4480 wrote to memory of 4676	4480	Nljofl32.exe	100
PID 4676 wrote to memory of 3528	4676	Npfkgjdn.exe	101
PID 4676 wrote to memory of 3528	4676	Npfkgjdn.exe	101
PID 4676 wrote to memory of 3528	4676	Npfkgjdn.exe	101
PID 3528 wrote to memory of 4624	3528	Ndaggimg.exe	102
PID 3528 wrote to memory of 4624	3528	Ndaggimg.exe	102
PID 3528 wrote to memory of 4624	3528	Ndaggimg.exe	102
PID 4624 wrote to memory of 2804	4624	Nebdoa32.exe	103

C:\Users\Admin\AppData\Local\Temp\08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe
"C:\Users\Admin\AppData\Local\Temp\08036e997a65dad0318ceb1638d0b8c2ceddff8a9aadf66ce21d4e0023038b17N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\Lmiciaaj.exe
  C:\Windows\system32\Lmiciaaj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\Mdckfk32.exe
    C:\Windows\system32\Mdckfk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\Medgncoe.exe
      C:\Windows\system32\Medgncoe.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        71⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        77⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        78⤵
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        83⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:744
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        86⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 424
        104⤵
        Program crash
        
        PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5484 -ip 5484
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
74KB

MD5
17534d156be390dca732f81a2772f185

SHA1
78b3226b4841d0c201c0eadfbf6c8cd6a08cb54e

SHA256
70d0dd09c208aa47cf6bb92faf848ea3900eecf2da21687b6cb2118432761cde

SHA512
527c6737dd0062f1232ca6d04d1e36359166ee9610a8d2246eaea6d7ac6245be4e9301bea0124c6a45648350c9ba7362e693652cca723e5200d52fe4315a3923

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
74KB

MD5
ddc4815f2521d3d4790bf793d9f2bdd8

SHA1
b6d4671a9b1693187dcbb443341c0618ace71943

SHA256
84485a22e22844250f00e47f89db698ce28dafd2327e014254c1056b44ac809f

SHA512
929c48d79faf3763507774ce11ec85ca980f7271a76f68a07c4cb8c09450863294c0402c50ad54e292155115fd4d28f9d7c772733e538f105d1de45fd29f7d44

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
64KB

MD5
5df3a8314cf4d72c2e9191f83f869a69

SHA1
530784d2e91f945e88ec0a119f0b5bd0d0155daa

SHA256
0552392a17db35869da013cc0bd827d69f8000da6004b0f231ee25afb5bff314

SHA512
1f64da7cf165ea63a0715241fab16c57af07856057dbb73fa8dbc574937cec1b0a0967b23d49d97982e4fa05abfc8b644280248cc4dc0e663a9bb9137d26121c

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
74KB

MD5
d0393c82b5019b6fe72e1cad8a843964

SHA1
4257dc54277030d3b36bb47b3d7394ad2d3ceaf3

SHA256
1ae2fd2b527b1650eaa3da50532bad4b6c1297b068b57bc13cd2e238b233f600

SHA512
fdbf67f240ec806e3872f0a811bc31111a55197ffe274279565a8f1b6f1545f699728d3530b22b07c1f1e9b15a0ad0e98bc393683f7a3fe11a114d1baf534e50

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
74KB

MD5
1e8194c5c97e9779f2ab5f2ad8c8e826

SHA1
78a876c5feec1e0f2225eaf74bed8f2fdccfb676

SHA256
69ff66bd01a60d2d9b7041eb9dac2d6565c102af174bc5952873ba92bc3a7b66

SHA512
0b0ac45cd89d79de2ab17bbcccb2819479b3e5a4f9cbbcf08b76404a242ffd513f8be6dc186c25e079d5b5a8ee133245866087fa05c3236408be7aac85f310aa

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
74KB

MD5
d97b97535ee781ffd689d42084aec6f2

SHA1
969d395114295f65fab81c12418a7f4b84d80ef4

SHA256
d58f6818dc0dda3ae65f2f45856cbeb25dd9693b652d68cddbc84cba4b5c6e33

SHA512
71e0bcae0acb44a06a25312fccc8f7225f5b24828d97559fe7672b3e5474c33a0ce7ae12039200b173dbc1d58ff4c294add905aa98bed9b35af2620bf880a8e1

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
74KB

MD5
f113ea4a7c520fa7c3fc69b6f4cfb5c5

SHA1
de1dc05f5e9684b311b1f92ac205a18bb671554f

SHA256
c06ebd2de3a3fbf9a9b332aec21c082624ea70a0220271d2fddba80d1f490af6

SHA512
f8ca2cfe99e706717ac73a5db79a3d848383dff78e375bed362bbdfc056aa58dc13b0776d35b9a6fd3d62c9263a3a2276a2a91a2b09300d03f8a9eb68a2fcc41

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
74KB

MD5
8ad71964441cf6c0386b16adb1bef26d

SHA1
689c067a682979fd0d088bbf9fada790a26a2cbe

SHA256
feb1477bc66f40af31a143ea777deb7b2909885f5ee7fec0b75d8f1b0c64a801

SHA512
3f2d9b432e4995eb15d5153f82ecab776dc27d305443308565e891d68c086b5163752357b03335e40565af6558365da40a02bf95ab886f58b050171e8aa417ab

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
74KB

MD5
6db8834d4f38fe172caf536cce2887e2

SHA1
26a8c4cb780344606c21b988dc6b36d31efa9499

SHA256
5a79cb719e2ed39ea4f2d33b6dfec0265712c290c66c64da6de8c701157b4eb4

SHA512
2b1c288f4e2f4f861d81af09506b43a406021ce7b48a288eb5367860dc4c7ce340d16031cdeb7535f6f35f9d98bc257678e03073dfac86bc1d2146f73add68b3

Download Submit
C:\Windows\SysWOW64\Hhmkaf32.dll

Filesize
7KB

MD5
24c09ccdda4cf8fe702aed39ab7c7a4b

SHA1
ac947b510a9616ddec7b7e55ddb27d839e55d5c5

SHA256
087a5b14201de2474ac0c94a9145448df8b2de046feb5a3c026a832261eb7179

SHA512
74b3d5fc492c7fd7623d701b1a9151a1284037126e8f69dd056ce066e4bef0e25545b6948867f639ebe09c0ddb0fabf986c21effd4940d1be7ce962d25dc43ba

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
74KB

MD5
77876c16778f66b5d63a1dfd38581a6e

SHA1
384308b07cfe824c5f9ce4280ccd871177755202

SHA256
d2df300912c4b625d25eeaf2a8d5f532bdb89603f2b16438c1efc7ae4751695d

SHA512
6c1ef8e20f17835c581e1ee01a405984c5f0dde1d20d0cf2472bd361a188a6480db53ff37676d4d98b6fd9e87e4b1190f21b7caa1ef6824570c4435c11b064ba

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
74KB

MD5
41f0ea4663c09c9fbb8a35ea38722059

SHA1
18406422720d1d72e25b982e51a10a8d3332fd51

SHA256
a8c34ffb318e19d61e15f1819d5fe62bdf42420b39e84f83706c24f4d2e0780a

SHA512
78dcf8d80bc113b6fcea877981dead372480e826b2a92d1c96401861202202d6969442c769dc24bf5d7b247b9176e34f54d8ba0839be4eef404b85411be08c20

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
74KB

MD5
7de0024d6832ac1c6f7b3ae60fab8eaa

SHA1
c9ae280ee7f0a0a56fe9689fbcb26f70c24a2d20

SHA256
4e001f2b034cd7f5cf61299931d4431b6cbd3cdecaf85e88f5db405bd4c10f55

SHA512
a14b48b4401f0e36642cc54a15320b06a2f061af72886471247591a26f6c68c494f8b0ea78af37aabab7698adfb57ebe79a63341bad654b6e059a14c3ca774c8

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
74KB

MD5
20254169c4e505197fbfd96cf13f33a3

SHA1
8d819d19f36fd799b67ca1c3886565dede7d1b59

SHA256
31ab34f8e9e6da03670fdd7327de00286a4031895475fca39bb179c4671e367d

SHA512
a84fcc3ea6cddb35792b264728ab3c95a3a2ffc9ac1b2a318a56eb9a313a127fc91d483b5b3bb70ff695c64943ee6eed679058bbace5a1648f1da8cb8d3bbc76

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
74KB

MD5
604a59c2248d6134567844cad93b6cbf

SHA1
2c509962460e14dc0eb4cfd420581b7a63b1daf8

SHA256
584b6ababa2eebc28af2b906464be18328709575b642c895cda1747ee91a6177

SHA512
ef0165dcf4e2704a84f61eaaf4793a9b4874c2aaded8a6a1164d3bb003000f48f55bbac89c0f9ab5327aab8b80b062cfa5f89808110a0aeab3f3dc7319481901

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
74KB

MD5
2b2a6d3b2f27e39a742d99bf6c28fd82

SHA1
109f19d2fd3eddef4e5a78d4a0f37264064d508a

SHA256
b1aed1dadea41699e527217c034674160fe60cb2f29508a1a713c855438234b7

SHA512
eb03d9467daf14907864139834131e8ace6fbd3f94b010a96f232234e5b914bfd9778440689d575098715fa5cac8a8626af74bd58797dcbea7152882469797f0

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
74KB

MD5
3867a6a9d018e2185f85335fc304a2be

SHA1
f65a7d29290ebd31397bf242a90de5c0fc1b9b3f

SHA256
870a9c05aeb1a33ca07cecd3e7060c31eb889a03d69391be6c71bdbdbd50c1a1

SHA512
71d9a1e657658d88282dcde94fddea820f4e7ad1dded63e4f2542fcd21e1956f098dd3aa6351eebd29ff67e497cc9cfa18089e10c6579b4412ce45a79619b351

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
74KB

MD5
16676dec1b7481804481d660f8a10833

SHA1
03710fe6b94a35054668a513fc64c336a81e96f8

SHA256
72c6f86dc09ee6827c75cdc30d6d6ae659e11a010ea70e4f4350d55ceebad1d0

SHA512
728dc0254789b0346df127e058b1c3dcabf6d4ca67388538cc804dc5c9a92c02907c241fe8472811f96e7e8e5666c34a3475e51acae00654f28a2d478ee99bea

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
74KB

MD5
2c0a1e81653303a6a2f55724c840ebc3

SHA1
e9f4505b9cc54cdcd3e6f571e3c6a5f2942fe290

SHA256
8c345d5f473bc786932bc1c2f93662fd8909ef72e3cf5c2e4e4caffb96684102

SHA512
de59e13b54027775e33a7efe59946a5ca29b120500d1c2d3b133df920bdb328dbb51b8c39315d8fe7f9053c37e84b24969ce1bc847f5ecccf8cb9e685fd3f269

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
74KB

MD5
c113df5468ce3a0360bbe23db9b81ef7

SHA1
80381b0c103e73a6f872dc0c3148addc18dbaee5

SHA256
2c213039d688a34da5848ffa63e14386d96df5b68b771e95f108f7e016fcdacf

SHA512
1745d019035e884b4fbcd2547a3d75c4abe531c88316cbc3b19a5fe6abe2b8fe04ec42dfef822506ab1997a0029cd478bb20622b86f88c5d45ec15f787bf9a9f

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
74KB

MD5
8f39d10442bf4f85f08a41fabc996395

SHA1
5f87211d5b1da1fc45b22e44e5907ee290c62f03

SHA256
ee5c3c01fd32b484a4d729a79115e8083d6618641e3d252b8c0a03c611704813

SHA512
deee6a664e8397175f0e7b82b55fc89a04fec52706f761dd4c1379166811b49ff98c30b479c413c13553b53854fc128a95f0a53018e51c6a298db4e2c434dd64

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
74KB

MD5
a2b98d0033b97745d68884ae09c66147

SHA1
1d90ae61c6056c15a41b5996f2c0eedc196371b9

SHA256
a23ef5e02f5895911dcefa41803ba2ab2f43573f045a6bbc6b9f4f35258b10dc

SHA512
2dfda666989bed2f7833960d8da40ab8acc058e6aeb25925b31dd1342e2666e8462d740a9d5bb1cd108c66c93d291dd122f5262a5766ff20bb994b7de52fc948

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
74KB

MD5
b562e856db123f936b4b3b4a6f1c9e90

SHA1
c19c14a9c04b66e7b774bccdbbff165a95b50803

SHA256
2a164f78937e8bdb714286873097ea92b2a9f48a69b2ee8aca2fa273fe9cff3a

SHA512
3ad5011215b919b17ce5ce816ace18298e0a25cdd281bf233968e0e9e604982a57d6069a192e06c41df50ac17c7e6a337173227aad963102f4c4139b2838a4e2

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
74KB

MD5
13b5eed8cd7154bbdee7f2677ba1b78a

SHA1
6f407bc87704f068d8005b4baa2ee4f1d1f5d2e9

SHA256
277ef7d26e85e61a6be7274da3cd1a1ad3eb81bc82252e4a8534c316e3b6164b

SHA512
68d0bf12f8a6a215b4e6d7c18b7134f5b1da22d729365975e395653fec5913fd5cec7920365ea0548ce2b7efbc7a6ac39750f7efe8ba40809d8d582ca5b1d044

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
74KB

MD5
17be6e05b3c5acae78f863bb793f412f

SHA1
ef41c509294958c7b4eb0b950fd11cadb3dc2f4d

SHA256
17144abc8411c98f32f9b7a0ef93f146c7b5dc3d57314f33a6a803b866f6d9b8

SHA512
730c0ce7ae494745af4fbad1dc3de11190f78ed999d7ebef9d1ad4417bb2fbc9f1c188e6c0806a34732f23a35843f189fd20b798a84175094c134521db2f22af

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
1595af4d0f39d7d65a1bb3d978e0a8e4

SHA1
085e4544e4593ec961930525ed02a604489f4db3

SHA256
3684873fa4e071fa3ff40c45011f22d331f76e7425203ee41e5714ab433aa114

SHA512
daf90d35800aec99ca3fc26876452dae0ae3c1eb0a2d213e4f7d726648f8af802cc03a15e8cbcae1df88279d0b0ef8bc763e6267ef6cecc9196bc304963c26e2

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
1c23f6ee1b1356437cf6c85294b6d653

SHA1
b988a6a6516f838d63f20d9829400400f83d08a3

SHA256
869e0fc726aafe6d8ddc40ebf009c2f0f94a6bdd04ad9539236aaa3082128827

SHA512
ac4318be2bdb61f0401042644140cb1b39433f6ab750ed421e350142a224bc03ae9754d1ebe6db049ae324b1f81de33dccb26e84debc8c4d041ee3f16eafbeea

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
74KB

MD5
643a7b440aa98c2c1c6993b3c0ca1e4f

SHA1
a8c5abd90491efcb63df1456aab193797d100e66

SHA256
97bf096f3199f4002a1053e4147f44761a555b0529a8bea1be3cc1a19d4bcdc3

SHA512
d786a5b0e4c07300acf76957943c40b552bd10d86e595ab7bd828c380d544eb5d44279139bd2065414f9ec65506dfb4e24764c253fceb3b0b619835037e2844a

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
74KB

MD5
8bf7e7679697cf4f8d57d84eb051d6d1

SHA1
34fb3ccdb177757dd4a2b95b18d3d1934a78fc9c

SHA256
1627011b6cd4ae3b9d4732af92feb770ceeda50562adc0a4ba3f85d6e4f6faaa

SHA512
237d3f801df8723bda2f83891579872a7b60875eea3a1ca8b0a8ab58ff113fbf3116868cce4bfed158abe155b228b0fb855bd9bab8bcc124c58a8b9f7f05628f

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
74KB

MD5
62513cfd4a0e5cffb53fff41edebff62

SHA1
622586e7f68f71d4401b6f64a0bc4182995b05a1

SHA256
1c436d03b0a36f8452f7e0e4489d1555452631d9a5385564d88672b5b83e3f48

SHA512
662a1d9107865fca5f578235b47039786d75adc5777ec7d729f8dd7e2f8f0b8073cc34140d57916bead8f9b80bfff781b69642cb36bb1ff0ba66b79c88be0f32

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
74KB

MD5
ed9001ac91c7f254631740dd2dd4ce40

SHA1
ba8167a0d0511eab9dbc55e4d65fae911dbadc05

SHA256
66188613efea66c4d0b5724eac7852b630bf13ce83474aa5012df77e43f11e3d

SHA512
f8a3bf700060b5a9bd1df79197ccc44a6de24c8fc874b6a3b52ff778fa611b9c6e9e2226805be1bba7adf160530745a2b63c2c2d0d280640cf9940033e645c4d

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
74KB

MD5
e5e10e8461e9383a3a55a7781716bc6b

SHA1
54ce04f5b7c70a6b462ef84289fc6f7d8ee74d31

SHA256
ebe67ac4f7d780a9d68b0de82553ecf7392c8e1ac6f7c65a544cc6b28872d271

SHA512
4fd3ab3c1b6ed064032f6f93df0a350eefbf9fe6a1e8f764cb0aeb0fd5b2c0b61b13faca5724d7e7e26a40d88b6b3f354a34ade544abb01c8e9e751f9efcc82b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
74KB

MD5
edfe46fd1abcc7a374b923d097d8742f

SHA1
341b01773f887e46f8c66e98c95c6c1c5a8b693c

SHA256
bcb1c9891d2fc82b02b7b5b72878cf832fe7d218e816ffc98e4a29868c815a90

SHA512
7a526c73c2416f96dbb23cb98188bf842e7f48d684ee8ca1076f92f2faf48dbecc94b281e31f8d8f4cb12f1f9f6b356b32b92309e1c2d3a02046daac724d1d0b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
74KB

MD5
046b3e7e49d675254c8e2043b87c23e5

SHA1
d5a219580781e47ed9ff42b9dec79a8849ec08cd

SHA256
23bd70b7b5343cfba17e5521e4ffe2e1f803b407a038b360c7beb065a4ced75d

SHA512
dc2ad1b2537554509dc1129be0db2bc98a218e13a3deedcdfbb8bf352f10c14b13073fe7316be249130b46de58af94b99a516b760ae7d5d218c6eb8e37e195a1

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
74KB

MD5
60235444390f4a9094fc080f194c1d97

SHA1
7afb7826bbf2c431e9a28a1f264d121a97850a6e

SHA256
4b8739c56b0e8cbe744c82a15c46b800652523736f32be5fadf7422a38c6c21d

SHA512
dcae6d0292fa769ec6bdf90f8af063ed4a055467708c69194e34ea228d742ae399e3939217020583056fb8fe2129ef2a378b9f5232725b53249ea49980ba9e9d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
74KB

MD5
21bd003c174ef9f969436f777e8cee42

SHA1
c82ffbfb656c0955199e784cc808d1866f4f0854

SHA256
c14d15be370e01a1752b1c90d838ebf4541c4d2c44595deecd1df4ebacba51b4

SHA512
b474b26ff90987b1320be7fdfee12a5a2eaeaf771f6a62a03271f59f5312c1b761d3522cb53f3abfe5d6d63cdfaa6d2367ffe63dc7d6b544002761cbd3798bf0

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
74KB

MD5
dd8ab8ce4d3043c459ba6f316947ac3b

SHA1
8ddc3847a85cbda3ef26a0a61574dc63c9165925

SHA256
49972ff978f13e6aa2f48c4c9f895fd23a9dae8a434b4b4fe2e6e11287e54219

SHA512
feb5346226cde47a03120b6dfdc82e4792c8067327770e1e776ec8fd76af4e8e89d0e83b972ab026295d2410dac630d24b3c94d5299477878fece5a23d2a87b6

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
74KB

MD5
2161af3af57c71e81a8cbaccbc7397cd

SHA1
229838a2c7dc7a6ebe57f6a3aa5ead068a65ddcf

SHA256
bd8417f363a1b083b540c0bfa03c7cf34d30c12076e61b63889ae863e95253a8

SHA512
14b6c9c8c6f45b4e248874dde606b138efae2820821ee8c67a25dd13a01437429316e0a264cc722a641df392061cf3ee3cb61c2e674dbc7f2175ce6357d18709

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
74KB

MD5
57bf38695a295f5f4ac3db020b4135c8

SHA1
67aa1ecefb454bd3bed2526d8911e2ef27c4cd5a

SHA256
7382682e0f6199556a00c7b4e486123d1d1233b2ac77891b41b197e641ada22e

SHA512
38f129349092a449afdca130494c267e5913324505f474c30ef2bcd5845474a6e1c1f0fa0941453827bf787ec5b2691750b2e7ea8919501767a9d880d1f861eb

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
74KB

MD5
74e8a2abb68646889c675d12fe101bd6

SHA1
1b03d5bf218804b83347030bee0369a4184256bc

SHA256
682af1354b74856058314d5db51879081732648013ab9d4f19cb85917869b7c1

SHA512
a100c0dff06e09f797a02baaf93ca1a219af6f1b195acc3af0628f61085fb73ac9c2b50da5155dce64d45184ce733023f9a2b7ecf17e4d9854112aa90a89b82d

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
74KB

MD5
677dee143c7c6707345d0247d76a4a8f

SHA1
03b5ff19c52a40beeb56a669705cd09ee8735d72

SHA256
a596c317850b3904e1daba72a8a7ca1a94a64d5ef37f0265834bb2c39e5cb17c

SHA512
d6127a22e3224be84516bf1f9280537d3510879d4085c9569af7233cf72bea98c3bd3d49f9c622b40bec71ebd01b7b651ccaab5742452bae6821fef3be6f40cd

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
74KB

MD5
1b551be3591a3f027b397c5e2dc702ac

SHA1
ebabf43898cbfdec81fb2ee47f6daca6f8558ad6

SHA256
8eb23ca062b79dc45c4cf7db323e69ec830abdf43468b9b50111aba648915049

SHA512
d8d9e00b74de9f35ee1e811fbe070729b042636bc5775eb7d827c8ee8b67a7b9aafdba9ff7db3bc24ac1e94d19867d3b978749890488084d6f1ab2497998ea2b

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
74KB

MD5
94b65bdc83310e8109081c3222fc32cc

SHA1
dcf5b0db7717548d051dcdfb40acbe052794c465

SHA256
3bec8e079fa60397ad1cb2ce82b2abd58fcc0a0544d80816e4427815b82e8ba7

SHA512
a091995d59c13c76f6ccb373b7de464ca0f8f37982856aed9bcb6d4620e10d7e976c7196ea38b2c9f8a222109e9f34c66685b2765e8c9cb094e5e0a04849c03c

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
871647faef098ccfae8f286a35b1b32e

SHA1
c2af8cc966a7bc5e0ac5e2a8cb757f3073c83ca9

SHA256
187e42b645e6690a57f8d9fcbcab06dc1afa1966258696532bcad0e9ec1a40aa

SHA512
3acd214302e8f8c7df3cddfe2d056b96e12d1adcd74ac3fde82aab15d81cc14f735b9e5d26a730571c7e05a17861b69875a0a55d0a42e62b26110cf26423c8cd

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
52c0a2e39b9cc9042cc467677ccbbbbc

SHA1
86a3e8a270bbce87249293be6e1cecf242806a8c

SHA256
acd04c55e2fef7df351d5c0205f9cca6f29997c6136fdd69f942756c19865e2d

SHA512
229bc14e95a22acfd84533b102b5752f99e6e6e272de0ef73959b89538976397b32d402d6fa2e8170fbb49891af4d6dcf6ee70e6c8ce0a66a714913b0059fbb9

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
74KB

MD5
cd951930d8ca0a7704913aeb817ac2b8

SHA1
31d0b58aa3950152c9007fc8c67ecf1e7d035c9f

SHA256
e8000bb220fdc5b0c4ab38dfa3dbb1ae81c6652b52272dfc82f48d3c1c4be8f7

SHA512
bb0dd91e55ce809a5e848d84fc2ee10e0c6af84613f50a86d6ccf2b63b4297d5db7e9c906a848961a5d1e61dcaffff75e9aefb8de96d9d3b054735ce21926abd

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
74KB

MD5
565af3f046fc140975d2a2d55f96cf5c

SHA1
dfab0d05fbc5103f92c0a15dde2dd3ce88b8935f

SHA256
3ded64876056b4fee6688f0b135ac6afd05b08c8534124530b06b62866614bc2

SHA512
96fb58c13e85b30ae61dd365991e06ca0f94dc221ca0b86c281135d066f57a2849a8cfc64ef779c25d9163f74ade6df899849dc9da7e1d08048fcf2c0ab46fdb

Download Submit
memory/320-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/448-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/516-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/552-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/744-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/788-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/884-338-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/896-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/896-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1068-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1068-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1208-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1268-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1328-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1328-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1440-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1480-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1568-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1572-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1604-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1620-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1692-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1700-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1880-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1884-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2120-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2284-204-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2348-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2428-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2448-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2476-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2992-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3012-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3096-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3224-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3320-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3332-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3344-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3472-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3480-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3528-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3532-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3620-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3676-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3676-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3980-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4056-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4340-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4420-575-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4436-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4440-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4480-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4572-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4628-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4672-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4676-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4772-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4964-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4968-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4992-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5032-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5116-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads