berbew | b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe
Size

337KB
MD5

fcf990ea065daa6b57ef6cc637810e2e
SHA1

216cd4611823db54b1650986ddef22bd581d73f1
SHA256

b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8
SHA512

c3c8c252104791c2af575d6c5efb959ecc9186359f9cb49896d97f7447212ac6e6444236a4877facf32cac215dc1ceff65eacecf342e5bae94cb1fc1c6df34e6
SSDEEP

3072:ZABAB/GkGWEgVgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:ZAOBxV1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
4568	Mdhdajea.exe
2224	Mlcifmbl.exe
3848	Mgimcebb.exe
2228	Mmbfpp32.exe
4780	Mdmnlj32.exe
3372	Miifeq32.exe
2100	Ndokbi32.exe
1496	Nepgjaeg.exe
5052	Nilcjp32.exe
1484	Ncdgcf32.exe
632	Nebdoa32.exe
3432	Nphhmj32.exe
4240	Ncfdie32.exe
920	Nnlhfn32.exe
3164	Ngdmod32.exe
2512	Nlaegk32.exe
2912	Ndhmhh32.exe
2324	Njefqo32.exe
4336	Nnqbanmo.exe
4124	Odkjng32.exe
2648	Ocnjidkf.exe
4388	Oflgep32.exe
3240	Ofnckp32.exe
428	Olhlhjpd.exe
3032	Ocbddc32.exe
1076	Onhhamgg.exe
4880	Ocdqjceo.exe
788	Onjegled.exe
1064	Ocgmpccl.exe
640	Ojaelm32.exe
1364	Pcijeb32.exe
4148	Pjcbbmif.exe
2744	Pclgkb32.exe
1240	Pfjcgn32.exe
2012	Pnakhkol.exe
2284	Pdkcde32.exe
4220	Pflplnlg.exe
5024	Pncgmkmj.exe
1456	Pgllfp32.exe
4024	Pfolbmje.exe
2276	Pnfdcjkg.exe
1980	Pqdqof32.exe
1920	Pgnilpah.exe
936	Pfaigm32.exe
4884	Qnhahj32.exe
1268	Qdbiedpa.exe
4048	Qgqeappe.exe
4576	Qnjnnj32.exe
2792	Qmmnjfnl.exe
4144	Qddfkd32.exe
4268	Qffbbldm.exe
2884	Ampkof32.exe
2272	Acjclpcf.exe
2180	Ajckij32.exe
2696	Ambgef32.exe
3216	Aclpap32.exe
4404	Afjlnk32.exe
3700	Amddjegd.exe
2704	Acnlgp32.exe
4784	Ajhddjfn.exe
4896	Amgapeea.exe
3220	Acqimo32.exe
3932	Ajkaii32.exe
4120	Anfmjhmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5228	6136	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4568	2092	b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe	83
PID 2092 wrote to memory of 4568	2092	b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe	83
PID 2092 wrote to memory of 4568	2092	b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe	83
PID 4568 wrote to memory of 2224	4568	Mdhdajea.exe	84
PID 4568 wrote to memory of 2224	4568	Mdhdajea.exe	84
PID 4568 wrote to memory of 2224	4568	Mdhdajea.exe	84
PID 2224 wrote to memory of 3848	2224	Mlcifmbl.exe	85
PID 2224 wrote to memory of 3848	2224	Mlcifmbl.exe	85
PID 2224 wrote to memory of 3848	2224	Mlcifmbl.exe	85
PID 3848 wrote to memory of 2228	3848	Mgimcebb.exe	86
PID 3848 wrote to memory of 2228	3848	Mgimcebb.exe	86
PID 3848 wrote to memory of 2228	3848	Mgimcebb.exe	86
PID 2228 wrote to memory of 4780	2228	Mmbfpp32.exe	87
PID 2228 wrote to memory of 4780	2228	Mmbfpp32.exe	87
PID 2228 wrote to memory of 4780	2228	Mmbfpp32.exe	87
PID 4780 wrote to memory of 3372	4780	Mdmnlj32.exe	88
PID 4780 wrote to memory of 3372	4780	Mdmnlj32.exe	88
PID 4780 wrote to memory of 3372	4780	Mdmnlj32.exe	88
PID 3372 wrote to memory of 2100	3372	Miifeq32.exe	90
PID 3372 wrote to memory of 2100	3372	Miifeq32.exe	90
PID 3372 wrote to memory of 2100	3372	Miifeq32.exe	90
PID 2100 wrote to memory of 1496	2100	Ndokbi32.exe	91
PID 2100 wrote to memory of 1496	2100	Ndokbi32.exe	91
PID 2100 wrote to memory of 1496	2100	Ndokbi32.exe	91
PID 1496 wrote to memory of 5052	1496	Nepgjaeg.exe	92
PID 1496 wrote to memory of 5052	1496	Nepgjaeg.exe	92
PID 1496 wrote to memory of 5052	1496	Nepgjaeg.exe	92
PID 5052 wrote to memory of 1484	5052	Nilcjp32.exe	93
PID 5052 wrote to memory of 1484	5052	Nilcjp32.exe	93
PID 5052 wrote to memory of 1484	5052	Nilcjp32.exe	93
PID 1484 wrote to memory of 632	1484	Ncdgcf32.exe	95
PID 1484 wrote to memory of 632	1484	Ncdgcf32.exe	95
PID 1484 wrote to memory of 632	1484	Ncdgcf32.exe	95
PID 632 wrote to memory of 3432	632	Nebdoa32.exe	96
PID 632 wrote to memory of 3432	632	Nebdoa32.exe	96
PID 632 wrote to memory of 3432	632	Nebdoa32.exe	96
PID 3432 wrote to memory of 4240	3432	Nphhmj32.exe	98
PID 3432 wrote to memory of 4240	3432	Nphhmj32.exe	98
PID 3432 wrote to memory of 4240	3432	Nphhmj32.exe	98
PID 4240 wrote to memory of 920	4240	Ncfdie32.exe	99
PID 4240 wrote to memory of 920	4240	Ncfdie32.exe	99
PID 4240 wrote to memory of 920	4240	Ncfdie32.exe	99
PID 920 wrote to memory of 3164	920	Nnlhfn32.exe	100
PID 920 wrote to memory of 3164	920	Nnlhfn32.exe	100
PID 920 wrote to memory of 3164	920	Nnlhfn32.exe	100
PID 3164 wrote to memory of 2512	3164	Ngdmod32.exe	101
PID 3164 wrote to memory of 2512	3164	Ngdmod32.exe	101
PID 3164 wrote to memory of 2512	3164	Ngdmod32.exe	101
PID 2512 wrote to memory of 2912	2512	Nlaegk32.exe	102
PID 2512 wrote to memory of 2912	2512	Nlaegk32.exe	102
PID 2512 wrote to memory of 2912	2512	Nlaegk32.exe	102
PID 2912 wrote to memory of 2324	2912	Ndhmhh32.exe	103
PID 2912 wrote to memory of 2324	2912	Ndhmhh32.exe	103
PID 2912 wrote to memory of 2324	2912	Ndhmhh32.exe	103
PID 2324 wrote to memory of 4336	2324	Njefqo32.exe	104
PID 2324 wrote to memory of 4336	2324	Njefqo32.exe	104
PID 2324 wrote to memory of 4336	2324	Njefqo32.exe	104
PID 4336 wrote to memory of 4124	4336	Nnqbanmo.exe	105
PID 4336 wrote to memory of 4124	4336	Nnqbanmo.exe	105
PID 4336 wrote to memory of 4124	4336	Nnqbanmo.exe	105
PID 4124 wrote to memory of 2648	4124	Odkjng32.exe	106
PID 4124 wrote to memory of 2648	4124	Odkjng32.exe	106
PID 4124 wrote to memory of 2648	4124	Odkjng32.exe	106
PID 2648 wrote to memory of 4388	2648	Ocnjidkf.exe	107

C:\Users\Admin\AppData\Local\Temp\b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe
"C:\Users\Admin\AppData\Local\Temp\b3c67e9746a508a40b93a67db7d22acf23b67b6bc87c9cb6f87c46d6e228cbe8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\Mdhdajea.exe
  C:\Windows\system32\Mdhdajea.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Mlcifmbl.exe
    C:\Windows\system32\Mlcifmbl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\Mgimcebb.exe
      C:\Windows\system32\Mgimcebb.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        63⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        68⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        69⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        84⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        85⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        86⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        88⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        97⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        101⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        115⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 396
        116⤵
        Program crash
        
        PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6136 -ip 6136
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
337KB

MD5
f00a5c2ef5efe030f389e8e8c4764aa9

SHA1
0797df5daa0c09c886c36d3fc899e30e5e25ecf0

SHA256
b673da6a265bdebffe5203bf480d8bcf9f8c83c98afcc7607dba10a07f48c8c0

SHA512
ee585ac9a5b0982dcacdce167afc58612f31d84b52bbfcd3c38c8f98cd3050af156406f65e6fe70252d9149f92c293551952975f153caba52b36a47b5676b977

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
337KB

MD5
66de2408a150c418ba5d94ce9036b821

SHA1
706009fd2b3b52657d4b231c19f2c9b25a53e71c

SHA256
00966577fd3734f3de2933ddcad42e2c912a3afb3f145e2962f003a9316d552c

SHA512
c7984a45e44dad13b63ffbc4f69d0b32bdba2a6387d8f4ea9c5d4fc4f90569f314e655b7131359ba44821a8506446f54f7db41e1cee92264135acaf577120102

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
337KB

MD5
e1b60f3af79fd4619cffe1ed497c91b1

SHA1
63fd4a826c7d6ffad5b16a388d3a513bf802ea81

SHA256
be7f311227570bbfb0d90b5968a3b84a0c772cc07274680f3bfa6abf1939e790

SHA512
e16a7e6286648bb012f6cde1da412da2bbf25ca6c22fd109883df86b71082ab4a7ba978b89e1dda2821bf15bd77801fd7e045f2e6c641c759385473021358241

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
337KB

MD5
88a5ac6ebdc7d2c6cc718305b4ad0352

SHA1
caf8f36c8216a8faab22b4b06d13a85911e58daf

SHA256
3c3635b6cccdaceb22372765897062b33c7de617fb38cb240d37492c343b0706

SHA512
9bd40a175a06ee05d8e367e681abcceaca0d83b1e43b9b5b240dbe877cb742edc0f2939fa2acace17eef164e30d6dfdc5d2fd0dca26a945ad135908b45e34ab1

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
337KB

MD5
c10f24966a3bde476bab7cbcd167ebf5

SHA1
b95715bd81126dd9f56e800e0b1998bf7a005851

SHA256
19ad701e68a70e61a406572a539c7328a99b283b80003e16bd9a084c1e970b9c

SHA512
83182dd9d707804a0eaee87a13b00786ce5d40492bb3fe09818030cc12847243b2d590060691f440f4915effd31b0bdc41e32a3c1de6a8c05c100591f301fd4f

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
337KB

MD5
ff0ca38f56b1281353bce3009dbb3cf5

SHA1
f838eaf9864192d21c7dc9549a2ad4bb750618d9

SHA256
c5657523c1fcf4d74d31f72612d60224d2008a918f9bdfe695c733e37b235144

SHA512
1e62371fdf202e6e15e4ed09e4f1e51e4060b1955d3e164599e201992a2e3b3ce19d68d2b73f03d4c23c6eb5463f878183799a2360e52e76e3497e5fc5755d49

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
337KB

MD5
8f38fccacb333a3c74cfbc2f487ded52

SHA1
142fa2f85a1130f9ec5503a155ab659ce5d6fa57

SHA256
2e53274d27a51d3fa12fa020d1ad047fd2e9dea72a8a02b5b4128f833a95fb9a

SHA512
db58a0b3b3506b7753a443bc5e21f638bd93509432c786336de23ba773bbb01c03783490eef6d109e81ae28b91d0b02dcf9dac5dc6ba5a8888dc2b8124716566

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
4964dc976aa32e1e77a534b3253ae222

SHA1
40bb722d67afcdcd288b5ccf4a15948993d71afe

SHA256
1b2c986d655e54ddb1ce5b57604455eae57869a01eb19cf01157cfdb1904231b

SHA512
597ffe5b649a4c584359cf5728ac5d97c68fa27c7fdf8f05bfa827b57a58dac9ddf8b477b06ae2b6407495125b81428b7132b270a716021d556ec0da0c2d2b16

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
337KB

MD5
ec0e282a1e439d09e707faf223871812

SHA1
18a1c207e886421f45b83219be8a99b1234be6d4

SHA256
26db84658ac0aa4a25419b7b4c3f198b2a5457d09b9e713ac512448f42b774c5

SHA512
19d1b3427de53eb9f15b907ba7a0f7d031c003ea5a0a7ff3245fe2f28ed1de205f6bb5b361c5467c58fabb332a93df620052732af45602b1f9e03aa71808d5fc

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
337KB

MD5
23304a5ceb49d99154df4d43e54b64b4

SHA1
4decaa1e25e5b0c5f4f17c5a96becfbcf90182b6

SHA256
856421dceab21c9cb6187dd75707895f2a34d8c7e05b6355d5c764fb258d9819

SHA512
df2413a8fa7af78f671d1b4734b8a4c0df094893782464d9597c5686888d10d2859851dfd5d11ea46c75867c9da24cd07b660b4b7e0457f3a18b64796bcb0018

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
337KB

MD5
50b2390402359db6bcc85e82a386834b

SHA1
acb1cdc7b98d9da4229f2cbfb0c908e6b2c96ca5

SHA256
fa2aa27b2009440fe05982f9c658cf5d1156366e6907ac5fdf3360e166c518d7

SHA512
ba78cc4ef975d22af13ae4cc6a606c8443ccc983d871256635485bab7dab1c132556e70b52d4b0b2d1f0ff382e3c0c1b9ff88bed933e4e822a54942f21d3a55e

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
337KB

MD5
5067714075c9b73a856d407c086dfff2

SHA1
ccc9299e8e75d8b590e838e055d82cc697683f7d

SHA256
11dac2d585fa48f581bf90c335e2d163270945e53477f7f84f7805eb99e5dadf

SHA512
2b548e9aed5851ae59a2907e94589d1de0c8d5051c24d1a6d8827e62fafb2cda66c65585727b7b5525c2714b1eedc238943907355036affc22f6bcc13aafbb29

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
337KB

MD5
c7f234f0b4e3666fe58023debf755bf3

SHA1
f5a6ed7ed04121a30dad8210047cfb1dbf33429c

SHA256
f20b0696fc7d3cfef9350eff61fb8bf30d346f1f7419991921bb047c2c891f62

SHA512
2ae7319bc3249c9c10a668f73b1cc991d0334b13d6ead5808fc45383fd6e3001b0d6756382ed4129c8142c4c1224ab1d29b2ef845b906715a78a073932a5b58e

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
337KB

MD5
617ead6047d5c2248dcd0f43ae8e5fd9

SHA1
25779142e4791ce7c2ea2510806629ad869d7c8d

SHA256
74602990b2a461df650f67a7de8f8f456e86337fad1bed6c1d30cac11f72c7f1

SHA512
e074942c231f213cb7bc776a93e129c473969f1cd3f83153550c53bb3269d8b1eb77afa26c67da2d6878c9de4caa9ca4e6def0a1938f1ef7d9b112e65affd095

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
337KB

MD5
696218b82b1ef513fc3977735473c320

SHA1
4a0f60a4c6b9b265322186e38d3c7128cbecb1f8

SHA256
c59824467284988f426049c19aad818b8516b26be03728e8e4c71923b4d4d904

SHA512
f09a15afab4e30136a2cc65263a97898e28acf531ddd879d552948b10bc6c3de8be5f156c431e038792b07f14df1b81eb88607e58ee4ea61430844034b457f2e

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
337KB

MD5
ad36788772911c2ae70c881b95c7194e

SHA1
009f0d7d166de377830eda9a4f4690a000ef29db

SHA256
9a10bde4f53d6ffd7a32b3f9a66c89703123fe0d0ce1555382d6486fe725b5ab

SHA512
7ac876102d620d00e59442c1975310990e835ad6f93327d3b4af8c0c038bd309f8acdf40b102d603a4b4a6d102b413189ab4e4cc035cd364143032a9de70caf1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
337KB

MD5
c2e80fa9d271a062a3962c60b7a1bd4c

SHA1
8277f015381792bc93a37843b21608e4fba63bdb

SHA256
50280df207ada877dfb19abb30b068ef2fa82fc5f1af1fe4b216d1f4b0a5ebaf

SHA512
0f0a1f0a586babad8e704dc44e9f9cad411e78ffb75b3ec45e3b6a94b71e21ee6a967f05962d63858afed79bd5338d0e145bf001807ad8a6d4c69254a14411a1

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
337KB

MD5
388ff2a6c01309b068a075b06576a2b7

SHA1
c683feaa4ffc0ef4d0a4ff43877082b715c6e799

SHA256
72538c4b079cac8a3cf9ce51a864d2479d6005fe7f3cd3e95af4a638a9b8535d

SHA512
107706d082075ff30f3bd9e137426c1915d306ff089c95ec4280fbeb9de40f9086440a5a3614d49b947f5285b4bd6074b40eaa7b4c97caf2d207306d4cd74568

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
337KB

MD5
2bc6aaa40946b68ed3d5b3f12660857d

SHA1
fd7cf61edce3d09bd4aaa6053c9f3155103dcf99

SHA256
d72335cc043a392e4fe1b95a2ce94a7d5e17306934991d5b298278270d4f2eab

SHA512
3cecfa2e56640078bf3f79df47ea49fb7c4d36fe04c986891516876b37d60a9cc2de3409f90eb69aa14c949092ae1ac1139e7e4ccb89b77a266bed8fdc59806f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
337KB

MD5
4a03b834f0a489f612a3b53d7abff7e7

SHA1
2e587b8872f362ea9041547e908f0faba6793896

SHA256
a24263006d0ffd5a0956e1f41b57ccb4f5a6ea30230e605052524b631069c4a1

SHA512
b9748562933be4c97f56835e2dce59ebca53275021374e385eb6d92e79e81640daded10e2210e0e56c785fc0c09959d9b22452cb28a34e4bf032e88baca65f36

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
337KB

MD5
511c25f411e4a05e501bcd82f1b18c08

SHA1
a0f88e0a18422952064bf8fb20ff67e45e6cfba4

SHA256
bce491719356ad989570728d8f6499ee38c541e541d410444f7bba7f06ae85ff

SHA512
a244c0b84cd43ef819a88c26340bf26f48e77b573c8fc2ec6dea5365351c39af583faf0668bbd03e23acbf0aee12daff6e30d76e61a43da71bbfd9d439b6dba9

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
337KB

MD5
eb202ab0fb5b0a05d9c4e99cc9f74318

SHA1
c61ab1352a35157196dc71e3c175305d016b4a2b

SHA256
680a959fe723f91585c9884663ac78b1ad345e9dbc97a2f2eaeef514895938fb

SHA512
082597118ecb93badb083ac47c5882e5088ff3e2d5abb492a9cab2e4aed6b1bad88d1f667699d4e3d1a50b72da9ecbfa29343d6479d08d993f60b1ab1847a826

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
337KB

MD5
ae9eb5e90dd0a7e89f1d35f3d6b93bec

SHA1
0c97cc12601ead3779f6eefa15cddfd526d48cf2

SHA256
9ba744892fef41d7dd467c957a9dd284d8c3eda34ad75de1dde152f02324b924

SHA512
4a13a69fa4b426672a893b480b0e424f2752a801e5517597d57211636a5d624ff2f86abb2296d065dc737ed2c128c34ecb8ae6363cc298d66bb6c074a31edcce

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
337KB

MD5
531e5d3d96fd53c5093677df3eb4bb29

SHA1
0cae926fde476d631ce522995b24e34abe5951f2

SHA256
cc5be61e0bbea93c8567d6d30dcc39194db7b557d4799794b436fa93eac4f72e

SHA512
5c94fee40c81d1a2b40800b01a3ac79416fa9b7e3d9864e13ff187f4d0f3856c9e57ca47c760eeb500987d84286c8baa68d06bfd2e5d6fc5a96303d224def4fb

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
337KB

MD5
318ca33f53918036d3154ec8bc1c982c

SHA1
a8a0cfbb6edf993d0542d4638e421b83a1d6cae3

SHA256
216cf30a2e688ea434929138ceb0e3b77cf1780a248f84a6bda2ab69564ade37

SHA512
56b1b0566aac06bb6513c73fb78654604ae92de53c643f2389bfa95f24b749dc20bbe262b33e0abf5dbe314e1e8885c46a1cb7eadf7b46ed0b017f97f9edb789

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
337KB

MD5
b313a4d617fdc885b112469fef91572c

SHA1
0661dbfe1316ea7a9d90d41c07c75d7b1c6cde97

SHA256
b51798c5eb61b1f5376049ba8b7eb08be51107c694b5f1d6fdbf649b8a660a39

SHA512
441fbc24f53f764329f1a9e605885a902888a31ba5c1984f7a4cad4ff359bf016ba971bd51d47a667a17c8b321eec6104d41e95bc2fe68027b15989fd1a578f6

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
337KB

MD5
aa2ce3abb3fc8c6ce94da9148dad740c

SHA1
4d9b2680a29bf4eee472ebb1757bee11b7c246bb

SHA256
8223fe5465a13deeeb1cb9d1319d737b597d4ce7a304cf2d17aa39fc7ba0b88f

SHA512
629a272d9119d2b6d6e5e47b0569d59982abc6c1900ad6b47181d6fb0c0b15138126d7ef9e1175ac6ed1edfde1a3aacfa8b1f3e34ffec6b8df27f4b3f1b1fa52

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
337KB

MD5
1f775c06180b8bd3939f143438212ee1

SHA1
1fe6c3300883d73d2683d341cbbb31d6a90bdb3c

SHA256
479eeda597dc21132df42d7f7464c9900f55ebb3677b2edd6dd3d8981b8024ef

SHA512
8dd7166fcb0aa32232cb17cfc1ea9dc8243b61c2902fb5030ae6bf05617e4c579088afccfcd7a4e25720ea7e8f1d4e5a74ab003b4fa6cc5c13f79ae8f17a317b

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
337KB

MD5
630c4bb2e6e63f46eb96606810d893eb

SHA1
f0656de39d6135fde3cb9fe0b330b59f78731834

SHA256
d81e3541194967484fa3faa81476c2cc4a01e2b627fa82e6846e46648693ae0c

SHA512
813653761af580b1ef7852a00d5bd6e29b2341109da712bd19bb9fc1633e0e0f01cb67c03e6a6ab962bb79c6a583f2dd90421cc65aa8fbb1d00b6ecd0c31bce9

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
337KB

MD5
e28f77262defc76d00d61d9fcfa5c181

SHA1
4660cdcded5329dbb27bf0bfe3ae043df180584a

SHA256
7c6e39d06abc8ec821ee6f255a0a482a683e2a38aa6d6d52fa3ab1e208c8de01

SHA512
effe7bf4b4d8a0577527b96501dc9d7676eacd95d2de1502514c7d03cd363d768d1ff1d3205dcf30183671c844b5c7437f9e33952bc68eb508acdb409a5970d2

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
44ba797054e70308e7aa839cc9e7461f

SHA1
c439087d0d9990ace49519b9518dadc198c4da3b

SHA256
02fcb7917d74a548f8de09b6ff95b0dd2740a128253ccba733e59b1695f8896f

SHA512
7280a14fedb223dc8bd571fc90aa6b451a3cfaccd1fb029405c34f4bf6644c6d4a924f4508b5e5b84ff33dabb676235362dff452747284c505a7f320d7e5afe3

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
337KB

MD5
13f441f384a5d539a59de64687527c2d

SHA1
cca5976017b4a905b85f0d0c853d416a665440bc

SHA256
105729876cfc078e7a1bc54456b27e9dea4caa9ad97fe676f6deb70458a7972f

SHA512
ba9d7d1811543293a850ca0a484b9b28c5234015f51a9ef1797a5c6c84a60ecca4c68f95fc344ea5e0d8db0cefdacecf4f651298511cffc8646b71e365e0546f

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
337KB

MD5
6aaff40fc21596563cba22371dc93236

SHA1
d4a88518328f5c68255418df94cfcfda0d510e8f

SHA256
e58f1cc4f219888d1e3c30062c7c0fc8ffe04217b3612ab379b1330f2603d945

SHA512
86db9bc16e25a0fec6163ac6e8711a18bd39e6042df4539416778c275ce59b44e4d6096bc559ad479d66a91f4a339166c093b8eb24352129f693b8c2aa69c485

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
337KB

MD5
5a5dc000460e058a8df01bee291cab2e

SHA1
76e3d56f08f3ccedfbda92e282df27adf50d1204

SHA256
4ddab0bc304e0b908ee984d2e12de7b2a73092511797135b98c7aa67cdf0e612

SHA512
f7ee98385259f7bbb5298b58780e023755f1ab6bcdf565df6f688325d1f8aa88211eab24270c0532184690bff03e260be0d421d28d84ad73c2f0af05672f8b0d

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
337KB

MD5
f50004aaf353e8875ea6d0c80bf6871f

SHA1
088a716114aecdb022a6bcb829af429125be40e9

SHA256
df9e9cdf9801de248a7694113f9ad7be5b9682a65e68b46482d5ecbc157f5a8f

SHA512
e40025e58400d09afe2c23a32ff7fe898bf832aa3a7ebf80226720dec78666ab9e019523557c7769309422ee94319fa2923bd2aa95c42c3fc536a759d401b833

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
337KB

MD5
64432a128d87d687b421e0268ab9fd4b

SHA1
fc3f48ff31380f092e8b4cbb8ac8a10f9a7d5d50

SHA256
8f45960882532656aaed2b389020d99de16c9756fb6c5d1d7bd37a7d92aca7a7

SHA512
6d375ec2c23e427a31dd603268bc093965c16ce48b1f9533c5d2041f5affe39b43e8ddb4aa5facf1eb1f9d08963efad004608ae7d7a103d2e78f4bc294a9ffa6

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
337KB

MD5
144de239543b4e574ee2994eb6e4cf40

SHA1
026f2ed008cf67389916ce71c87c5e512f6d10bf

SHA256
44740ef7dbbb9e9f96ec17a54b28f7bd7b3e9cfbb731b13a1fe80fd796748abf

SHA512
f0f7c0dc9f03b74e9eda7f89a0529c1cc31eafdc3c3b280ebca542df281f79b69db182131a6aae686c3beadcbc08e5621d324fc193acfee9f461c1577e329abd

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
337KB

MD5
964d1a8e399c3027f0e0df5297ff3226

SHA1
2cb03f68f79c13b98a4c8cfe3227059a0654c0da

SHA256
3e614e23992b11f5352f9f4e12a453ba1469632efb7462542e555c718defa28d

SHA512
6cb9343df69543802d2fb91fb99e040ceb34cef1c0859560d2917d13621528e9ad20d35c35237e215ebc46b7ff74697c8260cb0f2ba8a1a734b2468689000230

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
337KB

MD5
e5f1b72e81b80846e69eb8e1aeda166a

SHA1
8637366212b8e5eb9af03c3f55c39b8d6335ea9e

SHA256
2b2aa878dbb3893d8dab45a036d775b6699ad43eee6824cea15aed23226f1b04

SHA512
d0ef60eee94370d57c948f00e0aa5cf17e13c1585be4fd1e801feb4aeb2b1e4a71e9d9467316ca84225ef11687b7a556d5ef256a75393934d1bc350c5fd75f2a

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
337KB

MD5
a103c48de768040ae2ec02627fd0dc2b

SHA1
ac67b459fdd7e2d60837e9c8579e47127f5cc7fa

SHA256
0d6371fb391d14ced9cd0b6e9629ee22a2e2c9a8366a8dbc331a292be2a49f4b

SHA512
1d319fafb00c388e5e91aa55dd574d2a7ab11e977b72b509a073adb7b4b30035e85a70b130f9246c3e43304d9f93b94cc89fb9243f71d8e8287110dbaa5c882f

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
337KB

MD5
91dd5fca9386bc4afdcf66e1372a60cd

SHA1
0aa580d936337067e32fd3cbf013ee4c984e5e0b

SHA256
e55e0f7cf5fff352c88261fec89b0d37d94d6ec17860d1002872b6e817f4c1cc

SHA512
84054e75349b95f987959e38599cb600c39a472992a6b66e3b2802a1a9de31f0fef07e7d55dc1ec253c641c7873f709a9906c557f640f4a53878217f05b26cef

Download Submit
memory/368-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-888-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5740-801-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6004-790-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6048-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads