berbew | fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6

Analysis

max time kernel
95s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
Size

93KB
MD5

9841de46d5d33b0e56661338c9484840
SHA1

6f898b8a310de5692595a85419d45babc51dfabe
SHA256

fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6
SHA512

daa984c9f738dd0a527d582b54c0ecfa0b1749023988fe3647648ea8d3730d8152de9f5bc2e9c30c671ea2968c587b9fadca5e0cd1d292f2b42d59eedf128557
SSDEEP

1536:QGiaicfVbqpYc392KgTRh+1DaYfMZRWuLsV+15:wRNpc5T7+gYfc0DV+15

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1984	Menjdbgj.exe
3556	Mlhbal32.exe
2208	Ndokbi32.exe
1484	Nilcjp32.exe
2520	Nngokoej.exe
4804	Ndaggimg.exe
3284	Ncdgcf32.exe
4492	Nnjlpo32.exe
3956	Ndcdmikd.exe
1568	Neeqea32.exe
540	Nloiakho.exe
684	Ncianepl.exe
2724	Nfgmjqop.exe
1312	Npmagine.exe
3520	Nggjdc32.exe
1892	Nnqbanmo.exe
1852	Ocnjidkf.exe
1408	Olfobjbg.exe
2728	Ogkcpbam.exe
3924	Opdghh32.exe
1200	Ofqpqo32.exe
3484	Olkhmi32.exe
1456	Ogpmjb32.exe
3860	Olmeci32.exe
3692	Ocgmpccl.exe
852	Pmoahijl.exe
744	Pnonbk32.exe
808	Pclgkb32.exe
3292	Pmdkch32.exe
2868	Pcncpbmd.exe
4992	Pncgmkmj.exe
4260	Pdmpje32.exe
3720	Pgllfp32.exe
2152	Pdpmpdbd.exe
4532	Pgnilpah.exe
5020	Qnhahj32.exe
2408	Qdbiedpa.exe
4796	Qgqeappe.exe
4036	Qjoankoi.exe
1036	Qddfkd32.exe
4748	Qffbbldm.exe
2464	Ampkof32.exe
620	Adgbpc32.exe
4268	Ajckij32.exe
2380	Anogiicl.exe
432	Afjlnk32.exe
4372	Amddjegd.exe
4016	Aeklkchg.exe
2932	Ajhddjfn.exe
1336	Aabmqd32.exe
2424	Aglemn32.exe
3756	Ajkaii32.exe
2336	Aepefb32.exe
4212	Agoabn32.exe
4276	Bnhjohkb.exe
4544	Bagflcje.exe
1748	Bcebhoii.exe
2452	Bnkgeg32.exe
1752	Baicac32.exe
3624	Bjagjhnc.exe
2616	Balpgb32.exe
3036	Beglgani.exe
4648	Bjddphlq.exe
2332	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4812	3236	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1984	4472	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe	83
PID 4472 wrote to memory of 1984	4472	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe	83
PID 4472 wrote to memory of 1984	4472	fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe	83
PID 1984 wrote to memory of 3556	1984	Menjdbgj.exe	84
PID 1984 wrote to memory of 3556	1984	Menjdbgj.exe	84
PID 1984 wrote to memory of 3556	1984	Menjdbgj.exe	84
PID 3556 wrote to memory of 2208	3556	Mlhbal32.exe	85
PID 3556 wrote to memory of 2208	3556	Mlhbal32.exe	85
PID 3556 wrote to memory of 2208	3556	Mlhbal32.exe	85
PID 2208 wrote to memory of 1484	2208	Ndokbi32.exe	86
PID 2208 wrote to memory of 1484	2208	Ndokbi32.exe	86
PID 2208 wrote to memory of 1484	2208	Ndokbi32.exe	86
PID 1484 wrote to memory of 2520	1484	Nilcjp32.exe	87
PID 1484 wrote to memory of 2520	1484	Nilcjp32.exe	87
PID 1484 wrote to memory of 2520	1484	Nilcjp32.exe	87
PID 2520 wrote to memory of 4804	2520	Nngokoej.exe	88
PID 2520 wrote to memory of 4804	2520	Nngokoej.exe	88
PID 2520 wrote to memory of 4804	2520	Nngokoej.exe	88
PID 4804 wrote to memory of 3284	4804	Ndaggimg.exe	89
PID 4804 wrote to memory of 3284	4804	Ndaggimg.exe	89
PID 4804 wrote to memory of 3284	4804	Ndaggimg.exe	89
PID 3284 wrote to memory of 4492	3284	Ncdgcf32.exe	90
PID 3284 wrote to memory of 4492	3284	Ncdgcf32.exe	90
PID 3284 wrote to memory of 4492	3284	Ncdgcf32.exe	90
PID 4492 wrote to memory of 3956	4492	Nnjlpo32.exe	91
PID 4492 wrote to memory of 3956	4492	Nnjlpo32.exe	91
PID 4492 wrote to memory of 3956	4492	Nnjlpo32.exe	91
PID 3956 wrote to memory of 1568	3956	Ndcdmikd.exe	92
PID 3956 wrote to memory of 1568	3956	Ndcdmikd.exe	92
PID 3956 wrote to memory of 1568	3956	Ndcdmikd.exe	92
PID 1568 wrote to memory of 540	1568	Neeqea32.exe	93
PID 1568 wrote to memory of 540	1568	Neeqea32.exe	93
PID 1568 wrote to memory of 540	1568	Neeqea32.exe	93
PID 540 wrote to memory of 684	540	Nloiakho.exe	94
PID 540 wrote to memory of 684	540	Nloiakho.exe	94
PID 540 wrote to memory of 684	540	Nloiakho.exe	94
PID 684 wrote to memory of 2724	684	Ncianepl.exe	95
PID 684 wrote to memory of 2724	684	Ncianepl.exe	95
PID 684 wrote to memory of 2724	684	Ncianepl.exe	95
PID 2724 wrote to memory of 1312	2724	Nfgmjqop.exe	96
PID 2724 wrote to memory of 1312	2724	Nfgmjqop.exe	96
PID 2724 wrote to memory of 1312	2724	Nfgmjqop.exe	96
PID 1312 wrote to memory of 3520	1312	Npmagine.exe	97
PID 1312 wrote to memory of 3520	1312	Npmagine.exe	97
PID 1312 wrote to memory of 3520	1312	Npmagine.exe	97
PID 3520 wrote to memory of 1892	3520	Nggjdc32.exe	98
PID 3520 wrote to memory of 1892	3520	Nggjdc32.exe	98
PID 3520 wrote to memory of 1892	3520	Nggjdc32.exe	98
PID 1892 wrote to memory of 1852	1892	Nnqbanmo.exe	99
PID 1892 wrote to memory of 1852	1892	Nnqbanmo.exe	99
PID 1892 wrote to memory of 1852	1892	Nnqbanmo.exe	99
PID 1852 wrote to memory of 1408	1852	Ocnjidkf.exe	100
PID 1852 wrote to memory of 1408	1852	Ocnjidkf.exe	100
PID 1852 wrote to memory of 1408	1852	Ocnjidkf.exe	100
PID 1408 wrote to memory of 2728	1408	Olfobjbg.exe	101
PID 1408 wrote to memory of 2728	1408	Olfobjbg.exe	101
PID 1408 wrote to memory of 2728	1408	Olfobjbg.exe	101
PID 2728 wrote to memory of 3924	2728	Ogkcpbam.exe	102
PID 2728 wrote to memory of 3924	2728	Ogkcpbam.exe	102
PID 2728 wrote to memory of 3924	2728	Ogkcpbam.exe	102
PID 3924 wrote to memory of 1200	3924	Opdghh32.exe	103
PID 3924 wrote to memory of 1200	3924	Opdghh32.exe	103
PID 3924 wrote to memory of 1200	3924	Opdghh32.exe	103
PID 1200 wrote to memory of 3484	1200	Ofqpqo32.exe	104

C:\Users\Admin\AppData\Local\Temp\fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe
"C:\Users\Admin\AppData\Local\Temp\fb713f7d9b5c0a2ca0980e67876fd39943398c66c75b9f86c71490f4541b6bf6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\Mlhbal32.exe
    C:\Windows\system32\Mlhbal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Ndokbi32.exe
      C:\Windows\system32\Ndokbi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        68⤵
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4692
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        88⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        92⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        95⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 396
        99⤵
        Program crash
        
        PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3236 -ip 3236
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
ac18242f8170052e9d02729eb63aca4f

SHA1
597fd6f9a65d695dcda1df28e1e6e82957edeba3

SHA256
dd16cf220afb01c80d941ed23afc2dd8949a585270f40c21c9a80393241ebc58

SHA512
f834910ed6d72b4597c1b9feb636e9e90bea8732ca75538bfdd08bb3923c4d9c539fdcf9ff3d88cf696dbdea1ded4411eb0711fa833fe1293b430cc25be7f2e2

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
93KB

MD5
aaf756e3b73b09641bb40658984f723f

SHA1
215dfc3828c94fc059ef59a9ae20f1f523b967d6

SHA256
b64b94c08748201c43c00a787bb2eca63409b9f9a13f01e6eae493c8af558316

SHA512
3b900f57d8cac04997e2a69835f2d477c0076c689a6b5a7605bad2e03a674b0da74024ecfe436adb59d5692ab1df31893a8fc6dd6c7d30092a0a49f2459a8bc8

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
2c258da14ae674c6f63d2a9d3e399fe5

SHA1
149dd951bb43b83961d0b4269f57764f0dcfe343

SHA256
959312d6a22a5a3cf6588dbbed2c440428c51d74944fa9234e5ae2bc1d9b0bda

SHA512
85e60acb9364ad67f2acc9cd3c0b147228a2ae8211bb3d2cee275dd45fad16b29386ebcefdc5a413cc65a4bec8a448568652cb9be7573106cfc1e69bcde8d744

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
64KB

MD5
92c7e7421688e904699a00f266a2dd30

SHA1
3cdab98dd620168ef0528336c2136f472cbb3281

SHA256
2b56737802d80006c6f9d86d636ee68c3982f37ed949e2147c72a70c606d1b92

SHA512
630d1e929b510d03845bfa3d63fd675fbbbafb425876e235b31d01d9ee8e5e579cb4045375c3c31896c3a02aed2477ce83c6fa7d3769393168d60add09c9fe4d

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
3b171d3d2a3a3cb7e3608488865f6f35

SHA1
41bd3c529fbbbdeed9d84fdbea4748b7543ee68d

SHA256
7c7507897fec40a4056fc7aa091965948b5ab64d2fcdb584efdb8cec221ee6e3

SHA512
f6b0d31fbd94c1ac8015c2bc08cbd2f9958277dfd66d3afda3a7f911a5e429808aac01d015f8d27eb2d5f7db25c75aeb7e0dfeaa9f2ba4d83d4eb118b0a8b265

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
d2b3efabb0505572246a33c6259fa385

SHA1
af2bb903c3e0a6f7ebeddc88da6ffc5b3a1f702c

SHA256
80fabb999c46c57ea8a8834f890fb31f283d148a34c7946d99d2c3a813daf432

SHA512
ad53924a3076a8153888a5237e1b6c64d849d5344501500b700100ee7062e32b82905e5287eae3ae9fd40d72c7c353c41d1729139bc908eae7ec8e676214e9b6

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
93KB

MD5
14b17f6b93780f96ceedb40e6e116319

SHA1
c2f1ff43b524780cef0dca0a80f553521ccf4f25

SHA256
4a03324fe30a6da87aee42ad1057d33ce562ae17e25b466bd9e0bb00d281646e

SHA512
28fcac5419645520142a0d7665db928538a5a357a9aab54a67792cc449e04c78ae1712f07d1162b9078fdeeff05c6c330167ddaff5c8f780c769097170ef0f9a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
e004ad17b43782754c0b634889e9f631

SHA1
d23c6f2821772b1ae51256f79126b4160cd9abbb

SHA256
7d08384c73855378e21aa91a2d303fdd197b68b15aeffe20f4d63b441ed6d9f1

SHA512
74210bef71b1f5c42b8924aa31bc5a257314a128f7a86daae8d6d0913543a2f2c73f240bc52a7eb8c583de86a8c7e98ab7bbbde226cd504bcd2e86736c9d2b98

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
0780de22098399014b71e1e0484f8e73

SHA1
0a8f23e6614f747568e9da4b5785af91c0f930ac

SHA256
c4b79bc82a66fa32e67e7daaf80bcf5ba7ea0189a79e5d5beed853bf739b4871

SHA512
b87fbe74a2816ddb659b81bf239b78967086b0a41e6a71174af742521f04e21a02bc05bf63247f10bd52c8037395287ce5a42e0508efe69dc280aab78dbed184

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
863113523b60040ce8a71745a88756c3

SHA1
fe99bc10059e9aad879365ef2daab306aab8ab1f

SHA256
0871f5cbdea0192be9a514569d48fdb6de9d1c95965b9943b6389e42f6fe7474

SHA512
59db32c4198cb8183deb8a80bc28917a5e09f33d983896b8b4db1181a4182aab1cb9e86be0a35031ccf36c4d97fc88aa7f4cffa8dfe84d70967dfab20882c0e4

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
4fc06be3051562b8a840804815334dc1

SHA1
c019cb6966f19931caf2198d8d5584d9e17b955d

SHA256
389618c0ac2461382a1521d18c2bb62666ecb84845361517d5ddf1750bacb74b

SHA512
ff63f5371624d8ff644541a3222c6e2dd89431128f3d3881614f8474512f3689702eed79cc6ee97280176f7a6c657bf8ae63f09b86bb5ab4630832fd2a65f20f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
e8a73d2f072584d7877554e3eca271ca

SHA1
7508c64f4681678df7bb75ad72a3d0e7caa4f93d

SHA256
04fe0e7498370debddc35d9d4531c8e19e1554d5d9b367e88890a5c52ab0ef53

SHA512
79614965122c2d40e14c1043486448fc3d81262a4d5076d75e6b9076338434c251cca70a62e33fcf89d6968ec2f5cc509d5e13449b6aa2b17dda2e2b23dad2c8

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
fa0a977c59473c52e3a502da1a62bdaf

SHA1
e15586825e9aa4741819d03a29fdfc164deffee8

SHA256
b9ed830cafcbb3475e1b28f4898f890ffe7e7ba415db9ee895dac88a4aca957e

SHA512
f3562d34dd815c4b13cba1e0c9abb4b3c3da2dee98617e9e0f4693191c020f15af2a6cc9558b92523a538463f2e79f8dadd879439cf139a2f00dc8ec4acd452e

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
93KB

MD5
44bf14104b3cdb75d66ae2b4670cf5a9

SHA1
3a0ade5aa1155f75e0c1f3e17dba7a22f987a5f2

SHA256
e256ecb4bf4f0ce7785f3e9e4a7ebffe88fd0e39c773951dd1ab915adbba331b

SHA512
706de37260c7f3f5080fe3e5cf74b3d7a7c810df8d5e80765a2f9c112660ec303c64a8f6ae6792297595ea78c50653acd94f1feab72291f4a5daf8c7bc16d0b2

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
93KB

MD5
268b4250b5636688c271efcdabc3e529

SHA1
c2a377537cc6205395bef774fc9132c285d81f77

SHA256
0882dbc29d900237befdf0dfa69af615961b1a4f33b8478c758dc50c1152a6ba

SHA512
b2e332ccbb69595d01089f7b00fca3f2193322a3a8c68299de50c79640900b99776eaa3b3077ab4f11768fda5025eb8f9fd1980ab10bbc7dfbb34e5e4f85a342

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
01f33952b46292232f2a1001847afa42

SHA1
d3b3ec7e25674554dc29d80bde862c4d5b8f9e86

SHA256
77b593183264164c9907a7b2494b1cf9f0b20c72c1be755e44199b70489e13c3

SHA512
8fc6eec101b352d80181440625f0ab1932fb0beff39684db0f634a1e41130bdafdd4720018c529c7d87525a88daaa2cf9e604d5d29f21d0be20e338a7e36a8e5

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
93KB

MD5
5f3b5d099125a5c888f66530369fca0a

SHA1
be34d146de026fc567a042a54ae0b8959f965428

SHA256
c330726ac1f5dcd7b4dbda537ccd92c7817a5bb44bbf0c35662a9b24f9edcea6

SHA512
0fc911b90e5e98046942a182294b3e92f6ae93046ff98952bee8b91885b6fca2cdadc99c43a12f8dc6a66fe8e03cf126d6b1de03b01e6c3ec338f6f7019d8fb1

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
93KB

MD5
868e12683ef0402d0b05f526c511fa55

SHA1
f2ccb19488cd576c5cb3e43d9ec50eee664bb358

SHA256
be4acac795dc25e0fea36814eeb2c713c974b642cc9a44de8c0613d7ed637453

SHA512
58d300688d0de5dcd59abff731823005bc858edee400808565e80e6749888e9cabd57a3b9513cdd0d9a159ea4d834282ea6cb6b3086089b9e29ab02a7619b010

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
271b7445fee7dd0af90bdb688830b849

SHA1
69e5641da7ac524f8ed9a8a0e1ae180cc36b9268

SHA256
633d1b5a825fd2f08da6e2084f89bbca5475daaa8601b5a119f83fc4e348af46

SHA512
c2d6126e5b549dd20b42cd67eaa002361eae14dd86379db4c510ca0e706fb25ebd977c05e769944b44f29ee9666797ec7191187bcf099069a3d0b33421654932

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
dcffdd6fe4f6aa41a4cdaa29ce0acdd6

SHA1
5cdd0dffdc96734fe69e33328dfd167ae9189d32

SHA256
2bffc631e2ca423e0ba360096822c04f7a64ead32e4c28f518dbd10bcdc68d1d

SHA512
0718255e05a9c5f1150c40ef9013fccfffc83a9aab30cf7e0f07297916d39421c746d1e0304d55554f11feeb148fb097c75f6ea87872e79d01e90dc296e61a91

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
0ed4c7e2d4547c28ae375a5dbc8a12d4

SHA1
c8b9f499e20779fd51a8b4bc612018e65035c455

SHA256
0f0c1161ddf005038c563f176028e457974035c91fd51108199ba09c7be7f53b

SHA512
e24809ebe76207589b4df1dc7ca0f530c6821ff0a08416f63bc345fadc87593e6156cd218bcbf42873b34dd40ec4312f6242317fa21abcdca2188b88e346de27

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
0b2234f674e537dc0d9927cf67023f55

SHA1
18f4bb234506cf193fd5842c7bddde035a4c3d6f

SHA256
ea37b897ab783cf89b2603a63ba31a38fb832fa26b5cb8179bf498f116c4ad55

SHA512
0b8324f1c72b8cb08c8dccf9a4296ab0890176c097f3b57b3e427964cdd75094915c9dc154d38a903deadb1fd07cdac2935088cd738d5b5f29cb468c600cc0aa

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
93KB

MD5
5fc1423331de01d44b0b9c4debea0e5e

SHA1
7bea9495f35d370687a656208a1e5d7cb56c398f

SHA256
0a1653d9a8ecc303b89f228463bc519782ba40f6136cb2692090c8224fe33437

SHA512
b1c3624b35b4d429df45826038cfdbbb036db5c4d3548f00ca0c2bac83d4a13c7f988ea26e48ee35141cf54d09ceb91937cf40e0a110cfbdf280c36bc0060210

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
93KB

MD5
2a5930fd6b684c63bb9624de79706b99

SHA1
b11262221454eaae9ab28d099a63484e747b38c4

SHA256
6afb7066647e48f953c0acd82ca33ff2c718144d3e3e3e5ed4ffb2c345a0d7c7

SHA512
d86623c5c1333cab5e99e324c8d9e1a1409393c3a7644e92e2da443da707a36e96e0cea97987a76139935b290e672fcf8b8a32d79b8de5ae8e285344a110e0f4

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
93KB

MD5
54bace39125d2be4c3bc094c81072314

SHA1
cc84b9436d967487885269f2405d350f778a0054

SHA256
d94cf729ea81d7061b46aedabe53ea9e6f299fca5ca29b105c38d1822a6f6902

SHA512
f3a51ac7bb8ccf1049622308a40a16896bcfd2a09cd6d8242a01e46902af27ebc8b989e49ce315c975ff25aa0014260ec7a5755bdfcfbe12f4eb7c57328e332e

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
73828fc3d9a2a6a58aabcf3dfa058c8e

SHA1
5fb9e2440ccf56785c19e48b6f1c25fd0d26b355

SHA256
1e646020391d87422eb8340ca9021453b58b162a133ce2e564cb3620c94454bb

SHA512
d2a05d3437b71627d7fd7c6fd2ab5ec457bfc0213266b4cbab84e88cb572aa2eae5daf8b2377acaaddd598da403fff04f2386ab26dc2e76ba7e3a8a7d5022698

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
93KB

MD5
8db39b085ac4754e1109867bce31d93d

SHA1
5aaff3af20a90adbdb29a73abccd0b7a25b82563

SHA256
97b7c90dc25f656cb6668258a8d87b03369501592453fd95a08c3fc618540734

SHA512
4bb17f2182038628113a24c245c53193c4dd996ead844484164960e4c29b564572f531e18a1090530b31a0a3895c3556b372614570444d13c115a0dd390b1e72

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
93KB

MD5
973756b2b06b74c1656aa2dadba85f02

SHA1
156eb66a349d6bbbaf754e2596572092942e5e2e

SHA256
4bf1b86d69befee161d70813944faeb7fa2a0d710dbdb4cfe9351bce5876c01a

SHA512
817182f2c9d35a358770eb1a15368d83475e1e6e760a85b2ce05a017cf1203dea9eeaf2a8bc3c3e2e4a462cb5fa695439c4a07329821a63480daa1b5e31b2e5f

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
93KB

MD5
ba5f388a72afd3d1eb8237b689d0ddf1

SHA1
120b8d1cc72e6b6dc849de1c7c97b51f6a69f093

SHA256
84405d160a672d448531fabadf6f6ea3ac63276d933688a0b5248b29b151e87f

SHA512
3c118415a502ebbc565e83594c12e2beecfd4aa87f570d6ca83ca1a2f4bf1177a859cdd5a9a64e3d7084812b249771f6cd3c7cd7299f79ee4f3b6ecc771bdb5a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
e2625fbbba0f3f69f1422c1bc671d6c2

SHA1
39b95c33a045d15214c698079f75b22a687596ac

SHA256
617553543c2914d058737d7d84caa4e8b26837129f9a5a44463cccae8c08f1fa

SHA512
9c83709420e00123894418aee396315ca8f6dc23a86e142b9af33c8d63eced4862dd45f8f4ba0738101597b7e4c963c2fae399ad869db2232063b0081fb2eaf0

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
c2696fd6e71707d5379e159fe46fc353

SHA1
857575d090cafca8cd06dfe3805a53447e38e103

SHA256
9246c7a492d27cecde0d3401cfc6fc94e034215752f3d0af94868b9ddc536ed0

SHA512
5ecbff1be1dd4997c2b52f2612a9d30ab5235a6c1fabff683aa2a81ec58687c0954a3b447693d604bc634d60ba5f13b0deb8f501cbfefbf46296b0fc6a4f3956

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
93KB

MD5
36cdc6aa526ec0c96a799306bdc49f73

SHA1
c0d626fb21bc982ece443f57bfd6dbdbe992e6ec

SHA256
b25232368af7e15436a367071585286087cd6b147bd9be66077abdc370cfc9af

SHA512
792f0493f6be9edc5163fd69ea9359bb49ebd04aba89a6dc34ba8e2b9fdd059b73563043831f50ac286d4e0c89607c10d52b67d147e96e4b5d925b1bc6f79ba9

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
93KB

MD5
80090e2621b9f9622b9bc69c5706bc3f

SHA1
b7259d76f60a1cd398b193b0a86296e6d16b8c84

SHA256
e193807fe2ae0f9a2915d7c810d564f6db7218c63008e8fcb4f75ccca81733cd

SHA512
f57a9980c482ed0c336d88080c155e801b36384430828dd90f1f497c495906445020e7e1971654a0e169605bd0059488ef8c4d88dd56dfc72bdc6191fad5eacd

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
93KB

MD5
0bda305bfd5cda4e97a85ba20fc261d5

SHA1
c44726ac2953a79090de84a520e069086a5b8d77

SHA256
233baf3fd8ac180e71a85209d83d9964d9c2a8556d1a838fe6fa86ab88fca50b

SHA512
aba6ce1a151a0c88d79b94415fe7f76e66936595afaac89da7f4ff9e6f3b16457e9d828d983170314a1470b4046d8733fc6e6f8d4ca75a79b82f82f9733e22a4

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
cbc9223e7ca698dbaea905738a6343b2

SHA1
f5911bff874cc0e82f1a034b3822e1bc8f3215be

SHA256
9ab942449d71b65058c5745fb4969dc9aeade60849f8a43502ac034599ebc47b

SHA512
296fe8b82ee8d7bd47af3ee642174286ba0a57338d9b15c5d0d588d5d7456353764e35c012f58fa825317e514e3f6159b28e73641c2eca7e5aae0b81b9b458e4

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
93KB

MD5
a9e70bee91cf71bbb2cf26d3b6627799

SHA1
b7281f44369225f6cd731efe7ea0792a47e7d580

SHA256
4f46ff6c453642f0a455fca4241a348ffda94b69bd0552342a6753b7db3a3110

SHA512
e5e84a1300c9545f5e69303d3b72aba51bdffb7df7edca3bc0b1fca5cc7d16fe5d5ab69fabe24fb855a32d5af464ded3c16e8dc454b6869d366f6d0a84673dfa

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
93KB

MD5
caf3069711bb29b5f4597d55e15008c1

SHA1
dc61cb0339a2faa7cd883517b1be9386104b403e

SHA256
2cefcbad8272f2c614f17d9c9ea6ed16313da849f2f97744b874bdc2bb3a177d

SHA512
ab5cf4fc83ca8b2d2ac9913bffecb31343b3aca09ad57e40b86bcd24b7ba7bddfc7eea84912b115f53235fea205dce85215d2e08556925ae937d7ace488d277c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
448acebd9d265075b53ef87addea2faa

SHA1
a93c639843e41452946b4d1ea9b447dafbed6876

SHA256
99ebacb30977b261d8f5f4e72b4fa4afc4bb1c88e08118c33ab1360c5cc659c3

SHA512
22f439726ed3e337ff2c57910a98b3fe66d0350b57694a25c3d4c8eb215d6bb716929a3165e1a452bd698066d0d0928e608780307e57ff361af3d4b0c27eeb5c

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
93KB

MD5
3a4574e6f3a4853ea54c584416bb864e

SHA1
d8831a7508c03812d152e59277908dfca89da563

SHA256
7329e36ab32a966102a90dd870479476ec7ace645278f826058d8df086f741cd

SHA512
b8b04d020b0316db9dd526d71712afa2a4d3d3f1786958b7787921380ce5959c9e5d97e1f89e5aecfdd5f901cbc68371517b3b66552f161457add8ba5c1f793b

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
93KB

MD5
3eb1c9c8de80b444fee6f7544c71a836

SHA1
943e2789efe6451ae5aba8524f424f1f17ab7764

SHA256
7411656de0d4ef007df7304fe9fb0d4a2b2c0ddd0abad7374b3538a867f5338a

SHA512
fa6d5d2e12880a75a74c8a3cc53f9706e3dd8de51bca1514d278b6e2fe27710ef47618dce98778b31563e8c49ea8b00626d8cb813ea661709cca6c1fae6b87ee

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
68f684d71ff417b72f2f5e9c4477f162

SHA1
66842f1f848d6d13caf0ab0ac7c9b77214bb622c

SHA256
668142c722ee7244a0a48427a192d35c826fb645ff1953c974176993472e1ac5

SHA512
ece48a9999862a6c85f903588e9111975dcc2777e9ca4b668cb4c9de06a11f536c4fd31e0678efc303a356924a1b7d978bb0b1b28b27065b641f1ef8417ef9fc

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
93KB

MD5
a0f9e471cbc2fea29d2a91a5961e8dc1

SHA1
bc7c7fc4dd123dcdd167ee4ba64f0e5a6f8d48c9

SHA256
2104eb9bf3dafd97466abc861db992d3a29d03cff8c5658a1466db3e6200881b

SHA512
8152db7365b419aca1c561b4eededd5261341eeff92bd2f8de36e911cead664965f434807ca46e95f301e676f54541a9f04b4387779d990e1aafea4385add778

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
93KB

MD5
c37c167e4d8403f46451e8a355e2dd5c

SHA1
78edde9930ff29924e5ce32d08e4182f7d1cb725

SHA256
b5cb9fa003f87fd122883c8e1c0b080f1290ff90a7708c91d7b280fe6d37656d

SHA512
d4157a8aa3be9aaa4f3fa9e436a1ecf19c964afbb58baf4f608729aec6eadf8e6ef1d0a94c5d0160d82ba7e6d26cf501048c6287f94587d3ea88ff5d384706fe

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
93KB

MD5
ffd83b439d0d03be40fb74a1bb0d6112

SHA1
cd06d2d192ba6584b13fcc4aefcdc8793d919101

SHA256
80c0ffde586b5cc05451520e8d46029985eec329f21e2dc0adfd56d4a294607e

SHA512
fe49fa2c266c213442b88741eb497d997ee983f1248d2f888aee5a7ea3ca9a4efb89b3e45a1d3d05616481616fbef57399625404e03750849d5455b15c69e26d

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
93KB

MD5
ab1e91aa73703ba7c570a890f19d4442

SHA1
5e338daeb08b440843d944bf73970258d697bdb0

SHA256
44f8df07d36fb0fcb9038b77f34cce351bb018e85e3e9ae336fa7608fc141467

SHA512
0581af267efd21bcb82ff5d8b03426d625f8b936a6416840d48c6dddc5ab9bf255aa0fcb098520edfef4b9b51b04feccb309b349250b385cefc7987baa24704b

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
d31679ffcb5ba1547a465fcc7c1edad2

SHA1
2737069b77b14bb2fe88f95432fdf8eaec25d3dc

SHA256
e0e8c526dad4e1ae4040955472d176066f6ad8a672343373149c30b0e7d6d25d

SHA512
8d07ad3397f08499a8fb8bae4e567551eb759fffcf4c3db563c7018aba6443f98eaca914393f496b540abaf3903270b1132fa4c504c899104db940a6f9dac2e7

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
93KB

MD5
e530aeedf784456483d1bcea3a451025

SHA1
549540066540536dd938d357277c34d46361d906

SHA256
48e4fffb70adf3a8c27374b754554e226d14af6c78059e7c6e4c85ede447c2ad

SHA512
69bcf96bc23bb03e2ccfa55ab44d50d6908dd3324ed7a4df27b1eb1525f4c737241d40ac33fb9cf74d5cd50dddf30b2ab09c8e82da1f981a1ddbf5bb125df578

Download Submit
memory/432-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4472-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads