berbew | 9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe
Size

93KB
MD5

c3b17cc5373bfe0325878204185fade4
SHA1

e80c1f269e72bef26b28b1c412bb9c07adf2bca4
SHA256

9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467
SHA512

ca94384cc9da8d6ce9f7f807c1f1dc9b63b17c0e2f1963acfea2b488bff17a01477bcb3b68f61d24e8cfe70fdb9b0ae716ad564e3e253fde4ff23be1cc191983
SSDEEP

1536:ns6ZirKRFKBE5Bj2X1DaYfMZRWuLsV+1z:nsSTRQuB6XgYfc0DV+1z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2920	Mlhbal32.exe
876	Ndokbi32.exe
2020	Ncbknfed.exe
756	Nilcjp32.exe
32	Npfkgjdn.exe
4560	Ncdgcf32.exe
4812	Njnpppkn.exe
1388	Nlmllkja.exe
3812	Ndcdmikd.exe
4932	Njqmepik.exe
3940	Nloiakho.exe
1468	Ndfqbhia.exe
3956	Nfgmjqop.exe
4176	Nlaegk32.exe
4924	Nckndeni.exe
3224	Njefqo32.exe
960	Olcbmj32.exe
4884	Ocnjidkf.exe
3240	Ojgbfocc.exe
3936	Oncofm32.exe
2252	Odmgcgbi.exe
856	Oneklm32.exe
1488	Olhlhjpd.exe
1268	Ocbddc32.exe
3480	Olkhmi32.exe
3424	Ocdqjceo.exe
2824	Ojoign32.exe
1064	Ogbipa32.exe
4840	Pmoahijl.exe
5076	Pgefeajb.exe
2564	Pjcbbmif.exe
1720	Pfjcgn32.exe
636	Pcncpbmd.exe
4332	Pncgmkmj.exe
2944	Pfolbmje.exe
4880	Pqdqof32.exe
1936	Pgnilpah.exe
4752	Qmkadgpo.exe
1136	Qgqeappe.exe
2968	Qqijje32.exe
2376	Ajanck32.exe
2320	Anmjcieo.exe
2040	Adgbpc32.exe
2236	Afhohlbj.exe
2332	Ambgef32.exe
2316	Aeiofcji.exe
4232	Anadoi32.exe
2072	Aqppkd32.exe
3928	Afmhck32.exe
1792	Andqdh32.exe
1036	Aabmqd32.exe
1532	Acqimo32.exe
4352	Anfmjhmd.exe
888	Aepefb32.exe
2324	Agoabn32.exe
940	Bjmnoi32.exe
2224	Bagflcje.exe
1964	Bganhm32.exe
3724	Bnkgeg32.exe
4640	Baicac32.exe
3544	Bffkij32.exe
2776	Bjagjhnc.exe
3388	Beglgani.exe
2108	Bgehcmmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	4160	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 2920	324	9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe	82
PID 324 wrote to memory of 2920	324	9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe	82
PID 324 wrote to memory of 2920	324	9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe	82
PID 2920 wrote to memory of 876	2920	Mlhbal32.exe	83
PID 2920 wrote to memory of 876	2920	Mlhbal32.exe	83
PID 2920 wrote to memory of 876	2920	Mlhbal32.exe	83
PID 876 wrote to memory of 2020	876	Ndokbi32.exe	84
PID 876 wrote to memory of 2020	876	Ndokbi32.exe	84
PID 876 wrote to memory of 2020	876	Ndokbi32.exe	84
PID 2020 wrote to memory of 756	2020	Ncbknfed.exe	85
PID 2020 wrote to memory of 756	2020	Ncbknfed.exe	85
PID 2020 wrote to memory of 756	2020	Ncbknfed.exe	85
PID 756 wrote to memory of 32	756	Nilcjp32.exe	86
PID 756 wrote to memory of 32	756	Nilcjp32.exe	86
PID 756 wrote to memory of 32	756	Nilcjp32.exe	86
PID 32 wrote to memory of 4560	32	Npfkgjdn.exe	87
PID 32 wrote to memory of 4560	32	Npfkgjdn.exe	87
PID 32 wrote to memory of 4560	32	Npfkgjdn.exe	87
PID 4560 wrote to memory of 4812	4560	Ncdgcf32.exe	88
PID 4560 wrote to memory of 4812	4560	Ncdgcf32.exe	88
PID 4560 wrote to memory of 4812	4560	Ncdgcf32.exe	88
PID 4812 wrote to memory of 1388	4812	Njnpppkn.exe	89
PID 4812 wrote to memory of 1388	4812	Njnpppkn.exe	89
PID 4812 wrote to memory of 1388	4812	Njnpppkn.exe	89
PID 1388 wrote to memory of 3812	1388	Nlmllkja.exe	90
PID 1388 wrote to memory of 3812	1388	Nlmllkja.exe	90
PID 1388 wrote to memory of 3812	1388	Nlmllkja.exe	90
PID 3812 wrote to memory of 4932	3812	Ndcdmikd.exe	91
PID 3812 wrote to memory of 4932	3812	Ndcdmikd.exe	91
PID 3812 wrote to memory of 4932	3812	Ndcdmikd.exe	91
PID 4932 wrote to memory of 3940	4932	Njqmepik.exe	92
PID 4932 wrote to memory of 3940	4932	Njqmepik.exe	92
PID 4932 wrote to memory of 3940	4932	Njqmepik.exe	92
PID 3940 wrote to memory of 1468	3940	Nloiakho.exe	93
PID 3940 wrote to memory of 1468	3940	Nloiakho.exe	93
PID 3940 wrote to memory of 1468	3940	Nloiakho.exe	93
PID 1468 wrote to memory of 3956	1468	Ndfqbhia.exe	94
PID 1468 wrote to memory of 3956	1468	Ndfqbhia.exe	94
PID 1468 wrote to memory of 3956	1468	Ndfqbhia.exe	94
PID 3956 wrote to memory of 4176	3956	Nfgmjqop.exe	95
PID 3956 wrote to memory of 4176	3956	Nfgmjqop.exe	95
PID 3956 wrote to memory of 4176	3956	Nfgmjqop.exe	95
PID 4176 wrote to memory of 4924	4176	Nlaegk32.exe	96
PID 4176 wrote to memory of 4924	4176	Nlaegk32.exe	96
PID 4176 wrote to memory of 4924	4176	Nlaegk32.exe	96
PID 4924 wrote to memory of 3224	4924	Nckndeni.exe	97
PID 4924 wrote to memory of 3224	4924	Nckndeni.exe	97
PID 4924 wrote to memory of 3224	4924	Nckndeni.exe	97
PID 3224 wrote to memory of 960	3224	Njefqo32.exe	98
PID 3224 wrote to memory of 960	3224	Njefqo32.exe	98
PID 3224 wrote to memory of 960	3224	Njefqo32.exe	98
PID 960 wrote to memory of 4884	960	Olcbmj32.exe	99
PID 960 wrote to memory of 4884	960	Olcbmj32.exe	99
PID 960 wrote to memory of 4884	960	Olcbmj32.exe	99
PID 4884 wrote to memory of 3240	4884	Ocnjidkf.exe	100
PID 4884 wrote to memory of 3240	4884	Ocnjidkf.exe	100
PID 4884 wrote to memory of 3240	4884	Ocnjidkf.exe	100
PID 3240 wrote to memory of 3936	3240	Ojgbfocc.exe	101
PID 3240 wrote to memory of 3936	3240	Ojgbfocc.exe	101
PID 3240 wrote to memory of 3936	3240	Ojgbfocc.exe	101
PID 3936 wrote to memory of 2252	3936	Oncofm32.exe	102
PID 3936 wrote to memory of 2252	3936	Oncofm32.exe	102
PID 3936 wrote to memory of 2252	3936	Oncofm32.exe	102
PID 2252 wrote to memory of 856	2252	Odmgcgbi.exe	103

C:\Users\Admin\AppData\Local\Temp\9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe
"C:\Users\Admin\AppData\Local\Temp\9db5fbcf07728ece0b3768f0a2c63900ce2a0c1e985984bbc4b4d12bb16d8467.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Ndokbi32.exe
    C:\Windows\system32\Ndokbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\Ncbknfed.exe
      C:\Windows\system32\Ncbknfed.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        32⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        41⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:364
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        83⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        95⤵
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 404
        98⤵
        Program crash
        
        PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4160 -ip 4160
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
e5fb5c5f1dc7f10c99c1de7d8eaccf4f

SHA1
09194de0824fd20b282ac8c48d9c5b9110ca9851

SHA256
0d859b0e431f125fa5034e07b97c6aa7a2375958eaa78083fa99b6dab1eab039

SHA512
2f87368aab4b5f9821c136855a69c0cc963143e6d6208cd1d5bdbb2d2bf60f7793d0a0628d7baf7786c7cc9532ee7de06a90924e97eca9baa228afa70c0c10c6

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
93KB

MD5
dab3df4bccb2afcdf883b21324406089

SHA1
2acd4b5ba52095a4123a2592d45d2aae6fc3dc6a

SHA256
65db1a2d210a6c24015364606cd5bf96c0c27dc8065915fb5aca3979b54b0ab8

SHA512
b3c585ed700408224671f1052e1f2071affeb16cec29e5db532a5a4c6fb3e909bb3504f266a1f1b9c96ae2a582b6af0a150eefec451be09d0a13ac27ff804297

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
93KB

MD5
b7021866c4c3b1cec0fb8d0ad8469767

SHA1
410dc6674418a1474c08a12935b3a6605b8501e8

SHA256
b85c9113a9ae38dae969198665b9f238855586151153e977cc5bc9e0553ab0bf

SHA512
d91505faa8016c9ee5ab5bb2753cf5b3a31e5c1f8f4c4799dcd1cf4123697d78c44642e14ecd81e561eef19e19c6cb32e87ed13b28802c5ef53c97d68f2d5326

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
93KB

MD5
20f86c201e08af6d34ffe9ec09fd579c

SHA1
72127bcd2c3a35ecf493f5c8415b5ddabf0e563e

SHA256
ac4d713541ee7667b247f6a45918048cbe81f1a2202b7ffca3d92a8144a6b699

SHA512
51c3d443b2605aa964fc092fa4878ed86ee85d340182b8da31868dba5b85fea1f142ee28c901036b9401d59d8eae61488256a0b4dc8865f96efe4ab3b1313320

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
aa39ed8b3c564b93da96cdd9a6042525

SHA1
79740d23e5b57ccc349f7a3bdc696df1f307bf6b

SHA256
15623fde4e4a22e2a68d5f3211ccfb182e9bb2bec116dcd62d6333be23e1fa35

SHA512
7bae67fb5278880273d99b7e9032aeb4eac5aacf748bbf7448185fbff646f3837a7d3c54f1eea8ca4af077247687b7dc1a2ac7cabf9fa134d9f4e4fb8255da94

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
93KB

MD5
2ed44a38fc5b40e5208acc9cfcf5907b

SHA1
60ead51b37ddcf820a1e25a84981a8e7169fe1f0

SHA256
808654ca8e3ff20d846d1c9d538eff13b202eb0880db40ff672eb254efb4c2f1

SHA512
acef8f75f0ce066f9e1ee43c629d51f52419a89ad84f18c296f5f1f0ec9cdcbbd858871a0e45c993f77bfc0c94cad9a3176cfaa80b81c006ee2ae3203c63f132

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
93KB

MD5
a7be4e5f0a5bc2a5a589b2ba2cd531f2

SHA1
e54203b532c985870e1eed7177a8d58d357da619

SHA256
a19e182dc0c7ece1363c33336f0ed89bb8c14e4bd558469df4c7b08cca6b9680

SHA512
63fea6ef937ec5b5e45955f9e74ca952e4100fc64205998ce9e3868b98e122c279ce9cb4255e5b7a9537d10588711ad41b24149857d56d9fd011b34f353ee295

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
724075d17d0a2d498f3c61ccd5585366

SHA1
7e1c4a4ecafe3921e0016456958f1e78ef0d84d5

SHA256
529c8aa58b1529a5d80723b3dc8c4e5db186783c2a578a2ad5edcc2c84640877

SHA512
3823535ec13a6fa8ee178851333d1dfa203277f67d7d7274eaaede66ab800989434b4adfe0fbfe08ec0190a35dccde3b860715cae94b245b7da64f5f2e8778f4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
93KB

MD5
d9cd0e87cf72d628f4ed1397e300e1b8

SHA1
fd55372518591a134ee3f23d77329ea4623be07e

SHA256
86caaa5edc43ea30490b15cb81e7f3f479fc98f4fdcab908ac0dc0b341d60750

SHA512
44f35293d70f7ce84c7c8cfb562efbe7fab104671e29f3ba02b5d36f694358c59b10b69f2095480092e746264397cd06b57b0f0ae07dde443c6dbb59e4a79580

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
7008feda15ac8915c4f074faf6fd1c41

SHA1
e5ea2c238b9c96c24a455ab32d0cde0a8b8a2003

SHA256
2914d94a73c367ce3e7d94d6aae2f3bffa1b6e69238e373fbbfb191915055f49

SHA512
1cea55b1da243449058f96a7a749ec94030f6951107006d132240af110da760e7bde2df6308f99a9d51e2221031f38c89a5ecab94cb7d3bd05046fe3ab17a97e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
f7d0416f6ec2b49c16bf05fafa02e79c

SHA1
2305dae43877fe833108cb0b2c89e5781ecb1f3a

SHA256
8ba57aa2196cb94b5f38fda5fa1e6fcbadb39eda21a4287181abb316a9e57d69

SHA512
b10311ee4e9f62a9539fad2d57966cd5375f8431dd43771075b100498414d79dccbb92d334b8ffb2b54e2e507f25d9f1b6e46f45705b4e921d0f1e025453be52

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
93KB

MD5
209eaac049e9c3fc15901af639d91a2d

SHA1
11790bee54ff4855bc1241731fe006cf009414ad

SHA256
d282ad6be8e0c9438c79696ba645fe82645adec515c7aff4fa955bb2ed164836

SHA512
8e9d597d101f02e19d7dacd398873518efeaa06e68d33fbd9ca5e182aec128d813f40bf16ac1961087324e47ce59388eed1e2cb61ffff55b9e2ed44d40244368

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
3ec59e776e483b1cda3e5e5d33397139

SHA1
93b5e0eadb7ceaed79f7295ca2c0296651089ac0

SHA256
4635ecd74c7f871c7ea7b51fa78899f3fbbbd104d951f0751d6f555483d6f28d

SHA512
3edc1e97394e262f46a3e9a7f3a202e6edac55490d6a820d5f405f7854e857fd11e6c305ff7666e21ffffdaf25f16d8545e6d05b388df51aa861244ff98fa4ec

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
37578350c4041778bbb251bf6c1beafb

SHA1
3b335b8bc117046763b0aaee25490b885375b4c7

SHA256
5deba091cb1ecdb2f98712b94fa66bad4127a79c23d699e4182068c285fc9bb1

SHA512
f3ecdd02c61918e65369d18cdfd10c99ea17c5d6a415e973185abb98b75ee7e04a0308c33873b0f43f2bf9df308f71d8548cd5164fc97f00d92bdb425cb7d932

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
93KB

MD5
ff01c1f99b936181ed8f9d7626d5f913

SHA1
76bcd583e2800ce4d292e86a9e23621ae4d6cba4

SHA256
2c479ce01113f197bef2a3f16dcd62fa55ac7063db542483cef7984c12fe522f

SHA512
641780d3152482d1f6240565708ede60732d88aa3184d0c5c2022d47f10b45d50b4ffeca367b8a4566b49cf02a8c3afc4b09b534da1fb3ecb599e45263174b4e

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
93KB

MD5
99066dba32ccbe675d681c80c1b2cb7f

SHA1
01ae6dd1b5930bb86ba60830f489f326c3e36c03

SHA256
6045b829497c6c598513eb7642480d5f9f7516312c320e26d0509ad01c338218

SHA512
d0ee471434ed5ad09909040acb8ae93393adcf4f01a7d13e73aa005d9f760c6ba2caf1b388381865ee251dcd2a3cc49fe63d459bc458b803a46b34a04ada3e48

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
bf92d97af0b9b5ea95059b1f57308bd9

SHA1
5dadb40ee8189bf7b3cefc0c3fda2dde52befac2

SHA256
6cbbf5be629ca5c5c762d3e5b99b84ff8e17b9cebe863dd8299e372b50b75fba

SHA512
aa1bb35b6a26e91b18058195d4e2d39667284be88e0c83afedc8a9f813fb52cb66b95dee2d5242262e5dbdf0400cf60ee49a249bcc78b198aba83d3d23b9f8eb

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
93KB

MD5
0f9ab3b60ba6982dc573ec99bf1e4519

SHA1
a2cfb0828a448503938bc17fecd731405a7ac041

SHA256
523af0bf1ef8aeb2c00f3c842bf420a5532a57c61ce938368f6952c5a37f8caf

SHA512
17aeee4b08572680ae5f4e129df0558f4c2f6bcd86dce8d47390c4d056a2319dcce34731a6305b4c38ddecb95583e7b6789392ee0247a2fe33a15280090d2ac3

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
4c32ed00887d4cfc2c88397228ab1a82

SHA1
d6890de8e3640f27d6826701e65278a2c0209f05

SHA256
acd9ef36ef3f228d2ac272a5fd36407aa47f84e2906faed5bbde6a693bbf88de

SHA512
05b433940f0617141eba90d0ce1d809d1515a2a6683101ef83a7b14684f5bd9c26d600a9ecb185c8536f0a46728ce44659efab751f6fda0a6f83dfbde82c14ff

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
fd4da64df714f248a40d796e8805eaf4

SHA1
da0e4b5b642267c39a0306d01c935cf4fe58547c

SHA256
7e9efb99c19370f5ca24c22d9c91176898bab77cc932c027e97fe85bbbeae66f

SHA512
fc4e1e9c8f4171c503e8098efa1d2f9379ff7bab1189e8f5f26eb442ad211cf6ce175e9451bb38387be8b8c006cb2f6cf663e42a58a91297823699a55190efaa

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
3fb0f261d19e40a0d01d8f518ac66805

SHA1
7cfae492e84a09b3ae94254df0e94ae61b7fd09f

SHA256
db7f3b7f0623193468b202906eaa9f411b269a8774b10159bd94c0dbb69ef557

SHA512
8c05960ebc6d852f1e3ac28b64707dbe4acd8cd9a02f5a8f86eb54e2b013efd72d1700474cbfb34cdf2ff9fb342442d2739b9a5c9f24d67a83f4ce2f0363d39b

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
15dfa43ba55acef061ec153b726a597b

SHA1
b45b7aa2a1380672a311ec309ae3dc284e785962

SHA256
8f5615a9c354debb05599ab0e605e3326155d9a82d17a241515f04b71cf12494

SHA512
18726c16bee001eb60c8a4cc23a1a16e670d42b51682409088e473cb2918071b28f69d2e22ff7e538de4f9e03189f25378d0b13a02265a27a73c77371283ba71

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
93KB

MD5
1b4ac73b3735323d65332cdda1aa17ab

SHA1
ac32adafe612e47a08e46d60ca0d21aed0bafddd

SHA256
d9b373bc2b19fdb5f38f33e44e1cdc1b839f620607705bb79f328a1faa52787e

SHA512
c1ae3915eb954c4f112b217c03a2392386f46bf2f4fa189db8827d385672f59283c0f1bb8c87104666c4fd63fa89ac0b74fcfd17ac6cc3477760d44d751375ed

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
60bb9c2ac95cf6fdd59a300056a9b241

SHA1
5e3c2ac429c8bd4ae8706eb40add4f9673108e89

SHA256
22f005601e5a2dd18c672266c9f3226d2f9633f4a93fee81aa73f8e628f8ed14

SHA512
9c8668641a63f609b636e51d2249a92c17287773fa7a81b4d9ef86f68f9bc103d55673681091a92607f18723e3864348840c323e692d549b86c423848546f490

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
47c18d7662aa486908d5acffb0ffe62c

SHA1
07e2ba8a1935caa250fdf2dcdaa4af2e5edc5cf9

SHA256
764c2fdda2ad519d388bfe1a98630c30fa392af120c00e2c7f706f93ca71e3f1

SHA512
696002fb03cd7cdab60a8b814301ff5ecc406e1324c3fd44448c559e98d029697a8c2e3298af49dcd9928db0cf7f5397404b25ee3e2a1a4427663b10671e13bd

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
c84b35c8b37d663071af09b5b2f2e1d0

SHA1
16168699d74f3e486ceee203a2409d195fe1bd5a

SHA256
e52ae5064d5c95c9e1bb6abc3a3dc2a3b497eb1febcda93e7163d8f9db008429

SHA512
6bd1c42592481fcd4a228222d31eb31deeca1440fecf9f12a98e3dc0ced88b8f14447f58c865ddd9b1a70dbf7b557a4f18ae28b5eced4ac91f67ea11a40f5525

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
e3b85ecd4b9d76332499d84a632a29c4

SHA1
79f8b61accb2ed62b63b2cf4a52dd68fa9d45634

SHA256
828044db2458a2dbea0178dc17eb2458bfb2ba4f970b0e730fa7d69f9ffd2865

SHA512
9ebbb23b1b1732619e7b22ec21f8032bd1fea3f8c14ea00e10fb85e90161bfae7935d8c8ff171521f5978abc071300217421ca705f860e0396104465f89a009d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
e253b1d4561ddba62b2f4b3b86769e8b

SHA1
cb385fb145afdcbedd406fc0fd66abb6582c233a

SHA256
552679c69498694b5c7c344c609cba67c5af523ae00339620808302134408b09

SHA512
1d2625a98592ae7362f4a468d85de7f6565feb6f693b4432ff1104289f6ad188a9f93c1dd03d1c0a404628258fc3675e3c84bff5ab3ea92f37a78d15fbc0d408

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
93KB

MD5
59be6d41480dcc70903840f1c99e6295

SHA1
23b19ecc81eb462459a64c7f88c75883df0f2727

SHA256
74a23f47d9d44a420cc3fe335a27c2b266e5762ce78bd1c82b4395374d9b15d1

SHA512
f9d87ad1f13f557be8a99e0fcee455fdc642384447dfceb3d4d1716785ddd1ac9949fa995c2535fc6fa81a65a37cc6b246b6b0403838ee008eb860f1669696bd

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
93KB

MD5
2e28b7758d839b2e1d5a15b5849ef1ae

SHA1
8de8c6cefeb73947bb73a34a486ee50f638d3974

SHA256
52dbb69f447fe52841f10a2dd1039d700b49abf784ad76418c18825ce6a2d6b0

SHA512
4e5a6f0248810129304d03c7d9d342016be8338288acea577d059cec4a8c912f7b9d309cf69058b7cea241d7c92deda7a3f23bc89360ebfa59fdd57578718667

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
93KB

MD5
49db058787422b8699cc94125f8e47d9

SHA1
df38a0349c4872540be436131590730ff1e8b2bd

SHA256
b1f36008b135714d248a2b0f3850868088a57415c4b6b69af05002d3c5968091

SHA512
85379dcae5e286bcf08509912bab46ffb6f40f2a375201a8030c4badec74fb42d8e17ebcee0833f21d8554c91866f954ac2c562f29915259d46219a39518f40f

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
93KB

MD5
7b41554cfe429dbef18c5fab119bd21e

SHA1
6c950cbca8c940922e19a777d60f155f4fa54bcf

SHA256
3dc48ae0728164cbd2183d5ea09b5f9248fd70f0c0dceab918cccb7e0ce9f5f3

SHA512
769130ac83a713815a6cf2001c48fca5e6e3f5e15f6e5933143b97361773452add312a185adf235dfd718440bd547fc204b957f6f9aeeda46329a312f90f9834

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
94845fb06e202be641eed7a4ab76b5ad

SHA1
9b5934fee713caf37fc2619b6539b8e6a0127b2b

SHA256
e3f4ca8c4c8d9abae17946ffde5792ed91a04833bbe2be7a2cca0c85f49d9b1e

SHA512
dcd980095616e896019de83069050e7dafa80abf6fe2679bc5ac88f23160506a39e1437d00075626c269cf3c967eaf1645392e02fc817a6c4bec52d490822d44

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
93KB

MD5
8e8eb8958a8e0e6d24a7b7613b773606

SHA1
3e97fe5a8d71b0c34c1ee8f7079d1229c026243e

SHA256
d602c54bd44f35729a8f39356774158d13f010838a3a5ff4f9ff438ff3ea28e1

SHA512
b1ffb5bf989d5ab73caf63fe94570aade4848762d8d390748d98198eb92982fca1bd26588de69b9e66f00b5e317102f152bccfca78e2508c4e042539e9522ee1

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
93KB

MD5
cddd2545bb8fef0c633b3e2155199ada

SHA1
6b862de96013b51aa4dfa72800fab634b4e10c7b

SHA256
1d62a554b9ee5adfb22a527d7e3f86599214134c5462faecde519071873e2f0e

SHA512
e86e705cf377582efd59dbbfc2b933f4c581c85179584e0b758ebf5bc313fd20d4c5dbcf99c2add473b385421906a31879c15626215cb1c8e9bb1131937f399b

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
ac20a69cbf547591fb29c476f4f50c6f

SHA1
414f76913ec04f827bc2f571049ee258cbc967c6

SHA256
22a84be5b8e1ed076607b540c89a79c022318f458f387e1325b8dcfe7fdb1169

SHA512
fd5e65eb8e6408d72391b5e164e43457a309418d47c81590ca064e37c82d1e2154ccbb5cac28698fdaee8bc4625c3a076535e2e7b145d2a59810d66057142c77

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
29ac2f8502a6cd1368a03228b5cac1a6

SHA1
3538f6a915170ca22660be2798100a56d7fa381c

SHA256
e2407593ff43590b32d1dc8da2ad1b99dab4644d8bc25af10851dd7d12ed1fd3

SHA512
efd55a303b96ec5c11635fc8ba4a47e9323e39918a56164c499607b871e790fa76ad9100b6268c61a9f80d8aa578a8a3a1278940c1fe09a2a5a99b5f1405a9ba

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
93KB

MD5
eb4dd1118016eed309b54a13f9e7e93b

SHA1
4ecb210cfca13b63fe7cd527bfbb79bf34b96035

SHA256
5cfd6729f8800b2ec23ea26f3a6d819fc1670dce184f2e6a2fae72166a426159

SHA512
ec0c120f509f4e6a55657ec6908c2cbd0de266473ebc26c5fd1277e9df7c7dd951fd2630606042d2aab45b6c775f55750e8986ac0aeeff15da7ea1b48769aec6

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
93KB

MD5
47ae0b5c03801b664f851a67ab9a00bd

SHA1
2e061581c3a01e4673bd3ce3cd70c17cd7fbee17

SHA256
2fc3dcdd1674c31438d7c366a61697c5cf279554ea8c6223f74df6bfa06cd37d

SHA512
726d5734c72b3cd7cd04825901fe3d2b718d4b1cbf33d77f83a2be5513bc57fcb67f892a3d2c87ecc400ebf94998e1fb0dfb3bd5e7d5d42893587d6f850c05ea

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
93KB

MD5
6e108bd41c1d531b29b1daec510b759f

SHA1
b61b3af5f0280499f2475b75c80b014e2d71c543

SHA256
6437fe0c1edfe9ec67b7c93d5aff358c94a8cd35b60002693c5bb1a2265df9ca

SHA512
fa897e10b78062812e2f31def071ea3a4a7d829b0fa35cb9bb46c68042b8d9767b2d88e716cd0c46565e54d50533f920d4c611cc32a1ea5bba28df97583b3547

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
93KB

MD5
f345cb2cb79944381c9ab4fd964abcf4

SHA1
f41e471a226fa3df288ae76c8c816870c925c7ce

SHA256
e9a3660f3460584e948319055922a85faaec79b00ec2ad8133e2730ec7530909

SHA512
4928bcacc466dfe8343a4996f4933dcd850cfa901243e0d42771e7c18d5e934f0307994464b592938cfecbbdf430bbfbe50c58e16975c36f70deca7e014517f2

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
93KB

MD5
bc7c0066c870758807f9a4ddb04d1963

SHA1
4a433ec6a23a96c655c29b28e40a79180ce03413

SHA256
b63f3b575df20411deb85c13c9ddd6bc32563e2666b82e8a8d0dadb6eaacb8f9

SHA512
a168c991c9cfe682c34bcbcd767d46b1fc3b898de714a05139381abfa08c8975e9f85d79cbc117e75e02cc5224af95c5f46a3637bbbc2e56fd3046eed9c013fc

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
93KB

MD5
2d82cbf4026c8783f9959a32309c7d53

SHA1
38a0dbd9b41b0a26082d7269039d9c9c0a2f56b2

SHA256
38f381373ee820725a1035ba19cdf6d17a07f357d76d0e474bb31df2a49c2a64

SHA512
0f9ec23c32b21725fab684edf405c25914684e69d63d72ab46f0fabd8940ffe731eecbad6b673dfd3720d27b2475633c5d67ddf577a008885478318e4ba98077

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
9707d3cd9d47dba45badf299d9cf2a2a

SHA1
955c49ee8dbdf0d1fb5340f5b4f5cd27c4dd8f22

SHA256
546df5612f3b55e6173c0e0d92757ef1e1084f2cad511f5f6ea54840f3324699

SHA512
78a9e4d50cc6bb0cc2fb8860477288b5980c28f65a61b4dd59b7c64e259dd04738aa40d3c5e74231e0343e4c0feb7efdea65d7dbe18f499d4fd40476ae92a496

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
93KB

MD5
497c7d5f7b88f2cb64b6fa799ee74150

SHA1
5b5f95a901e7e7415a571233490285dd0d46e027

SHA256
1804fb411f52d0bb7499aa6c01cd4f248b2d61f12c06dfceca69aadc72848fa8

SHA512
a25fc363d8c633dc2775717cb93afd669dbc2649cb61a55f5900857843dede4e548804981b5a4070d17976281d781d8196db283fec29708f6f9f39a81ffc9c35

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
93KB

MD5
361a67887cc3a0ef0d51495dde7397e4

SHA1
5c8eca27b3d75f6c4e7232f68c6ee2cfad1cec9c

SHA256
7ff5d8438f090da32e6fab8060a4e55d61c8c05ce8256475d0676ca5e79f1bc3

SHA512
f46b98b6084f65e4c3718a0d8e797e7189ed61e8708d3421b68a46663fa199fd07b1d84859d8d2bd6a441d5eba7201e74b5e3ed8d91a2eb40b2fdb069f88b2e8

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
93KB

MD5
71b48fc5a518cc9149131adb726aa2e8

SHA1
32801b931e7ed4ccca26a21c685ec430c5f1e68c

SHA256
c03c0a10b3f3252360b4c7042cd44e137405df19c92c57d824e47bab93d4e8b9

SHA512
a100abdc38f770fba1f657373e1c1371f4f509a2ceafa0b1a7bbb69f4f356d2a8e2d435cf34f80281ae9b6a055e2c2e9b1c8b205a8b5bdf40802492e67ec34a1

Download Submit
memory/32-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/324-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/364-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-760-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads