berbew | 0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21b

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
Size

81KB
MD5

f68a6cdf72736437b81078c0985b7fe0
SHA1

bbbb104eae7b2f03b098e2aca3349d7eef2655bf
SHA256

0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21b
SHA512

2d217ab88e03a881bbe580b5067db2c53eb6c628a7147cb8aacaad457fb8b494f2e54fe0c6fe00252a9f38ced904407e12cca3e3753c90c4bbe26b10bcce052f
SSDEEP

1536:BvEe08RcF639uEpCJc+TfrqLN6bSMU0TsSMaM7m4LO++/+1m6KadhYxU33HX0o:+eZZ9FSqLgGssSMP/LrCimBaH8UH30o

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1940	Npfkgjdn.exe
3584	Ndaggimg.exe
4596	Ngpccdlj.exe
2552	Nlmllkja.exe
1648	Neeqea32.exe
3652	Nnlhfn32.exe
3728	Ncianepl.exe
852	Njciko32.exe
3712	Ndhmhh32.exe
2744	Nfjjppmm.exe
5024	Nnqbanmo.exe
788	Ocnjidkf.exe
1744	Ojgbfocc.exe
1564	Odmgcgbi.exe
5060	Ogkcpbam.exe
4104	Opdghh32.exe
4152	Ofqpqo32.exe
4964	Olkhmi32.exe
4808	Ogpmjb32.exe
3388	Onjegled.exe
4856	Oddmdf32.exe
1184	Ofeilobp.exe
2268	Pnlaml32.exe
1656	Pqknig32.exe
2260	Pgefeajb.exe
3964	Pjcbbmif.exe
1384	Pdifoehl.exe
1588	Pdkcde32.exe
4524	Pgioqq32.exe
2020	Pjhlml32.exe
1236	Pmfhig32.exe
2820	Pdmpje32.exe
3972	Pfolbmje.exe
1084	Pfaigm32.exe
2620	Qqfmde32.exe
2952	Qnjnnj32.exe
4608	Aqkgpedc.exe
376	Ajckij32.exe
2380	Agglboim.exe
2272	Ajhddjfn.exe
628	Acqimo32.exe
4868	Ajkaii32.exe
2340	Bjmnoi32.exe
2412	Bnkgeg32.exe
1388	Bnmcjg32.exe
4584	Bgehcmmm.exe
1304	Bhhdil32.exe
2384	Bnbmefbg.exe
4560	Belebq32.exe
2280	Cfmajipb.exe
4428	Cabfga32.exe
1444	Cagobalc.exe
1140	Cffdpghg.exe
1204	Calhnpgn.exe
3524	Ddjejl32.exe
3116	Dmcibama.exe
4824	Dhhnpjmh.exe
3904	Djgjlelk.exe
1196	Daqbip32.exe
2344	Daconoae.exe
2012	Ddakjkqi.exe
2612	Dmjocp32.exe
3956	Deagdn32.exe
3724	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4676	3724	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1940	1884	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe	82
PID 1884 wrote to memory of 1940	1884	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe	82
PID 1884 wrote to memory of 1940	1884	0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe	82
PID 1940 wrote to memory of 3584	1940	Npfkgjdn.exe	83
PID 1940 wrote to memory of 3584	1940	Npfkgjdn.exe	83
PID 1940 wrote to memory of 3584	1940	Npfkgjdn.exe	83
PID 3584 wrote to memory of 4596	3584	Ndaggimg.exe	84
PID 3584 wrote to memory of 4596	3584	Ndaggimg.exe	84
PID 3584 wrote to memory of 4596	3584	Ndaggimg.exe	84
PID 4596 wrote to memory of 2552	4596	Ngpccdlj.exe	85
PID 4596 wrote to memory of 2552	4596	Ngpccdlj.exe	85
PID 4596 wrote to memory of 2552	4596	Ngpccdlj.exe	85
PID 2552 wrote to memory of 1648	2552	Nlmllkja.exe	86
PID 2552 wrote to memory of 1648	2552	Nlmllkja.exe	86
PID 2552 wrote to memory of 1648	2552	Nlmllkja.exe	86
PID 1648 wrote to memory of 3652	1648	Neeqea32.exe	87
PID 1648 wrote to memory of 3652	1648	Neeqea32.exe	87
PID 1648 wrote to memory of 3652	1648	Neeqea32.exe	87
PID 3652 wrote to memory of 3728	3652	Nnlhfn32.exe	88
PID 3652 wrote to memory of 3728	3652	Nnlhfn32.exe	88
PID 3652 wrote to memory of 3728	3652	Nnlhfn32.exe	88
PID 3728 wrote to memory of 852	3728	Ncianepl.exe	89
PID 3728 wrote to memory of 852	3728	Ncianepl.exe	89
PID 3728 wrote to memory of 852	3728	Ncianepl.exe	89
PID 852 wrote to memory of 3712	852	Njciko32.exe	90
PID 852 wrote to memory of 3712	852	Njciko32.exe	90
PID 852 wrote to memory of 3712	852	Njciko32.exe	90
PID 3712 wrote to memory of 2744	3712	Ndhmhh32.exe	91
PID 3712 wrote to memory of 2744	3712	Ndhmhh32.exe	91
PID 3712 wrote to memory of 2744	3712	Ndhmhh32.exe	91
PID 2744 wrote to memory of 5024	2744	Nfjjppmm.exe	92
PID 2744 wrote to memory of 5024	2744	Nfjjppmm.exe	92
PID 2744 wrote to memory of 5024	2744	Nfjjppmm.exe	92
PID 5024 wrote to memory of 788	5024	Nnqbanmo.exe	93
PID 5024 wrote to memory of 788	5024	Nnqbanmo.exe	93
PID 5024 wrote to memory of 788	5024	Nnqbanmo.exe	93
PID 788 wrote to memory of 1744	788	Ocnjidkf.exe	94
PID 788 wrote to memory of 1744	788	Ocnjidkf.exe	94
PID 788 wrote to memory of 1744	788	Ocnjidkf.exe	94
PID 1744 wrote to memory of 1564	1744	Ojgbfocc.exe	95
PID 1744 wrote to memory of 1564	1744	Ojgbfocc.exe	95
PID 1744 wrote to memory of 1564	1744	Ojgbfocc.exe	95
PID 1564 wrote to memory of 5060	1564	Odmgcgbi.exe	96
PID 1564 wrote to memory of 5060	1564	Odmgcgbi.exe	96
PID 1564 wrote to memory of 5060	1564	Odmgcgbi.exe	96
PID 5060 wrote to memory of 4104	5060	Ogkcpbam.exe	97
PID 5060 wrote to memory of 4104	5060	Ogkcpbam.exe	97
PID 5060 wrote to memory of 4104	5060	Ogkcpbam.exe	97
PID 4104 wrote to memory of 4152	4104	Opdghh32.exe	98
PID 4104 wrote to memory of 4152	4104	Opdghh32.exe	98
PID 4104 wrote to memory of 4152	4104	Opdghh32.exe	98
PID 4152 wrote to memory of 4964	4152	Ofqpqo32.exe	99
PID 4152 wrote to memory of 4964	4152	Ofqpqo32.exe	99
PID 4152 wrote to memory of 4964	4152	Ofqpqo32.exe	99
PID 4964 wrote to memory of 4808	4964	Olkhmi32.exe	100
PID 4964 wrote to memory of 4808	4964	Olkhmi32.exe	100
PID 4964 wrote to memory of 4808	4964	Olkhmi32.exe	100
PID 4808 wrote to memory of 3388	4808	Ogpmjb32.exe	101
PID 4808 wrote to memory of 3388	4808	Ogpmjb32.exe	101
PID 4808 wrote to memory of 3388	4808	Ogpmjb32.exe	101
PID 3388 wrote to memory of 4856	3388	Onjegled.exe	102
PID 3388 wrote to memory of 4856	3388	Onjegled.exe	102
PID 3388 wrote to memory of 4856	3388	Onjegled.exe	102
PID 4856 wrote to memory of 1184	4856	Oddmdf32.exe	103

C:\Users\Admin\AppData\Local\Temp\0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe
"C:\Users\Admin\AppData\Local\Temp\0d21a9ad70228872766e53e4b908acb83298140707eced38b8bcfb023803d21bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\Npfkgjdn.exe
  C:\Windows\system32\Npfkgjdn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\Ndaggimg.exe
    C:\Windows\system32\Ndaggimg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\Ngpccdlj.exe
      C:\Windows\system32\Ngpccdlj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 216
        66⤵
        Program crash
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3724 -ip 3724
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
81KB

MD5
f02c5495928195bd9489723bd94dba85

SHA1
8458e2bd63b2f2e9233534782231f90898665bcb

SHA256
c86d5be1e7252421cfedff7000e5c32f9af10a6d94473cc75cf273ef9d450e72

SHA512
2fb4952dac78311946b6d07aba67ad0206ac16d6961e3a42d2d867d3c836fadcedb6136068d92ee3c5b44976c7a35f883ebebfbb9eeaa41d103ef52cf625548f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
81KB

MD5
15013cb5f45bd19fda8f9b52f67e7925

SHA1
c24910ab5910cc43acfa842dba0c5182e316abe6

SHA256
6cc81fe65ccc37da60153e87b73c3c69e518988bfa6f2ac23b71a360543552aa

SHA512
62ca901e9a9be15b3f899865a8cf88c8cc48679a6b074d86d1ea54da362232155cbcc16a39b5d4bc34ff3704a53edcba370147bed401a151a961c890f28349dd

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
81KB

MD5
c962495169076a67ed5d2e30d65f9a84

SHA1
b2b577556659e7b76e2e3bae47aa0208f213557c

SHA256
4508571e0273428e514865b28de4761aefb9fe5aa6a6b333106957d04a449dc0

SHA512
de684eca76ab78d2cecaaa023ee8724cef37733171aef1eedbb10e3dfcf86372e5a71e8587337a9e4bdd9d1de740e306890c36356c15985dd216d5d0d568ea3f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
81KB

MD5
dee83499f5a3e17fb15cdc83e56aa80e

SHA1
97b91b76e70ea557e0ea0f90c210ffcb0e175e06

SHA256
baacb56da3af527570c33c6691c211cde479da6cea0ef48cd31c479d8f57a1d7

SHA512
0a36f6ef36eca76dfea61a6adadc61860aa11497f0a9f6db552bf5c894aed269b1fa0e2a0cfd7a37d00caf70f7695bdc275f4f6d6a5b608027c4dc541031896c

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
81KB

MD5
987ad262e4c5c0114459b3047a9abe20

SHA1
9a120dbb0afca650a39e7832d114fa1572132bd3

SHA256
c2fe2669e7e4f80e9ff3b9dd7f61229f2e7b744d1c539a99d83803d1d248282e

SHA512
e7e28fde2d2ad34dde19233aa0b175c3598d9986278ecb83cca208f89897b97d24e95da1b583dbd43fcbd4c89a6a4501dd247aef01b47556b36d98e00d7108ec

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
81KB

MD5
170bbd37c9c014cb05260516b8af01d3

SHA1
4d98627dfa431c17e5aa4fc1b450498f7799ba36

SHA256
c8ee533d7eee5675301f6ea76c74455fb2b6a340c2a390ec6c89e002528b5a85

SHA512
2cc8cafebcfbb7cc775968727846832fff7b389582e15dded2fc0c8ca7aa154e473e3097587d809077c531d4f711e5fbb7a6cc7a8ffaa03437334d3a6d8bbf39

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
81KB

MD5
4b348dd48df7cd2d62a41ec9c7b1e04e

SHA1
80d25b1206cfad6a16ba90d0541a160aa30be6dd

SHA256
0a34596dcf60c3977ae532f1cf56ed574ab3e59a15ef16ea88dd770ad5dc6ff4

SHA512
a9a85add57a362d02c8e5a3c4ba1d24e6d492f2c95c7773f4544758086052de81640d1c77ccb9cafa46e9e2154a9a6deaf839bb9c30e8abe91d4db3c58995df1

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
81KB

MD5
9c150c60891db841c75a6d2cf9b3660f

SHA1
b66e0151107ab9dbca258696904078b17b9238de

SHA256
40da61d1387111e39f80c148cabd81dad3979be984e8aa46f31448a780764118

SHA512
a90b5c7ada8b3dce695bce15f4a49ac300445096a2ce476bedea1c22ef6a38d3abcfa8e9d725aefa55b5d778a1147c8ffd825a6f24fac0325101d021ddbedf91

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
81KB

MD5
d538061110907259f7d70fd569bad510

SHA1
69c52e0741fc7bf6225dacfebc818420d9abaf7b

SHA256
6f339384e65e0aa5d875d86497f4da1aca375a5500ac6cb86603f4443b5723eb

SHA512
2b1faad4d97df0e3d969c2abe0fa7b63cb1d896de302dc11009c2bd0c84df10c55b0d57ce9e09856988479f116daa4ce22a911b962e0f18b84efa11d14a513c5

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
81KB

MD5
db69af37826e01f96b8afd5ff913f09c

SHA1
2310f2232acaf1c749b56c0aa6143c4099241baa

SHA256
7dc70a3332763e689b2c73249dc675995d2f44d3074861cc8f5f57663cf6cde2

SHA512
c98a74f160a9572212ebc0b2c67da8a6011f6bd50bfb03b2c570d7e9cfe12e4e0149bf2d55e22764c14138f17f9762ddd20322e4bc568a91d747545740aa8800

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
81KB

MD5
ca8c1d5bf6aa897449cf4d17ea839c18

SHA1
8d0869ff1194fc1cc4c16e6326307ec6696d1bcc

SHA256
e5b00afd4c5f525522e3f374b7c2f863c979c390c573e294b7344e601aafdceb

SHA512
3176e9f5a194983778a8f50405ebc9e97d9acd23fdf08992fc1cedb2a18f6e5de6200fa6982fa7b40f63f1f0022bb35dfc8a718920b3051226d3a99ad2f8ca73

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
81KB

MD5
d0130e7bbe6f3af26ce966d66b4155fc

SHA1
abcb80881e3ccb51245f188e556bb1058555a033

SHA256
c259f200518a1f2ccc7513e1523eadd49f8deb3c31868f21746dd4634c0ded10

SHA512
af07838814e55f46c52ee579183620e8cf26f639f7ded2766eded9de3b91bfe1f30936ae6073a00a45463fb0c7ce91964fbe7d5497cfea31352ed51f43d57818

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
81KB

MD5
788da292bfa58cce86cffcfaf9efe119

SHA1
379a3ed30cd7e019d4b4b827d161a636d85a226a

SHA256
1c41ec6ffbce8297e402a8c6f483853d9621058ee4b38cebe24934be9a37777b

SHA512
289ea2d2a15151ae803197f9a3b6d85f7d1baa095e546d3a73ddd7e5820e53bae12a0399e852b4a728276560f73091d570e0fca51025afb2f084350bcfd0131f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
81KB

MD5
d334673b942bc35d079dc2bb019b5de7

SHA1
4260a8632db327666c2c1493866e5c8006978f0e

SHA256
5614155f3f47354999a7cb971fc9660e285100af20c8dab09d421c931776fe12

SHA512
9ad0d3d8688dd7a16ccf21f395f4eb977b56602009358150d13b3f088954b5e02b65b8d74e4151a33d998d85de68eb13e58f1d2a40d689c94c212d3e209a9e55

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
81KB

MD5
0cb3d0b9a46600898915f3866a14dc2f

SHA1
d8b1e78c98a6ad36c44ce5ddd21347e2f646b29a

SHA256
71810208bf125a5e59607d50ad1ac1ad76e42f4256d35d302f2606c71893efe9

SHA512
dc406083797477cb0979c0527b9a9792ae586c607a3a12f6614439e454dd3e6051b6037969280d8dc64a8ee14f2198025fc543ccbaef3f288d41058a998268e7

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
81KB

MD5
7661023e38ccf101f5b93c60282d0047

SHA1
5affd1e25df7cfe818df8eb2a0d8a0c64c5117bb

SHA256
d3a637e8756e41c83506bbfb596a60d1486e905fd4f5721c40b8d0dea34394f3

SHA512
a9d577149c36d612ad4caf2cb4132e93ebb80f4571af8548aa7e2fd9f1d98592879c681f614e5a1644ccbdcd7a44747edb76486246f9ca7a642819585bc45708

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
81KB

MD5
f681de5f1bb95eca9122f106c3130110

SHA1
c51bf18aefb914cdbaa32231f5e4d2acf78ecc06

SHA256
e50f9c45a9495a390fe59a5abeb83dfb90a8e3cca395b4786ff3c17ca3e48a16

SHA512
e1b868bd2ed29271e0b3ee3e3f6348a8f78ae75e38f7ee84435f6f47047ef638bce08f0409d7a59e03694e092ef011f5ea42fe6996c716f079da808fc3027b62

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
81KB

MD5
e2ff28f69652eddb06685f7e3f5a1399

SHA1
5ebe6ab4ba25a66b710a222b3c84035caf9028d4

SHA256
e450d716be74dae9fa305339e0702071e887efceeee9216da030601173a239df

SHA512
5f211c73de6cba34fb44606cfd090d86276ad29da6f8def47e44cd4711e976624ac16c178dc5e43e0de98961e7863359ccd5013505bb271fcc2a2f9bd92bc7ea

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
81KB

MD5
4128fe9e2bb060c1f57318e7e2225b5d

SHA1
e1b21744bd2c200f51e3c631c22dc1bb2b8cfdeb

SHA256
3bf9a8f0cec4bf587c1028f44e46ab845f2210f2e79f98a552e3354a79212dbb

SHA512
b3eba79097156806d6b4b065dbc8e784664152c99d11d7223669f65c10cb373b812cd349172aa2aec2a50f8a7f84f43e92c07a9e7ba87d85a22d455d5d706bec

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
81KB

MD5
844ea318726a90080fedcdd0c6878da2

SHA1
6a00429d0e067de3e68cfc1f597a75c7eb682b7d

SHA256
4c2a2091a18fe0b6af91809c58577919adc0743aae6e5cb0318e728ae2fed465

SHA512
0d40b499c04c41ad26ba404ed33300342fa82473dae37f89d4bce72806a4a355914b238797aec0b2441cfd3389b6ddcc1dff457f6decc5722d4274db3d353794

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
81KB

MD5
dcaabdcf74d31cbb4a2f6fb24aca0b44

SHA1
d3ddae51b66c293f1d1fe7363642184e4fa70117

SHA256
cde0804e7ab87352fc09270d3ebab95fc2cdfd8e88e8d59f553fe7959fb002a5

SHA512
72ce4df29080b840d7765dfabd64788f33d819f1f8dd44ffaed1ae1fd3d72c0b60f3c1acfe21412d56a81d85b15c5eb73a5c005cd91df51fadd1bf0aa7c3a63c

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
81KB

MD5
3c512daab0813d226429f3dbb92043b3

SHA1
a7bf3f2daa828483b6313f085388cb5c03fa6837

SHA256
9328578c709c39111557a9e811a8ae00d21addd71017502a36601fec57f97d5d

SHA512
f935b07560d822e6f187f2480c4ac23a79e42330e4e64624dcaf3981935db01b121f0e87dd2fcc574bd486376196c760dcda4f9becdd10d772fae938afe97ed8

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
81KB

MD5
c3103b1a8fbd91c9271bd36472fd14c1

SHA1
0fcf9c2d5135a66390e92215b516004f77d843d9

SHA256
67174a7b322a595d3dc6189d04a6e1a0561b5a142811728920bf8f624618434b

SHA512
77f8e9c78947a7114b6025263ea4475987761aaf5cb429b450bc3ca0e2c8abc78b56afde27000763bc6a8eaa074b1f5658c1e544ed700e6c7a165d85caed03bb

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
81KB

MD5
343ab62c37277f3a9483379346e48c98

SHA1
12338d748158d2811300c4b2b3ea6922b470d3e6

SHA256
e635f8c8ffdfa6876a31f3d982581e76cec301930001ba755d38b393b578f04d

SHA512
72d2b801e21169b074207904aaf111c9768fecffbd7797065897579873f90989658c1f255a9e30bbaf2bfb69914f8b28b3f08cb6be6bf0d46761d055329cac11

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
81KB

MD5
5f6ddab1e33b3557fd9b060000c92b58

SHA1
2dd3836a566cecbe221d1c7e5c41ce8eb8f30a34

SHA256
05c7bfd691400b01c2aac1498bd5695592ff5e7b405d951dbbea7c6b07b08ac1

SHA512
b4cb23ebdd95787b63f112afd69b67431c0db69c4f8f8b297f04366edb92fd5e7cfbebc94bd70b8f9ecce9a958233f35ed2f9b113da6c167867ec527fdbfdd0c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
81KB

MD5
856319d49b8b02345f9aa623c0a4ec81

SHA1
8bef8c4d1c860682c9f38ccbddd7d5713c55e599

SHA256
23bc5824dc19fead0eb901b8d7086f506410cdc028d9f78442bb9f45d15a9c37

SHA512
6eede92f71ac0454f68b865752b06fc9a4de4ed04546ae8efa167aacfab23afca52e64084e978a40d3295633a3b48c3d2e89fef8dcaf2ba016b5ecad4a06828e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
81KB

MD5
13ce304d54d318ba55ec2422b89d0fb2

SHA1
3013011c4310818e3c6598ef32bdb3e01b73f96c

SHA256
853167bbf97c1a07e6565dec647cec9de7c806d0ae838f7d671347eabd3b038a

SHA512
d387407a5be4efe7b4b5791e8b804bd8c1825d53d7838f98265d5afcc795a36b7360d5ddf9b511aad1dfe1f4ea36e4322314888d12f1e427a473e1b9b699ab54

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
81KB

MD5
7e90d290eb7e20454ee02bc32a244f81

SHA1
3db84a7ced00ed27cf5421ebfcf85bb08f4e4abc

SHA256
e61ff05d7ac74e1011df310f7b77e82dec4647d08051e0c036a3c2bafc43fea1

SHA512
51b01ae06250a7dfbdb91d5f537dd0984d94d191374bac40d98e8e7035a98bd5c95bb46de29cd817f0c52f0ee62a93c319523c113400714571108e768f1c4f56

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
81KB

MD5
d4300aa210d147221ed26fe8ff3cafa7

SHA1
8de24a7df9d6c3188a3c5b3bf618ed7494c93ee6

SHA256
e4cd30ad684e7a8ef3c30e160d7399d6eade361e7e057244142b88ab3bb70a09

SHA512
e5bbb8826425d724a0812ca6e66f31238156eb46c647298b74141cce49a1269849ac29ef1b35b18830c2da186a017237bba40e19fabf82ff9ff232c1446fa380

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
81KB

MD5
bd89e809a386a8e42f4bc8d7322bd60e

SHA1
2babde57f0810352830085c4293f75a926badbac

SHA256
d420b9e065327893a85dde01ce5b0d3b2574826def8742b3eaf6cb450d28d21e

SHA512
27e63b3ff25fc338e647f9dda721c7e39543782d5df07103e4d34376c0c38de63aedd098b07d822f86b642dac706aed907dfdae2e0c7b35af718ff8ff140ac60

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
81KB

MD5
570d321bc7c1e14bbb2f3dfbda706014

SHA1
737db8c0ccd880d3c3225f9e66475bcbdb200546

SHA256
bfb36d47677feefa48db350157b8a33139e7d9e3087feff9759ef2404718a308

SHA512
342f810004931a143a80a0743196e85265912c73923eafe5bff4de8f35ffb1fd3727bc439b62c34e6f3c0812a8abef91320910d4fb1a1efbec5416ca1e5e8c0c

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
81KB

MD5
a88411e9368480b3c994ebeed695bb98

SHA1
3a7bacf0a23743c463c6862995952471c16b6058

SHA256
2f03094ace6ea865055e2d321e4d78c060a60d6be1d80ad94e8ce6c07f18180d

SHA512
bdd6878d78cd4be68e7db2c79e9a7545caed165ca9ce9b5a169e43ccff0a24a8d96aa36135daf92a9008c14ddc30e79a9d2cf0199319cb341d44566f8d002456

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
81KB

MD5
37ab544f71d4214db6bdbc42f5a7aa3b

SHA1
a7fac51749b802debb1d975439fd8763248d3919

SHA256
37c04b04f5dc684f03a9c2a823bb35329652809e9b7bf1e459f113172a664854

SHA512
e31c3f7c2fa199af6df20693a6af707896257dca0c07b11df98979e753393dc8c4d3c0374ce1c4bb353fe246094ca8fba6656851badb19bdca448bb778541462

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
81KB

MD5
57de040463f24340dbbf78c6e5534d1a

SHA1
78537f80d528f771a27334e9f3ffe770b6a96be2

SHA256
42fda9314233d3afa19a5ba4e60cb83a8453ec9ddc1d417e43e42c4382d5ff3c

SHA512
99016405a07c9d015ff0ea1d03980cb4955abe799f1636092bddba1929775f0610cd97f4c600fbbab5a01b0f9f1c8658b6b06f47e110624f67754f305675690a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
81KB

MD5
4592a4ab715438de8dd42d3e7ccbbc2c

SHA1
49d9f4d476135bf5e2cd28d0e25ef99b41c16b43

SHA256
1d321ea1a858e4cd6815f3bb0166a5dfc1677bacae23acb365af59d9a35352ed

SHA512
bca7c2f0b58b8435fb8880c7b2ba41d1927575229360f68ca6ea16f4235c5b4352e2aedfc6241ee365f33123469b451ecd7203796c79d4fc4bd915d0acfd661d

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
81KB

MD5
77c7612c0a76a7cefafaee9fb0b0eeaa

SHA1
75dd769276ac0681733887c98c2ee4ecdcd5d55d

SHA256
d9445aa8f77647b7cccaf26f5b7cfc46d9e44096fedce5b4f899264a5fd0c7ea

SHA512
424af18c59e992c9373072b763a962cb0a06458a755f729212d5633485b4a93952700edf3aa348f6803bdc7197b915c59b97ec13b024e256f7c429a9ceb7aedf

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
81KB

MD5
5d24adad4ac76ac574b596e68d5ae2d6

SHA1
a5936319977d26412e7b68b3be04deec114ba479

SHA256
ae10bc054dabdc98dc0fdfb8d607659c692e22c8488123ecb33b383e6ee17a5c

SHA512
13f0b0dc4e7281af7a02fc13b4c325ca4a8c1a34c257eb4db6f774b7d2982800587298f94e77076482ac120e2a4474cc0014c403ee256335e1ddb771ae60ada9

Download Submit
memory/376-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/788-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1884-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads