berbew | 4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe
Size

93KB
MD5

a1b40f244db1c5f9748ebc4332a756b0
SHA1

546ffeae9eb537dfa1b6888b45d00767a464f711
SHA256

4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52
SHA512

89022785af79fff41e4fdc94358dbf3be6b68be82e82bd14613f588d29710997e0f4a70ae7e1d576f1d1ac6a596f46d8392a069baf6f257ff0a9ed895d22a459
SSDEEP

1536:R0X5c6sXF6evFCT6+tK73Ka9hAV+bd+98cTlsBxG/lyeCVTyjiwg58w:6X5cvF9F73k+bdEPT2B8/lydViY58w

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3684	Mdmnlj32.exe
4384	Mgkjhe32.exe
2972	Miifeq32.exe
1600	Mnebeogl.exe
4648	Ncbknfed.exe
1216	Nilcjp32.exe
4156	Ndaggimg.exe
4448	Ngpccdlj.exe
2244	Nnjlpo32.exe
1016	Nphhmj32.exe
1704	Ncfdie32.exe
2468	Njqmepik.exe
4560	Npjebj32.exe
3540	Ncianepl.exe
4548	Nfgmjqop.exe
4372	Nnneknob.exe
700	Npmagine.exe
1332	Ndhmhh32.exe
2412	Nggjdc32.exe
4908	Njefqo32.exe
3260	Oponmilc.exe
1364	Oncofm32.exe
2572	Odmgcgbi.exe
4776	Ofnckp32.exe
544	Odocigqg.exe
1472	Ojllan32.exe
3992	Odapnf32.exe
3824	Ofcmfodb.exe
1944	Olmeci32.exe
1468	Ogbipa32.exe
628	Pnlaml32.exe
1752	Pdfjifjo.exe
3752	Pqmjog32.exe
4352	Pclgkb32.exe
1676	Pjeoglgc.exe
4532	Pgioqq32.exe
2068	Pmfhig32.exe
4972	Pcppfaka.exe
2272	Pjjhbl32.exe
2196	Pdpmpdbd.exe
1784	Pfaigm32.exe
1036	Qmkadgpo.exe
3428	Qdbiedpa.exe
3248	Qfcfml32.exe
2228	Qnjnnj32.exe
4456	Qddfkd32.exe
1616	Qgcbgo32.exe
4128	Anmjcieo.exe
1328	Aqkgpedc.exe
3272	Adgbpc32.exe
5096	Ajckij32.exe
4724	Aqncedbp.exe
1584	Ajfhnjhq.exe
2352	Anadoi32.exe
4588	Aqppkd32.exe
5112	Agjhgngj.exe
3128	Afmhck32.exe
4500	Andqdh32.exe
3464	Aabmqd32.exe
1968	Aglemn32.exe
1680	Aminee32.exe
5104	Aepefb32.exe
3432	Bfabnjjp.exe
4976	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5200	1508	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3684	1260	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe	83
PID 1260 wrote to memory of 3684	1260	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe	83
PID 1260 wrote to memory of 3684	1260	4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe	83
PID 3684 wrote to memory of 4384	3684	Mdmnlj32.exe	84
PID 3684 wrote to memory of 4384	3684	Mdmnlj32.exe	84
PID 3684 wrote to memory of 4384	3684	Mdmnlj32.exe	84
PID 4384 wrote to memory of 2972	4384	Mgkjhe32.exe	85
PID 4384 wrote to memory of 2972	4384	Mgkjhe32.exe	85
PID 4384 wrote to memory of 2972	4384	Mgkjhe32.exe	85
PID 2972 wrote to memory of 1600	2972	Miifeq32.exe	86
PID 2972 wrote to memory of 1600	2972	Miifeq32.exe	86
PID 2972 wrote to memory of 1600	2972	Miifeq32.exe	86
PID 1600 wrote to memory of 4648	1600	Mnebeogl.exe	87
PID 1600 wrote to memory of 4648	1600	Mnebeogl.exe	87
PID 1600 wrote to memory of 4648	1600	Mnebeogl.exe	87
PID 4648 wrote to memory of 1216	4648	Ncbknfed.exe	88
PID 4648 wrote to memory of 1216	4648	Ncbknfed.exe	88
PID 4648 wrote to memory of 1216	4648	Ncbknfed.exe	88
PID 1216 wrote to memory of 4156	1216	Nilcjp32.exe	89
PID 1216 wrote to memory of 4156	1216	Nilcjp32.exe	89
PID 1216 wrote to memory of 4156	1216	Nilcjp32.exe	89
PID 4156 wrote to memory of 4448	4156	Ndaggimg.exe	90
PID 4156 wrote to memory of 4448	4156	Ndaggimg.exe	90
PID 4156 wrote to memory of 4448	4156	Ndaggimg.exe	90
PID 4448 wrote to memory of 2244	4448	Ngpccdlj.exe	91
PID 4448 wrote to memory of 2244	4448	Ngpccdlj.exe	91
PID 4448 wrote to memory of 2244	4448	Ngpccdlj.exe	91
PID 2244 wrote to memory of 1016	2244	Nnjlpo32.exe	92
PID 2244 wrote to memory of 1016	2244	Nnjlpo32.exe	92
PID 2244 wrote to memory of 1016	2244	Nnjlpo32.exe	92
PID 1016 wrote to memory of 1704	1016	Nphhmj32.exe	93
PID 1016 wrote to memory of 1704	1016	Nphhmj32.exe	93
PID 1016 wrote to memory of 1704	1016	Nphhmj32.exe	93
PID 1704 wrote to memory of 2468	1704	Ncfdie32.exe	94
PID 1704 wrote to memory of 2468	1704	Ncfdie32.exe	94
PID 1704 wrote to memory of 2468	1704	Ncfdie32.exe	94
PID 2468 wrote to memory of 4560	2468	Njqmepik.exe	95
PID 2468 wrote to memory of 4560	2468	Njqmepik.exe	95
PID 2468 wrote to memory of 4560	2468	Njqmepik.exe	95
PID 4560 wrote to memory of 3540	4560	Npjebj32.exe	96
PID 4560 wrote to memory of 3540	4560	Npjebj32.exe	96
PID 4560 wrote to memory of 3540	4560	Npjebj32.exe	96
PID 3540 wrote to memory of 4548	3540	Ncianepl.exe	97
PID 3540 wrote to memory of 4548	3540	Ncianepl.exe	97
PID 3540 wrote to memory of 4548	3540	Ncianepl.exe	97
PID 4548 wrote to memory of 4372	4548	Nfgmjqop.exe	98
PID 4548 wrote to memory of 4372	4548	Nfgmjqop.exe	98
PID 4548 wrote to memory of 4372	4548	Nfgmjqop.exe	98
PID 4372 wrote to memory of 700	4372	Nnneknob.exe	99
PID 4372 wrote to memory of 700	4372	Nnneknob.exe	99
PID 4372 wrote to memory of 700	4372	Nnneknob.exe	99
PID 700 wrote to memory of 1332	700	Npmagine.exe	100
PID 700 wrote to memory of 1332	700	Npmagine.exe	100
PID 700 wrote to memory of 1332	700	Npmagine.exe	100
PID 1332 wrote to memory of 2412	1332	Ndhmhh32.exe	101
PID 1332 wrote to memory of 2412	1332	Ndhmhh32.exe	101
PID 1332 wrote to memory of 2412	1332	Ndhmhh32.exe	101
PID 2412 wrote to memory of 4908	2412	Nggjdc32.exe	102
PID 2412 wrote to memory of 4908	2412	Nggjdc32.exe	102
PID 2412 wrote to memory of 4908	2412	Nggjdc32.exe	102
PID 4908 wrote to memory of 3260	4908	Njefqo32.exe	103
PID 4908 wrote to memory of 3260	4908	Njefqo32.exe	103
PID 4908 wrote to memory of 3260	4908	Njefqo32.exe	103
PID 3260 wrote to memory of 1364	3260	Oponmilc.exe	104

C:\Users\Admin\AppData\Local\Temp\4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe
"C:\Users\Admin\AppData\Local\Temp\4a736403de827188804ef9889385de3745e4fe110113697004ee0d12e7328c52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\Mdmnlj32.exe
  C:\Windows\system32\Mdmnlj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\Miifeq32.exe
      C:\Windows\system32\Miifeq32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        24⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        73⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        75⤵
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2948
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        80⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        88⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        93⤵
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        94⤵
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        101⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 416
        106⤵
        Program crash
        
        PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1508 -ip 1508
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
348fe3cc73b7448fdec3855e44f4eb35

SHA1
5c6b45d7ee322a5f5c0c9232388a690becdb0cdf

SHA256
0e4e7a07fe7a01f1fcac17af512c76409787cbad470160b2b7992c1a01da1007

SHA512
e4aec21f19262e0f307c2c83d3ef9773e29107801e762aadc7cc03d7c4e1e0a752c59d82d36456ec66a9481e6ffd56dca72cc2466df9ec53f226b233fde0c9d4

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
ab4b365ecb8dd05a35d83f3b7bfef1e0

SHA1
7c0abc20ba0e4fe4582457cad8cf41dd9364ac38

SHA256
56d95a88205c3cd6961c1199cfb2edbf870652204c525a74d4f7fe9438da8404

SHA512
243cde2cbeffbe294377979aea9622c3cb72446ad2199584077ea9cd2640f50b43c952ce592e3348b86551259583cda5b833cedc02686dc890c295b670a8b474

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
93KB

MD5
69d32650c149ca9cf470a906f29c04cf

SHA1
0b24cb0c3062e59df68256218902b2eee6255c7f

SHA256
7d824c4dbecd67eca90462fafdb5081916f505aa9d33ffb331f723fbd7ea121e

SHA512
f548bf9d279d31e3d1f385f1fa4a3819a30ad694002f4cb77cf02dcf492a2ecd8e02d377b028ce5c48bee781e8d0d46d8090d490efdaff73835507019f9158a8

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
accaf08d66123c15763c57685d98f588

SHA1
1fcaeb5eddbbcf3cfa44179a3f84dd6bad1a8c9d

SHA256
b2c18475e108fbbf559325211792dafe30d901238a98feb936e29ffd85831174

SHA512
4db48f445231d37ca61450b723919e7d93e1444e5afe30143378deb704b112ab057fdc8b7a9c6db5542a9dea95a4f2eef612b2eafb70be0efaaffb7bd661e792

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
484914bc4d9b91870710dd688c508392

SHA1
49c472426c9638f47b75d78d7ff79ec167f30863

SHA256
375f96e0cc1bb6faccdc42a01a8ee4ce77bd7d988afabca8df8721c5c08dc751

SHA512
372c5fb84c38128ee40550e110751513af8cb78b57e640e3ed46bcc59a5617180e35a3bced4266e6829a968f4e0b0ea3692f1b5883b71a3ef948b488578d7d75

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
93KB

MD5
51168b7b6535f660c044edf093d88fb1

SHA1
b98c7da283157eaae94992ed460a01c9e109dbe6

SHA256
c6646d4d91e8952c57d4cb6dba2f6f4ed7d1cdde3d7353310d8b58c26ba4faf5

SHA512
dd76aa958e28f629bfa78993ab09624581e0479a213c495d385804e5b73221fb3b652afe7d6cff35f7bdbac78e3d4ccfefb38f50e9ab586fd387b0598b1f0cc7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
03c988e91f6e8275d83397fa120427df

SHA1
ac8bb5c0caf07dcdd24645300a8839cc52697c3a

SHA256
0b30b51e3130663a6e4cbab4a0d153c049729f04ecfaa8a01a43cf8aa03773e8

SHA512
012db4787a87d7644172e8b5f7ca05a4d8ade4ef1bf37a101af2f182f1bc7cadabf23e6b932a75ebc545fcd22669eaa9a28bfb439b3e4c154fe76f6dff4fb494

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
61980bb86fd3eea0da9936314b143dfe

SHA1
c508dd57b939580527336ce0803eb01e36299694

SHA256
19f7920eaa0be671c4f55537736a107af5fca5335d39da0c7b6fb51d9f694c2c

SHA512
620345c1694a7a21cb6798034f01e8374415b2a06cad7b5a47ed433c843c61d3ecaffce08692f3fcb3a5580ff4018b41085afe58a121cc40b69aaf64efe54494

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
18b74d897529091fe48fd2069d08639b

SHA1
2195573528151fef72cad64767fd38add5da5d77

SHA256
e60add899cf6adf5c6da94f0ac5039cf6f332fc6ba284b2aa3952b39a3606831

SHA512
1a504051041f34401c4370cf82140484cbfe3d3a1fa0f3c3b3c6ad8ab5e62f43d9e07cea9093d4c8cedf13164b6c8c0ed40a550c3649ea004878d336272be039

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
0a117fe5429d575fe602cc32534d83cb

SHA1
985b2fa11a0bed50ba36d57abcd43fd265bddc80

SHA256
4583d00333896824983f5ce99510b3188540189105b5ff9047d7a1ae64303892

SHA512
9efee75a6845247ba7965160ef91b9da4b1080743770b2367e445f5561e231d37a578ee332ce402a78faf71761a3f84b39db0a90e260d2dbd51186ce733a510b

Download Submit
C:\Windows\SysWOW64\Knkkfojb.dll

Filesize
7KB

MD5
ba83e65341c611172a862c2158e7a02c

SHA1
eee681b5738639be1b81cb73a65e06012133fe24

SHA256
362bb515c9425b8a52420a5b5f3ff68de59d72c9e927aef84c250929229149ba

SHA512
c3042a6ca5baba6771e67bcf638f6988f209a0cea55c44bc2b8fbf34015010ef834df2e9f298103c69c5ae0392472f4f658f61a5d6cf709608b319a208c97511

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
93KB

MD5
0144ec93f341c76d1ce2a8d8617a0e92

SHA1
eb637552378602553d006f16b0064770a9f1a455

SHA256
e10e8d05d4fb9dbc7ddd8bc69d332e6bf40347bb10e3fa19f653bc367083cdd1

SHA512
ea517f5d3b655ab48803ed1f3b0d5a7d387bc73f3c6e4615bbf11570d3dad18cc5a35886ad538b43a09650053ed0bc029d3f2977cd67f25262ba822ecfa15f08

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
93KB

MD5
131fd13591ac1b11e141c51bbfa77aaa

SHA1
be78cdfad741b541981bc92acb43baaa7d6068aa

SHA256
1b0f9a42fea5302c43dde909cf3f6b4eaf1a3c1c8abe26ba996ae0d483807ce7

SHA512
6a1046997ca6acad921ca9eb0b7e79ce024a9572ac2c82dfdd10cf9b052eefb88e030c16e0706444117c11445c6d2c37f10fd28f0a2052bf58a8ee07ba7005f7

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
8ea21e53bfaabfbf5f12793060dbff1f

SHA1
5a8310db02d717ddd6600fe6365e69a3e585c4f7

SHA256
e04c8dbbf68008db556c493e00d381235f33f04f79f8513a634b5e2f81b79705

SHA512
81baad17a55adb6591fcbc3e665c6bbb20d9b8c114f084a25e93726f1de783c6f83b43d597f1eb7f4311dc490f5dc740d6ef5e202ffe9753dbfd78fdf0cce4b1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
93KB

MD5
cd006b8aa5c66e6db41348bb5443f28f

SHA1
7d7050175328df770efda07cd55da0737a8f0ab7

SHA256
9863926c499cf216805723b5af49958c75ea265173d4a548c2c1b3a19160b580

SHA512
9174f74ccaa8dfac2312cfc0435625b2dee0acebee0b4388b969dd6f8221fdd8f4717e2920f4b6bf8ec72023498eb99fb6974a51ace5a40b8d54f64a3ec4ba64

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
93KB

MD5
a9edb8003b970daf6b5b2a27601d71c7

SHA1
c40e05c59ec6bfeaf7b051dd258376d9dc9c16be

SHA256
3e4bb92272815a0b6995ff5f46784c0c7b89a877f1f1b15a4a54370f154e6a24

SHA512
43fa69da7e0ad7dfd35b65898d319f35ddb779f053d8939d136e21882c52e1d0978d5d5be9a1e8228d6c2748a4c4aa7b402269a2a2a9d00752d7cebe32709295

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
93KB

MD5
989ea0259934fc88bbbb68051eb58352

SHA1
ffc1c635f68b68cd83d32c2f1dea82be77d0cc77

SHA256
0a7a696d08b02490c199cadfbfb1c6389dbeaa22da15020a30d98c2e81d4cb1d

SHA512
c93810fde6759ab3c7efabbed6ea89832f9eaffaacb834373c7a59f1fe5396c53515907c1827fa8b697ffa37427c937d17af58f78f1afe45f5553d80d65e20db

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
93KB

MD5
5bb1c6b5f771185b1d94ab94f170fc26

SHA1
737ff5f40f7b83575c8eab3ba83e03c0f7a0b5a8

SHA256
868ed5bdca0dcacd7d33c25925f36c1cf42c02d10ea0fc498a866da9630b68d6

SHA512
8011ffa6560618fd4198766017d4c58cc75f5ed4541190a74be225d4328ff6068336878daf1d2285410c8c047681a8cc83ae8f24e7c4f797c242747aa63404cc

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
93KB

MD5
cfbcc22ebc970dc65315c45d0aafb844

SHA1
8392412da3fa90b02ce4ffc5db0f08fc98e40536

SHA256
c9d78656ca63fe78bd93d797ba11a39bd7dedceb86eac9b3c28213817099818b

SHA512
5dcb9fd652cbc8f3e9aaa174e718fe9fb18db3ee1f7e1a75e5ba5445967d767bf056b71904525108b00c7d9479a62dedfea2f0d3653813c4df72f138bbcf9bfa

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
b39782ad063af3618ed01b867e124930

SHA1
00b922d2c8db31a9058a87d60da31f504bcb03ba

SHA256
c4aa641333eceb3cdff00a47c3b4e6c10110de30b05c4368f346e324b88caad2

SHA512
9ae25b48d5e39be01ab2e784b4b83264beae61989e05e8730646a4ac1a9e556cfbb1336f7658f4a7ca82200af2683d771975e69d31b3dfcad04289698e9c2c0d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
a4f80fa2e6c1bd3278422416d62294b1

SHA1
1871e18f167a86b3d42ffae927a7d57458746bdb

SHA256
323c1de3bfa1848b76d0723a3968371a9dddae0c4b6987b433e30df5c8d655c3

SHA512
0228f9a1faca7dd9bd36cdea8561a60f68f249b1d4fc12fd8ed05ba7829248bc5908e1f90ff4e9efba4ea987a216e405aa198480186435b4690389d5e53fe9e4

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
93KB

MD5
906b9024a76390469c3fa7c27f95a076

SHA1
04ccf49d4fa96905cd5dc6312e56ceb695aff8e4

SHA256
fd6cb6bc1d4a9b5f771766ad48bcb18e1cdc5ad9584c09337a1943a47e3711dc

SHA512
93385b43f4e711a5d4a8523e1a653833f0f3495f9323fc46729167f6bf1e0b02f5c3b406fdc5e64ec2562fae601e33788fa232cb4fcca49743fee499066ea365

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
93KB

MD5
5c307c0f37115a1b4d2187a90b0dbea2

SHA1
d76f2510ba2063281de611cc44e2948500000eee

SHA256
557289b9b76ff7f80f2e5d042abe6d6fc763b4a561dbc8d855a6d0a27e633845

SHA512
34ef557b5c2678fa44b9a65078afcc14a5526136892f45a72ed71a8718e040922bfffefc98bbdaecd53c21c4335a71dc1e6b83c0231630d34683e328155b431b

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
93KB

MD5
b79b357e50533a26f5b65dafca1fe492

SHA1
462f74f65053f147f00876b7091d31dbc5955067

SHA256
68dd3676e77888807ea53c2bd1537594a765853172453a2cfa9ad13019b4663a

SHA512
1042925052b34f18508fa4116b13f867f112c887872bf3e9dad2f04d941e6038731e07071555ad8728634be2fc937fd8c0256aad92a0f8fd914840ca1f04bbac

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
8c4958e854a518bcb1054867c07a54d8

SHA1
9bcbf1cbc3050582233f1e84887aab035183b5fd

SHA256
5d7969cf50e296c80ab52f6e8b758966b7500dfa3ab022a5e6d183f5b1b5fb4b

SHA512
977da8894a344f76f754659646a337a5212d597bd9036bc78a33e2c35506ffeb972b16b2673bef29972693e09ebe8c610b0d34db6ecfec592930ffbe0f72ee50

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
849d14913276f8238738bdafefd3fe7c

SHA1
f8fa4676b9d23fe3ef9ed3ac96c16e40a9771eaa

SHA256
4a4dd4017e434aa61fa8537ffb5d92ea9c9e20831535103832510b3a894b96da

SHA512
87b0a565bde3f2a3c0acdf963a8efb3222e530cf3f142ad7a5c8bda3cacd428b081c6dccafea53218f360ef159473c823de1d38df220f34a030411a91564eeb4

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
93KB

MD5
baaa93210b24cf977746f14fef4081bd

SHA1
f81899351b4a5a5f3b3aef94cac7386c0fe77d4b

SHA256
b817ad92528b4a304298c89b36b8aac9857a1cc3d1af3ae2db8c54a822045a3a

SHA512
32dde445ff19982b15d328e76359de4b562a793be049b66ac0a0372aaa5bcc8f89d0344ab8f4ba2abed670e7cbd2db6a093d193655827af0f067aa7137fe5bfc

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
93KB

MD5
f3d5e86b7e3b9dd466f28f4c77cee301

SHA1
31913bb2b4e19a4974ddd11c7e345671d4a5d9e8

SHA256
823098121b2bd70ef4eb798fceaabe244ef0923b6a114d237229fe2860e3cc9c

SHA512
ae5e0ff7fafbda2e056c87bc416b97debb9a629736c3e0a30b6bbf1d2c82f7c6f81bf5ee897b6028280b4d13a787193c2bb1a2f3963bcc2d67b990afdebaf904

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
888d69dac9a9e3263b999cfdb86af91d

SHA1
190bfb07373e2e834cc0b04220e758ba7b99b86d

SHA256
89c2ca32d8fa9df211fc4390692b6fd24ff44283311125c38a0c4bdb8c284d32

SHA512
a1932a799ea5b2dc2b6fedf935a5a9be459e1a3ba2ca397352a7f625de79b95fb3f88cd520f641e4e8c2e1cadfb03fa70b286501ab2e3cd0be7ba6a92e53e722

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
93KB

MD5
b6ede6c40eb8c1eb86d45f5076802698

SHA1
c595f67d87aa7a4366e79303f090279daf0c7869

SHA256
1ff5cbd8749c1dbfef9597db8aa87b3cad725d467dfeda6c9715b5e2d36a30d4

SHA512
90cf90b563dd8eb2981b263189855ba0194b002d4f37eb4755a3ff2ce7b71270683b0bae9d0d7c811ec0338434e16b63cfd30eaa960c1361b3d0ea1919e46ff1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
93KB

MD5
83247096e7f51cd458ea672de51f3e5f

SHA1
90f681bf608ef85c850ce330251c0010273059ba

SHA256
ee23de97d6792ed5d2dffa64d57218dd20ee0e8f8a93d6fad24b0780f5a0506a

SHA512
fd7e4a6e250cbbc1f0f617b8072fd3c158ce20e343aba0d45e527211a91b4110c3db9f20f72a6c9a309819732c554e306017ff6bb2a3eb390573933a4b0dff21

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
93KB

MD5
c3b222edcba373e7001f3b7694e6bff7

SHA1
2496534222d270048ae565135c70e07decbc6f74

SHA256
e933ffecc100d6ed4515070216a2268b44bba92e59b03c01d29ad1c1a9858aa0

SHA512
fa616724246adfac919ea44f737795d8c4dcf7747e975b71d61696cfb39cacacc40b9c6ac1d95fcd6149fe00768f45eaca6e74aae796eb14d6898b18a18ed1c4

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
93KB

MD5
22a4dc4bd9b619035083e195ea696925

SHA1
8a153abce80cd2efca2f4d1dcb164b558c47dc85

SHA256
a48207e68f9fafb8505c79d5f517ca45ecfca06592b7b54c5286161b99bf5950

SHA512
ca06076d1cd3cf408421ceb4c648158138e78201fb4976fd5b467b2599c5274aa84d3d69a30e686175536346224dd6f7b6ee4945e3915a3f4931b9641b9e3633

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
93KB

MD5
ad6ea888c9104c549e19298eeece1d3e

SHA1
bc27306b06e8e57bfac47b7b5ad13cd8b93d53d4

SHA256
6ba55a01a3353d7acfe08b9d70ac5a7f72cda1c7b0b1e4106d65467c449710eb

SHA512
c1889483339e0e4882147d68efe65e3d06ef2bf222ce437b91688d0653341f39b1f0d71f2ca85dfde6413280f6a8d4a0428ad0438fcf9252124ea5eec93c7dfb

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
93KB

MD5
68f5a122c0c9cbf06675793436a93382

SHA1
6f963e4b8ede1e377c10f76f179d6100f001cda3

SHA256
3f1d32aec968101a9f0e4c5bccb9ceae5fae51478d41f9f40728d711f19e7e41

SHA512
e53de2e465d0f7ff646da17d6fe00264430fd5bc7aebdd72ff0ed4499073fb394869e5375bf3b6603d66cdf711e157aabe2700e5e67d28d67a028c2332a6ec3d

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
93KB

MD5
cc186897de4a1f9abcb4735c913d4a4b

SHA1
1f1059d2b5e9e3a8f27fb7eda22230bcdb208e23

SHA256
fb50e7e73fdd3675cae29fae7c450d97a4a7ac709fbd7e12d77ed22106b2f4b0

SHA512
ca7406b7cd6ad9fde74bcc0b0d597202a6bc5fb78b51687fd7ba11294fb7ff5ac5b65047f3451d73c02aafd8b66aba27840585cc47fe4f8c8cbf190b0c441e53

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
93KB

MD5
aa52db63d1ae5679aa9dd0845487ce0e

SHA1
3f397c81cf85bedda45f6646c9b9dba171db752a

SHA256
142963b71c7b2a34b375ea12e157077d080d4b0a37fb9a70ad59153cf77ea107

SHA512
862de438aef0a1662e708d7d5b82762f4eb24f02055bbf57a738f69f67cd0f1cdc5b1aabc54cb48c5f45cdb50b111d2bd94edc2cc7b47ebb22bd1800e3d3422a

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
93KB

MD5
602540da73b6412d2f559c9c6d44e3f4

SHA1
c22ac99f20260b4de59823df7b4a0612d34e062c

SHA256
7920c429dcb5777ce9d7ee8fbc00559e4e8dcc692d750d24b828135549fae604

SHA512
e056d5f04efa87e1e607b5a70f76b4532904dbc29b1290bb062da170101012ae545e3587c397197f2b4fd7a5b0b9758ff0754573ee655cca06698a7577f951c3

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
93KB

MD5
8a473bc76935ccc621f807a0ffdb092f

SHA1
f5777c70ce4f690b419b29d487b195e53875ee02

SHA256
960c5fc0dd645793fe1d0d11f252264632238f81c6d90767a77b883481fd60cf

SHA512
42814896951d20da0eb423ac3c8d90037716795fdd3f1c3738807696a1cafb24a97e9728fcfb174c55975a8f30f7b5d442e46c2ae69fb882a51feb60d6941ba8

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
93KB

MD5
107281412a3044e7735b244620925ad3

SHA1
1573c7951c4a10094ea1fdf4359cedf659843d46

SHA256
f09afb2b8c033811fe91c0f2ab0763713635d9ccee9452bdfd14d8841259dd24

SHA512
221aaae71a141c15a9731d008ac3994ae707d02e85920c82a0114a4a2afa184ab7d535752ecce8a0549641165e19ef0871feaf9dab0722e9564db64c154e8ea3

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
93KB

MD5
d5c59eb996e642a750bde62de151c614

SHA1
8c768f5014a455218f461c98f5df80300add9005

SHA256
56990e5b5b423e06b3b42531a76246efbdc614238f0ae9f18cf481891e7c85f3

SHA512
6ad59b2e96eddd5d29c06786f11fc0962c27391e445ee5f8bf7d82fc092d476d354476b2f92322b1eb91b48b7bf7146cb895c9a79289ee17c9be9b39f3aba281

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
93KB

MD5
0b278a6cb801e5e559f9e4cbf79a79dc

SHA1
8bf659a564178a7127f0d3a9e113366e658716a7

SHA256
9af89a8a5990723290159f3996b3c51b351afb58ba56fd9ca177592928071b2d

SHA512
1549aab3a89fb17c86dac594dba362d86b2b01671ea8717320677ac1c4e4a35c343f9115544260428fa884e3a61012978f590b920649a73ed139ef92f6ee6ee4

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
93KB

MD5
7b93910acb305b9816837c11d0135a1d

SHA1
989f29459fb2a4a25f5ca6b308c679404606aa84

SHA256
13fd18c70ad0fbbea59874a0bfea6dd4a7c00a58dd6c354b3230d408fa17cf04

SHA512
08a1cbbe916047ce5ca71d812afb2914d8034633637404848dde5d47f7d57ff3622d52997981166b52ae84ae39144f820cccba894b8b6561bdb5a05ba2967ada

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
094880c7fba24ee30399c84d8d0acd51

SHA1
096589fca81a2f31e4308c9b9245b555beddd3b5

SHA256
2412d67f1cc344bf3ffbe8b3cbbc163d0f5f1e39daf54306108d8dbad653615f

SHA512
8dc0105b205760a01a03181c93b2a32785e9d9fc42b7cce1d5955e46f3d1807bf5ee873072ed1e544e6c2108a5b2c869ec0071aa9ac05c33144333fd80afc722

Download Submit
memory/544-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/628-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/700-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1260-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1260-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1328-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1440-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-556-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1584-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1680-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2272-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3248-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3824-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4776-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5112-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads