berbew | a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe
Size

90KB
MD5

5979a8aa41648f88a55e09275b6fa8a1
SHA1

191e9b6669d64f39ab8528f91485c0b8bb40e3c0
SHA256

a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700
SHA512

f1b3857f4534ee747913b6ab47ce71b0143ce8c74c3b66cada284303293375389eb4325b46ebdfe347e32aad31607bf26e5ff9dd81a57953744acd9df97ad214
SSDEEP

1536:ImnnhJw6cyXYLGUT3thLwL3qXhvGmWqlg+AlrH1sdLUAmC9YCZ2MAgPEUbY3fGiy:ImKE0xE2gxC1UAmCZRbEHeihbGcu/Ubi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4884	Mcpnhfhf.exe
1076	Miifeq32.exe
3052	Mlhbal32.exe
1068	Npcoakfp.exe
3280	Ndokbi32.exe
4976	Ngmgne32.exe
1388	Nepgjaeg.exe
4596	Nilcjp32.exe
1784	Nngokoej.exe
2388	Nljofl32.exe
3988	Npfkgjdn.exe
3248	Ndaggimg.exe
3040	Ncdgcf32.exe
4456	Nebdoa32.exe
2900	Nnjlpo32.exe
4196	Nlmllkja.exe
1720	Ndcdmikd.exe
5004	Nnlhfn32.exe
5048	Npjebj32.exe
444	Ngdmod32.exe
4724	Nnneknob.exe
1396	Npmagine.exe
588	Nckndeni.exe
4776	Nfjjppmm.exe
4864	Nnqbanmo.exe
5112	Olcbmj32.exe
1564	Ocnjidkf.exe
4964	Ojgbfocc.exe
4380	Opakbi32.exe
5084	Ogkcpbam.exe
3796	Ojjolnaq.exe
4668	Opdghh32.exe
448	Onhhamgg.exe
3660	Ocdqjceo.exe
3556	Ojoign32.exe
4408	Olmeci32.exe
2408	Oddmdf32.exe
1484	Ogbipa32.exe
4036	Ojaelm32.exe
1764	Pmoahijl.exe
1016	Pdfjifjo.exe
4740	Pfhfan32.exe
2464	Pmannhhj.exe
1704	Pdifoehl.exe
4460	Pfjcgn32.exe
1428	Pnakhkol.exe
1372	Pqpgdfnp.exe
1592	Pgioqq32.exe
2616	Pncgmkmj.exe
2456	Pdmpje32.exe
4040	Pfolbmje.exe
2892	Pnfdcjkg.exe
2660	Pdpmpdbd.exe
1508	Pjmehkqk.exe
4136	Qqfmde32.exe
3992	Qfcfml32.exe
3476	Qnjnnj32.exe
4744	Qcgffqei.exe
3596	Anmjcieo.exe
4436	Acjclpcf.exe
4104	Ajckij32.exe
3500	Aeiofcji.exe
2080	Ajfhnjhq.exe
4208	Amddjegd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3160	3756	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4884	4452	a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe	83
PID 4452 wrote to memory of 4884	4452	a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe	83
PID 4452 wrote to memory of 4884	4452	a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe	83
PID 4884 wrote to memory of 1076	4884	Mcpnhfhf.exe	84
PID 4884 wrote to memory of 1076	4884	Mcpnhfhf.exe	84
PID 4884 wrote to memory of 1076	4884	Mcpnhfhf.exe	84
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 3052 wrote to memory of 1068	3052	Mlhbal32.exe	86
PID 3052 wrote to memory of 1068	3052	Mlhbal32.exe	86
PID 3052 wrote to memory of 1068	3052	Mlhbal32.exe	86
PID 1068 wrote to memory of 3280	1068	Npcoakfp.exe	87
PID 1068 wrote to memory of 3280	1068	Npcoakfp.exe	87
PID 1068 wrote to memory of 3280	1068	Npcoakfp.exe	87
PID 3280 wrote to memory of 4976	3280	Ndokbi32.exe	88
PID 3280 wrote to memory of 4976	3280	Ndokbi32.exe	88
PID 3280 wrote to memory of 4976	3280	Ndokbi32.exe	88
PID 4976 wrote to memory of 1388	4976	Ngmgne32.exe	89
PID 4976 wrote to memory of 1388	4976	Ngmgne32.exe	89
PID 4976 wrote to memory of 1388	4976	Ngmgne32.exe	89
PID 1388 wrote to memory of 4596	1388	Nepgjaeg.exe	90
PID 1388 wrote to memory of 4596	1388	Nepgjaeg.exe	90
PID 1388 wrote to memory of 4596	1388	Nepgjaeg.exe	90
PID 4596 wrote to memory of 1784	4596	Nilcjp32.exe	91
PID 4596 wrote to memory of 1784	4596	Nilcjp32.exe	91
PID 4596 wrote to memory of 1784	4596	Nilcjp32.exe	91
PID 1784 wrote to memory of 2388	1784	Nngokoej.exe	92
PID 1784 wrote to memory of 2388	1784	Nngokoej.exe	92
PID 1784 wrote to memory of 2388	1784	Nngokoej.exe	92
PID 2388 wrote to memory of 3988	2388	Nljofl32.exe	93
PID 2388 wrote to memory of 3988	2388	Nljofl32.exe	93
PID 2388 wrote to memory of 3988	2388	Nljofl32.exe	93
PID 3988 wrote to memory of 3248	3988	Npfkgjdn.exe	94
PID 3988 wrote to memory of 3248	3988	Npfkgjdn.exe	94
PID 3988 wrote to memory of 3248	3988	Npfkgjdn.exe	94
PID 3248 wrote to memory of 3040	3248	Ndaggimg.exe	95
PID 3248 wrote to memory of 3040	3248	Ndaggimg.exe	95
PID 3248 wrote to memory of 3040	3248	Ndaggimg.exe	95
PID 3040 wrote to memory of 4456	3040	Ncdgcf32.exe	96
PID 3040 wrote to memory of 4456	3040	Ncdgcf32.exe	96
PID 3040 wrote to memory of 4456	3040	Ncdgcf32.exe	96
PID 4456 wrote to memory of 2900	4456	Nebdoa32.exe	97
PID 4456 wrote to memory of 2900	4456	Nebdoa32.exe	97
PID 4456 wrote to memory of 2900	4456	Nebdoa32.exe	97
PID 2900 wrote to memory of 4196	2900	Nnjlpo32.exe	98
PID 2900 wrote to memory of 4196	2900	Nnjlpo32.exe	98
PID 2900 wrote to memory of 4196	2900	Nnjlpo32.exe	98
PID 4196 wrote to memory of 1720	4196	Nlmllkja.exe	99
PID 4196 wrote to memory of 1720	4196	Nlmllkja.exe	99
PID 4196 wrote to memory of 1720	4196	Nlmllkja.exe	99
PID 1720 wrote to memory of 5004	1720	Ndcdmikd.exe	100
PID 1720 wrote to memory of 5004	1720	Ndcdmikd.exe	100
PID 1720 wrote to memory of 5004	1720	Ndcdmikd.exe	100
PID 5004 wrote to memory of 5048	5004	Nnlhfn32.exe	101
PID 5004 wrote to memory of 5048	5004	Nnlhfn32.exe	101
PID 5004 wrote to memory of 5048	5004	Nnlhfn32.exe	101
PID 5048 wrote to memory of 444	5048	Npjebj32.exe	102
PID 5048 wrote to memory of 444	5048	Npjebj32.exe	102
PID 5048 wrote to memory of 444	5048	Npjebj32.exe	102
PID 444 wrote to memory of 4724	444	Ngdmod32.exe	103
PID 444 wrote to memory of 4724	444	Ngdmod32.exe	103
PID 444 wrote to memory of 4724	444	Ngdmod32.exe	103
PID 4724 wrote to memory of 1396	4724	Nnneknob.exe	104

C:\Users\Admin\AppData\Local\Temp\a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe
"C:\Users\Admin\AppData\Local\Temp\a4b75ecbbc1e283b3b610b27ecfd3369e9bdddbd792f6b97e16276f1c1900700.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\Mcpnhfhf.exe
  C:\Windows\system32\Mcpnhfhf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Miifeq32.exe
    C:\Windows\system32\Miifeq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        71⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        82⤵
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1084
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        90⤵
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 408
        101⤵
        Program crash
        
        PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 3756
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
90KB

MD5
d970e9edd043cd2d4c1748239942d036

SHA1
f6e876703407b2db5b08a6ddb00eac2b8524b35a

SHA256
d1321c7a7e5121eba5eda5177b780b470741fef9153a186b3da5f312302af707

SHA512
c099804109d28d2b984b8d1eb3170af4bcd903bc6d9160561f65d8e183b3a916d432c27bc4442f64d751746cd957ed874296130327a0bf620f3d6703dc531221

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
90KB

MD5
6634467a998a0e81ae020ae09896fb43

SHA1
70612befb89808fa9646bc9a7253261ee2d171aa

SHA256
162b0f55ca1198ee0ec2ba7f75347472832445debe76dd450983a72a82f56834

SHA512
9ac3124abaf8249f19b5d251dbc5c7468b8e0b18c3c1a4cb8e568e4bee178755428264785adf62986a67e1046f44a6592ecab736bc4c7497ded9f2abc7732808

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
90KB

MD5
fd08f19a581a6ab3a95c3a4afe20677a

SHA1
4c0359f4feb3fd2c423c4baac35ce311094416ae

SHA256
9a3c30f16ae91a3e3ff1bdcbf8eb2db6da78672a43a75035f8a9774228a06468

SHA512
1ba7f1b450f92ab6e630dc4a77dfbb3f91f838776e5210163b7ed4ef1d914329eb4cc645a66326c6ca1f9fd8d81a9a2c57634fb28690757d8fb2359e8d839d96

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
90KB

MD5
c05215b6d452d189a32debb353054d04

SHA1
e57b7ca533b4bd1b36157dfaa2c07acd6129e8c7

SHA256
5fda407c1bd711c1305acd2acc3288918addb94bb4476a3a9346e0ca13839736

SHA512
1327401213824564a7f29fb02da5f2de4350d195f3293ac7d948f0f7fe9cb7a2f832985227a534efe6f0b02df1d48415149e569301abff3e78dc157f014b81b2

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
90KB

MD5
846c517bb1207d7d418fe8706f99cbf4

SHA1
1457f466c44a3f9dd6605226983263f7aee233f8

SHA256
fdc68e246153b471a20279a8aae4abbd7d1d364ec17f6c4eaba5ac1e91cccf17

SHA512
589ebab88024d7a29f507b270e1469e7ed1e500f6f53c20f882820c9ff9c0fc03593a2e64448aa08d3473995dac1221ad9841a1087a5f02ef5770ec304429958

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
90KB

MD5
588d62246401a8c1b6a0dd1cb7ab42cf

SHA1
bb6d0455a1f0706c9aeff7efe89ab0e9f8c1c726

SHA256
6c125b939aa9b467d37ac3b6177c3f323767afd49b578184d4f0c40f0f66e1c6

SHA512
b062db3e87423b277c383209f9c85a0de48996e6733b92c8770dc80a54e155f031da71facadb8de151ad962c954353f154ac3e26b063df3c0a679d48054d92c3

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
90KB

MD5
60e167bf54e33986fc9f35de2ee90ad6

SHA1
8004398027d01d170d1060d29390359f351904ad

SHA256
20b32ef429c0011f4cb8dfab64ce3d4b14d6df8b7685c2a730e32d0a15d592ba

SHA512
1d8c0e086bad9a5898bf5d6d3442acc138fe4270f72dc13efaa10e7a1a317f4e270e24abf944e20af98492e5c9a2eae6a9106d99409e3a9d65adeaaf7e565163

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
90KB

MD5
258787abee6f195a93785b305bfcd8ed

SHA1
0664a4f6736eb7d941b22ea718b0853ca0ca5c46

SHA256
8be870bebeaf8ba910447e4cc5ce80c25e59508ad9c21feaf7d81f4c5a31ddfb

SHA512
1cd9e30fd81e52b4edd714f11212d98ad991f1814daa286eaccef89bbafa27cf03d8a67d4a1980f174755c93d8bad13eb327204d134bb782e6f100ecf553324b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
90KB

MD5
dab4856f3b18fa880cb13154ff6ed4ae

SHA1
eedecc90fc490530b0d4ff799359afabddccb8a0

SHA256
e0e524d14b320eed122a9c7d7b5071987bfdefdb4dbf91116627f1c251f9024c

SHA512
a62c8a8f8098efab4bdfe2f4da9a9e25d1b03a7b11b3b1f570899703f6b02d6bd0c4218401435c2f372ecc1678173a583302996bee46f655329091dc549eb60f

Download Submit
C:\Windows\SysWOW64\Idodkeom.dll

Filesize
7KB

MD5
481b4bca0d1d35151b0732e57c56916c

SHA1
9fce142dc47aabeac2c070365c0aa87f66d0c574

SHA256
36289b56296589f781947ab7702c2571b922c47800599d1dea7829ea0d966742

SHA512
6a9c702945301e24371da57e4b62656bdb9602491a8f46af73c2371adf3479f4d88c6432eff825602fc054af1648d5c246314c8213ef85c85338b1e9ccd0c001

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
90KB

MD5
2117cb8e509ac79b5463de41d5d157ca

SHA1
afe23f904fa2e0ac7774dbfd11c8c67c97a3fa4d

SHA256
b7d25ccc25f66d6a7d9f246288b9853ba77fecd51fc3d67b6ce884df1ea17131

SHA512
adbd547f87e47acf863c70fb8f8fc14673583720cd67e191caa163876eb916f533b28f75ade2cf8e7313c860b10f3843e58bdba0f1bc1cbdb9c290361cbe70fa

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
90KB

MD5
5ba16e0405bb668c364b9b861fb84d70

SHA1
440280f0941bb81510f4b5203ed180065779bb27

SHA256
1f419754589442d2cdcf0083a4082a74fff78808a8e166b4924fba28070652ed

SHA512
b2416bca1c7320f023bf765392662eef4c7c6b38e7d7a0fe1f61fd7b5fdc8a79eba54022bb3965cac68f92a725bcca94c0b520104917db95bf77360f2b8fcd82

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
90KB

MD5
6e8c579abb84c13c64b8dbf562fe33c0

SHA1
f5694e07916b0ffe1575a961bbeb6df705433603

SHA256
d4e6a4b623560d57d555b9052a36c6491dec58efb6b6f7d1e52dd4d9665c10b1

SHA512
eec5ea4943621e1269ca8b786094d74f9ecaa9327313b6957dc775b9f9f0a0a2f8fa9e352f7c7fbe9d112744008a14eb038673438b1a1a5bc34403cbb2ae98ec

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
90KB

MD5
f1972ec8035462ae4b29431f6a0b5c90

SHA1
090115c486d48eb4748225588877afb31bb2cd8a

SHA256
0534e14f9327ddf93f43f2c9621623b2fea7acbd656a4d61e7fcd843fd8030f7

SHA512
279726ff9cea2a76ca3eb1269d6a9c6b31cb99355e5eae85ca5209c1e2d0ea72ea7c2b22fa5304184b14504046f7a1026dccb381cb686d48012f9e804e1c5e32

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
90KB

MD5
6c2d96c48b43ccea4ac624ad0ac9a2b2

SHA1
6eb0bc598fc7e0c4ce05cd4136e88ab1096a2c61

SHA256
560d6546fc81bb8502807471dfb8b14171c4eaeb13ad7d2eec0f40bb3e48adba

SHA512
cc1eab5ed118fe18e200d8899e72d726cb338223cf3788f1ee972edde2253f2311635e402d441699289e25fba7fefd0839fa3a34e0cd3108af590999af5111e0

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
90KB

MD5
79bef4141e605a84671f7bf2a4943583

SHA1
46505d4320e4ecb5cdd03fe9b5c3380a781c8540

SHA256
60a6245a66d9d203d5fef6003e6bef2b2d92770417c656db14c358aacb88b03e

SHA512
ef1c7407a9e622ec24c0d680cbf446eadae30cd2f47b4d15b913da856193c73dfc3a95efd272fb7098109ff876162b0a0a5db7b2e667005426c02903b0734f29

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
90KB

MD5
7432d3cf47fa98033a6686b27f0f67e3

SHA1
62e6554436dbbdef46da96db281a3835fd113fc3

SHA256
0a5715a619d698b2f6951f958897499008e6232ef26d14c2a8d2101b55374e72

SHA512
208dc394c5519bf5527abd80255d45bbdfc56b2672f003d645e37a9cbfb754e0e6261bd2d66859de5fbb1b296b6b89c8f5d3ecb07d460dde34f7aebcccdf43fe

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
90KB

MD5
98d1c347a850c20188b5dd88482a108d

SHA1
92bf9f8d506b169fd94af3875f356fa53e2f88f0

SHA256
54a8eaefc31da53944d76969cca8f57c9d07aa5259677e5f6ec8f5ee5284ba89

SHA512
606189fff1278643b7ae111fc8a310b95ee066173013d00fb5b83a74d188e8e9bdbad90f82fbced7578926118b5d13787c07ce7234774f39865f94a5f41c75a7

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
90KB

MD5
93bfc75f0963ce59932256e452ccf553

SHA1
580d96d4b34a41dea7c9344fd86873dfb31bc676

SHA256
91f14c3906aaec8ac72a0b210f016311e6e5542a543f897f129de9fb72df5e15

SHA512
2a9c815293cc2a724e9ac99fdba38c1b0b82a095281fb3c4045268305c502340100316c6817ea64b0450bef1eb986b32188fcdf45fc7fce31685a86749f6b108

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
90KB

MD5
9b1b67347f921b5fa706fee703e534f2

SHA1
f1d39b9c5ac636a811448e13800af71bb64886ff

SHA256
262559a240916d81cbcd462116b48e2e9e32deb3661969a589680f1bca1eb3d1

SHA512
c00a469cc1bf6210465e6e125b0c84e690d91662212d19fd5788095b572e2115b7f28ce99cd2f51a3abe233c4406fe54947e48dd6305173cc58f2b0c0979429e

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
90KB

MD5
18cdc09fc74e8c0411e462a701095057

SHA1
42c8a8ebcc624d65f229c7a0d846dbcbfa0e9e91

SHA256
2c73f1d9997b0bc6574e874ab8316eb707afb069a755c9bad972258d0f067029

SHA512
daa265c0924ba6c0e1341b2f89ffda64911e0613cc3003552da5f4358eb73aa9058971c52a3e17964e4e870c5a28d6c94aeda35293886e7d73d93f1463b0387a

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
90KB

MD5
fa809b7fb9880eac1ab3fc939baaba19

SHA1
b337ccdcbfcf15edf3d48f41d2d4a175a36b26be

SHA256
54f9fe444feb62a9b59eea2a47066f07a013d7b09040faa95309b5a7499e90c3

SHA512
b1131472c754cab84c20a8cf600d962013b85cd03b71b2a6032a5e14a8381eb220e3f1e8f09a4d2c4de75a1da7a429337cd90c94b53023ef08e87ea224e6ddfa

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
90KB

MD5
cee958a7c9c478e948ef6627681d2696

SHA1
db1e9e3004df7ed445026f4b820b877e548d384f

SHA256
e6603d37a3075643e454e574d72539481ce6a6a0efdc04b210bd474f78bb3c13

SHA512
d7c4e7ed1587abd5295eca0a5e3815be08890fd02b4cc5f65862649ced969a8332263ca819a88ac91d87bf3d9b992158345eb6bb4ac6f1028ced5ce5736e102d

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
90KB

MD5
2396fa0b67b7aca557d8fbcec7eef36d

SHA1
d1a0438eab89ff9d1af3a25cd25be21e99c31637

SHA256
5d659bd823af30f4c439dd81b88955e5a3c8cb2be8bf55dffe5f8440ae51290e

SHA512
9b9e4a0e754a4f0f8c99bd04ef20422db1d9c7baf4edb577f0ae7d8b828ee1c72d8b14d4b8206b35827d240f06f4dc0608838300c04223ba1f9a32d5a10daa2a

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
90KB

MD5
5c7ff4ee01938987e4c5d90a44d87d97

SHA1
12b156bcd3f0b94ce7a47518236778946272b0c5

SHA256
12cca32fdcb3911af81d67acfee4269d052e73bfd445f0b87fdd03b16abdaaef

SHA512
b7c6e3999ba8c56d5da2c97f49233ef7e78c042f8faa65da631273804f2ebd891eafdbb9c9bc7c9e5351e8f0d0d3f27c783f1b88dfd7b41cd393becb96a1f2ef

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
90KB

MD5
1a39b368baea81a54446a5980b391abf

SHA1
30ce71f6f79525baa204e91025a4f3551c724341

SHA256
ef3cc838ebe44af6d83fe55f8582d343f0f993c6de20caa3e7bdac9bc4a7a920

SHA512
47cf0cbb8c578eef4f6321aa236d50c2905777ba8b09a65bf83ee68a8b7d82b483442de4cb0c882b5e7cdcf4be116ba3e69f958a5235b286e4aa945f76ccd04b

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
90KB

MD5
fbba675ce8be02f08f7bfa9feed2419d

SHA1
112aeee0ea253d2088ecc9517c004ad63c6b9f1b

SHA256
9c6b230ee2200fe6d56f0c076d22bf4c4bcf2abc7543e5b76cb9f0c003b8235c

SHA512
df2b74c54759c068d97dca8bf8ec54d0ee70a2574c9b8fec23896e03cdd9843fee42805a29a0ea84fb998b15c00cf3acfeac90f9455f67cba65d7ce75f9d2aa1

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
90KB

MD5
88b499b4f9a43be6dc25e40065577157

SHA1
a827ccc27aa7774039af6591fc50bb409e01264c

SHA256
c9202acb752db576243c58ada930427e04f40f2e48d62b801b7d3e85363c43d6

SHA512
3298240fa2bb569e7664e091288a21c5b5fdef62ad1d37e008e5683bbcd6cf96527bf11e63274af21c97da5bd971800c45251b4acb26dc41dd5f921cb9a4ac7a

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
90KB

MD5
3f8bf8ca20390e55a62006a3f23b6de6

SHA1
b5e4f3ea680a07c55b6818a110f6c0f5ce0c9475

SHA256
39fb8810742671bcbc094501e0a7faec589120404cdba7ffdf1e3133c3a4c8b7

SHA512
b8faa47664a33b172c41b05114e93a0589a3fc56738ba96e436cf4f08c9ac03b6b6bda134b78c1c401b86bb4dbebaa66faa74a45091e3cb557a7cbb90616ac42

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
90KB

MD5
d70f112ad84ac8cd5c6f7b55d64d8987

SHA1
f7fd193c7922fb1fa33a67f3d776561e234d6d76

SHA256
784cbc92b424b356c13f136eb162afc6aecc5cc9b973c9963be7c64734a43d44

SHA512
6506bd0994e7cde661c510b00abf869c2307eaf18bfdd6f5f408e3a30198844aaa37e18475821b519f578bfe0fe3536136aeea71f9021e42891c96ea6a034a47

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
90KB

MD5
e3532d6090908f78ead5a7b4cc6ba191

SHA1
9b3139c5d7655410fc37ce0ef6bb5c753ff1f864

SHA256
1ec08998444a8c40a9deefd5306e6bf29bc3464621be850d8ecf73a0d90b110d

SHA512
58c1e55edbab5d4492d3fb5b1bdef3a2cb557a3a6a1ad31ed4912f102fb3f8f87929c9c1599b642f8952ea656573f2ecbfa5b2c1fe83b51ca5f65d1ba396036e

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
90KB

MD5
2330a776503fde1e8c827d9fd4cfddd7

SHA1
71952852c62fbba5519a528dc62f1a387720fb4e

SHA256
a4a0d4eb6b2fe2d15cd7aa665685cf7402d78d7748e42e922db781879e78f6ca

SHA512
2b5e17d18f39199b70708016d7622d1f7e4ea03118a22b82fd3d2949e3e060510a3ad8979a79fd1f3ea26eef14eb813d535e82fb31a6664700236a411b58b304

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
90KB

MD5
ae26b906b24aca24a895abf9d5fc73ae

SHA1
f9ca2e2e82f0e61a8e2a6893c02185ebb98671d4

SHA256
18be3d659d31382311ba24aee82bbbca052422553134896e2268a478a169da01

SHA512
42f8034d1bc914e997f94e2c98a0d97383a494ce4959598a4179a7d3fa63fddb4100d23babba6a6b73528b977b30de1987c9a25c97192af52ec5d5e93381366c

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
90KB

MD5
ed96b33370a98cfa776d6bf62ebed31c

SHA1
e7c8c327eef15f27ea157f8a4e715d575d0e652e

SHA256
d8b619d8513a52c2ae2d050fd32b3b8666928e329b14366d082cac6bf5bb1e7b

SHA512
96bfcff83df8cccbf0358500b2a6ab98fd6a747f1540e446e8c9b21766a0ef000f386dc49748f29e212b90530b6a694c7f440c7c03e4acc5e74138a28ca1b948

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
90KB

MD5
de850295e1ea169e27d9ba92398b72b6

SHA1
ff017f01b4a2bf39fa2698da6dc658e174610e22

SHA256
9a440e328e7a859d06cb46517ec2efbc427666220031e860b8ace72aaaa8c17b

SHA512
5c1f182b7ff6d55f380bc340ee1bb720c2bcf54c1df1637d973f3683946c2069bdb8c0f7733ecefba667a639e7f1fd2f378dbc87598aa9c65d8a66b5abbd11d1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
90KB

MD5
1c9825bb4cf902d3d0245c855ffd6210

SHA1
dfa0f0346bf22b838f6af5c694fb846388c4de4c

SHA256
bcbee191cb85d64cef5edcd014533290f8ba3323077e718945d141ceb272fa18

SHA512
a1ce1cd35a136588eb4e39ba8632bb1c55e45f4572ab38f411900363a2feb881bd0f4fa23e88564539dc6b33f3b29f533550c669270f78679c2ea5d62e2f3f7f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
90KB

MD5
d7b134126c5af8cf9c8bc4b22dca7c38

SHA1
083a19659e5ba6b525293985e761752c4d9a0191

SHA256
6e3fbd650a7fb9809a70c5b283803a0f708a20caf99c39fc1f918e079172cb3d

SHA512
cba463e27afdf5befa32cba540128d5e87b67fd4223f029651a7e59cd5df98be96f55400a86c64dc37a96273c4d8570a9fb5386982f8740930ece9c6e1c9fa7c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
90KB

MD5
100697c5446ca26de80f435a1cf185b0

SHA1
3eccdf83979fa5a4e56374e05a7e0b2dc0c1d557

SHA256
3a2755974ebcd81b1ed0ae8b79009ef3a1fb4a4b0e646ed0718191920cfc99a2

SHA512
81927f526a71f45d7141e85d451461dcbd491e9dfab2da68d499798231b970633e48edddc40a3d1d9fdab3863fb1afe89fd1b05ea23dbd89e4caf52e6809ca30

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
90KB

MD5
e834ad3ced22f61d5a3b4e8c5fb144a7

SHA1
0d0d085a74b4acd8f01495e507fb2b2c50989022

SHA256
039138e96a6d579d657ab943225e9cac63cb5835037b005f8926b9ce15c0b64b

SHA512
8889c277fd84616e702fd7bc29086b3664109e1432f3168e95da6a59ac5b1e1a0330a11aebaeec9ae9b4027e30134b13c0c28fe5939a94adc792b139456c0717

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
90KB

MD5
ca31739b064ec2deb46774565f42e642

SHA1
3b7121fa47ad27d201b88724f226f8c8e5573113

SHA256
bf2cd0f4482cdc09ff269f3a7ac9f28693f9f9adaa678824df2d4d6014a4838c

SHA512
cb0e5fa6a83fd421883efcdbdc4542eea2e754fac20447368a6c84b1967fe83b8af4d37316df964125f4fdb9595f594973d1d9ae5dab829c7235469707ab7a70

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
90KB

MD5
414be4f34c67b85e9a8493e02e3c2e3e

SHA1
51c88dde9f79bf814b892a16190302edbf20d845

SHA256
0be158bb035fa121972ad4dd987fb183dd8335aa9a3a6e61fa2dc71bc865c006

SHA512
1ce6839303d73b504ddb560833fe50a690ad7ab9b63384f12047c09c97ed03ea87c89caa3afaaac5ebae255eaee055f4994c59acf5f7d78ac17718f08e3e4aba

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
90KB

MD5
b2df4f192ec2d0597620e3966c4133e9

SHA1
9f904bbed9c9c1f1c98ec82f1830b506d98b48a6

SHA256
7baa06aa3a1d7b307883df6c94511f836245212232f359058790e26f7d4db0d2

SHA512
d43e106d3008114e7150ab7e1532f5d0a639d4533b0a552df310da1ec2e235fcfdd8a4e57f8574d1bdcda7436409ee540ec04df448f9a4a8ca72ae7f63e0f81a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
90KB

MD5
d786654b515e46ef0f5b80d0456be54e

SHA1
6ae88e890f2df36f5ca40f4e9b5f07ccba8f7c6e

SHA256
3f5565423d98d08a826ed471350503dc352be8389da621b7a4967d8f1f8a4e17

SHA512
a78653b0baeca42cd4b9776083456e693f3a751ac1041dcf3ca63150d565df396432b1ae24b9aebb36d8aecf1b46fdef1db56be086a599debc4d931e7b34d598

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
90KB

MD5
33ff0091028257554ac9cd67ab2c2d08

SHA1
6ed28455134e1a2daaf23d5b2f6bfd1ff5567331

SHA256
f0d674ea034f5c9a81ea705db7fc0fff2c9230bca1643c3f02c282e367dc5d16

SHA512
16ea483f0cf7fbcd99a2f0b9349636e3a694031390871f409d916c618ce3f49d31d13e53ea20b6a8c512dac4ce06e021ae9e3f30dad10c93385b65b80012a672

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
90KB

MD5
ae3c595b940b21f8225f257f9b0830f2

SHA1
2277e4b919a80b65a4eb49b24fc22716f22280c2

SHA256
c154ed6b155d8f73afe6f2d0b398b444495b8f7b432427565d0c04b23617d039

SHA512
427dea72576ba834e926442cacd62c76fc43612945de443190cd5d2b7d5ea6a62ea3277e06d3a40346b8e8a801eb55147147a1962dec684424c7670d384638cb

Download Submit
memory/436-583-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/444-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/588-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/636-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/840-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1016-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1068-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1076-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1076-576-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1084-556-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1372-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1388-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1396-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1428-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1444-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1484-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1564-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1592-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1628-607-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-617-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1764-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1784-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1788-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2080-442-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2132-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2228-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2404-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2408-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2456-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2464-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2532-595-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2616-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2660-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2892-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2900-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2924-589-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3080-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3248-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3248-619-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-601-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3280-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3284-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3476-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3540-550-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3556-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3572-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3596-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3660-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3684-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3796-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3956-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3988-92-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3992-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4036-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4040-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4104-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4136-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4196-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4228-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4272-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4380-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4408-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4436-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4452-562-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4452-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-117-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4460-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4596-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4668-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4672-577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4724-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4740-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4776-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4820-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4864-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-563-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4976-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5068-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5084-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5112-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads