berbew | 8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe
Size

1000KB
MD5

d4f9f7074e0f0cb9fbb8d1cf2a10b01f
SHA1

d1fe6c2ccc0c52665e6bf560ec07881b31973302
SHA256

8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd
SHA512

7a0c01f37daa7928c4c536d819ee5a68b8b99f39f0d519a7b89d9a8aa250dc68d88c9b492cbcd3a16b8fc238ca4fa5578ac366bfa9dd6d611774c13c31db396e
SSDEEP

12288:i9piSTtHBFLPj3TmLnWrOxNuxC97hFq9o7:i7JtHBFLPj368MoC9Dq9o7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3212	Kibgmdcn.exe
1712	Kplpjn32.exe
4152	Lbjlfi32.exe
2624	Lgmngglp.exe
2792	Lebkhc32.exe
4656	Megdccmb.exe
3984	Mlampmdo.exe
944	Mmpijp32.exe
2340	Mpoefk32.exe
3156	Mlefklpj.exe
1896	Mcpnhfhf.exe
3276	Mgkjhe32.exe
2224	Miifeq32.exe
3220	Mlhbal32.exe
748	Ndokbi32.exe
1388	Ngmgne32.exe
400	Nilcjp32.exe
2312	Nngokoej.exe
1800	Npfkgjdn.exe
1460	Ndaggimg.exe
3188	Ngpccdlj.exe
4700	Njnpppkn.exe
4368	Nlmllkja.exe
1452	Nphhmj32.exe
4420	Ncfdie32.exe
3912	Neeqea32.exe
1052	Nnlhfn32.exe
2288	Npjebj32.exe
3948	Ndfqbhia.exe
3988	Ngdmod32.exe
1924	Njciko32.exe
5012	Nlaegk32.exe
3744	Npmagine.exe
444	Nckndeni.exe
4644	Nfjjppmm.exe
2196	Nnqbanmo.exe
1296	Oponmilc.exe
4840	Ocnjidkf.exe
1708	Oflgep32.exe
3200	Oncofm32.exe
4436	Opakbi32.exe
3960	Ocpgod32.exe
1484	Ofnckp32.exe
3108	Oneklm32.exe
2408	Odocigqg.exe
364	Ognpebpj.exe
1248	Ojllan32.exe
3868	Olkhmi32.exe
1928	Odapnf32.exe
1952	Ogpmjb32.exe
408	Ojoign32.exe
1684	Olmeci32.exe
3496	Oddmdf32.exe
4696	Ogbipa32.exe
4296	Pnlaml32.exe
3416	Pqknig32.exe
2736	Pcijeb32.exe
5148	Pfhfan32.exe
5184	Pnonbk32.exe
5232	Pqmjog32.exe
5264	Pclgkb32.exe
5304	Pfjcgn32.exe
5352	Pnakhkol.exe
5384	Pjhlml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe

Program crash 1 IoCs

pid	pid_target	Process
7144	7020	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3212	1412	8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe	85
PID 1412 wrote to memory of 3212	1412	8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe	85
PID 1412 wrote to memory of 3212	1412	8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe	85
PID 3212 wrote to memory of 1712	3212	Kibgmdcn.exe	86
PID 3212 wrote to memory of 1712	3212	Kibgmdcn.exe	86
PID 3212 wrote to memory of 1712	3212	Kibgmdcn.exe	86
PID 1712 wrote to memory of 4152	1712	Kplpjn32.exe	87
PID 1712 wrote to memory of 4152	1712	Kplpjn32.exe	87
PID 1712 wrote to memory of 4152	1712	Kplpjn32.exe	87
PID 4152 wrote to memory of 2624	4152	Lbjlfi32.exe	88
PID 4152 wrote to memory of 2624	4152	Lbjlfi32.exe	88
PID 4152 wrote to memory of 2624	4152	Lbjlfi32.exe	88
PID 2624 wrote to memory of 2792	2624	Lgmngglp.exe	89
PID 2624 wrote to memory of 2792	2624	Lgmngglp.exe	89
PID 2624 wrote to memory of 2792	2624	Lgmngglp.exe	89
PID 2792 wrote to memory of 4656	2792	Lebkhc32.exe	90
PID 2792 wrote to memory of 4656	2792	Lebkhc32.exe	90
PID 2792 wrote to memory of 4656	2792	Lebkhc32.exe	90
PID 4656 wrote to memory of 3984	4656	Megdccmb.exe	91
PID 4656 wrote to memory of 3984	4656	Megdccmb.exe	91
PID 4656 wrote to memory of 3984	4656	Megdccmb.exe	91
PID 3984 wrote to memory of 944	3984	Mlampmdo.exe	92
PID 3984 wrote to memory of 944	3984	Mlampmdo.exe	92
PID 3984 wrote to memory of 944	3984	Mlampmdo.exe	92
PID 944 wrote to memory of 2340	944	Mmpijp32.exe	93
PID 944 wrote to memory of 2340	944	Mmpijp32.exe	93
PID 944 wrote to memory of 2340	944	Mmpijp32.exe	93
PID 2340 wrote to memory of 3156	2340	Mpoefk32.exe	94
PID 2340 wrote to memory of 3156	2340	Mpoefk32.exe	94
PID 2340 wrote to memory of 3156	2340	Mpoefk32.exe	94
PID 3156 wrote to memory of 1896	3156	Mlefklpj.exe	95
PID 3156 wrote to memory of 1896	3156	Mlefklpj.exe	95
PID 3156 wrote to memory of 1896	3156	Mlefklpj.exe	95
PID 1896 wrote to memory of 3276	1896	Mcpnhfhf.exe	96
PID 1896 wrote to memory of 3276	1896	Mcpnhfhf.exe	96
PID 1896 wrote to memory of 3276	1896	Mcpnhfhf.exe	96
PID 3276 wrote to memory of 2224	3276	Mgkjhe32.exe	97
PID 3276 wrote to memory of 2224	3276	Mgkjhe32.exe	97
PID 3276 wrote to memory of 2224	3276	Mgkjhe32.exe	97
PID 2224 wrote to memory of 3220	2224	Miifeq32.exe	98
PID 2224 wrote to memory of 3220	2224	Miifeq32.exe	98
PID 2224 wrote to memory of 3220	2224	Miifeq32.exe	98
PID 3220 wrote to memory of 748	3220	Mlhbal32.exe	99
PID 3220 wrote to memory of 748	3220	Mlhbal32.exe	99
PID 3220 wrote to memory of 748	3220	Mlhbal32.exe	99
PID 748 wrote to memory of 1388	748	Ndokbi32.exe	100
PID 748 wrote to memory of 1388	748	Ndokbi32.exe	100
PID 748 wrote to memory of 1388	748	Ndokbi32.exe	100
PID 1388 wrote to memory of 400	1388	Ngmgne32.exe	101
PID 1388 wrote to memory of 400	1388	Ngmgne32.exe	101
PID 1388 wrote to memory of 400	1388	Ngmgne32.exe	101
PID 400 wrote to memory of 2312	400	Nilcjp32.exe	102
PID 400 wrote to memory of 2312	400	Nilcjp32.exe	102
PID 400 wrote to memory of 2312	400	Nilcjp32.exe	102
PID 2312 wrote to memory of 1800	2312	Nngokoej.exe	103
PID 2312 wrote to memory of 1800	2312	Nngokoej.exe	103
PID 2312 wrote to memory of 1800	2312	Nngokoej.exe	103
PID 1800 wrote to memory of 1460	1800	Npfkgjdn.exe	104
PID 1800 wrote to memory of 1460	1800	Npfkgjdn.exe	104
PID 1800 wrote to memory of 1460	1800	Npfkgjdn.exe	104
PID 1460 wrote to memory of 3188	1460	Ndaggimg.exe	105
PID 1460 wrote to memory of 3188	1460	Ndaggimg.exe	105
PID 1460 wrote to memory of 3188	1460	Ndaggimg.exe	105
PID 3188 wrote to memory of 4700	3188	Ngpccdlj.exe	106

C:\Users\Admin\AppData\Local\Temp\8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe
"C:\Users\Admin\AppData\Local\Temp\8225798d0af23a846398774c683abbf7d0ab96803355bb27b2a4797a9e27f8fd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\Kibgmdcn.exe
  C:\Windows\system32\Kibgmdcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\Kplpjn32.exe
    C:\Windows\system32\Kplpjn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\Lbjlfi32.exe
      C:\Windows\system32\Lbjlfi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        24⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        26⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        31⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        33⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        34⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        46⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:364
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        52⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        54⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        56⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5352
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        66⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        71⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        73⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        74⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        88⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        92⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        94⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        98⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        101⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2840
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4716
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        108⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        113⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        115⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        129⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        130⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        138⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        140⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        141⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        144⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        153⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        154⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        155⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        156⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        159⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 408
        161⤵
        Program crash
        
        PID:7144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7020 -ip 7020
1⤵
PID:7120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gjeieojj.dll

Filesize
7KB

MD5
76de80517c67dd7f263eb3915b39e778

SHA1
068725dd3b0f0a6fe145b4b336ed0965e5ebdf00

SHA256
d7b009987bf8b61a53eea76a3d672900595fd942fa8a00b30ea9dff6c592f02e

SHA512
4ef5096b341ef58fcc6761014c3a3a4d486a44d8408055979604926d00beb9867f0d1d844deb5a052e8546d04c508ff179465b550ebc9bb703d437039180ffe0

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
1000KB

MD5
cb74e206e4301234091fdc712537d072

SHA1
e85771d0468e34faa3c956b0f7b8abc23116824d

SHA256
bc9824766390db64510c7316ba709bd89d3da1aff502399472c973624cc545fa

SHA512
403add3ad43b5404edeec32f0c20b160432e2acdb955b06129bd9cae9ea1225c33c28f10d8c4a7a4964675b41a77a29a9922b1a54e24f8dc30a193e74b3cb4bb

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
1000KB

MD5
24ce6efd0904cf1a0fa7dd1dd0dcdf9a

SHA1
a97b25a7e575dfcd4618adf95275f1d5bf059cf3

SHA256
878f783c3c53e81249056a9828cb6b7efecc022897d7ecee44b2b56129b43404

SHA512
7bc7d83a6e57aa2f7a3bf8c47f4e089295a0147ae09187e4b01fe6ef0de22d3d5c047d2aec87213bf6bc596fe70684729bcbccef358abdf5f2e863d0fcc4c56a

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
1000KB

MD5
b691307d63932217ff8a83ded7f20e94

SHA1
9f8f2def17c2cc23c5a2337bb7b5131c4335c46d

SHA256
66875633c595d55e4bd5bfd4c70c3321b322ee6e11ee9d92c8ffc63e2941c6a8

SHA512
057a755fd9a54f2c7580237ea7059a01c9af1d2d8f1a92aeb630f763ee921058583d711281c072bb11990fd03ae53153143635715bb54e35b6ee226d8ac714dc

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
1000KB

MD5
6799686d3d95306341872a510d9dfb6e

SHA1
9a4eaec42b25d2e7e011e9b46cd4a0e2cf922fd4

SHA256
8d7e105580a468206b8fedc1c42c8862698553cf505602dfdf2b203889f40233

SHA512
86626ed04479e25ab745ab2ed838671ed59451b988c0cd3f728a45d295068e70fd07137ab300551ec4ad80eaa5a6721fe60eb83b8bcc0cbaf9b327b37b775b60

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
1000KB

MD5
52cdddee41d8998f8770d8bdd7baba42

SHA1
1a2cc0593d204bd4c7a404fa48e50ac9c4e9546c

SHA256
0c37b5eb8e0e28c819d4cb36081227ec67489e2b24b6b679c69afe10d61f8c29

SHA512
e78cac521ce7c05b82f1144fb6d5a44af6d31dfdaef20712e279b5a3768a426b1fb42814b7731fa3266190cfa924983b3f0779f3574294befbceeb47c02e97de

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
1000KB

MD5
e0153ff01e22d3cc736647d8bd92d07c

SHA1
eaca2888cfca1115197d35cff4e76f1eb45f7be7

SHA256
d685c0e32838766532528ea8fcf2821e9a28947621a2a55405fab1e4a3c8828f

SHA512
09dffa962e0b813f146750f6c58dd528139e977d6047f9deecf96574c422ac0d27af121165091881bff556cdc2ae7693b5c012a172d546dc3aa10fba542b261f

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
1000KB

MD5
05bb04a021733ec7d93d0145208225e4

SHA1
5127e2dfcf016266ba4b72486c2bd876bcd39d14

SHA256
5aba36e1c4293d6b8e40f34639e07ea3a21261cc389d6d5d3773f92dcfc8505c

SHA512
dc02e780dd0129aa796d0126833b6d0d1c45bbeef4aab1ae314b4ff3357c2c3d38cb340aab7a14cacdfef0401abb11ffbbac9688e91999574989f9f01c4315b0

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
1000KB

MD5
84e67479b0d3811bea586f72e917c001

SHA1
8cb3aaa112989d624a923747a24fea095e5901cb

SHA256
328e1cacfe7c0f8a3ff30461b802b4849b56888e8dd40beddcbc4e3991a5ab5f

SHA512
8ceca27490f488b6f6cd737bf58d798be0c9fb17c9ce3448c97259affe1817adc86dc192411c2e84ec5c2da73a05a551954ac8bc69a7d27a75bab42212cc8e10

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
1000KB

MD5
400ba034130403ca6fd8ec9403966d77

SHA1
bb4af3052b5394ebb3700369417da0d981cc38a2

SHA256
435b4d924c72ba454c7a7106b0cc638679e9207b36adc319964f5223cacff517

SHA512
561a4184da9f91e5945e48755ecb2f2db5be70fde7c279cd1420de3e919f9689a880d896b9c8ca68d6ec0582f49ee4aebb8aa3d559f50880be70fc9a2ab1ff54

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
1000KB

MD5
ec3643579bf106d66a185bb364e55bd9

SHA1
d20c60a7a02b12db108e7872d66b39962725d53f

SHA256
a5e34b3320693ed1a284678920453f721eae99487cc0866c54b1c31ad74b0166

SHA512
50932025928e91f8866ddea801f21254e0cb6c0f15876eb8627b29df8544ba0946c18852059610eb95d88aea0ba9844f5189593d632b7a2b7ae8a9ba763d079d

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
1000KB

MD5
2c53e43e12011df198a07ee56515e3ce

SHA1
860691004236ee11dbd3e841ffb25ed3937fc601

SHA256
b3651572598ca9dc1f8cf5982d5287e2f42f9f26602b6066f8f15093131fe7d0

SHA512
6ff6b6d21efe79f0b3a3f4648c2b0f411043d99223cbab5a00bdb534bdb8504c1ddcc19cadd9e3dccecb1caa943a8f1a70fea54d3af488300525d73f1e4e99f4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
1000KB

MD5
ced91fb37c36588af6e9ca6a91be8fa5

SHA1
684564e07dc2ed2c63a73d9010fe3e53a1f0186d

SHA256
6ac3c02c5ee42dc560f94fe92173743fa8ed3b69fa3e3249c37f8c0daa04c99c

SHA512
af279cec7b3e8322b70a2eedd4b738a27422cdf07dadcff6db51c7d09aa2fc8f005656370c7e46c16fdb8904a7475a7540728b5c23c2eddee0a163e55916ad22

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
1000KB

MD5
0494dc42834a60e03adc4f3e8ed270e4

SHA1
23d662f9d6b9a8f51626ad441c7fe48524f86ccf

SHA256
3851a88ad3ead2028165660408e87afe9feb15a0441553b30c16254c5e3cd2c5

SHA512
d89dd87b22732a378827a74adcf052a48055dc38548cb0930fd5a8ca898814b55483c4257d166735169761bfabbc7466e57fab49868134fccb04532404b08289

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
1000KB

MD5
346d02cab033ab36b99c0f043a22f3ef

SHA1
a4229b4c0610a394cb3cd99c0464ab2219b4d9cc

SHA256
ab9e8b810712137ca1ae7d76d50824e43d1b161c8f15a62e67fa9fd8f135b320

SHA512
bc7ff510ad828f92469ba8f855933d868fc56ed9df7a1d6f02d08277180dce29caca034aa7e6ad062401f4e5cd32ea1ad177b86efc0104c06092a4cbd8dc8131

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
1000KB

MD5
63065638413127b9ea47e1f1e35559b8

SHA1
297fe0c2a49e4b76475d9536ca3e530d6222d4a5

SHA256
5c1e7dc324a15382d796d877c881d2cc5ac18ddffbc545c940a473299e699d14

SHA512
19deb65955fbd2ff52a10a394096dac13efdf5cfc73708bf68c860f6350096ff59a157e0bfc1e4f22b828e6d9b23ae55cfc293513b703e7defd391683a9d4247

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
1000KB

MD5
8fd8b3c878fa3b3c021e30096a44b3a8

SHA1
4198d9b91059fe26e6b873ccc6300a62770b1241

SHA256
4ee3777d9115ec577dc9206e009f242edd1e8a2a5dfb16ec460a381dcbf8a0d9

SHA512
ba902886c095a2c1cd073d70dd7e9f3c465a1c3db54b6bb8b7e23d0f404ec4d40d4f1a99d4f539d9d49115318abf10072b3e06336dd868492bb4336ab7e0a07f

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
1000KB

MD5
ae8ca89dfd2a725e61a169c29f1cd1dc

SHA1
9c838c4f79e2ba82ffd58907a9d203e77c0aec27

SHA256
55987ad0ef3a89ca2d335c1383d27f03341aeea42660ab9eb96a33e7f079ec43

SHA512
18d46658b56cbbbde69e45cbd82b1e33b0e477624239213c7fa8d93f8eedc7b9f3bf73f9aab3e42c871245c224d50695ff741143c9d0daba94a0dffa088c3185

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
1000KB

MD5
e0870acbaf22f2b7393013f9621032e1

SHA1
b175c369513d0acec10fff11b830a832601343bc

SHA256
15cea2f25115956aee1db6bf91192ee15d15f2fdf510a0776b1b3bb1f4fde446

SHA512
2b5cad0f881b0a413494ccb41f76acf731bcc3249baf1317e4f806fbbb51d629c59de37f0ea16ded49e41458e95f730de7fbde7c2ed9a91b3b05cc4f2b53e554

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
1000KB

MD5
52ecf284222c20e8457803559c911c14

SHA1
07caf11781c2441b49968580265175b45405dc62

SHA256
5272452408425cde0b8e235a8a454102aed9db4f10da80bf9643c975921dd25c

SHA512
ff9997806672960c6619c47007915605db5b9a928fcd3336d6560bf9a97a84412f1ba89e7e1e00d5b83ecb7d04f67169441128650e3542758e55d23e62a64d29

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
1000KB

MD5
54926d4d1218705095bec9f777a9f730

SHA1
ad3aeae6a1bec6b3c3219be508caa0e1db9d61f9

SHA256
386abd9b6b5e70aa01568f84ca3cbd1accb6bef656bf8c9ab8366b0fb25b0f50

SHA512
37f8013c8fe1046e42b8a903a2c837d5fe5a9d5fad9336532f1bedf88c164b48657898276a5a23295fd008d2a7445f1e33e62da848a839a42dee21b8da989ce2

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
1000KB

MD5
92fa294a617795ec3a6c9ca1b964281b

SHA1
8b8afb2dcde7377c0bc81f846f638368589c287f

SHA256
a19cf0f44f8e201e9d9750a62dc0ff339a4766f9104b8bf1262451a8c3fcbe9a

SHA512
20e492727df312a4a2079f51c85d836fd49923300c2f7a8fa53570683a53035582b0506876f3306e5d096e953647f305a8face69a1ce132d49032521c805ba14

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
1000KB

MD5
1c6b8aaca02c34b077682e848032de7d

SHA1
6e5b5a2cbb95e51e433194691e47e26a12ac0410

SHA256
09a8dacba0fe80750b2f5fbc115e8eda4a4e4e7dd6e3c67e0afe9561ad3bb0a5

SHA512
0c51b53bf27d6fcee97c3a3b3c6639c1200eadf460f0f9f78eee05341099fa14053a2beb776de6fd310c1be80c0b082650d84fc62f07159d06e023b80ec6048c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
1000KB

MD5
6a280920f9a1b058e8192f735c42b0e4

SHA1
061f27fd6aba2114c393784e44bec2e24c96c595

SHA256
c9b6872ebeb68c5bb40e895e2ca34976253088a16b36bdb3666fa819daa85284

SHA512
424fa04bd2d887061c6704494cb0d6d4dc509985932df2cde362c694000b3882dc47794f70bae14f0af03ed8b3c8832ecd4754ccaca74703806ef91c1d68eb95

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
1000KB

MD5
b1a4db4b46e7097f2cea403f5671c6f5

SHA1
9b4c4d0078707dc2e44c0e0804cf2825f4405ca9

SHA256
5f3116bce0ce553473f8f3cac89e2bf5545818e31be3a9c21c36d1398f14dc53

SHA512
6436fe63bfb73aeca455404a6972465c67e48d57ecc8192214690600ce61e0470a03bcbed5882fc841538f22ca83dd27b88bb0c7aa1951e3ea1ea3430fb7f7e1

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
1000KB

MD5
dfd7f66e9d369d14255806ca86d8a77f

SHA1
11f5437982c16bcfb86dfb7101f0455fbc9faac1

SHA256
2015fa5f0c3b193b498250d3214945b320ff4c7462ced52dd6f7756435f1c677

SHA512
c66a72a95f5a1feeeb2a8d1632a37c802b8e469964543f7e080334a38303b1b0c3e9da6b5f54faf58a991748ce63bcd1760612df0ff5546d088f7b020caa1fa6

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
1000KB

MD5
f8cad170a18907848199da442382d929

SHA1
1c05a1f0c30037436b345d7062e31e893046ae65

SHA256
a2c805ffe8f4c0cc613ae911fa4d715f218ebb63118fbe2a4f76968ef8fe1d0c

SHA512
64ee776e906a82741778306dd8beb418efa9e71749b04d021e2b9bc9c8b60dcded4ddd7cac14e26f43f04fed3e46f74e49e7ea18f0e79cd19f5a009e543d6dd6

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
1000KB

MD5
5a0aef4a63c8d3cb5f77331523748f5b

SHA1
ff11809a3c424a24c4539ec58d66fc3668d6ec13

SHA256
bc7156a570670f5a258e7b9ab19a5644ab20fea5b733ba135723257644f28690

SHA512
58aafc600a5d047e34e9bbcdc2848a9233dc952cd5e173c2b256a7b3e98bcc4f21aba4d327c1d4827fe4d5aa8fc08e23538511243757aa8921f89798922cf8b7

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
1000KB

MD5
dbf1864ea93c948f802fff919919991f

SHA1
ff5cfe2d6ff0a48107ca2fa1353c01691d8aae8c

SHA256
fe8dcf0c10e1bcd2d43a76eddaf91dde0b5b5bfd17772d6c58b5f7bb3a492571

SHA512
c5e9a37d289b24c6cd30766f6cce36a2a7af778371280a01bbd3643e840c1446c93e2bfc027308802ba9894bb49e0a7f22982944302d5aeb875d1efccbbdc516

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
1000KB

MD5
c1a6631d88d524495180e8f012b0372d

SHA1
b5bcc4568c10cd20bdffeeb11fd0a20ac3be8fa1

SHA256
d989594267e80ba9051f10aacabfdf328abdd2af897a6a8bfa8153d251f273c3

SHA512
89448ce5e49253d44f8d175cfbbacfd5524b310fe472b0affc31468378a5aa110e228a6d0390686f9f1e5df62c4e155d58b350f4362e3071328beee222a6ed65

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
1000KB

MD5
308889b0251ddf76e5da2811c8eb164a

SHA1
6aa0447787fb06f03ff88d3c65c66d207b8240a1

SHA256
bc65c5dedf6a34b5cab72935271dbfaadf4a6e820c077e74bba80c548efda5da

SHA512
88c758cf8607d05b5af9d972a50dceac042a833898278c3b5d9ec4df5e3221ca6836a9ff9861f0769755316b522c903f35c27b09265a7acfbc77befec5ca8641

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
1000KB

MD5
3405f1e41ab1770dd78e6962f676d9b1

SHA1
68305a2062bb45e86c8df5b51225acc535bb513a

SHA256
0a95a0e07b73a711a4e94d1ff8f2ba29ce06fd24f773c1253111a84b024a966c

SHA512
f8425718ad06f22cf281207914a352306d06b210997b9aba993059a901bc87d170269b81d2794334fc18c87ac3b49d96ad163bdda224e55fe476e5cf716f20a5

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
1000KB

MD5
3c42717f2e6b3d66b8714217f00271aa

SHA1
15475b6da1b667f759cd8e382f1b607d2ccf042f

SHA256
ec890730f09cec56c77c33b6d0cb2585bece5c007eeee1f574b80dcc8b9d3522

SHA512
50ca8939f81758614b97923246bcb7e72c33f31f32c1300fbc659a700674722834a5107b3f720ba50f106f24c5b537b000005359fd30afdc7b66762f0f612701

Download Submit
memory/264-603-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/364-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/408-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/444-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/944-602-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/944-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1296-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1452-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1484-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-590-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1800-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1896-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1952-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2224-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2792-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2792-582-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-583-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3156-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3200-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3304-596-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3416-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3744-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3988-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4152-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4152-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4368-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4644-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4696-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4700-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4840-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4852-576-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5148-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5184-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5232-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5264-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5304-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5352-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5384-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5424-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5464-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5504-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5544-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5584-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5624-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5664-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5704-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5744-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5784-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5824-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5864-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5904-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5944-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5984-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6024-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6064-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6108-562-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads