berbew | da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Size

94KB
MD5

af4090b11eeef59e47f69e3357be4440
SHA1

60201b29f7c18fbb39bc964a2a2b06acfa020016
SHA256

da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5
SHA512

83cdf6791761cdc465d9291516ebc9f6749b4421eac4649cacc004ee6d199c13700bc22bf224db892f910aa3e135867f4d4d408980ca0a58372748ad339497ab
SSDEEP

1536:rytTtvGMVEL7Xr+0CkNbnIlxbSxR+LfwLP1voSDGegBeD7iH6s9+zruC7BR9L4DV:rytwNL7X60ZMl5OQ4H6HF9dC6+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnknqpgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oepianef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqgngk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnknqpgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqgngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqdaal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjcnfcn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
1508	Moloidjl.exe
2224	Mbkkepio.exe
2912	Mdigakic.exe
2284	Mbmgkp32.exe
2640	Moahdd32.exe
2636	Ndnplk32.exe
2460	Nkhhie32.exe
836	Njjieace.exe
2156	Nqdaal32.exe
2908	Ngoinfao.exe
2988	Nqgngk32.exe
2904	Ncejcg32.exe
1260	Nnknqpgi.exe
1032	Nqijmkfm.exe
3040	Nffcebdd.exe
2216	Nmpkal32.exe
2228	Ncjcnfcn.exe
1988	Nfhpjaba.exe
2232	Ombhgljn.exe
1908	Opqdcgib.exe
292	Obopobhe.exe
1972	Oenmkngi.exe
1616	Oiiilm32.exe
920	Opcaiggo.exe
2808	Oepianef.exe
1592	Ohnemidj.exe

Loads dropped DLL 56 IoCs

pid	Process
2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
1508	Moloidjl.exe
1508	Moloidjl.exe
2224	Mbkkepio.exe
2224	Mbkkepio.exe
2912	Mdigakic.exe
2912	Mdigakic.exe
2284	Mbmgkp32.exe
2284	Mbmgkp32.exe
2640	Moahdd32.exe
2640	Moahdd32.exe
2636	Ndnplk32.exe
2636	Ndnplk32.exe
2460	Nkhhie32.exe
2460	Nkhhie32.exe
836	Njjieace.exe
836	Njjieace.exe
2156	Nqdaal32.exe
2156	Nqdaal32.exe
2908	Ngoinfao.exe
2908	Ngoinfao.exe
2988	Nqgngk32.exe
2988	Nqgngk32.exe
2904	Ncejcg32.exe
2904	Ncejcg32.exe
1260	Nnknqpgi.exe
1260	Nnknqpgi.exe
1032	Nqijmkfm.exe
1032	Nqijmkfm.exe
3040	Nffcebdd.exe
3040	Nffcebdd.exe
2216	Nmpkal32.exe
2216	Nmpkal32.exe
2228	Ncjcnfcn.exe
2228	Ncjcnfcn.exe
1988	Nfhpjaba.exe
1988	Nfhpjaba.exe
2232	Ombhgljn.exe
2232	Ombhgljn.exe
1908	Opqdcgib.exe
1908	Opqdcgib.exe
292	Obopobhe.exe
292	Obopobhe.exe
1972	Oenmkngi.exe
1972	Oenmkngi.exe
1616	Oiiilm32.exe
1616	Oiiilm32.exe
920	Opcaiggo.exe
920	Opcaiggo.exe
2808	Oepianef.exe
2808	Oepianef.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nfhpjaba.exe	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Ombhgljn.exe	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Oepianef.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Oefcdgnb.dll	Ngoinfao.exe
File created	C:\Windows\SysWOW64\Mdigakic.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Kahmln32.dll	Mdigakic.exe
File created	C:\Windows\SysWOW64\Mceodfan.dll	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Libghd32.dll	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Nfhpjaba.exe	Ncjcnfcn.exe
File opened for modification	C:\Windows\SysWOW64\Moloidjl.exe	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
File created	C:\Windows\SysWOW64\Nqgngk32.exe	Ngoinfao.exe
File opened for modification	C:\Windows\SysWOW64\Ncejcg32.exe	Nqgngk32.exe
File created	C:\Windows\SysWOW64\Obopobhe.exe	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Njjieace.exe	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Moahdd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnknqpgi.exe	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Qenpjecb.dll	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Bghlof32.dll	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Moahdd32.exe	Mbmgkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpkal32.exe	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Opqdcgib.exe	Ombhgljn.exe
File opened for modification	C:\Windows\SysWOW64\Mbmgkp32.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Ihfmfdjf.dll	Moloidjl.exe
File opened for modification	C:\Windows\SysWOW64\Nqdaal32.exe	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Nqgngk32.exe	Ngoinfao.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File created	C:\Windows\SysWOW64\Mbkkepio.exe	Moloidjl.exe
File opened for modification	C:\Windows\SysWOW64\Mdigakic.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Nnknqpgi.exe
File opened for modification	C:\Windows\SysWOW64\Opcaiggo.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Nqijmkfm.exe
File opened for modification	C:\Windows\SysWOW64\Opqdcgib.exe	Ombhgljn.exe
File created	C:\Windows\SysWOW64\Oepianef.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Oenmkngi.exe	Obopobhe.exe
File created	C:\Windows\SysWOW64\Opcaiggo.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Mbmgkp32.exe	Mdigakic.exe
File opened for modification	C:\Windows\SysWOW64\Obopobhe.exe	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Nlcckc32.dll	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Nafbcl32.dll	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Nnknqpgi.exe	Ncejcg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Nnknqpgi.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Nqijmkfm.exe
File opened for modification	C:\Windows\SysWOW64\Ombhgljn.exe	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oepianef.exe
File opened for modification	C:\Windows\SysWOW64\Mbkkepio.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Pbbfhefe.dll	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Ngoinfao.exe	Nqdaal32.exe
File opened for modification	C:\Windows\SysWOW64\Ngoinfao.exe	Nqdaal32.exe
File created	C:\Windows\SysWOW64\Ncejcg32.exe	Nqgngk32.exe
File created	C:\Windows\SysWOW64\Pfiffp32.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Dpeack32.dll	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Kgggld32.dll	Ombhgljn.exe
File opened for modification	C:\Windows\SysWOW64\Oenmkngi.exe	Obopobhe.exe
File created	C:\Windows\SysWOW64\Cjjdgm32.dll	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Oiiilm32.exe	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Jligibpk.dll	Obopobhe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	1592	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obopobhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oepianef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdigakic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moahdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqdcgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkkepio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmgkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqgngk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnknqpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngoinfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncejcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfhpjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhhie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombhgljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oenmkngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjieace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqdaal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njjieace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnknqpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkhhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcckc32.dll"	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feiefo32.dll"	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnknqpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfpegkn.dll"	Nqdaal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeack32.dll"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ombhgljn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjdgm32.dll"	Njjieace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghlof32.dll"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefcdgnb.dll"	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oepianef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll"	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll"	Nnknqpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqdaal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1508	2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe	29
PID 2552 wrote to memory of 1508	2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe	29
PID 2552 wrote to memory of 1508	2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe	29
PID 2552 wrote to memory of 1508	2552	da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe	29
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 2224 wrote to memory of 2912	2224	Mbkkepio.exe	31
PID 2224 wrote to memory of 2912	2224	Mbkkepio.exe	31
PID 2224 wrote to memory of 2912	2224	Mbkkepio.exe	31
PID 2224 wrote to memory of 2912	2224	Mbkkepio.exe	31
PID 2912 wrote to memory of 2284	2912	Mdigakic.exe	32
PID 2912 wrote to memory of 2284	2912	Mdigakic.exe	32
PID 2912 wrote to memory of 2284	2912	Mdigakic.exe	32
PID 2912 wrote to memory of 2284	2912	Mdigakic.exe	32
PID 2284 wrote to memory of 2640	2284	Mbmgkp32.exe	33
PID 2284 wrote to memory of 2640	2284	Mbmgkp32.exe	33
PID 2284 wrote to memory of 2640	2284	Mbmgkp32.exe	33
PID 2284 wrote to memory of 2640	2284	Mbmgkp32.exe	33
PID 2640 wrote to memory of 2636	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2636	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2636	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2636	2640	Moahdd32.exe	34
PID 2636 wrote to memory of 2460	2636	Ndnplk32.exe	35
PID 2636 wrote to memory of 2460	2636	Ndnplk32.exe	35
PID 2636 wrote to memory of 2460	2636	Ndnplk32.exe	35
PID 2636 wrote to memory of 2460	2636	Ndnplk32.exe	35
PID 2460 wrote to memory of 836	2460	Nkhhie32.exe	36
PID 2460 wrote to memory of 836	2460	Nkhhie32.exe	36
PID 2460 wrote to memory of 836	2460	Nkhhie32.exe	36
PID 2460 wrote to memory of 836	2460	Nkhhie32.exe	36
PID 836 wrote to memory of 2156	836	Njjieace.exe	37
PID 836 wrote to memory of 2156	836	Njjieace.exe	37
PID 836 wrote to memory of 2156	836	Njjieace.exe	37
PID 836 wrote to memory of 2156	836	Njjieace.exe	37
PID 2156 wrote to memory of 2908	2156	Nqdaal32.exe	38
PID 2156 wrote to memory of 2908	2156	Nqdaal32.exe	38
PID 2156 wrote to memory of 2908	2156	Nqdaal32.exe	38
PID 2156 wrote to memory of 2908	2156	Nqdaal32.exe	38
PID 2908 wrote to memory of 2988	2908	Ngoinfao.exe	39
PID 2908 wrote to memory of 2988	2908	Ngoinfao.exe	39
PID 2908 wrote to memory of 2988	2908	Ngoinfao.exe	39
PID 2908 wrote to memory of 2988	2908	Ngoinfao.exe	39
PID 2988 wrote to memory of 2904	2988	Nqgngk32.exe	40
PID 2988 wrote to memory of 2904	2988	Nqgngk32.exe	40
PID 2988 wrote to memory of 2904	2988	Nqgngk32.exe	40
PID 2988 wrote to memory of 2904	2988	Nqgngk32.exe	40
PID 2904 wrote to memory of 1260	2904	Ncejcg32.exe	41
PID 2904 wrote to memory of 1260	2904	Ncejcg32.exe	41
PID 2904 wrote to memory of 1260	2904	Ncejcg32.exe	41
PID 2904 wrote to memory of 1260	2904	Ncejcg32.exe	41
PID 1260 wrote to memory of 1032	1260	Nnknqpgi.exe	42
PID 1260 wrote to memory of 1032	1260	Nnknqpgi.exe	42
PID 1260 wrote to memory of 1032	1260	Nnknqpgi.exe	42
PID 1260 wrote to memory of 1032	1260	Nnknqpgi.exe	42
PID 1032 wrote to memory of 3040	1032	Nqijmkfm.exe	43
PID 1032 wrote to memory of 3040	1032	Nqijmkfm.exe	43
PID 1032 wrote to memory of 3040	1032	Nqijmkfm.exe	43
PID 1032 wrote to memory of 3040	1032	Nqijmkfm.exe	43
PID 3040 wrote to memory of 2216	3040	Nffcebdd.exe	44
PID 3040 wrote to memory of 2216	3040	Nffcebdd.exe	44
PID 3040 wrote to memory of 2216	3040	Nffcebdd.exe	44
PID 3040 wrote to memory of 2216	3040	Nffcebdd.exe	44

C:\Users\Admin\AppData\Local\Temp\da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe
"C:\Users\Admin\AppData\Local\Temp\da3a39355fc7c82ad819ded1cf68739d4c2bea45f07aff0006f4e8bf08460af5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Moloidjl.exe
  C:\Windows\system32\Moloidjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\Mbkkepio.exe
    C:\Windows\system32\Mbkkepio.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\Mdigakic.exe
      C:\Windows\system32\Mdigakic.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Mbmgkp32.exe
        
        C:\Windows\system32\Mbmgkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Moahdd32.exe
        
        C:\Windows\system32\Moahdd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nkhhie32.exe
        
        C:\Windows\system32\Nkhhie32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Njjieace.exe
        
        C:\Windows\system32\Njjieace.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Nqdaal32.exe
        
        C:\Windows\system32\Nqdaal32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ngoinfao.exe
        
        C:\Windows\system32\Ngoinfao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Nqgngk32.exe
        
        C:\Windows\system32\Nqgngk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ncejcg32.exe
        
        C:\Windows\system32\Ncejcg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Nnknqpgi.exe
        
        C:\Windows\system32\Nnknqpgi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Nfhpjaba.exe
        
        C:\Windows\system32\Nfhpjaba.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ombhgljn.exe
        
        C:\Windows\system32\Ombhgljn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Opqdcgib.exe
        
        C:\Windows\system32\Opqdcgib.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Obopobhe.exe
        
        C:\Windows\system32\Obopobhe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Oenmkngi.exe
        
        C:\Windows\system32\Oenmkngi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Oiiilm32.exe
        
        C:\Windows\system32\Oiiilm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Opcaiggo.exe
        
        C:\Windows\system32\Opcaiggo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Oepianef.exe
        
        C:\Windows\system32\Oepianef.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbkkepio.exe

Filesize
94KB

MD5
b13c236fc6d6895fd7b1abb2cc72961b

SHA1
ec9d9a3e5b7d04a768f3d198570cf363a7b82dec

SHA256
1fefea54c5f4b13b9f256b4aea66f63260b3c32944928c4894a74f927df40c79

SHA512
bf0ce5fbbade6d67f55913ca6d317127e7f7bde01939c02071e306bc3305bcd6565e88528cf9bfee73be6deb67f41acff05a509358fc6d9dc84c9ebe8d806ccd

Download Submit
C:\Windows\SysWOW64\Mceodfan.dll

Filesize
7KB

MD5
e270ce786c00ba877f0404611a04af1f

SHA1
5fcf3886e4886812a92a4df92bb59f0c3d3f0969

SHA256
57f15c2074c8edc6409b9eb34aef78029896e49fedf093df37b9c6e5ca730d70

SHA512
ded8e2fdfce0b01ae1906e72a7df884c60006b2135f819ec87c5d0441283b18f7307711eb5467811950da5c6d6b242898c2dd89d472a9ec934471c380760889f

Download Submit
C:\Windows\SysWOW64\Ncejcg32.exe

Filesize
94KB

MD5
230b4af8dc61ee8b7525202ef2a2b218

SHA1
42adb6923251400a0912efbca5e1a614e393e4b0

SHA256
f82f6e16ba2aee9d9cd4baff1a5bce15849b855eeeae9e95b9fdcc2d9a8ceed9

SHA512
cb255155a27fe370eea589d35d87c93a8b6e78a25ca459829fabb88e1acd7153e95c0b5f2a1c2a12bea8618a18959e631bad7a3a978bb9c2d7fd2defa8967f01

Download Submit
C:\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
94KB

MD5
3803ee229e6795398b0f2fa34af9ff28

SHA1
a4342fc56034773da6383d64b87263f96f8702bd

SHA256
602a295d3477297b9e32ac9bbe8619a21bdaecc5e77025da62eb91681d96af04

SHA512
fc3460688ad13c953ab636a822744ef5238fe3dc278f294d6e93445bd8094724576383e93a93163c7d423d79d1258d4dddebb976485686f88d648eeaa9c854b1

Download Submit
C:\Windows\SysWOW64\Nfhpjaba.exe

Filesize
94KB

MD5
a9d3fbfe3e4e7dc1aa4b8528c79d0e1e

SHA1
156bce9c2828931324becc383ac5e8c147aacfba

SHA256
33e39e31e76be410c9fd80ec6ce28d0f07369ce3100202bf6407240a4f5d98e2

SHA512
05f8d33a100012e94d099abee44f0bca401cd3577c7798053e106055d0f096d7bc462f50318170d0e748ceb76d69c64f98a1228b73cb081617a3a040a3fc7b24

Download Submit
C:\Windows\SysWOW64\Ngoinfao.exe

Filesize
94KB

MD5
fa6f974f417db7f4c8f94280dcfec2da

SHA1
fa6d1dcef153c01543e2cce7f9129d50f940f158

SHA256
c6ac7dbc9794b0ffa3233317c5232209e189bc6b3bfb07480de01c5ad92ee508

SHA512
bb283ddef241b151e62b5888dee9cf0f7047d158e0e8c83a59b78f9f01ebd55b7617707cec9551a78215759f92ea106075cc2894d0b3992d1431946047c5e6f4

Download Submit
C:\Windows\SysWOW64\Njjieace.exe

Filesize
94KB

MD5
72f8874f06010ddce215311a2160aa14

SHA1
39fe3fd01c6ed0e08546120d12f95239d6491952

SHA256
33475f6ecd55011a648870aaed3a5b97b42f3719ef03b0ebb4b63d060192e149

SHA512
7d48f900b659b1009358068ab63b0150d6a9a0a3bb8de7c2dc8dc3d52915c63c170bc059f1a6e674ef0bcf6ba37cf0dbc83348845b4d9f115f201305ed2b8898

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
94KB

MD5
b7b6f1d13ea799e7cd4635e7b057639f

SHA1
d607b87ee122616ef6a6cb30544bf9e7e7d15dd7

SHA256
68e4a4255bd1ea65f4404f25567405a25277d8ed0431bcf90f6ef27e8e4b597b

SHA512
bd80bf08a52cbd6144cebcc90badc47fc3ee16a15fa742759217e7da9fbfecb128b907d85a4954940cee4b8a8e7ddf4ae3693f54a48f7776fe04b417e03cac94

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
94KB

MD5
c318c85296f7f312883c3722fa253bb5

SHA1
08e38815e2fee187f3b519a67df65d472479eb9d

SHA256
a999a6f875a8527c66bf1f87e5dc65a692d77557d1e32301ee4049b2a7505531

SHA512
7e0598c6684b06a82eabfb72f3dd7b015400a9d4c73a45fcb1aa99c4ec405480a47d203c0f32cb54e74b992f8a3bc3fb136132e0273f1ea5ce2db424730633bb

Download Submit
C:\Windows\SysWOW64\Obopobhe.exe

Filesize
94KB

MD5
39ecd51db8212fd3de078bcc9570a4b6

SHA1
97e9451e447f8802c4f695804abe4c87b186c3ad

SHA256
26e567dbf4e19374787f377e88063e440f6fcaaef74a269e415df95ac692ece5

SHA512
76453afd6a411f8ebb129d06a821d57475384020488a0803478833c2454167f8329461eb0b090809413b50cbdebabcd111f634374a4eaa5764b04f8a4ed15939

Download Submit
C:\Windows\SysWOW64\Oenmkngi.exe

Filesize
94KB

MD5
7037b49e9f10eb3fd1ee881907e0b15d

SHA1
bc1e7de8b20360318ea81e1519343039b134fa01

SHA256
1f9903b326380c2fd3501cc81b0223334f31c9a9da7f84c0bef0a1e9737a44ae

SHA512
bc68541eef51a2ba6d51a2a34c5be8c040b0dd8abbb6470b8afa13e59cfcecb19a7bf98e03d4ea676baa29ef3d8a7b97bf322b831ffd176593dd15e88d4c3c87

Download Submit
C:\Windows\SysWOW64\Oepianef.exe

Filesize
94KB

MD5
7a839b78d8d371fd68ed3c66f9c07050

SHA1
a92c60bb0882449b4038c5ec2d0e23944cf251d8

SHA256
40e1f47b46396de31b147e061b2a00ab2967fe544f2550682ce24525a9249938

SHA512
ca2f8dc516bcef43df26a1e1be01873a0322e3d73989869d1d9581d8f05d5e2b5414a5332dffd06bb4c6d5385f8a3ea0178a28a0ef252f742bcfb5954bf94404

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
94KB

MD5
baebd69a9d6b0c5c3d3d787110853016

SHA1
9116ad4543e1eaec9cbaf35b496197be543029e9

SHA256
588d09643fe15ce5a45d15016d7dc3097b5d71c2cfdc4ebf9a3581f42c9f82d0

SHA512
8d8673f0ca13c0a708ed3fd79b340f4ab9c1e7c391bf32416d844d1d121b0b2322b8fe8044647fac2bf92d960fc5f18a2ac3de18714ae5f5823da3efbf6f701a

Download Submit
C:\Windows\SysWOW64\Oiiilm32.exe

Filesize
94KB

MD5
70cf0a4d28e6fe44b1003e14ea9cac0d

SHA1
d8933c8fa550dc84d611106ed6351bf257c0839e

SHA256
6a5d92cdacb871f26043c780621ef7fa905b740f4059ce4b1ea5cfd1effde257

SHA512
1d9a0b18b7188710cea15072c2332a5079ae68a0e3332eeb16ab75b8ba268df9697349a908b07231c37f101b274ede1b7bd17d401e36bdca63c42a95eaa1f563

Download Submit
C:\Windows\SysWOW64\Ombhgljn.exe

Filesize
94KB

MD5
1b28b08f6d16f99d7146f9d77e42c925

SHA1
c21942157aea0981993b443fcff2e8ce390d707c

SHA256
d3dae02a286a7799dd72731125ec667f92d2cc852d898476f184d68701775a6c

SHA512
9705987758c27507f1c371acc2b3118c7cd361795d8c3c0b57911e388b709bd170c7da81de78194429f6df3f52abd273d36fb02d708163ff25d2c7f207fd8f03

Download Submit
C:\Windows\SysWOW64\Opcaiggo.exe

Filesize
94KB

MD5
29221eaa3be0ccc9f213089357909ff5

SHA1
aad86b3cc42a9dcdd828bf6312b0c30a626828ab

SHA256
b68afaa01f342611569d53d71d57a840642ccf4a1d9d4d3f78ee7c9dde149048

SHA512
312b21e2c695595bb6ad3a19c50c741893e601cae0211f5bc9c21504ea3acdd1b662e6d7966777d071951f2c898bd41b454ce53a00339f4cfef34b78718337e6

Download Submit
C:\Windows\SysWOW64\Opqdcgib.exe

Filesize
94KB

MD5
35fc10da331909d21d67925d38247cfa

SHA1
61eb10e5435262de4c40c547c9ddac12b9c2a2c9

SHA256
37756d3ec333312d2e0c0e00c28546e3f88da37d21a470e90c9ec840022547c2

SHA512
956deb873213142d4a8ad71d033aba274a7dc4a945bd02af35001260c57a219498763faae7c39f91eb9fa420526b1fe1441466a265277e33682fe48cca02d8a3

Download Submit
\Windows\SysWOW64\Mbmgkp32.exe

Filesize
94KB

MD5
9b908fd7250220eb03f3f26930291dcf

SHA1
7de28d827222d8ae5127eca6c245310ed7f9be15

SHA256
c7a3e45e22e1a777d1c9e45fe709d8214e842257bc97116b985951f83683831a

SHA512
181e3315a876fc686dc8fb08afa9ff3e5969b8d6bbee798fbd1cc04e0c1f4748c82b516f352374eb61f80424e4f2dcb93b7dac0b553288b6980bf9f00d61e9aa

Download Submit
\Windows\SysWOW64\Mdigakic.exe

Filesize
94KB

MD5
ada7a9752ae99daed8868561ae0a7f98

SHA1
bdc14161db5594749677b71ac31c7c85bca467b3

SHA256
3e78d0039063d64cc7dd97b8efc355d4392747de3c001f9b14e9717867c67277

SHA512
251160dbfa7b4e675a22bd03fd94388ead8a30ec0b3361459bfd8587f876fc6d83a92abd39333951580a812dc2819ebfed69841125693b2b95ffaf2c4c45d2a5

Download Submit
\Windows\SysWOW64\Moahdd32.exe

Filesize
94KB

MD5
f1cd718fa8e459450d50310226d72a0b

SHA1
c1c5943595b417892bac16c13fc34ee0e4fc25e9

SHA256
cd57b5377623c9679e7b34a849e60a9e3e51ec8bd0645d6689f3847a056d0a1e

SHA512
2d0306ca0749e8472dd40c477df8c5dee5c008bc93ee05795f65fa8f6371568abd381ddf82724ea0722c244b3b9f467384f02b2a94bad8710131b821d43ecccb

Download Submit
\Windows\SysWOW64\Moloidjl.exe

Filesize
94KB

MD5
21a94d17098af5ad8fbf4507d32593b0

SHA1
34c110b63acbc7c883499b0e843cb4e0457923e2

SHA256
db27742be01339a1c6b96310e3fd67adde2c1c63dd327d43a5f520fa1d016282

SHA512
d65c52a3bdab5d597238e38a929d47d6adf7051e21c0fff83f80f6dd4984f6cc0796eb8e50e261c765bb4cefae1f1a147556d8965c2ff520f6305894be2dcfe7

Download Submit
\Windows\SysWOW64\Ndnplk32.exe

Filesize
94KB

MD5
02bb79938def9d9f4568517d62f42e69

SHA1
5fec55f47d86f171a07daac51daaadd23f115150

SHA256
af970910063970931156fad9e4343ef2d393317fad7e5f68c59a5c24888d5cbe

SHA512
0f3e6d6091c73deb6aee79349436e6f0553d965563474c033b55afcf9b4e2ff464e4b702eae798eddc84eb750d924c90b6075381f5fb648c5d463920901b85e8

Download Submit
\Windows\SysWOW64\Nffcebdd.exe

Filesize
94KB

MD5
f3016458ccbe14e52f855e73e48b86a7

SHA1
f1b21f169675888a97e858e4b09fbd48a10142bc

SHA256
33510e1d775ff776f983907b146f1d5a89ec7be61f1882f0517b41f774137cec

SHA512
c3424666cf190683011fde9848ba81dfbcbf953aac029f46391fc36b50a7bb9a4bcc1065f5fec8ee6beac52aff1e88157db72bd00c279df42f06eefeec3b67ae

Download Submit
\Windows\SysWOW64\Nkhhie32.exe

Filesize
94KB

MD5
da313adb3451f35cc6169117709a0ed1

SHA1
6b68080f4c0d21535605afbb52baa7a398b05f76

SHA256
9b28ac507662901ae899ea24804fb7d39e704dc0084c60e10c56fff581fa34cc

SHA512
e2576541b7256922726bdd64a0bbaff9e1177abd0e6d691e04cb62e4bdec1d9ccf0e69ffc06f5650bac4291086cc2ccc81b977b569afa5b70272dd9694cbd7b2

Download Submit
\Windows\SysWOW64\Nnknqpgi.exe

Filesize
94KB

MD5
40c9008b63d7034e5d11949ae72f6306

SHA1
edbe61d8e377f74cd86ab38472a18a5633edd376

SHA256
58f1617337c472b005bafd44eb0cc1358507ca317909a815bd1f2d9ac175d0e7

SHA512
15eecb00c5ad1317044a7c52baaa8b35f6aed227ff360e945b7a6c6248c001a5b985e0197a8a2879dd6fe48d29904c1ab2e1793bae66345bbd42dfb28bb821d8

Download Submit
\Windows\SysWOW64\Nqdaal32.exe

Filesize
94KB

MD5
f6dc6761e98cdbde715b03db3f52ba31

SHA1
418ce4e61364b9e18a3b3d706749471d6208faa9

SHA256
f560498efb2413137a9ca6164242b7906604ef3f103a62972b7fa8cd2a655409

SHA512
0fe96acbc05ed7b26505f026b24bbeabf6452e19e0f73b6cea9e486eea731fc9a6c09efa4b10a12513cba8130196a18a3638aab2c24f63ee29edc8b2c78407cf

Download Submit
\Windows\SysWOW64\Nqgngk32.exe

Filesize
94KB

MD5
20773bc667a8671c2c94660948e9e435

SHA1
bbb15fecd3983f548f59676c7c2b4aaa70f32d5e

SHA256
73de901d5cae96513b74e7db2b6a98ca915859e00ca9fd9f2acf7355268ef34d

SHA512
32dd2741b09f8c8b9a45b0d5f417c2ba5682f2d4f81eea391848b3a21042c0b60d76e758df2600d5b632c8fd78bafc0c2865081133fd75e370e17ae863e97dc8

Download Submit
memory/292-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-116-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/836-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-304-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/920-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-305-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1032-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-196-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1032-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-294-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1616-293-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1616-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-260-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1972-279-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1972-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-283-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1988-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1988-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1988-242-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2156-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-223-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2216-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-34-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2224-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-63-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2460-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-12-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2552-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-13-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2552-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-317-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2808-315-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2808-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-174-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2908-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-142-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2912-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-54-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2912-53-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2988-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3040-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads