berbew | 5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe
Size

74KB
MD5

13d29c06f627dc1ed8a310544b300ef0
SHA1

d33ff1104134a1339b91cef8fa4d42926e35556a
SHA256

5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940
SHA512

68f3a233dc3654d3f1faf6db5fe30223a286c70dde826210483185265baa133f965fbc3c529e2db1321aa0dad59671f4622882cb9b8fc9f978e05a40bda8e203
SSDEEP

1536:CjYF5IFd4F/O26ZMG8LVe5Ht4rwqFLKWjRJU8URQxRcRes3cO57OW9:FF5mEz6MG8LVe5HtowqFLjM8UexW199

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4860	Npcoakfp.exe
3552	Ncbknfed.exe
2216	Nepgjaeg.exe
1144	Nljofl32.exe
3308	Ndaggimg.exe
3532	Nebdoa32.exe
5040	Nphhmj32.exe
1388	Ncfdie32.exe
3840	Njqmepik.exe
3556	Nloiakho.exe
2976	Npjebj32.exe
3392	Ngdmod32.exe
4104	Njciko32.exe
4436	Npmagine.exe
1484	Nggjdc32.exe
1132	Njefqo32.exe
4480	Odkjng32.exe
3272	Odmgcgbi.exe
3644	Opdghh32.exe
3408	Ognpebpj.exe
448	Ojllan32.exe
3600	Oqfdnhfk.exe
4352	Ofcmfodb.exe
4872	Oddmdf32.exe
2060	Pmoahijl.exe
1872	Pcijeb32.exe
2828	Pjcbbmif.exe
4940	Pmannhhj.exe
2272	Pdifoehl.exe
1780	Pggbkagp.exe
2860	Pnakhkol.exe
2564	Pgioqq32.exe
2660	Pmfhig32.exe
3300	Pdmpje32.exe
4332	Pcppfaka.exe
4536	Pfolbmje.exe
528	Pfaigm32.exe
2740	Qqfmde32.exe
1136	Qfcfml32.exe
4968	Qmmnjfnl.exe
1500	Qddfkd32.exe
4196	Qgcbgo32.exe
3460	Anmjcieo.exe
3924	Ampkof32.exe
3604	Afhohlbj.exe
2924	Anogiicl.exe
4952	Aeiofcji.exe
3992	Agglboim.exe
3472	Amddjegd.exe
4596	Acnlgp32.exe
2104	Ajhddjfn.exe
1732	Aabmqd32.exe
4660	Acqimo32.exe
4972	Afoeiklb.exe
3480	Aminee32.exe
1972	Accfbokl.exe
2804	Bjmnoi32.exe
1428	Bnhjohkb.exe
1272	Bcebhoii.exe
3980	Bfdodjhm.exe
4076	Baicac32.exe
4344	Bffkij32.exe
2116	Bjagjhnc.exe
2340	Balpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2592	2716	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 4860	324	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe	82
PID 324 wrote to memory of 4860	324	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe	82
PID 324 wrote to memory of 4860	324	5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe	82
PID 4860 wrote to memory of 3552	4860	Npcoakfp.exe	83
PID 4860 wrote to memory of 3552	4860	Npcoakfp.exe	83
PID 4860 wrote to memory of 3552	4860	Npcoakfp.exe	83
PID 3552 wrote to memory of 2216	3552	Ncbknfed.exe	84
PID 3552 wrote to memory of 2216	3552	Ncbknfed.exe	84
PID 3552 wrote to memory of 2216	3552	Ncbknfed.exe	84
PID 2216 wrote to memory of 1144	2216	Nepgjaeg.exe	85
PID 2216 wrote to memory of 1144	2216	Nepgjaeg.exe	85
PID 2216 wrote to memory of 1144	2216	Nepgjaeg.exe	85
PID 1144 wrote to memory of 3308	1144	Nljofl32.exe	86
PID 1144 wrote to memory of 3308	1144	Nljofl32.exe	86
PID 1144 wrote to memory of 3308	1144	Nljofl32.exe	86
PID 3308 wrote to memory of 3532	3308	Ndaggimg.exe	87
PID 3308 wrote to memory of 3532	3308	Ndaggimg.exe	87
PID 3308 wrote to memory of 3532	3308	Ndaggimg.exe	87
PID 3532 wrote to memory of 5040	3532	Nebdoa32.exe	88
PID 3532 wrote to memory of 5040	3532	Nebdoa32.exe	88
PID 3532 wrote to memory of 5040	3532	Nebdoa32.exe	88
PID 5040 wrote to memory of 1388	5040	Nphhmj32.exe	89
PID 5040 wrote to memory of 1388	5040	Nphhmj32.exe	89
PID 5040 wrote to memory of 1388	5040	Nphhmj32.exe	89
PID 1388 wrote to memory of 3840	1388	Ncfdie32.exe	90
PID 1388 wrote to memory of 3840	1388	Ncfdie32.exe	90
PID 1388 wrote to memory of 3840	1388	Ncfdie32.exe	90
PID 3840 wrote to memory of 3556	3840	Njqmepik.exe	91
PID 3840 wrote to memory of 3556	3840	Njqmepik.exe	91
PID 3840 wrote to memory of 3556	3840	Njqmepik.exe	91
PID 3556 wrote to memory of 2976	3556	Nloiakho.exe	92
PID 3556 wrote to memory of 2976	3556	Nloiakho.exe	92
PID 3556 wrote to memory of 2976	3556	Nloiakho.exe	92
PID 2976 wrote to memory of 3392	2976	Npjebj32.exe	93
PID 2976 wrote to memory of 3392	2976	Npjebj32.exe	93
PID 2976 wrote to memory of 3392	2976	Npjebj32.exe	93
PID 3392 wrote to memory of 4104	3392	Ngdmod32.exe	94
PID 3392 wrote to memory of 4104	3392	Ngdmod32.exe	94
PID 3392 wrote to memory of 4104	3392	Ngdmod32.exe	94
PID 4104 wrote to memory of 4436	4104	Njciko32.exe	95
PID 4104 wrote to memory of 4436	4104	Njciko32.exe	95
PID 4104 wrote to memory of 4436	4104	Njciko32.exe	95
PID 4436 wrote to memory of 1484	4436	Npmagine.exe	96
PID 4436 wrote to memory of 1484	4436	Npmagine.exe	96
PID 4436 wrote to memory of 1484	4436	Npmagine.exe	96
PID 1484 wrote to memory of 1132	1484	Nggjdc32.exe	97
PID 1484 wrote to memory of 1132	1484	Nggjdc32.exe	97
PID 1484 wrote to memory of 1132	1484	Nggjdc32.exe	97
PID 1132 wrote to memory of 4480	1132	Njefqo32.exe	98
PID 1132 wrote to memory of 4480	1132	Njefqo32.exe	98
PID 1132 wrote to memory of 4480	1132	Njefqo32.exe	98
PID 4480 wrote to memory of 3272	4480	Odkjng32.exe	99
PID 4480 wrote to memory of 3272	4480	Odkjng32.exe	99
PID 4480 wrote to memory of 3272	4480	Odkjng32.exe	99
PID 3272 wrote to memory of 3644	3272	Odmgcgbi.exe	100
PID 3272 wrote to memory of 3644	3272	Odmgcgbi.exe	100
PID 3272 wrote to memory of 3644	3272	Odmgcgbi.exe	100
PID 3644 wrote to memory of 3408	3644	Opdghh32.exe	101
PID 3644 wrote to memory of 3408	3644	Opdghh32.exe	101
PID 3644 wrote to memory of 3408	3644	Opdghh32.exe	101
PID 3408 wrote to memory of 448	3408	Ognpebpj.exe	102
PID 3408 wrote to memory of 448	3408	Ognpebpj.exe	102
PID 3408 wrote to memory of 448	3408	Ognpebpj.exe	102
PID 448 wrote to memory of 3600	448	Ojllan32.exe	103

C:\Users\Admin\AppData\Local\Temp\5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe
"C:\Users\Admin\AppData\Local\Temp\5ed35b71aa9c5f99e3b68ecdb9b83484870e714d15ac3c11929172fd06f7b940N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        82⤵
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2836
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        87⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1340
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 228
        100⤵
        Program crash
        
        PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
74KB

MD5
8cacbcfad77ed15a1c54b39bd03f4f6a

SHA1
b9123e4c3f205383ad639daa2a78a7df0841e37a

SHA256
c99f55c2797015efab4f4fa999c8c2d91c2b3eafe8378c0a5b960770cbdb1bb3

SHA512
4ddedd85bfe9f39bdf21cc40e6e5defa3b9a7c11560aae12f7089e6a9064d532ca6056913b6691293007ab6eb57ae71eb6a18977ce36548a4310457227902455

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
74KB

MD5
dd058b54cd0796add3829dacc5a252f4

SHA1
71e02e20364bf28ce715a1f8f78878666ee4f9f6

SHA256
1c16ee7605d99e339a08dcdd30f3321ced4716a7d9eba76196b18ad098899cc0

SHA512
3b259ac14e9e46bac10ff55c1e0f7ddbc1e9203bcf2fe1a4604f2cda19efc222a80c241e8a785dea9cb5e942d1797d666fec972b734da0befa954d44bd1c8bd3

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
74KB

MD5
fe3d2cdae91369aafb188e1b034f18d1

SHA1
b99ee687a6288682750839ee94d26c86c9a47201

SHA256
f819502bffe08475736a7d545e344971e572d93caa6532ab6727ff5b97bf1c70

SHA512
4c28abdc60212a1efb50a1be179da8276ee81d5f3a63dc03d462e823d51bc54b5aa654b28a4cda75f22645150471154224342968b4af1c7eb1e525f5c3e0d1bb

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
74KB

MD5
5b2daae1771fa2b37a47fe34a4de7d67

SHA1
6193ac19bb47e4ba0939b65e0e782f4ae44e8a05

SHA256
83f249b3c8d9521b0c7763f3f0b1868c8c4827cf15c2b13bb3ca5409ff60da40

SHA512
8c76dbb815a927304feba9e5423c3356857f83fa8c95ece9abbeedcc5fe5b4d0609b2457f8ab60187e2bb1b9f14eef34ed457eb588f90c7caebb13632e5db534

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
74KB

MD5
6df4828ed4087393049ae744ff2741ac

SHA1
4a98d8d97dbabe020af6b7946ee16d5adac6b2ea

SHA256
d5b9b71749ce8a2e7ce4eedbf33dede084fdcea022b6eeb778a517945f6b32e9

SHA512
c3e8d7b687dcd28964ca351e0c87f512e14036c2aa2ba588e6bf268e17940f62d0325ed48d34ada245befb3ef0a12d21db3eff4ffc42f9972ade297e29a8eb5f

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
74KB

MD5
753a00bf1dea4781c10e8cb68c775d17

SHA1
18006281410a7bd92ab2da70d2e80b79d133b882

SHA256
df4a4e69bd6007f4f969dc46973e23691a64fb4f96bea817a52e097f46f851b2

SHA512
fc2a0dd83aadd08234f41112fd28559f750d188a9c7fba9822d319e63d064301404774f5951c2bc96cf66390289f046bf5533282e83fc558fe099c25a5ac0ff5

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
74KB

MD5
522c71b57d380b6d43b7b5c0cc55ab35

SHA1
e63e367d016eec75add8f250fbe23804321904d7

SHA256
68315ef8a6665ec1c044df686c7d7aaf5d434f5dacf63b38c348a757a49a24c9

SHA512
c781d01ed8d0430d632c06a32ec525f84336d7ae960a02d37ccc871ca942d296b25f133601efc0d9c1f03e05c2c81eddecef5e2358e22cb28ec0e46e0661171b

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
74KB

MD5
3145ec9582fbde97eb4b4eae0e757371

SHA1
4d18f1648df74d4abd4122fbca30fd79545703fa

SHA256
46918b9a991d734bcd88df29f07a43e0811f1ed2e8551b03e963e1c56c8e3d14

SHA512
5fc209a01134c9d4025add64afb336dda2d8897516ff4bcdb3c1517bffe723b0e6f9e216940c1d9652fc1c333b83d0837f5132b2ad6fd5c8f4aaf46524153c78

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
74KB

MD5
898d934a889ab0b6caad8542ffa22559

SHA1
6c544b5d319cafc8a2adab0c6fe545001d26bb91

SHA256
f6c679f84904139c1abdac5514044a8c0f3201832461c345325c2c593d0a1a19

SHA512
f9fdc27840cccf62255934278b6856fd6cbca841857198fa21216b56c8cdae75e322a88858a1bc13fb5a83f20dde5e1d258bceb8dd2a8168828468a3dbabf29c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
d3fa66aabcbb009af6f7a870e529a7cc

SHA1
f8bf465df09213e75fc1b95a7ed872628cbf32ce

SHA256
f703a2b9c06c511289f0d61b48e8cdffaa47d1516d44940be9926d5721b1e992

SHA512
6d34c90cda12c41f09b56cf81ae823cbc6e8051a17ff9a3f76cf38dd4d8c40c78dfe1bda1c2c4fe61c3ed4ec41ab34efff58ea2cd0ce82b6e6fa7348bcfe64bf

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
d95f209e24659e339b5e8320349b8ca9

SHA1
7f577645431f791d7e08fcab6ef49449d29fee0c

SHA256
e27ed0d28b3aa7169cdcb6ee450e44b3c93dde9f8476560ec2ff46c38d9c9e94

SHA512
1c7071f2019f70c3a01a80ff9c11a04d993ac919238d68cbcf1edc1914eb0b29bdddbaa7338326de1d18f26600d3ae5adc6b451a51038ffff3dea6d61ad8ce0f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
f7d82a149ac3c3c36dae54a47b90cbc2

SHA1
bbc041eb16ab4069fa0a782560ec5a4e0175b54a

SHA256
08202683d1ff44d8306362fe11771a3fd8930e601af25908dcb27f44ac54aa9d

SHA512
6ae82c2a1fc2246d1a196ead6b352d70e516340cd69bb3fb6bf8bdec8fe90fccc7785d611675c8583801c592a1010ca838e114ff9ba6baaa6f496659ede0fb48

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
74KB

MD5
ef29eaa412ee28ec1fa4177b9eed706f

SHA1
3f9606dba9b18a26dd0339877188757cb1bc2702

SHA256
53b1c7735b7e203a1f81b595b2f41797e8c6bb4fd011e930feb7c7b907c3d2c6

SHA512
3077f5578f06ad418fdf02b3e782ba01e9ee13433261a177eaf22a666e5bb3b3cfc9a33f41d207104cdd0940090a2c888bedca1d07155f9bd8c7c6b5f29ceff4

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
74KB

MD5
9513e5aa06a3b050beeae3070ca5c461

SHA1
64015ab14f5c39c321785b4c7370ab935a4dda58

SHA256
61ac573a924b40e661fbcc68c888a82bbfdd1d73974cc9240130b3630b08d2d2

SHA512
7f7f05a8334169b841637227fbb2f2b8f74c56154c71ca3d60c7b1113efdda82be884bad18148cb7b6417d99dc90313582f1312a66a484d6304872c70e281217

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
25610827551b006a196a2e628ed456a9

SHA1
0c0ccd66e17f40ae8633c2de1895e9835bdfdd5e

SHA256
c3576ec6531b168e403c37182015a8a4ff92e345b7be20a5face513b1f4933dd

SHA512
ecaf3a16ef8670fa31cfac478c23c7ca2d5fb7b00c0ab4a6e6ee2eaa9524754d3d6d98275e31ebd59f99ec87059d2e96f41436d316f3fda42965979f377aef44

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
74KB

MD5
9beae9968597eac382b422f7ad488e93

SHA1
ec6051ba329484f13785c27ae6f2eaa63a4a2aac

SHA256
c5ed5d07bd825806a95faa28e58008c7e6e42df8c511b84c26aa2bb310ba1152

SHA512
7c4311e59c0205c11afff8dae8c56cb4667dbe8921065b3a598adfa0e7de2d83169104cbe80cb44a7e90865e7dfb6943e8481afe3e7edd80ccb06ee7bb923979

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
74KB

MD5
d875a59de58e26ebdb9c170d3ec24b7a

SHA1
cd9ebb294c046473efb50c35c0886e67823869d8

SHA256
d15d2ffb41c9dc83ddd5b9b0636e59bde68aa7cdcc545cc4a9c5795c1d8ae2da

SHA512
2aa4b8a62d1529d0ceafd31f2bcbf53191473cb731eb0bfdbf47cdcaf8c31b563f2672cdac1ac95d99f30fa6000ce261304b572336145b6f5bcfd1d2ec00828e

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
74KB

MD5
a2dd2896f0a84d51d289b254c9aeb81f

SHA1
c409e08489519a402d1eb1766fc99de48c2de577

SHA256
feb212f578f4b6b91bc3e243ed2a922b3e209785c32d019a254813d9c7329653

SHA512
7e3f8f5bea0d547eff6fbbf7390cc012a56cfd511515bed9ea069ca041e7ca289a0aba9014b3f79d868f7182c1578ea650794fe05d8ff2e0ad4e0e014c9f42d3

Download Submit
C:\Windows\SysWOW64\Nenqea32.dll

Filesize
7KB

MD5
6ee22eac7daeec2f0daf8e8a01ec07de

SHA1
1377211c8668ffd96918d11f014bfd434d044c01

SHA256
c3d40deada375cbb9d64a06a3656de11df1447dc337303e4599d3a60213763cb

SHA512
191f4fe980073c73f477cc9387a5f5ef3b24b570d55fc70da1e52c5bfee1b577c1f77b9141fb339480b4d5cba8d3992fb7a6a02414f62d7c394de1faef855c28

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
74KB

MD5
5ce5684a5cb410ed28f9c2f328d4913b

SHA1
09763192e3925c0e4ee64bcec3130d35d16390fd

SHA256
00036f4878cf7c37ae4ea55980a04799c45766e85f8d366c4ecd72305a2bd146

SHA512
cab6710e89f58b6a7b1fa6daf37cf5f9444a19708c6197c7da6e94ef5b9398c850168446642e2d10e9bd1992be25a707811447e114b1aef6afc3868b71b8a09f

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
74KB

MD5
2bd9f0957e14e3ef881327a2fac8bd7d

SHA1
64cf7dd38742d55c1c05e0e892fb4774bf0b9f5a

SHA256
abb471306e3b1050574e03cd0bd1706cfa23d2b5f8c6dd165eea9722768365e4

SHA512
830dc243b4d0240d970657501b0ccc4839ad069d2c29dab794c1ac53ad4b718201a7c5604602949a600d494a6ce7652161833b5508637ce6cbfed7d98845ea54

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
74KB

MD5
e3348a7ec439dda9ca5c514a85583371

SHA1
1bef9b2a0f0d53f33a10035bbeff5855594d5fda

SHA256
8feeec138932e12be0cec3f17e9b107f20d3392aaec1361ff04752036fe6f3bd

SHA512
fbbaebf089d29d866f83698b58b9dd529955af41bb3bb0e2d5261bb75460dabbd5ce7463e68e3c007ffdfb1398274ead1786c968983599bb8d35f62de7da38c1

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
74KB

MD5
02bb798b4939853c83bc3bf1fe312d73

SHA1
5d2b246b0a00b439d4d4f59c42f32acf9f2b3af8

SHA256
4f4cbaa7d86ab8d46b8f00d606935358efe3bb6fa073a23370ca0a97b46e081d

SHA512
1835ca91708dd98fcab6f565347b326d99b76e51bb61877a4f3fdceab8d5e305aaa267b42f38fec9d03726ce5152d5748b0e12234e09b483beed8e8c11b681ad

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
74KB

MD5
302fa094d6b736ee9268b69814122748

SHA1
41ce9ddaa132c24c20399d583c183d434f2da0c0

SHA256
05716e8b920beab2cd9b81b563a96c1a06d8011571cd7394fdcacbe7e1641136

SHA512
a46d9884a16cc408c006669b1c71047ffa32a9e57eed9e8213c0ce2e07f8919ff60ac050a1c0053e7c4b075f4c22cca23d0ff9a587ee13f112eff2dd77c58b27

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
74KB

MD5
49a7be10b3dfa9d77637f127d0fa07a4

SHA1
1d114777aad983522426431158ce9a491ce8c6cc

SHA256
7ffb92d88efd6a9d38dac24a94e4f3f58efb6ce6df3d2bf82dc79d0ff8c37163

SHA512
12a49900c99a5343b412564f1923020db15606d2ad53215e09bdafb21f60087939c56cca39e4adfbff22bb558a29a9ce5afa48b795070628e96536786e1c7f83

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
74KB

MD5
1c11e3fafb871c0d0dff86a648f294ad

SHA1
ef5599765e317c6f477f06e17b431aa5e82a2e6a

SHA256
b47436aebb1d70dcdf82502b01d473c99aea96daf9d85b31bb913fd804e06eaa

SHA512
23bf8b900111ee8ea74301ffd2b4b1c072a2ab5335ae11b2eef5385779125fc47c5101f32cfa782d9e2b9b62516d916eb685a04d186147d130d28efed5bfdf01

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
74KB

MD5
04cbc86e73e6b748d3434504e2601f5a

SHA1
fe971b2292aff0edcfd6c9fdd1111954bb1ef5d6

SHA256
1d828e38a99e096b32185d3d5312b102afb56f87952081d847ab2ea40e4bc8e1

SHA512
78e29d835bc3c99d773709852bc5fb6afcfcb3d8685bf4db97f8a5c61966344ccaeeec72319391f806f79598926897f55660955fb51e5c0b4eb803a7bd379f14

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
74KB

MD5
870e414b785dd931b14a9f68e068aaf6

SHA1
52a3668050323f1bf79b791b098e7f65522cdc62

SHA256
6d662c58a26d0a44f531c0ed53a924ed681a1f3065517181c93b8156b3e92794

SHA512
f4be9f8cb789a4871f8395073dae1ee8ab2752f995561443869e60c77546282647995c67423a1a68a0218101ab70c7227ac5f25da56cba268389f54b230f3899

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
74KB

MD5
a561196e8bd7adeadf6c060ea7ed79de

SHA1
fc039bccdf8ec88f139ce4069a487bca8187df99

SHA256
16cc8fe9c3f7b1d3af1bb2dde5f97831096af0cdfd5813d131b5fe8a1bed29bc

SHA512
bc5c3056f6d0051e3d91cf70cefb928e887aedd8449db6d4e37e0a52001b4d4a7bcd33de9ad11a6c0114fd52d3152bc7c2a3345b3302dcff6ec6259e2c4f0614

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
74KB

MD5
23313e6ca1f9ed0e4c6036c8cfa9791c

SHA1
00757d85cf22126942e9a16de63db01b8ae0253c

SHA256
5ebf039730f952935f444804d05499da2b162ed25e50fa74d7f96d5ab898d72e

SHA512
66c33abc7deec4ef7af17d3f864c84071dc628e5762f04e0ffd104341bd47a9389c62d4b3d773bb110d256b0e74099106b00c6b7f5f87972fb76ac15e87b9f52

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
74KB

MD5
17c4bb61d7ed4b555bbfc70ebe8bc060

SHA1
467dd6562145d772a6db30c15f3a224f74e2dd2b

SHA256
5d8364d385bfd82c43c45150dc652e32e22c7374e2807d07699ee4524e716cc5

SHA512
df0d034d7dc1a6ea8f241179daa46c8dd14b7ec4092e163a84a0cd319cae4a200cd738a6255eee831f26b617ef215dd1c4e8fb9c7f9f370b3d1c588038c2c1ca

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
74KB

MD5
886064cd6f069c099eeb1a8bf034625c

SHA1
3717c0bf338eca243d9fb9e75c95ab933285454a

SHA256
6cc98f3aac884d6ac36af05366ea9a0464a2c0e49a91eed82b5ec25662f4c578

SHA512
67a1a366aa688d8b108a2d8cb458abc4510d8bf0e2c97ee27e45c657491d23c678561a820b41455e3fa28531dba1d26c9476f0cad92fd06b7901e56203611f0d

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
74KB

MD5
6d50182d6d4a4e4f6387248c7192e74c

SHA1
7ad45a34aca3060cfe68bb62b8482f803a8ef12c

SHA256
2a5ed10c9801c75bae361628c4dc73dee7ad8ceba8dbdd74ae9e93463f2bc388

SHA512
21059d52bce1d86fa6745193f71bbc3f6532edb87d1fd5d1625a62bd9ffd101d0fd60cd4311e11d4e4aad5f98e30aa6f656a3f61280022b127725083cfc6fd59

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
74KB

MD5
6aaa1e3a63cd492218b9e713ad2db970

SHA1
c29865bcbcf9aa7083dba6ea8d79efc57e38222f

SHA256
a9b24892b6b54b312ff97374da69d3d24928cf0d211df8f7360f8c8c9e1d26ec

SHA512
b3c69c118007f05aca82f5954666b06b6251967ef17172dd96fb813b45e3afb88672ca76e573e32604be810ccda20ae746827236d80e51ab63ead6f559056f60

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
74KB

MD5
8410a9f4a2956e3c9454d40153cd0925

SHA1
d79ea554fa757d4afbfdc78016c634712c90cfd3

SHA256
85915c754b794254f0dfa71925df5063b936843106b363c8e60c316f9cf19ab3

SHA512
36b1d7cedd81432930e4451c7f8085d89577ce9f343a11e92d5ed79b827ac26b6fd679ce24e6249273358f4667c3c01c9be01ca5bbc1402f117c4c766d649cee

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
74KB

MD5
dbb727a1dfcc001a2cfc3552f1a29254

SHA1
00086bb9ad8787b8446c8952ecdd02e91e47d8d4

SHA256
52283c1554861ca6c0d985a58566e6368c5e77d0fff97feb53cae2d7708999b6

SHA512
77c32c318519f597ad18a8345f64f40b40e8a7d3559ccf56871ab9be344b7322ac5252db8cae544be6f4447611fae9ac3b7088a1c00561b22e0046feaa60a9eb

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
9ba905df7722c465dba99fc3f6fb0942

SHA1
632d67a717e5c82d2b28a46cf47531cf8b0f3891

SHA256
4f3c204a59cf31ecc7ad84c072cba99bb532aa5f3be1ee1726a4080616ba984c

SHA512
0e8a8b06e30c3dce3315cc6b197ffea42dc05f43eaf93ff4a3383e99320c25af74f221f4f2afb3ed8f8d99f297971ebb09fb16d7579d45208e06aa4bbeefcbfa

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
74KB

MD5
0f93f16e2a43b1469fee4d94df4a43bd

SHA1
770e661b9dc86391c65323b1027cfb32cfbfe29c

SHA256
6972f27388ad4810f2810ea4d12a475a5190bbe709d2f0ca237e3679c7484427

SHA512
441c258f1246985968e312ebd81e9c137daf47cf52875085c63c60f9da5b07ef024bef77f94f5dddd10eec2596506bf0ce20925f57cafe02cd7ec0708711425c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
74KB

MD5
c5dc6229a502a1ca24d68b16eb0dc6da

SHA1
0b8ff2b8d8ff0cee5d40deb3053862c9f3beb756

SHA256
c8b1536ae1593949ca0dd157c0df93f3dde01eda30f6f45554fce14c11365537

SHA512
c17bf6413dcca4959b1489cfee1bc2aaf984c49d2ec2e18460d9e7ae0a77e43c843193e8997e5d97dbb2ea2dc80caa9b47afda223ba143cbaf84240d4041542a

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
74KB

MD5
406e704ca770b24aa8ed923b7da56b7e

SHA1
ee0758ecf1aed48b5757c741f92e763798435fb9

SHA256
ab515c4132ce252ff7324d4b21d623557d0b714b8fc9d5b28db9e0e78fdebeac

SHA512
0e03a1d79221200c8017fce7826c003e1f12044afa4cb5dcccf56c54450e1a9c68305659764df0992087a4ca348cad310b17a5e5417d09de151cc4b0b0387f36

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
74KB

MD5
eea9e4406d3f3b8cdf1727e1e1eb8436

SHA1
89dbafb6ad4f2fcdbaca603235488cb79009e95f

SHA256
ca48a8f59e2cb3dd5b54275bc63b9c7904e4dc6f096fc57e9816fd5a5cad0628

SHA512
77dc082b4e038cb72faa0366686bd24ccd627bc731425d824cf300853072401af4a40159231a4558ee005d16752f17e06cc3789fb5f828be36a2eb1236e0efa3

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
74KB

MD5
8b3113a8079e656ef40558bf6b51ad9b

SHA1
1029d606e1ff2b5d007d9177f725889b10eec8bd

SHA256
5101b169e5147db2e295502142f582919d61058afdfbbd83eae9dc12c16592fd

SHA512
8fd0ab17c86a4461481393aa19adf7178712bde7ead86e3941bcd739978beda88e3f7e92eba3d3bfe81d78d9926ff0266f53cb0aa99e6581810a3b865e6e6c1b

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
ebf70c5b1e614427497192a00c9250b8

SHA1
a6a965706361361813f5e3b04993f72c3b32c704

SHA256
58ab897546b4b8c85cec28055813bccfa3a785d6ddd6e70f6bab07661f86d0dd

SHA512
7d0893009b24cb7a681a58fd11820a45299c89f4029429d780b54a400f6f3f03c9e2e2443aeed9a603a76dde99375448791a78266e295d5ca8dea598e611ed80

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
74KB

MD5
2077ba58615fb8c644c156ccad45875b

SHA1
64a2cfa0acb2b2fef767f250fdd68bfa31383646

SHA256
7453ab89645d5c53ed632cf826c003c4e554d63a82de055b8cfb876f7743919d

SHA512
048048f14df2fdb26b67d53034f4da44ef8a110ec42fdcccdf218b2250a426123aec7c434621e240445e0a0355a2502555b5cb1f8dd2b4c55265bb1eb89349db

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
03b11cea72f7977cb048c75f3f9bea8b

SHA1
22c1a5d3be965bce81981b20c9d60ebc1743b36c

SHA256
a94a56a76b9d68ee526f92ecfebb1273262e9e230230d8824578118ed981975b

SHA512
d3826710f6804f99b2337d00ce21ba2aa102e319858035a0e62d48520df8837a531cd22f93163584254aeaa1fd8ce34fe78d31da8ebbbaf8cd6c1c0faac674fe

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
74KB

MD5
b6318f51616fb070c237feb8f954991c

SHA1
25f02a7d295cd7d208fbf17a9bb79fc139e6e5ac

SHA256
87b3c030ddc37cdc35a8cd86105639a993b2a6a748ac6a75b43b3e801a8684cc

SHA512
a6a7304eaa0c3c8c17dea49a872c7016e069f5f3062ae06fc5b77e08a6cc173ac3bc73236a9d40a2fe036b580ae9f191c8ef5fd1096c774f9579b5955bbb5c60

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
ac34dfc46a0492fc0976aee38c420d33

SHA1
57e9ae9d228116acd3cc51c6d36d9e239e18c66c

SHA256
7b025a124f08c4b1fde43f701ac427d115417f42b4726c2243ca311cd4cb8c4f

SHA512
e6a7531a947ff2319a8372f147e9278b18e3a475ad27ad91e2ca793253455da9c23c22d31ca83ca927c8a637c643b1f465c2e2379f2fb39225e9981f339de5d8

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
80d875d8ab579e75c82c64969fffd385

SHA1
8f99099095a9e090c2967f4144fbb7394d878551

SHA256
2111ab4d846e5749fd05c3ee8ff85812dec58cd39ef962aac7fd5a482bf26f03

SHA512
74920b35ea82204b59d26f2e4145ef7330cabeb4a67d11dbaddb93bdab912d95ad9a2cd4aeca40f5aa518676f0765af19303d197c62fe2c8ed0c77cd81517bbc

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
358f3cc0af8a50256fb342ec94b6a7f7

SHA1
55670127a68c64a986b0350bfd31d67ee6c46f1a

SHA256
8388be885e77f621b1123c5e4f4e90ebdab12653a5f19695dec592d027b930a6

SHA512
fa02780dc7a358e3b794026ce853c172c873f7388aa241b61519280401a34fc8c67b122bc90d3773a3419cb40e16dad240071eedf875476f196e098f97c8ef2a

Download Submit
memory/324-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/324-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/528-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1108-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3252-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3272-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3300-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3380-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads