berbew | ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3

Analysis

max time kernel
93s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe
Size

69KB
MD5

5d6ef4cb14cbf1bed11c990222db50ec
SHA1

03468a30e5d6647df550922d541ab9c252af7a48
SHA256

ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3
SHA512

8b3bbb33437fdd4eb9e00a8678940920f22bcf1fcc71ec16c2ac2cb4e632587251b27190f69305fab66f3665c83472ec24e7e9374ac720f0c2409e3ec16f01a9
SSDEEP

1536:mgNAhnT0dq1rU0MF4YPCHrQJNO5PANein/GFZCeDAyY:mgNwt1A0DHrQJNO5YNFn/GFZC1yY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2320	Mmbfpp32.exe
4808	Mdmnlj32.exe
4616	Mcpnhfhf.exe
3100	Menjdbgj.exe
3960	Miifeq32.exe
2588	Ndokbi32.exe
2660	Ngmgne32.exe
1100	Nngokoej.exe
1276	Npfkgjdn.exe
3036	Ncdgcf32.exe
3864	Njnpppkn.exe
1380	Nlmllkja.exe
624	Nphhmj32.exe
1488	Ndcdmikd.exe
844	Ngbpidjh.exe
1828	Njqmepik.exe
1716	Nloiakho.exe
2460	Ncianepl.exe
4452	Ngdmod32.exe
2908	Nnneknob.exe
388	Ndhmhh32.exe
1096	Nckndeni.exe
4336	Nfjjppmm.exe
4556	Olkhmi32.exe
3740	Odapnf32.exe
3440	Ocdqjceo.exe
2088	Ogpmjb32.exe
1984	Olmeci32.exe
2592	Ocgmpccl.exe
5036	Pmoahijl.exe
4228	Pdfjifjo.exe
1712	Pgefeajb.exe
4720	Pmannhhj.exe
3924	Pclgkb32.exe
3772	Pggbkagp.exe
2996	Pnakhkol.exe
3976	Pdkcde32.exe
2616	Pcncpbmd.exe
2316	Pflplnlg.exe
3064	Pncgmkmj.exe
376	Pqbdjfln.exe
5096	Pdmpje32.exe
4500	Pfolbmje.exe
4328	Pnfdcjkg.exe
4056	Pqdqof32.exe
3728	Pgnilpah.exe
3432	Pjmehkqk.exe
4432	Qnhahj32.exe
4496	Qqfmde32.exe
3600	Qceiaa32.exe
2252	Qgqeappe.exe
2220	Qjoankoi.exe
4436	Qmmnjfnl.exe
4308	Qqijje32.exe
4652	Qcgffqei.exe
2268	Qgcbgo32.exe
2240	Qffbbldm.exe
2004	Ampkof32.exe
3472	Aqkgpedc.exe
408	Acjclpcf.exe
1384	Afhohlbj.exe
1852	Anogiicl.exe
3204	Ambgef32.exe
4992	Aqncedbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7016	6928	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2320	404	ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe	86
PID 404 wrote to memory of 2320	404	ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe	86
PID 404 wrote to memory of 2320	404	ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe	86
PID 2320 wrote to memory of 4808	2320	Mmbfpp32.exe	87
PID 2320 wrote to memory of 4808	2320	Mmbfpp32.exe	87
PID 2320 wrote to memory of 4808	2320	Mmbfpp32.exe	87
PID 4808 wrote to memory of 4616	4808	Mdmnlj32.exe	88
PID 4808 wrote to memory of 4616	4808	Mdmnlj32.exe	88
PID 4808 wrote to memory of 4616	4808	Mdmnlj32.exe	88
PID 4616 wrote to memory of 3100	4616	Mcpnhfhf.exe	89
PID 4616 wrote to memory of 3100	4616	Mcpnhfhf.exe	89
PID 4616 wrote to memory of 3100	4616	Mcpnhfhf.exe	89
PID 3100 wrote to memory of 3960	3100	Menjdbgj.exe	90
PID 3100 wrote to memory of 3960	3100	Menjdbgj.exe	90
PID 3100 wrote to memory of 3960	3100	Menjdbgj.exe	90
PID 3960 wrote to memory of 2588	3960	Miifeq32.exe	91
PID 3960 wrote to memory of 2588	3960	Miifeq32.exe	91
PID 3960 wrote to memory of 2588	3960	Miifeq32.exe	91
PID 2588 wrote to memory of 2660	2588	Ndokbi32.exe	92
PID 2588 wrote to memory of 2660	2588	Ndokbi32.exe	92
PID 2588 wrote to memory of 2660	2588	Ndokbi32.exe	92
PID 2660 wrote to memory of 1100	2660	Ngmgne32.exe	93
PID 2660 wrote to memory of 1100	2660	Ngmgne32.exe	93
PID 2660 wrote to memory of 1100	2660	Ngmgne32.exe	93
PID 1100 wrote to memory of 1276	1100	Nngokoej.exe	94
PID 1100 wrote to memory of 1276	1100	Nngokoej.exe	94
PID 1100 wrote to memory of 1276	1100	Nngokoej.exe	94
PID 1276 wrote to memory of 3036	1276	Npfkgjdn.exe	95
PID 1276 wrote to memory of 3036	1276	Npfkgjdn.exe	95
PID 1276 wrote to memory of 3036	1276	Npfkgjdn.exe	95
PID 3036 wrote to memory of 3864	3036	Ncdgcf32.exe	96
PID 3036 wrote to memory of 3864	3036	Ncdgcf32.exe	96
PID 3036 wrote to memory of 3864	3036	Ncdgcf32.exe	96
PID 3864 wrote to memory of 1380	3864	Njnpppkn.exe	97
PID 3864 wrote to memory of 1380	3864	Njnpppkn.exe	97
PID 3864 wrote to memory of 1380	3864	Njnpppkn.exe	97
PID 1380 wrote to memory of 624	1380	Nlmllkja.exe	98
PID 1380 wrote to memory of 624	1380	Nlmllkja.exe	98
PID 1380 wrote to memory of 624	1380	Nlmllkja.exe	98
PID 624 wrote to memory of 1488	624	Nphhmj32.exe	99
PID 624 wrote to memory of 1488	624	Nphhmj32.exe	99
PID 624 wrote to memory of 1488	624	Nphhmj32.exe	99
PID 1488 wrote to memory of 844	1488	Ndcdmikd.exe	100
PID 1488 wrote to memory of 844	1488	Ndcdmikd.exe	100
PID 1488 wrote to memory of 844	1488	Ndcdmikd.exe	100
PID 844 wrote to memory of 1828	844	Ngbpidjh.exe	101
PID 844 wrote to memory of 1828	844	Ngbpidjh.exe	101
PID 844 wrote to memory of 1828	844	Ngbpidjh.exe	101
PID 1828 wrote to memory of 1716	1828	Njqmepik.exe	102
PID 1828 wrote to memory of 1716	1828	Njqmepik.exe	102
PID 1828 wrote to memory of 1716	1828	Njqmepik.exe	102
PID 1716 wrote to memory of 2460	1716	Nloiakho.exe	103
PID 1716 wrote to memory of 2460	1716	Nloiakho.exe	103
PID 1716 wrote to memory of 2460	1716	Nloiakho.exe	103
PID 2460 wrote to memory of 4452	2460	Ncianepl.exe	104
PID 2460 wrote to memory of 4452	2460	Ncianepl.exe	104
PID 2460 wrote to memory of 4452	2460	Ncianepl.exe	104
PID 4452 wrote to memory of 2908	4452	Ngdmod32.exe	105
PID 4452 wrote to memory of 2908	4452	Ngdmod32.exe	105
PID 4452 wrote to memory of 2908	4452	Ngdmod32.exe	105
PID 2908 wrote to memory of 388	2908	Nnneknob.exe	106
PID 2908 wrote to memory of 388	2908	Nnneknob.exe	106
PID 2908 wrote to memory of 388	2908	Nnneknob.exe	106
PID 388 wrote to memory of 1096	388	Ndhmhh32.exe	108

C:\Users\Admin\AppData\Local\Temp\ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe
"C:\Users\Admin\AppData\Local\Temp\ca2d83bd945300dec4fcbfb822da0cdf046a6d8cece39258a60f461b127364d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\Mmbfpp32.exe
  C:\Windows\system32\Mmbfpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Mdmnlj32.exe
    C:\Windows\system32\Mdmnlj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\SysWOW64\Mcpnhfhf.exe
      C:\Windows\system32\Mcpnhfhf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        39⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        49⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        54⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        55⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        57⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        67⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        70⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        72⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        76⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        79⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        85⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        89⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        92⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        96⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        97⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        108⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        109⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        111⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        116⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        119⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        129⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        131⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        132⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        135⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        140⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        143⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        144⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        145⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        146⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 404
        147⤵
        Program crash
        
        PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6928 -ip 6928
1⤵
PID:6992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
69KB

MD5
c951f3aa8a4497b42d758e4fdc5577fc

SHA1
291ffcae5ac25eb602a7eaedd6677b63375945f8

SHA256
05c482c4b5a93181531cd80d85f507c877458263976f82eabcf5f77c16bd15e3

SHA512
a86f45e62712cacf50fb7140349779c75a78971e253956eb944422e4ced2df61d425b594cabc224fd531fe1f29a4596895c729583d868989578ebdb5e76b188c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
69KB

MD5
4c8f2a473ed7e13ead8afa89360106b0

SHA1
fea779871caaea90b457e5b9fd7d8c0415176098

SHA256
42e89d1ecc088d63f3ea48c92368151a0d09069bc8d4fbdd75af1e5026804e44

SHA512
dec5cc8950297872788556a6d731d641e4d2a528971930335956f0e8c44b5f4d536980385e2a169723942f41f9497e2d3e3aced47c70dee2b12b323e5cf5a755

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
69KB

MD5
8cb54d0fbea13fcdfef559fe2ae27dca

SHA1
299645e255180e045511ecf27fa63c21157dc472

SHA256
54da42b3f6a29fb562e825abb7d20f4d3aabd1126517e02c5aeb4228e1771bb5

SHA512
3d6b3b64f6979b622999c0d006f464f9187c7127c4249b22fcc6ddf1a979198b949c6567350001861c8933792449a99e153a7bfce10b241bdbdc79d4ff7754c4

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
69KB

MD5
cee953c827db9c1d87e473bb77fcdb7e

SHA1
799d52d5a4b955fb457a3cf1de1b655f47bee092

SHA256
99d9a29729e213e55dd9ce3f652d68b7ae8c46e23977600a8a028e2044863e01

SHA512
8489dddab8e742430ff4f77baa874c54b38d6b766f57946b022e3ae0a131817595ca95f08ba2999c8a655d9303ae1a4a3bc04935e5fc0a7a6b9dc5137c8064de

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
69KB

MD5
2b8614a176591decea849def99c6ab8e

SHA1
8b952583982eceae7d67a8a1498c4b1674e11470

SHA256
8ca3ae4aa329442fc4cf0fd00d3ab5bcbe5dbce9520dcd4ab551633dcdcd02e0

SHA512
0c3b47d3f0303ea49ecb25c6b246eb816803fab3e23df39981159c80fa9cdfa21a2102701674948f01d98fcd9c76a5c5f669069fef73a05c3d2b03b2d5012c5c

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
69KB

MD5
e0ad91d9dccb11b72f7d051ae05e7e65

SHA1
7edd5dce5446d6b4c1f74b2509f28de78792d7b6

SHA256
650fe72f5816f84c016157ce15b5adfa35cd7b47a6519fdcda12d040a063fd14

SHA512
432c1df8f90b59dd4cb4bc040d8b977b8acb6a87d1a0425a7257ff9bcdb1fb81e99b4aeaf27fcf6c6e7214174034bae53391fa9a067c8f26552295ca3118bc8a

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
69KB

MD5
55d6f3794f6b25cd8b3a85efd5c49f7f

SHA1
48055a5293c59698959698ea785ac7588ee29b60

SHA256
87d725e4a94bcdf63216495e40e27fcd9982149b4bf2024bf095e65009bba78f

SHA512
920aa99e6251cbabff040ec8765777820b332c8b0a3504fa420b8897f569a2119dc2c486dd05e2322ddd559aa45f485914054bdaa2eea6003e1ffdb5faad8004

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
69KB

MD5
f84f43de282ac150a9602f7866198bc2

SHA1
19de466c450eb977c95e32424c5c83809c949f0c

SHA256
b5a0f509e3a38fe8eef7b51d6d76d05611519478d22848b2c8fd8e811d1fe7c8

SHA512
b4dad466b18790b5c54eafc3c66d97c06a55a4002ff35b346c2430d42189497ce1ae5dddfeb97c9e507a780a0f6b74f7b36ea5852251e62a1dd230593742bdba

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
69KB

MD5
a12915f21fb5f13d9094a28b4b5c7f59

SHA1
7b4eb7b460e78d05ee6b7321bfa8b1c2167c0f95

SHA256
56c8bf00a4d145c5a0e8eb0bc5aa2fc0662aa3f95a069b6dd1aec0157df1528d

SHA512
40da5db0cce96ad1186ab73e61fbd46744a60d17b79c59188f015cb7320a5092aecf436be000b9fb68a5ed19d8e6674a39b2f6d0b1dc28555612eaa0455840ec

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
69KB

MD5
85db5b9356de14c46d158c5d14718b0e

SHA1
1486f4d6bc646d799ba1fb2cceef4b318688d16d

SHA256
46ee8d14e800dba3e337e52bb0980ac50cc8530ba1f314951387bc279fec30b5

SHA512
07420ba6b307bdccd62a887cd838e00ee142c4069b76ff880db61f9dcaf1476f916e1e0581efb9b7618686bd5449f5556094d5463ec37e9debeb5f447c18e251

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
69KB

MD5
00b9dba23693f4ff7d7293537ed444c5

SHA1
25833c0c873f0dc84873c1b286cedb7ad730d913

SHA256
88d02cba57f41079ce00b4d5068c62720005075e58fd39848555aa46f2be2151

SHA512
69c134f48a6c2af977196025f700bbbd2c085697125c99ad93325a74e2a2d2c8562eada2f24725929d908467301ccd941c8377495e020d73ac7cec399071aff4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
69KB

MD5
6336bb6c03877e4f70501f0e7a4a7577

SHA1
605b57920d2badda409f0a43442cb9d4b1990d5e

SHA256
3743323df576465607ea93fb62ee724841b337c7ccbac799cc97a80b58591734

SHA512
5f6b16663fb1bb66a7575adaefc7aa49afbc5b767e732df8b13ed187442d1a363d444f78dd063ffc98c891f7ebbf9da21ecdfc568e2a8f552d365179d55f7d12

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
69KB

MD5
ff9d8d6746a6f4e63af26710592b97d2

SHA1
b83215dbfe3bb0ce99392f25617f01c55d1fb928

SHA256
05b98b1c4b0d475dcd85bbc87554c4cf910947ceb12e78616841bcb2554ef022

SHA512
4e5ff91006b9d473d30535f0214dcef8e64dcf077c2a904b8aa31ccc60b443ed784bbc32e1651f4d727c0571975aed5a2497efc5a98886f3281bedae2464198a

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
69KB

MD5
2934c27e7c443942306e58075040973c

SHA1
bd71612fe4c95dd7700baf5195bc7e6472a12ba4

SHA256
c7b5cad1d4f88b677738a48db725090f0a46a9f50e56634c0a8f890a5c913cb2

SHA512
c0ef6097b9370b477831d0abe3d458646d8f66c3bebd439280f45437bd15d75a6fcb4db0984a21f3ad78f4d52d1c79075e3ad7f92fbe3d4cb764db9e9d280925

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
69KB

MD5
bdf3c3da9625cbce79550e792b7b22bd

SHA1
8cfb2c1a7113ff739ef91128ca171afc12e37380

SHA256
9e73e0ad024b79e04e0eabcf2bda4e21271470a4fbc7fb00e97a3147cbf27b0e

SHA512
62dcf042edf0adaa2d1d904f546cb4f270b7a26f671f62f8737a1d876188af69f36cdef877900ae3c101549d4f715adf09fbf7fb780bd2759f05e34874be4aa1

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
69KB

MD5
6e8d39e266af398f08b4503d3fc08d30

SHA1
fc3060c797924f1d430bfea16f1085a5b565509b

SHA256
a9d5499c4957df71b5fb426a714c93a47f298e82b67725d70ae72350e2957a6d

SHA512
ea726f789e16b6de657bcd59e291e352ac32fbb5b68d5acaa1ccdbed867522f7710329b224b987ff19000966464981fb2e0886bf60bf9823b100562c07a3e838

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
69KB

MD5
074f9f0a2be2bf0c979b541040351fb6

SHA1
aeb5c86657d4b71b2c341e2cf80942dd86619cae

SHA256
8835d2dcbf25272ff9cfa966dce2eeebfda854d0b4c4eaac7d697d98307a50b5

SHA512
17c6425d01b489b372b4284833f021b8ff281a1c84e0063e578e6e5a7936beb829268becd70e5e02ef7f67f13bb5617a645f5ad45a0c6aff69f57562ce4c826d

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
69KB

MD5
9f5a302a343d662917f286bcc107afd0

SHA1
4ea918a3744d441e5b162d05e045058c4d8c37bc

SHA256
d57e0b5cf646e182620fb5cce86002280c1a173be1fecfa5cbde1c58be2e534d

SHA512
c5fd210e75bb1e8d202ebf229f47f4ce2790c54091879b1b141eb70facd3768322b831e00b875914cfdbe55baecfb821716e72955641a8dd7f323172dc08ab11

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
69KB

MD5
2f9c5f8d986aa80c456cfd26c999aab9

SHA1
e434a28fcac4d96c802aa4e5f46afb5adaeeb07d

SHA256
c264616499d185602d1aa5faf20ab567e54a5591173e96bc02da1f5ecc947fba

SHA512
f0728b9a85618a586e39540b8fe1ef28e6abdbe28e19a7ed60b69133639700bbcb2c9d92a38c20716b6ae2f0c111521f7dfd0a31d9746fff113a789a4f07326e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
69KB

MD5
91eb6a1a0eebd7646041f80d0b53d021

SHA1
dcde0ea2f204d3aa483644af19854d02876395c5

SHA256
aa1f51d74f63b0bb22d367b0fff475107753a52fe29f4213655350b25c4ad96e

SHA512
fe5e7d7dc9ff584feae73f947b649944c300d29cf1e122dc684f50945184b1181341396c000d9247ad54d61c567a5cb6a53355cafe80fa13e2bbd6c38be62e67

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
69KB

MD5
fcdcfcad257c781f65acc99c109f9b6a

SHA1
2d8b74f56c3ba9e69b5e5e3198852d244be1b9ec

SHA256
ea0c368e90041b5182c7c91b7f5220ef854556f60b61b13e402dd80832154379

SHA512
b1125f921b3ceaf604648355d3b0fcf26d33b2210a97899ef7741aacd9e232b9d2cbc22a40a044b3a40b6d6d98c8c95137140da91931f255f71663ae7f88c7a7

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
69KB

MD5
2c59ab76eb5012c9c4a9e627a9493d8a

SHA1
4bad8c0ac4b7d4d47dc8bcd4eea3e000e136a149

SHA256
61a296e6ea1aee5879cd53334cc3bf32e6ee25128e074755e8886cd2e5867aeb

SHA512
6674a6ba21a30163aea458b9af8354eeb93748da65d06b66ca3104e7c543d0e0243841603f0a3c48240bfe539038ad2292cdcd8ca7bd23fad8f12819ea658e92

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
69KB

MD5
5ab7845ba510f1d735815ee3c4c90b2e

SHA1
47198523711009100919c02ee269309aa3b65131

SHA256
9791c7abbd2878f77ecf9706ae995bcaac6a2d0f791c30b57a6ac98cef49194a

SHA512
3e4bcb5fc5ec16769a5b72da9565b7e46ee3536fcff0d11c1fefce1ed2755afde15d0f24f6fc0cb44e3c8f5233321f39c9ac8eaea7d36906fce1b3514da61107

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
69KB

MD5
9e1156d26f26c7040f795a5c14b1b0fb

SHA1
973cd25241d57a556c7bb3c6db29118ee2f7ec0a

SHA256
527e8e6f441f196203a2da13023196bdcb2a22be508f6c211462c4375c7cbb4b

SHA512
08c82137db135a918f6528b1dad309c48ad8ea436eee247b95bab7d2c884590da4207b325152585e5c59376da1cbf6d4280000e048495546c3f60546c6ed0d1b

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
69KB

MD5
fc4ccd0cdcb681df7a482dc96755238c

SHA1
afad79d3eb1d482816eb64245851c9809e61b0b3

SHA256
04853953008185dd0c2b7ef70fcbfabdd7e0f9a6f65210c230cd615afcf3c5df

SHA512
ade43ff40fc11a302e4586dd6923f56952d4add5d22aa62235404166911ef8cd6e221e99b15e957df683c6b088c1742d8f1108d11750bef6728e917a72df012f

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
69KB

MD5
a88460ec4c62b7b8a437a876407ac4fd

SHA1
6e3879650931f39b98a7b18017eb3330f514b3c9

SHA256
afc595e016970cee3a9695d9ad5cce8958a6bfd8c16e04edc7f487097864dc94

SHA512
1db4c2c2e4229736922ed19a10bad78c3cb87b2149128384d931d1bee99d88ac05c832ba368fefca30bc44f332402592406708801a03ef378d584f5f9147b062

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
69KB

MD5
72d80d838e7c6dcd676ffc59aa8bbb5c

SHA1
12bc8168d9ad9e796826ab55d178dc0db1f5e325

SHA256
efc4470c28c8fff043e4d583d21ca3b0502bcc91c04b860fec42603c1906710e

SHA512
05cab2b1f3ccd5ec6511d70e13c32ecd78363acd914840c7af557e763cc877ad258b6b30897ffb8a7f08c9ba2bb0b2d0abc97b9b792dd1a7fd6e4e2145b940e5

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
69KB

MD5
ae5171a22651e43f17bec71671375d2f

SHA1
ae84c79420decea260cd57006ec85590802b1ba6

SHA256
392733bcb4598d716b3e397d9a0ecaa6eca7bf9975255f7ba79832b767e1fecc

SHA512
671937bd74895ae5ec4da1b14371617e29299d825a8e11f2a12b82a97cff7d4ab59a3122f3a41398698b9fb06862fcd179f2293ce68f485041a796713305b82e

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
69KB

MD5
13e200ddb273156e52f8800fa298b031

SHA1
74f7461b814fb93589823daa374143af78422bf9

SHA256
f5d8a7c35b2b2997baada95b3ae39686fe2afdc1011cca9ad309a50bbe695d35

SHA512
f95c92e13b335df9df05ec6d2331b8304e7609e62eb9dc47618595d5eb46856ec0b1730b0d5075b3493b107eac670119c31d1b2942a3892c5500cf182b0ba29d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
69KB

MD5
8a6a4cf9cd7dde069709ad45997a2c6c

SHA1
9a03f8ca4e140410a239c52342e25b0a8e3a13f5

SHA256
74ee120a35d213aeba1947edbfce5dbc27ad00ba43ee46d980d196a734162b4a

SHA512
df21934d9f1b62b009b4adb77b7e735c5ab2beebe4ef1a846db3e5d6a3bf9b7a85a2e6af9679946ba7035969d4d23819fcde0249bd7768a81f73ece58149caab

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
69KB

MD5
b7388ae085818df486345b892089e435

SHA1
b10922bfff739746329aca769e6cec2ebf7d0e9a

SHA256
740beb4228ac27faddec7c0d2c279dd237b7f1d415e27e6bdd4e1c2772f24c1c

SHA512
bd868d4ae07054dc1fd94e26274b6c2133a18f2379777cd71cc7be2ba31c1e3ff56e3c8555dcf6a0a6e47a9cb3ce78b10702727464019a2f3f651f5fb3351c29

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
69KB

MD5
3e60b5a626699422b8f71aaab421d30d

SHA1
425d2d88c03527d4e459e686af6f787fbfdcc918

SHA256
04004111dc11201f308d307d19dc8235b303dce9bf6edf3bed99e3ace986c162

SHA512
520c67af42ac85f2672b415c11da5a91c7afc98c6c1b1255fe66ef6c04f721a89e026b80c06a91ec36ceb16c7fb157ebeb7cca16b608909ac43cf4b90729480f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
69KB

MD5
d7470d7a470acbc23b9798f6ba6c4eee

SHA1
8e2fd4cf84df03536493b0e2e8b56476d482d0b1

SHA256
7fb0c2788966f0cea2582389139deee1d34710f717a7992862b02542758e0408

SHA512
259e0c813d3e6dbcdde3cac0845e4fad87642a42a5d0b7b620bdb2749750b4c33a9cbc5bc14d52d614a4f42a5057d646f56fa972d570418807708f70f7592a59

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
69KB

MD5
20bfcc3c78a6a02aa615319871257913

SHA1
8b11e3c66efe47e51833286902f8edb19cd54533

SHA256
0a840fb9695eacc41e5c78c4416be59af69493738b388c58a1ef28f3bfc399ff

SHA512
1fbbafbc157315966f5e66ad239c5042d6e8d361c130405224f0a9e0a6f338c353948580cfbe92cca9e8a175cd5544f26535728551876f1e1f57626756e886b2

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
69KB

MD5
ff502a432f36aaacb666389126b089a8

SHA1
95d1618a421495eaf9d65c68bf2fddab24faff6a

SHA256
079bcc60cd1227f7d85e5697b2fc5f48b0d3a344d7086f00381a68fb05981f7d

SHA512
4ccc3dddfd8044099ba24210522c29c4748cee92b02cb78db15ff9fa9aeb41c44889c54a83ec351ec9eda0703a0ac01496403532e1259958e304e338183fbfd4

Download Submit
memory/376-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/388-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-539-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-594-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1276-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2220-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2460-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-580-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-587-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3064-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3104-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-465-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3432-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3440-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3772-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-573-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3976-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4056-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4308-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4500-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-560-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4700-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5132-497-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5188-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5228-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5272-515-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5312-521-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5352-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5392-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5436-540-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5480-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5516-554-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5568-561-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5616-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5656-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5728-581-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5788-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads