berbew | 93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
Size

161KB
MD5

3fc72c301663e1402cd1fdb3290560b6
SHA1

7717f2c14f835b4151c6b2011c8d6606e9cf3bba
SHA256

93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3
SHA512

cce69440d80be48c1214e5e268948e3856df388dbc56e70ec3a5b8c8c91483747e0aa6c942dbc324a02697cbf70d0920055089dfe491a9b28af1add1d3a08213
SSDEEP

3072:ILTCMCaImXOVkBVwtCJXeex7rrIRZK8K8/kv:b5nkBVwtmeetrIyR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfiale32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfiale32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
2880	Jdgdempa.exe
2604	Jgfqaiod.exe
2716	Jfiale32.exe
2708	Kjfjbdle.exe
2664	Kqqboncb.exe
2532	Kbbngf32.exe
2980	Kkjcplpa.exe
1112	Kcakaipc.exe
1116	Kklpekno.exe
2676	Keednado.exe
1712	Kkolkk32.exe
1836	Kbidgeci.exe
1076	Kgemplap.exe
1988	Knpemf32.exe
2468	Llcefjgf.exe
2480	Lnbbbffj.exe
2208	Lcojjmea.exe
860	Lgjfkk32.exe
1252	Ljibgg32.exe
1880	Lfpclh32.exe
1444	Lphhenhc.exe
2260	Lccdel32.exe
2896	Lcfqkl32.exe
2884	Libicbma.exe
1516	Mpmapm32.exe
2724	Mooaljkh.exe
2660	Moanaiie.exe
2856	Mapjmehi.exe
1340	Mhjbjopf.exe
2988	Modkfi32.exe
828	Mencccop.exe
320	Mlhkpm32.exe
2796	Mmihhelk.exe
552	Maedhd32.exe
2476	Mdcpdp32.exe
640	Mgalqkbk.exe
2996	Moidahcn.exe
2968	Mmldme32.exe
1820	Mpjqiq32.exe
2000	Nhaikn32.exe
2992	Nibebfpl.exe
1700	Nmnace32.exe
2156	Nplmop32.exe
2064	Nckjkl32.exe
1760	Nkbalifo.exe
1624	Niebhf32.exe
868	Nlcnda32.exe
1528	Npojdpef.exe
1844	Ncmfqkdj.exe
1520	Nekbmgcn.exe
2760	Nmbknddp.exe
2764	Npagjpcd.exe
2556	Ncpcfkbg.exe
2564	Ngkogj32.exe
2456	Niikceid.exe
1500	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
2880	Jdgdempa.exe
2880	Jdgdempa.exe
2604	Jgfqaiod.exe
2604	Jgfqaiod.exe
2716	Jfiale32.exe
2716	Jfiale32.exe
2708	Kjfjbdle.exe
2708	Kjfjbdle.exe
2664	Kqqboncb.exe
2664	Kqqboncb.exe
2532	Kbbngf32.exe
2532	Kbbngf32.exe
2980	Kkjcplpa.exe
2980	Kkjcplpa.exe
1112	Kcakaipc.exe
1112	Kcakaipc.exe
1116	Kklpekno.exe
1116	Kklpekno.exe
2676	Keednado.exe
2676	Keednado.exe
1712	Kkolkk32.exe
1712	Kkolkk32.exe
1836	Kbidgeci.exe
1836	Kbidgeci.exe
1076	Kgemplap.exe
1076	Kgemplap.exe
1988	Knpemf32.exe
1988	Knpemf32.exe
2468	Llcefjgf.exe
2468	Llcefjgf.exe
2480	Lnbbbffj.exe
2480	Lnbbbffj.exe
2208	Lcojjmea.exe
2208	Lcojjmea.exe
860	Lgjfkk32.exe
860	Lgjfkk32.exe
1252	Ljibgg32.exe
1252	Ljibgg32.exe
1880	Lfpclh32.exe
1880	Lfpclh32.exe
1444	Lphhenhc.exe
1444	Lphhenhc.exe
2260	Lccdel32.exe
2260	Lccdel32.exe
2896	Lcfqkl32.exe
2896	Lcfqkl32.exe
2884	Libicbma.exe
2884	Libicbma.exe
1516	Mpmapm32.exe
1516	Mpmapm32.exe
2724	Mooaljkh.exe
2724	Mooaljkh.exe
2660	Moanaiie.exe
2660	Moanaiie.exe
2856	Mapjmehi.exe
2856	Mapjmehi.exe
1340	Mhjbjopf.exe
1340	Mhjbjopf.exe
2988	Modkfi32.exe
2988	Modkfi32.exe
828	Mencccop.exe
828	Mencccop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kklpekno.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Jfiale32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Llcefjgf.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Kcakaipc.exe	Kkjcplpa.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Kjfjbdle.exe	Jfiale32.exe
File opened for modification	C:\Windows\SysWOW64\Ljibgg32.exe	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Mapjmehi.exe	Moanaiie.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Allepo32.dll	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Qocjhb32.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Moidahcn.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjcplpa.exe	Kbbngf32.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Kbidgeci.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jfiale32.exe
File created	C:\Windows\SysWOW64\Jcjbelmp.dll	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Kqqboncb.exe	Kjfjbdle.exe
File opened for modification	C:\Windows\SysWOW64\Kqqboncb.exe	Kjfjbdle.exe
File opened for modification	C:\Windows\SysWOW64\Keednado.exe	Kklpekno.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Knpemf32.exe	Kgemplap.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kklpekno.exe
File opened for modification	C:\Windows\SysWOW64\Kgemplap.exe	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Jgfqaiod.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	1500	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knpemf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfiale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjfkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgemplap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbbngf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdgdempa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkolkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjcplpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqboncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcefjgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljibgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbidgeci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnbbbffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphhenhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kklpekno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcakaipc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcefjgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Ljibgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll"	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfiale32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgemplap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2880	2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe	28
PID 2284 wrote to memory of 2880	2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe	28
PID 2284 wrote to memory of 2880	2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe	28
PID 2284 wrote to memory of 2880	2284	93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe	28
PID 2880 wrote to memory of 2604	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2604	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2604	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2604	2880	Jdgdempa.exe	29
PID 2604 wrote to memory of 2716	2604	Jgfqaiod.exe	30
PID 2604 wrote to memory of 2716	2604	Jgfqaiod.exe	30
PID 2604 wrote to memory of 2716	2604	Jgfqaiod.exe	30
PID 2604 wrote to memory of 2716	2604	Jgfqaiod.exe	30
PID 2716 wrote to memory of 2708	2716	Jfiale32.exe	31
PID 2716 wrote to memory of 2708	2716	Jfiale32.exe	31
PID 2716 wrote to memory of 2708	2716	Jfiale32.exe	31
PID 2716 wrote to memory of 2708	2716	Jfiale32.exe	31
PID 2708 wrote to memory of 2664	2708	Kjfjbdle.exe	32
PID 2708 wrote to memory of 2664	2708	Kjfjbdle.exe	32
PID 2708 wrote to memory of 2664	2708	Kjfjbdle.exe	32
PID 2708 wrote to memory of 2664	2708	Kjfjbdle.exe	32
PID 2664 wrote to memory of 2532	2664	Kqqboncb.exe	33
PID 2664 wrote to memory of 2532	2664	Kqqboncb.exe	33
PID 2664 wrote to memory of 2532	2664	Kqqboncb.exe	33
PID 2664 wrote to memory of 2532	2664	Kqqboncb.exe	33
PID 2532 wrote to memory of 2980	2532	Kbbngf32.exe	34
PID 2532 wrote to memory of 2980	2532	Kbbngf32.exe	34
PID 2532 wrote to memory of 2980	2532	Kbbngf32.exe	34
PID 2532 wrote to memory of 2980	2532	Kbbngf32.exe	34
PID 2980 wrote to memory of 1112	2980	Kkjcplpa.exe	35
PID 2980 wrote to memory of 1112	2980	Kkjcplpa.exe	35
PID 2980 wrote to memory of 1112	2980	Kkjcplpa.exe	35
PID 2980 wrote to memory of 1112	2980	Kkjcplpa.exe	35
PID 1112 wrote to memory of 1116	1112	Kcakaipc.exe	36
PID 1112 wrote to memory of 1116	1112	Kcakaipc.exe	36
PID 1112 wrote to memory of 1116	1112	Kcakaipc.exe	36
PID 1112 wrote to memory of 1116	1112	Kcakaipc.exe	36
PID 1116 wrote to memory of 2676	1116	Kklpekno.exe	37
PID 1116 wrote to memory of 2676	1116	Kklpekno.exe	37
PID 1116 wrote to memory of 2676	1116	Kklpekno.exe	37
PID 1116 wrote to memory of 2676	1116	Kklpekno.exe	37
PID 2676 wrote to memory of 1712	2676	Keednado.exe	38
PID 2676 wrote to memory of 1712	2676	Keednado.exe	38
PID 2676 wrote to memory of 1712	2676	Keednado.exe	38
PID 2676 wrote to memory of 1712	2676	Keednado.exe	38
PID 1712 wrote to memory of 1836	1712	Kkolkk32.exe	39
PID 1712 wrote to memory of 1836	1712	Kkolkk32.exe	39
PID 1712 wrote to memory of 1836	1712	Kkolkk32.exe	39
PID 1712 wrote to memory of 1836	1712	Kkolkk32.exe	39
PID 1836 wrote to memory of 1076	1836	Kbidgeci.exe	40
PID 1836 wrote to memory of 1076	1836	Kbidgeci.exe	40
PID 1836 wrote to memory of 1076	1836	Kbidgeci.exe	40
PID 1836 wrote to memory of 1076	1836	Kbidgeci.exe	40
PID 1076 wrote to memory of 1988	1076	Kgemplap.exe	41
PID 1076 wrote to memory of 1988	1076	Kgemplap.exe	41
PID 1076 wrote to memory of 1988	1076	Kgemplap.exe	41
PID 1076 wrote to memory of 1988	1076	Kgemplap.exe	41
PID 1988 wrote to memory of 2468	1988	Knpemf32.exe	42
PID 1988 wrote to memory of 2468	1988	Knpemf32.exe	42
PID 1988 wrote to memory of 2468	1988	Knpemf32.exe	42
PID 1988 wrote to memory of 2468	1988	Knpemf32.exe	42
PID 2468 wrote to memory of 2480	2468	Llcefjgf.exe	43
PID 2468 wrote to memory of 2480	2468	Llcefjgf.exe	43
PID 2468 wrote to memory of 2480	2468	Llcefjgf.exe	43
PID 2468 wrote to memory of 2480	2468	Llcefjgf.exe	43

C:\Users\Admin\AppData\Local\Temp\93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe
"C:\Users\Admin\AppData\Local\Temp\93859901ddd8144b5cc63c7bd1455ae8d14c33d3acadc11edd21b2246e324fe3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Jdgdempa.exe
  C:\Windows\system32\Jdgdempa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Jgfqaiod.exe
    C:\Windows\system32\Jgfqaiod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Jfiale32.exe
      C:\Windows\system32\Jfiale32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Kjfjbdle.exe
        
        C:\Windows\system32\Kjfjbdle.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kbbngf32.exe
        
        C:\Windows\system32\Kbbngf32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Kkolkk32.exe
        
        C:\Windows\system32\Kkolkk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Llcefjgf.exe
        
        C:\Windows\system32\Llcefjgf.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 140
        58⤵
        Program crash
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdgdempa.exe

Filesize
161KB

MD5
12dd006c90ac7842f8b2037cbeef6573

SHA1
e7ea996e13005d14b91235f6dbc799af44abe98e

SHA256
8f2bb5d990aa5091778d783a70641853c29ef0dd88b20f529df77715e31445f4

SHA512
9fcbd68959baa9d0cc2a73bf071066e6a40a1220e8b401222403b29a10bf31563639a7b353c5f25aa6302c5a8dca3208b9e4af8ba0c6c7a38790303db4c8122f

Download Submit
C:\Windows\SysWOW64\Jgfqaiod.exe

Filesize
161KB

MD5
af8c812a5a544aca62a8466b0e3b1626

SHA1
9a1b078f923d4ea82f216768e0bc232ee49837d5

SHA256
6c7bd3ed34d63fb9688530b88faafd09b72379b08b1a08da827c22bd7651c0e5

SHA512
e59cbd8f39132178c7a64d9366ccf547852ba53c711c35f71ba41fe839759af9e5859a4c484b40c43737d756837947156551e1c9d81cbad551572292f06f2ea3

Download Submit
C:\Windows\SysWOW64\Kbbngf32.exe

Filesize
161KB

MD5
164cceb700bb1524d9639d8f09b68e27

SHA1
6ba2d10412725c8309cde2e6f1cf62bc1223f972

SHA256
2e09534cba84aee4992370f5ee50a3e3643132c447fea163586077d8c272e5a6

SHA512
b4889613e4c3d334bc5f75b22b522e9ecc2a969ee87847de067010840a87b73a3bc78dd2970d4b63104c8a979ff7b6c57c90de219db24f7faafb855ec73399ef

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
161KB

MD5
8eb5ff94faa5bc11864d614d1d279b45

SHA1
56c21726f0832775378b74ffd035caca3242accf

SHA256
7cab8029e41239f77e6a8542649c315eb4617c6bea1ce8e1f0f332cefce52252

SHA512
c0f6da26e5a2cf052a4032b6aa47f2f9512ee0b083b990ea811cfbb72954a077ad4defafbdc1628fe55e51961cb0c3004c58dba4fd315747518ab61fb22f1ccb

Download Submit
C:\Windows\SysWOW64\Lcfqkl32.exe

Filesize
161KB

MD5
605997a807e951943d54c2db8d6fdbf4

SHA1
fbf5d519397b6302ee5362c59f2a265cb6362829

SHA256
70a3b3963557e062a751fbf5a575b673a7eed623d183f4beeee83e178b787771

SHA512
f513ffa4dc444e46d22cf080234bd17f6736fd2259ce38f4809e366d641a565aa822ffc4b156180b3f6b4c27afb685ce1568444d8f89eafe5d75cde82ae580fb

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
161KB

MD5
083168fb3a8727fe772efe50526ddc04

SHA1
0a25f15b9b50a96e5f2359f03b5a9adcc2e1ec90

SHA256
ebe917fea03c6ac4f50e2defae3034840497f15fd74b06a219713d7d27d93e26

SHA512
7899aa2e1dafff4f56658ad99e35469ffcf001731ee460d57a4bdd250294a25d6091a2b2045f9ee8fb46dfd155125cb5b6f60ce5c4d86c0db4ce50aedc09b2d5

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
161KB

MD5
42832126cde03380673fdccc5145aa49

SHA1
8bb880b9d777eff6eb17b377a5b2ff49f70c279e

SHA256
5d1bb69e1423105e72d77ec37fba6687ca8283cb88f9174166a1e9048015f2d0

SHA512
d080cbbbd24b2fd3e4287dc338ab9ea5d56025c2a5fb728260d44c50af473816141b93a84c1f707dd4c26ea95729c0c6c6f36c83a2b4f7917de2ee1b8e25de60

Download Submit
C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
161KB

MD5
8ed964d04e60e244a68048182aead332

SHA1
da7f6d5887dc8725c3c3aa21b1d00d82d819a9fc

SHA256
e44e14e097bd357df5fea5e3c6e16a3775cd86d5bb2f622b31d19ec172e424fd

SHA512
541814c9e18d5ddb16a485d7e318f5833c34b664823ecf6fe57e571a4caa1e4fda2a3f365c43614fff6332dbe8b7d2014c7aeb0dfc72d8fc2cc1411c79fa825a

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
161KB

MD5
5d1003fb61c11a86308e30d67c1a3956

SHA1
6f436d3cd704697e4ed01fc02237c77e01dff34c

SHA256
ee3993f523553113e8fe9f46347e3caab32ccb46894d2330b0aea08a33b6ee6a

SHA512
db455a19c4bba7aef443a3801dd32c24d5e248bf21aac44780ee665a3cb406a98b3b2272ec60e60615960825dae1c14718ae373c5fd9e4c327f2dfbe3cabe279

Download Submit
C:\Windows\SysWOW64\Ljibgg32.exe

Filesize
161KB

MD5
a61db251ca4c25e3cb906ae2151a0ff8

SHA1
7e66fc4b2372c6fd829d7b7a3c1dbc93bfe82aa5

SHA256
a0b061cf3e04e021d351f75795d5aab3b2e6ed1e553c122c67053d603d63e6c3

SHA512
6646afa4fdebf85ae79dc3df1006453bb63452846865a9af0a9d6977cf7e8980bb361e5898bad7b38fc4d999575bed95f890a59c68711a35167d5f02f8fe8e6b

Download Submit
C:\Windows\SysWOW64\Lnbbbffj.exe

Filesize
161KB

MD5
274d51c568a30c22df64aab696911b7e

SHA1
30f236ee2a281b29190772ae375834adda92ac9d

SHA256
30efe38d901ab1c5ccb37ddf2453cc63b3b5b83bca08cdbf3a0771cc6052fe30

SHA512
56095c44c0f32320bc8afec1025f49ca80f1f97129ec20cc2488aa450c30ff03e5467a9ef62770648a5b4cb4e4934fc6868a447a1c7b8cbe352f2d28323155ad

Download Submit
C:\Windows\SysWOW64\Lphhenhc.exe

Filesize
161KB

MD5
846f1fcfcbdf2abf033a9c1b9a1a1881

SHA1
ef828804f508c5f04d57fb5b75595fb933f0b9ce

SHA256
2d9fee46d9b839213e27a3b39f49a65d8613125093df8ed0c1989729298a8d46

SHA512
e5274fa6568e0381f769673647719570fac6c7354d3a98f811ed3532485533ba8252e325aa5aa730a6a35b5660f3b426ba9e641a02c67699c24ac3c0915312d6

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
161KB

MD5
fda395822643547e1a29eaa76582da21

SHA1
591d6172c721a75a8dabf5d652990e0b5b846618

SHA256
229fb64325cd4ec03418f2bd23582499a727156f09aedd37f053152089b57356

SHA512
48f0cf3d64f95fbaf40fb92612dcb3a386ed3c95c99252e2ccb045827cdbab3e064ed1b7a1111a873db904a34b67c8dab29c06b6a14ed13aa237f78c3d0dd1f5

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
161KB

MD5
02aeb69ee35e3fd7eefdaee0f3adc91e

SHA1
45f3bb8c23bbb61be2c925df43a91a107ecae5ad

SHA256
2405acea9029095f5bd183a8a617c9ba87dcf25a7c3d498b52ae8f5a50134f98

SHA512
dc4d71b1b729704b9e69d21682f730aefc4338836a7f78f5cdd29ce2c26f55d04f6ba45b6fe47714dabc664d6fc5d8a7e54d0ad3a01c4f93ae5f21cf82cf19de

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
161KB

MD5
094d8004902f5cc4ba4fcf29b77da79c

SHA1
86b26b7c1918b77cb4c467421736a0ae00743b08

SHA256
90ef813a4b4bb3617267de0626c8a88e82cd5521d24561b2a23a0b8b22be0318

SHA512
119c32c59be9cd4529fefd751da7789dcd2afc2bc714714b287ee100d43ab21b67183ba19a06d6f4cefc3c5d00c2fff6dcbffc3f79145a1714fa95f63dde7061

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
161KB

MD5
388c48e6ffb828bffac71e99e28d96c2

SHA1
de011b7e31d53b74c709f9d7491442fbf3cd1500

SHA256
6374fb54e0f3ab0b2c940a83a699d175c8fa338145a05b2e3c680206728beae7

SHA512
b89ebed743a2dec80bb75ff4b5121b8116c69c0272fbd509e13adb55b854132212521f741f18d2076482a47a1c8919732c73d4d8b8629fd64b5fd26a34bf69ea

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
161KB

MD5
888b256bcd19ce37ffc6cb18c1caf65f

SHA1
80a1c679ad346649c11ad6a02f9311ffaaebfca0

SHA256
f4afdc1e61a8c05a71a2bffbb86062cffa06439b5bb8f0aff02cd1571e5e4f48

SHA512
9345abdb992851715931af60e06e7fe3950caf6a34b44e7899c348f6cfa1595db4c88a5df0f46b0f4bf18420cd5444cce14b7cfefb3d1421905d322ffa13d9d9

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
161KB

MD5
e47b421582446bc49691d43e521d1d51

SHA1
daea74e45795651e47c630684e06577555256f0d

SHA256
6b682a8eea6b620623a19318e4600fc29e2d3a4bbe771d927532ab0e74dc8bbe

SHA512
c01f7ebc15b690ea68fbefc5d3bcf71233830d14a4f62361a4a049246d8837345f224597e773cd48fd4442b92b8a95df3338c90bd7501a5aed9dc3218b040a5a

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
161KB

MD5
f46ce7c17abcd0c141499745d2e554d7

SHA1
f9a5dbf6518b9582d953e42be9a5f8a8629675ab

SHA256
1c03fb289eabc9039379f0db609c5c0b7013dc870672a3d2e8f031c8900b91a8

SHA512
bddfc8b4e83fb17515e885348b2823ddaf4dcc7f9f36e1770384fffef37d7d8360fd0e44cc3c1e63af4a81cfd3f1a581dc1e74d5508e2f8d3e3af05c6b275436

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
161KB

MD5
0b96cda689e48473d7943e766e5a2912

SHA1
0d9468b57732206500a9c2c1a1d9139b993f400d

SHA256
763bc1c798eb5509668c7b010b973ad52a31fc7984d431b96c747138ff1802f9

SHA512
040170c34f7ecabcf2195b66c3902dd259af6d7dbfb0681d4747ca1f3528e9ac29728fa96d10b75494976f7d5222d63b9aa47c4beab10bbc14a5a0fda2823778

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
161KB

MD5
1fe7c41332f75cddae6dad7ff8d886e7

SHA1
28dc5ce53857f12257ba065c0c4df43dfe49a4b7

SHA256
fde13702adce45c853e0632b10506079f1eed8783be1d341b436f99ec62b2e8b

SHA512
41e6f0313ef6ea75d270d999e3a37599153a5ceb79780251cbbccc60e4edb0b7512365ef06780ba317248ff8daf81f07a2f02e6f6378c106f75b9af00a066bed

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
161KB

MD5
43bafc55b2d7986da4881f19c9f82959

SHA1
6e3a7e78a1eb3d6fd5e0d181368c8c6a8fdc3a67

SHA256
a390fddd8f066f875172ec9e79918a74d8252f0324734f7eedbbf1af9788e60f

SHA512
26fd71d94e4d6ccd02f6af9c7b850398a27ef7a18457185c0e90bbaad475cf02ae0ec1fc1eeae5f1631a5f467ac9f2d008042c021636278aa66654c9af9f4e33

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
161KB

MD5
c89ae264c155f5004461c5fb6fa123aa

SHA1
44154a8e2a165351eaa2e218ee19a8e9e45aadb3

SHA256
bef670016c9da07e96d2571dfb2a713809f6ba30acaa3e85aeb1e74b469e7e58

SHA512
c66063d783e7d4301d266d2a5c09dae6d0a8fa69b7ff3622d655817f2671f4abc8db8656e8b960c63ec2f9b33490d19d54a654fe5a8d106fbb02868df6f188dc

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
161KB

MD5
6b431fd5896b15beadae3d0ee537d5f3

SHA1
7e5eaaf80d9ccbc6b46d5358dc3f5f58d3227e04

SHA256
574e3c3f7f7e3f666ecb239d4b6a3728fd4a8a46b8dbc38bcd4ac2973bd06f22

SHA512
2a978293cb7c4bc2a4e7cdb7c2a6ce838a20593191e6ec0f60eb77110a495b5871985f307499896c72b03ce0a763cf2475301fa4a486b3970da9e3d91200a303

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
161KB

MD5
509b0f5880a1fdbac3da6fbb091539c2

SHA1
38f2ba7c94c4310f853128637788a7de681bc8cf

SHA256
b2226082171872f9b94bc2c31212f681afc3077cd65a33dd06983d4ae57b6c70

SHA512
ed98bbb1c0934fa18e66195211f8ab8486fa53fc72d5bfa07d13e6cd49aacd71817d7f68d0b740d044d4c64bebbfee7631063a421bb12d2ef062c92901973b4f

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
161KB

MD5
0af6bfc984b9e3ceb90ad5bc99fdef1f

SHA1
379e80073c70c4680687ee1d85a9422e87910dfe

SHA256
297f6570fbb62b3f4b4500a630f24a0f89fb03d5807ab4bce1cbeb3e94dc6da8

SHA512
77dac84aca750640474e147d033974c8be36bbfae7fc95f7e0233cd83a407d653638d67080564958b919aa37450d8ee80298211df4b784759e018b9680389bd8

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
161KB

MD5
104137d583c4fa99f08c7c3b97414e95

SHA1
98a4e420d7ac9dd0c591868321b82a69d814cdaf

SHA256
3ab960f72a13ec8d42a7c29b86937c338048d5d10425445cc07fd88bafa207f6

SHA512
e62b727f7f68e214aaf1854b7bdc694ee791e6a3f8e6783e618dfade52e4d79d65076792d21dd2b90f1321fe31609299d516e60e3705baa2750d1cf05d653a08

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
161KB

MD5
5792576cdefa65f269e74cb410da61c6

SHA1
019e834de0c1043f1a0b0fd0b281d40e0324008a

SHA256
fb215e846ee0497717e6ff22410b837561439f7ba898355f3c32cad044f31eff

SHA512
dcc09e0b1d4b3078e305ac48a0ee1c57545a75f8724343411beae4707efad8b1b83a2305c4183dd50a8509e14fbbaec832d2d40351b990a63cd8d9575b07c5f5

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
161KB

MD5
685b239fbe15b36c26193937d8e55ebc

SHA1
67e0b21bd1dc54d981e3c8ce0ad9a91d20455285

SHA256
59a7de9e35205480ca1b8f8ec8074464ce0b090744b641d4a6229761e72a4792

SHA512
5c0ae139028ba6d824f78c0d54279624c0552c0a8ec5aaa6836b9b877178492e707e46453b4404907b60d2d7511bd081558f8d2499f6c235d9a47540a5801278

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
161KB

MD5
81a462f411ece4eb82ad96ec7787e517

SHA1
b26a74177e753519129bfd9826d3e6a1700d09f9

SHA256
564275585e6baa4c76c1eb7a8c4a3beb33874f2121b6dbeeef62724dc02c46e9

SHA512
62823b40bade5a6ded6d843241d9ae7bd8b4232e8bc4f818a2201b2f607474ec925021ee5f5d004cc78995a893dfea6ad0759594a8703f559d92b451e57e9ba0

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
161KB

MD5
4acef744ab6b07375d826e158669f24d

SHA1
a05b58d49f20e8b22af01702e837728e5cd587cd

SHA256
d6cb8a7c4b11ba7248461f8b6d7d76809141b37d12df798f1a1d32270a2549e1

SHA512
2c734208da89eb50da2e00ae6c76ddac9ed347ebdf51686300d37eff34b3b4a1e3b1f28c3aaa94d0eb2ff2d72be2ab364ad5808c74a0d3d97dc32df45b2f80a6

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
161KB

MD5
e5c4aa0119d082e7177b1fe5e7aa06c0

SHA1
370674d864585a00744298ca9d46aea5cd823313

SHA256
7a27f0b8190e4bb522b38dd5a8ac917c392c756e265098ea3d205419880e1a16

SHA512
924b6a4f0fa332f081ce9e72e4ad380a2fcfbe32def012f548ffbf90e684ba1170a6451a6514426d08aa6166cfb930e6e9f5848408036a2d4d11e2d9b3ea7778

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
161KB

MD5
c7a0da2c195e98b9d8571c80f18185db

SHA1
6a73eaa509e7cb66cff4563679e0f3c4ce1e1d8f

SHA256
9149cd5ae4456b741c6c03d28f79ba8f3ac283e26e419cccec05bc2d536a054f

SHA512
ccbbd72a5ac922aa981c496ea30795f7c8560a3e8b16207f1ff3a0d7b0d8f014b83e9ce5f55ff9d027a482cb36805d58938b6e8ee253ea4f1a451af2b25b6973

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
161KB

MD5
ff8078674c727b32022991b05cb2a7ee

SHA1
014be9221a22762ba6d0391d10e8128a91859364

SHA256
9c2012acde37d37d94b7db4b41d6cb5cb01e924d65e5a960fd031a8bdd86b3f1

SHA512
f78739befa85cd8ca54ac0447abfbbadec70707bdd18836c3e731ef02cedf71259424731cf3faf954a1fadf3a596c0b1a729f0396a997dd0e93cb3784e19da59

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
161KB

MD5
9f606aade4094d1ea39c59fce28b38f4

SHA1
ce7bde1e2d4109f9839a083099d1ba90d9b0c443

SHA256
eec4d1752f1a4041eefcf752382d0b46b7416f918bcf5844a0e5ba4342333eb3

SHA512
6480692214f957a0caa58426cf0688c81e1f9c82e88d1ca3a9bc37496b23bba5528e444486c14bad972f812aca08f99d1c160490101ae8137acd4572ec9d286c

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
161KB

MD5
e09dbc926f0252d7d4c7ca3a49b20bc0

SHA1
853ff02e2006933582fa222169648437e02eaaa9

SHA256
8a24ea8101ff35e0d5af9c3868487aa9f76ddf4431f880fa4adcd32114b398c2

SHA512
3c340357e05d92c45171876d5c29c6c74529d6ad70f6acdb9383dfdec41e8c1fb1778e782644e45d79ac77f681f9cc91ff7782926721364ff9390beb1d30d119

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
161KB

MD5
c785dedd77ee0dcc3d75e09533d8c9bc

SHA1
5512e3eb276fa7b3750f23971fce703d1282cf7f

SHA256
edcf46a1fb52c77feb9e789b59642fd70d361bcfd05dcc4f64fdc15d39c8df10

SHA512
5e4e72b52bb9f592bb02cfdadd132c2c8b31a4479c0af7f8940fdc38d19c21d13ef29ebc1cac1cebac9e90b2561a2ce83191f4bd691c45b45ce16d6cb925226e

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
161KB

MD5
90ff6b21844d267ecf859688dc191031

SHA1
192cd86c17ce525eccec8101710e0360895b2de0

SHA256
d1fbddf68e53ae66210186155967ee77c3b58bb7fb382a4e9f891742c52aba65

SHA512
0dce579c7287e078c0e7dbc1c26a74f26725488b4da486d732b364af7497259932a9ad5ac29361d75c5258c7c92a8f56596cab32fcbfe51d9c11dd66ada70867

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
161KB

MD5
f2ee7e44c430ff0f955d6b5b6cf72f31

SHA1
5741dac1c2e8cdda254684ed476f1f8b97351558

SHA256
22023500d3a221024902ca7527c70c3de9e779397c5895a498b4750de115c239

SHA512
429a9cb80976e6990904339f0beee67cbe0d3e4ecae46bb8bf966d3d33381f551b9cdded2a8a872db025992b8c9ca297a79a9ac5e2a61b4f79f3a8e0de7b9740

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
161KB

MD5
27cb718443edeaa696d4dd5ec33a810b

SHA1
a005d35590965b0481258864fbdda8d7c8759869

SHA256
71b1611b24d6c9dac03f0c56856fbdecf47ea4c1d154c3723fb4632da273283d

SHA512
0f831a256485db0ce1b97796fa78452846fc34ac34b892ce59ad18c39d1bf12246942a1921d46dd30a03b8987780891048cd4dc2cb298a3471b86386278fce07

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
161KB

MD5
d7757dc3dce14644bb2f2bf8a35ad8dc

SHA1
73dcff1fffc2379e8bc43f9cab1259818be81bcc

SHA256
5f29195b834f5884d0e7febb617e7a9d8bb085ff01c5b64cb5b9065ada66f860

SHA512
fff41a1de9b7aa1dba70a22235ca738771d00664fb387d7ba4c9e1a3497f700632a51c0da15afdfd8da85f8ae78a3f9fb6612d9f65599f35093f866419327342

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
161KB

MD5
f8e29e5ed02f2e6b6aaa21e14ce9ff7b

SHA1
d373407522bbd384a496c272309ed2e74b4b132c

SHA256
14b35a278dc0e0dec1eb7bceef644e8aa47a53e1564c59bb11513e397ecefe07

SHA512
d5977933a8157a5cc77f8fe72185cc6b447172e6ed936083f09dd9789caad45d850527188d6915d27d7abbb2c335bfa3dc2c2403c922a5e5e4cb1d3450175100

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
161KB

MD5
85ea6838ae73f3225de26833446af1d3

SHA1
cac3b0c4c2f3c15b59c6c3c4feee8e46ca3abffe

SHA256
e95343b66f655efe900480cc0d194cdea1a67c6e925577054f45cef5af7af33a

SHA512
4f0505fe74261645cb177219aa2f4df9850ed5a19509d78a9dbc6bb603cad37d250df8769185c11905925837d71d0395f0ad34c988d82a04c81fcf0416068889

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
161KB

MD5
ef895b65bab667c8900188ad1db3b499

SHA1
a1bd33f57e470f699cf91efbe20ae00b07ad0c74

SHA256
402b7445bd050d28de17f0df677b04f583ecbc98b9d1d66730395131fdf17181

SHA512
c28179d55d3d42b7f5212ce4a50ff8a4767a0dc5a0f1f3186cde3f3b5a45ac00380a4d0f7ba5171ab82243bcfe39b8f80f3d502dc82aece96227a70a88ca8b4e

Download Submit
C:\Windows\SysWOW64\Qocjhb32.dll

Filesize
7KB

MD5
d7440a158ea5ded227303a3151f5a46a

SHA1
73faad97ca0ee912920b4ee43f49f61dbf9b8153

SHA256
88d53ccc714dcff0c68afdb1b7e12c8f6624b863502f158b6d69685be707d5d3

SHA512
981ca91cdefbc548b6a514f6ecf10dbb6c96519b8f916f79b32cb64a3a47b5ed44be197df472173449bf30c07af2c1e786856329e4ab945a1935cd4e62b3c0e4

Download Submit
\Windows\SysWOW64\Jfiale32.exe

Filesize
161KB

MD5
d8e88b753c0d7b16a8be53e9f9b7455b

SHA1
b722bfdfd3635e64269af6110794ec48ddbda1bb

SHA256
7852ef104bbcc63e43e3e530685e5c181306bcdc4b38e340e851c6a1e3dd6ef3

SHA512
b2ad0cdb35957a4c0531fd4efb84eec0773d83cca90060f782a5f0a8bc88ccffbb7b48270473aac7f5854d5ccbf7a19e9e65792f33d6b32dbfd350c7214140cf

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
161KB

MD5
6abef3fe43bcff42eb03468d3323912a

SHA1
1ee217b05a515dfd9594687d8ea3b67eb71f8943

SHA256
c0c6a7827cfed365199e5c96b498e5d71f4edf41a36376fbfaf017a680f6f8db

SHA512
4aa52c339847fae6bb6b4d29a1c3b89a24286bd2cce88d9bb6c7751603ef7140682fa731b399417dfa289ce000eb9c2ce9fade67e2b70c9864bd9e09683c9919

Download Submit
\Windows\SysWOW64\Kcakaipc.exe

Filesize
161KB

MD5
3a7b848d7cd5cff33311736e0798c4a4

SHA1
0e4c23b32904c3efe7aeac38abd968bd64492acf

SHA256
117e135a16591935d97365f7b50b221d66026878948af6008588ad3d018b2df1

SHA512
370cd9ab3e492ca0247cf79ec1fbb0f15d4ec9b62817a4073d9269b35c31e97b095e752904697bbc81f35ffd9df9ac8fc2c182cc68eaa91220bb3276b54d5fa6

Download Submit
\Windows\SysWOW64\Keednado.exe

Filesize
161KB

MD5
47dc5ad0774843d80dc41716c625db54

SHA1
a568e7d64b037fe9809fc5ea4bb27b89332f5a43

SHA256
6222b857fb778bd95b6675e09147180bff853d111f6afdfcae419fa728fc8abe

SHA512
d3998ab95100abd8266d3e89662cbf3e2fb7458c0165040bf9bea407b7aa85a2bc19c8ee5588bc2a80f624d1fe5700bd379c8f637b877f48be5c97da7b944ff2

Download Submit
\Windows\SysWOW64\Kgemplap.exe

Filesize
161KB

MD5
c84085a488d90dc41440d4b1c4f5fb04

SHA1
dd74ea5eb6f6c19f04b7967f7f0307379d7c2d92

SHA256
47e67561a84c4f9738b8baa8dddb29f9b6dc306d2322abe10c59f339c6789794

SHA512
84cb68f2ec499d138c35305ba152ac8072c87f03ee0725d9630437ae826c3e910c8ac36c3ee9113d680ab79aa697aa6504768f18692fd1e32ecff8e124459fb8

Download Submit
\Windows\SysWOW64\Kjfjbdle.exe

Filesize
161KB

MD5
58600e9b02892e3d834501491ec022c8

SHA1
4241f633d971482e92d0e95844f7f7b5d6691914

SHA256
14ce5a2bf29702ce25150912fac36c9e2d6f89bb7f04c12a2c43cb962b7c10c8

SHA512
228304c28a013fd25ee774d9892ea3dd4d0116007ba3ca8662aaac117761d336e942ea8d0b22d95721b98c864ed200c0508d07a40077d6cee2ebf2f0e7fbd834

Download Submit
\Windows\SysWOW64\Kkjcplpa.exe

Filesize
161KB

MD5
f2519fed100c5740e01c272256a6f890

SHA1
bfaf471eef7ba9db4047c5137582afb9c0ff0004

SHA256
c1087a8d153a98533bb8f140996b07464fb08d38b973f2a941a902f7d573505d

SHA512
ae948b674865ebfa4df793bf2155b3f702b1978e1094a96ebfd50a3d0b25c7e2328270c28e26a39d28f62a0ca363dd1d8b88b8064e2272b90093a633a53f5d24

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
161KB

MD5
5c6db7788f80b866c9b74f0afcd6278f

SHA1
f462a11a245077b47135fe34a919c1cbf187763a

SHA256
a5ed41a7be6b29c21d4de2dba6c3e547bdc24aca44791397dd8643a1b589531b

SHA512
377f1071aeb5a91bf79670da33202ff8dcd308014b3f298f2978dfe7d1fa30bced6c10570e912a441d913daa5694cbecace6efaf86db21feae40043883f0c1e3

Download Submit
\Windows\SysWOW64\Kkolkk32.exe

Filesize
161KB

MD5
127c33cd4548546d8ed3794818de79cb

SHA1
91277d779864941587c1d587e63c2699d3c366ad

SHA256
93c3523a6e5619de681e2c25a62492a07f9c11752dd9ef2f74224d8942f6595d

SHA512
21e3993d176097756aaccfb523b897df896b7a2a1f9083c67af476c1a3be1517aa528dc7c047a36cdfb922c81846a2d8b26c96de898738aafa7bf85c2a2b1488

Download Submit
\Windows\SysWOW64\Knpemf32.exe

Filesize
161KB

MD5
1e42bebe417fe2ed0b0cbaa1a78d918c

SHA1
7d6d96e94b28e639b0ec304314ca43b24190320c

SHA256
b81e327f1927af46558fbf87f6907333ab103b066f1a5125a850f2f5304c2188

SHA512
e50f7853b8f9f8f5e7d19433a6d197b6d0cba012c99aed9600e2809113470d3ffa75687bb5f454c9623ea00d89f408fc270b3ac50022db7ab4b3dd1aae6afcf7

Download Submit
\Windows\SysWOW64\Kqqboncb.exe

Filesize
161KB

MD5
54fd25e3fe5d890cf2360ea895a2c6b8

SHA1
1f410ae6edffd7c0836aff5ca72954bd7c27537a

SHA256
89d6c2e874453ca78742c415aa7aa9ec4014dd23602027efcca578655b3ef353

SHA512
d6a005fc1834e6debc004cf447157ff6c03b33756d437dcf019fb36898bb741a96dd0f1c9352793950927abf5577232c0d26e57bc7b1ccddb9f573f6ef2a554a

Download Submit
\Windows\SysWOW64\Llcefjgf.exe

Filesize
161KB

MD5
99634b12e4d765ee6eb2d7f567267051

SHA1
2434896f82e0cdf820728c8e67c92da1f27e26ed

SHA256
48d116e959d80928c36e90bd3b82f0efc5fc417bcc68e57b37552b847a3f8031

SHA512
c58e05469483735b95406516d6dcd67804d8fb32d72344b845631905693ca83b96c7a109000c960587647680041bbea9a9e6242ba82e697e4eee87fcc6f06f24

Download Submit
memory/860-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-272-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/860-309-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/860-307-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/860-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-205-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1076-199-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1076-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-249-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1112-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-128-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/1112-167-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/1112-126-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/1112-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-181-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/1116-190-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1116-142-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1116-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-321-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1252-283-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1340-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-308-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1444-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-354-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1516-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-389-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1712-222-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1712-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-173-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1836-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-182-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1836-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-331-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1880-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-294-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1880-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-296-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1988-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-213-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2208-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-318-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2260-355-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2260-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-353-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2260-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-11-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2284-12-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2468-235-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2468-271-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2468-236-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2468-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-270-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2480-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2480-284-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2480-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-96-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2604-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-34-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2604-41-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2660-372-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-82-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2664-81-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2664-127-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2676-152-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2676-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-112-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2708-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-63-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2716-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-363-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2724-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-385-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2880-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-367-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2896-332-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2896-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads