berbew | 6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
Size

97KB
MD5

f3d2aac6074a0a5790537520ff0cb7e0
SHA1

b2dee06a86e2b568188b053cbd9df7b46f2d4e56
SHA256

6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78
SHA512

8369236a4e7357d3fc2f70b48a920f2e13efccdbc0e94e238ccd697ec4b84fa1f28ff8657578613abbe39b02216f3f094407c54159ce93fef238774021125084
SSDEEP

1536:I0ulz2r0X/i2TnCpjbqnDg6pZ+HyXEyOQZMZ3QNlnW/rLqvJXeYZ6:ri2remjbqU6pZ2IyZ3QNSL6JXeK6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1592	Jmkdlkph.exe
3216	Jpjqhgol.exe
6060	Jbhmdbnp.exe
4040	Jjpeepnb.exe
4988	Jmnaakne.exe
1608	Jdhine32.exe
2152	Jmpngk32.exe
4744	Jbmfoa32.exe
4880	Jfhbppbc.exe
6092	Jmbklj32.exe
5812	Jdmcidam.exe
5060	Jkfkfohj.exe
5004	Kmegbjgn.exe
3556	Kdopod32.exe
2116	Kkihknfg.exe
3580	Kacphh32.exe
3432	Kdaldd32.exe
6036	Kkkdan32.exe
5044	Kaemnhla.exe
5600	Kdcijcke.exe
2172	Kknafn32.exe
4104	Kagichjo.exe
4108	Kibnhjgj.exe
5212	Kckbqpnj.exe
3268	Lalcng32.exe
2248	Liggbi32.exe
3092	Ldmlpbbj.exe
4132	Lijdhiaa.exe
2244	Lpcmec32.exe
212	Lkiqbl32.exe
5016	Laciofpa.exe
4356	Lgpagm32.exe
624	Laefdf32.exe
1748	Lddbqa32.exe
3476	Lgbnmm32.exe
1436	Mnlfigcc.exe
3680	Mpkbebbf.exe
2456	Mjcgohig.exe
5848	Mpmokb32.exe
2176	Mdiklqhm.exe
6048	Mkbchk32.exe
2520	Mnapdf32.exe
3940	Mpolqa32.exe
3392	Mcnhmm32.exe
2052	Mkepnjng.exe
2392	Mncmjfmk.exe
2748	Maohkd32.exe
872	Mcpebmkb.exe
852	Mkgmcjld.exe
2212	Mnfipekh.exe
1992	Mdpalp32.exe
4088	Mgnnhk32.exe
5504	Nkjjij32.exe
5276	Njljefql.exe
4028	Nqfbaq32.exe
5584	Ndbnboqb.exe
3168	Ngpjnkpf.exe
3616	Njogjfoj.exe
5540	Nqiogp32.exe
2156	Nddkgonp.exe
3768	Ngcgcjnc.exe
3712	Nnmopdep.exe
3344	Nbhkac32.exe
4904	Ndghmo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3676	5980	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbnboqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjpeepnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcgohig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpolqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdiklqhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nddkgonp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjqhgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmnaakne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhbppbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkihknfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liggbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiqbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndghmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcijcke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldmlpbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lijdhiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laciofpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnlfigcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maohkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmcjld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kacphh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbnmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcnhmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhmdbnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmegbjgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgpagm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkbchk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mncmjfmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmohbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgnnhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaemnhla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laefdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngcgcjnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njcpee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkfkfohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljefql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdaldd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkkdan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kagichjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqiogp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpngk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcidam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibnhjgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcmec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpjnkpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njogjfoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnmopdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbmfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdopod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckbqpnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngedij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdhine32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kknafn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfipekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpalp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbklj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lalcng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddbqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbhkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjjij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1592	4564	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe	85
PID 4564 wrote to memory of 1592	4564	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe	85
PID 4564 wrote to memory of 1592	4564	6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe	85
PID 1592 wrote to memory of 3216	1592	Jmkdlkph.exe	86
PID 1592 wrote to memory of 3216	1592	Jmkdlkph.exe	86
PID 1592 wrote to memory of 3216	1592	Jmkdlkph.exe	86
PID 3216 wrote to memory of 6060	3216	Jpjqhgol.exe	87
PID 3216 wrote to memory of 6060	3216	Jpjqhgol.exe	87
PID 3216 wrote to memory of 6060	3216	Jpjqhgol.exe	87
PID 6060 wrote to memory of 4040	6060	Jbhmdbnp.exe	88
PID 6060 wrote to memory of 4040	6060	Jbhmdbnp.exe	88
PID 6060 wrote to memory of 4040	6060	Jbhmdbnp.exe	88
PID 4040 wrote to memory of 4988	4040	Jjpeepnb.exe	89
PID 4040 wrote to memory of 4988	4040	Jjpeepnb.exe	89
PID 4040 wrote to memory of 4988	4040	Jjpeepnb.exe	89
PID 4988 wrote to memory of 1608	4988	Jmnaakne.exe	90
PID 4988 wrote to memory of 1608	4988	Jmnaakne.exe	90
PID 4988 wrote to memory of 1608	4988	Jmnaakne.exe	90
PID 1608 wrote to memory of 2152	1608	Jdhine32.exe	92
PID 1608 wrote to memory of 2152	1608	Jdhine32.exe	92
PID 1608 wrote to memory of 2152	1608	Jdhine32.exe	92
PID 2152 wrote to memory of 4744	2152	Jmpngk32.exe	94
PID 2152 wrote to memory of 4744	2152	Jmpngk32.exe	94
PID 2152 wrote to memory of 4744	2152	Jmpngk32.exe	94
PID 4744 wrote to memory of 4880	4744	Jbmfoa32.exe	95
PID 4744 wrote to memory of 4880	4744	Jbmfoa32.exe	95
PID 4744 wrote to memory of 4880	4744	Jbmfoa32.exe	95
PID 4880 wrote to memory of 6092	4880	Jfhbppbc.exe	96
PID 4880 wrote to memory of 6092	4880	Jfhbppbc.exe	96
PID 4880 wrote to memory of 6092	4880	Jfhbppbc.exe	96
PID 6092 wrote to memory of 5812	6092	Jmbklj32.exe	97
PID 6092 wrote to memory of 5812	6092	Jmbklj32.exe	97
PID 6092 wrote to memory of 5812	6092	Jmbklj32.exe	97
PID 5812 wrote to memory of 5060	5812	Jdmcidam.exe	99
PID 5812 wrote to memory of 5060	5812	Jdmcidam.exe	99
PID 5812 wrote to memory of 5060	5812	Jdmcidam.exe	99
PID 5060 wrote to memory of 5004	5060	Jkfkfohj.exe	100
PID 5060 wrote to memory of 5004	5060	Jkfkfohj.exe	100
PID 5060 wrote to memory of 5004	5060	Jkfkfohj.exe	100
PID 5004 wrote to memory of 3556	5004	Kmegbjgn.exe	101
PID 5004 wrote to memory of 3556	5004	Kmegbjgn.exe	101
PID 5004 wrote to memory of 3556	5004	Kmegbjgn.exe	101
PID 3556 wrote to memory of 2116	3556	Kdopod32.exe	102
PID 3556 wrote to memory of 2116	3556	Kdopod32.exe	102
PID 3556 wrote to memory of 2116	3556	Kdopod32.exe	102
PID 2116 wrote to memory of 3580	2116	Kkihknfg.exe	103
PID 2116 wrote to memory of 3580	2116	Kkihknfg.exe	103
PID 2116 wrote to memory of 3580	2116	Kkihknfg.exe	103
PID 3580 wrote to memory of 3432	3580	Kacphh32.exe	104
PID 3580 wrote to memory of 3432	3580	Kacphh32.exe	104
PID 3580 wrote to memory of 3432	3580	Kacphh32.exe	104
PID 3432 wrote to memory of 6036	3432	Kdaldd32.exe	105
PID 3432 wrote to memory of 6036	3432	Kdaldd32.exe	105
PID 3432 wrote to memory of 6036	3432	Kdaldd32.exe	105
PID 6036 wrote to memory of 5044	6036	Kkkdan32.exe	106
PID 6036 wrote to memory of 5044	6036	Kkkdan32.exe	106
PID 6036 wrote to memory of 5044	6036	Kkkdan32.exe	106
PID 5044 wrote to memory of 5600	5044	Kaemnhla.exe	107
PID 5044 wrote to memory of 5600	5044	Kaemnhla.exe	107
PID 5044 wrote to memory of 5600	5044	Kaemnhla.exe	107
PID 5600 wrote to memory of 2172	5600	Kdcijcke.exe	108
PID 5600 wrote to memory of 2172	5600	Kdcijcke.exe	108
PID 5600 wrote to memory of 2172	5600	Kdcijcke.exe	108
PID 2172 wrote to memory of 4104	2172	Kknafn32.exe	109

C:\Users\Admin\AppData\Local\Temp\6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe
"C:\Users\Admin\AppData\Local\Temp\6201f354e396c0c5016e5a43bef0fa7f6b49cfa96c14972d72bc5fc2da330e78.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\Jmkdlkph.exe
  C:\Windows\system32\Jmkdlkph.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Jpjqhgol.exe
    C:\Windows\system32\Jpjqhgol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\Jbhmdbnp.exe
      C:\Windows\system32\Jbhmdbnp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:6060
    - - C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6092
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6036
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 224
        70⤵
        Program crash
        
        PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5980 -ip 5980
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
97KB

MD5
eb1ee4dd6fa0c96f8d9bec8893300b5b

SHA1
ac86492dbff2790bc5684fab9a0d7e0e3143099e

SHA256
551ea443c63d5377add2ac71e1ac580a51687ee1a41ff2b8fd99778f5e3a9a68

SHA512
02905f72fdba2884d4652e767c09bf6b1b49c555ab9af8d186f31c864ac72fd79e5e36493b46068de7d883d05c11a706d905dba375a44b321a6ae7a9c4036af3

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
97KB

MD5
3cfe1b729d8445bd2d668e285be52f67

SHA1
e1105c46796836a94dd3105111f79358642b58eb

SHA256
56fb98ad9391164af8a00193d1766b28db449629aa9a5bec6aa5a49f332f3e9b

SHA512
fd7aae29e653b9e4fabc2879d74211992c8b5edf786f2b93d50da275f80d86b39cac89b508f923d361a642623d2f97dd6b068b1715321fa55270fb3e7ae9b04d

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
97KB

MD5
affb160b827efb9f918bfd93ed868848

SHA1
794da418cc095c887e350c47d1c944179b8b20b1

SHA256
1d6b92f990c4c8983b7f6ae83aa27ecac1380dc8e31c96246d98f276f1cb4169

SHA512
7afea7ce1e6a3b1a22258aaf91f0af5a1539c77e5df3ae4693c144b512ecfab5cb78eb05cad82f7a5bb850b13893d4a7b3864e8c9a1ead3e529c2d2510a48734

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
97KB

MD5
6faf28b8cbf78a10ca17dc519b1ecb2c

SHA1
664e5a2504e2e789d9c3f349e03e983978f88de0

SHA256
47c221ce72ef3a6f4b5476d40a3fd6cc2ad33caecdf86c6b8218ebaad5704c61

SHA512
7fb7ccbccfc9ace1a9c1f13a774ebbd62d4f82eb5021226e965baf82ac1ac1a76082c3c5a23341ed0e32301c8ec27f8ea549f5aec03d89e8a62a413e21336880

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
97KB

MD5
a9564f668d98802d6210ef8fbf53daad

SHA1
20d78b6d275974fdbb34aa4c9dbd494acb1b7643

SHA256
e12b94b714c70b4ae21e52d7f1f0a89352eed9bc87218e81ae11b2de9352c976

SHA512
9c4b9247f39a04fb8696fcd9036441e346a8b6277b7bbf5754dc6f6ff5ea269a5b2b3791661e42b3fdd16ee65645bfe2a3541d314e53f3c199ead93d9d7c0b4d

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
97KB

MD5
902ba42276e592b601672fd0b03dd5de

SHA1
3a2abb754b46b85ca525893c3ccaa7c12d18d1d0

SHA256
b03a9bb2d5da0b591dc5b4c8287838a7908a0cd92961cd00b2917eea0ba1fab3

SHA512
4c4d7ac3dd9b615ddf130d61c11d7077176d7f08e611cb2b88b8f4007a8e3578ceb96ccca12a7a250b0fdad59082ffda5c86c381bd8d6bbfc0660eadaa05d1a6

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
97KB

MD5
0dd28e40d3f6bab5bafea76de7739bdc

SHA1
e479a5adebd317312eeee3be55c14454f6ec9f06

SHA256
693483511b1b6f894b363ea053831fa798b819fe6ca0e1e8eedc72974bd5de5a

SHA512
ca2f3ca5768cacf8562b4b7ef8086b5b041f4189261bb603e15f6138867118b8dc2299635972786b29e9c047f4f939555bf6fa6b485225370aff60f702ab9918

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
97KB

MD5
726275ebfda2cd422b8b73679a4f7ca6

SHA1
bc057e12d7a1495dc68908bab2646a85791ed72d

SHA256
50f469297a42864b0d37cfc4dc3b4693fb65e46cfe3cefdcdbdf568cce448356

SHA512
96b355def0f7adb5d4d3287b7b0c8c52d24cbb3628e4a75f568db004fa0079e433090e4be9e9db2955cebb1f42aa242edb6acb97dd9d578a1271eae91ee5c2d4

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
97KB

MD5
1bbc4b5cd944eada5a47d232a8fbc316

SHA1
9a967b4239ca8b7e131e0c2b793cb59432619316

SHA256
b46129950e71b01a234325d2f494072716a60a0c77fd1a4a07eda7b2fecfea97

SHA512
00ffdac5ec77ba696acbf42cdc0909fad1bb83d04531b944e7783654370ace4ed7e9e85f6a589c7d55162b51a13f6b58325bd64e4bf66e3edea33193ae74ccdf

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
97KB

MD5
8b5a0366564612c8c97058ea519be2a7

SHA1
0e5dd90ecc3ae3be6a50f96129c792a1728c665a

SHA256
a1282548509a590b7d11e70534d1979145d4fae6a5d83cb221550bd5d3068052

SHA512
ac3960bea72705b7b7a5352881a5e45fc4d50e5f9fd2124b275ad6193225c19f8441a6b25cbaaa9ff70508ca68b03ad4c8323d1ea3a35b4f7e0128e2263f2bb2

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
97KB

MD5
00af34c0758d84aebb715bb2157fa672

SHA1
89e7023022fb8a2dd37a778a8e9f043b8b46a68b

SHA256
1c79da88ea9526987ce26a7e3a7ac77592ef2a938efab877d734b07d8a7fbfbe

SHA512
2a07d59e9b7c9494b73be9846198a6b42b8242c892a08020f74f7302d432ce477ddebe84e8a1d77f0ce3bde9debb49cfe059b63831e39a06d498b95e63c7497e

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
97KB

MD5
a85fbf4b8ec23e1f34689d89ec36e25f

SHA1
f732a5a6eff0d5fd973beb96c81b48ca199de1e6

SHA256
038675fca590a2da04dfa3fbd61cdc2173db3230c93821e244877460daff2b6e

SHA512
94295ad5a4959828052cffb827da8ce51766d2ecfc8186f27c19a7edc96b7244adf97761b94cf4e5c65c78c7ff899bd46d835949887ed84d5b9dfcd35499924f

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
97KB

MD5
332247c40e72877cec877754a222b434

SHA1
f23953c5c6c510dc7ec4c62e21ab6da6b74502a8

SHA256
40f850b2f01be03efe68d20a4244942ef5aa38070e5ca53d343ec31627f32ec5

SHA512
5f046ea7ac5bd6cad2a8eaed2444cbe91a3586a879b2d5e18a08b0b2517af64cde19351d875119f70ac55d25fd6912261c196e438f5044f30e6481300188041e

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
97KB

MD5
1401d1e5c86234ac3d735409681a6a86

SHA1
dbbf24d119346e1df00c722dff609ad078823e57

SHA256
f4e1b7aacac255ad026993d860d9d85ad20e12ddced980d5282cd4f1f900897e

SHA512
52e490537b248225dd046b886bee56ae8fefa8ad99cf8475c4843208f980d6e28273cb7db3e5805f9c5c83f3dfb0a916b2c83bd811ab7480b5ab7667c23d685e

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
97KB

MD5
fbcf88d322e2b4bbd2456f91b5618f49

SHA1
4aec8909ed6feba2a2988d9d2ea9b82c096ddc21

SHA256
924f927e0c4ed8dd82133ce71a9c71d5a7b3f0cebf285ef7c93a07a92375bd70

SHA512
4f17a9c5909ca78d102a3044ec87caff28b9c7c886ed21cc40c204f4fcd9311178db4a0cfab075b7eeb9fc9feeaaa0ed97bdf08f6a02015af29ebe16466fee0d

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
97KB

MD5
1e395c1c73be2c211bfcc235e574aa22

SHA1
7cb81f37dd7a2e56e36e21833b5e0deeb2181b0d

SHA256
ea44342f30a04d180876c9dcde2ec75dd17ec2cae92256857b023dd1f5326a47

SHA512
074366ff3dad1fb50d25e7be0633d5bac77dca6212721cd95756f1e3d2e80f8af6f2dd818ff741944ac53f9cb5ec9d3067a3218a0c5e707d4b7414a1b6962aaa

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
97KB

MD5
9fc1c745e89834d20b1692cef5e42fd9

SHA1
b00b854a1ed4b42fd8e251796d1c84d6310d2a0c

SHA256
6a53ae29bfd1d32b1e5d1b903c40795bac14d6b166b4a99388d2bd81239d11b6

SHA512
1494f19d66e6dcad3785c13c3d11f7ba25db27c9c7244efa0714d5dc353f7da665f13fa840749fcee8507c9ae3d9e073c8d50051d793178b7737cbafd8cc39e2

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
97KB

MD5
a08e9c824a54f818f7d072a2ba211371

SHA1
1322c909dd3461a270d299cba6d63b8eb9886e09

SHA256
b219e453c16197ce857834d1f546babf479ba454e3d42ecd04e0bc1c2c76a5db

SHA512
6f9d8588f0a0ed79e9273b58f60af35f119fafce81386a06b8cafac8ba2ce07be3f61091fe5c6aa86cff9620ab8929404264a71e920245d9979dc47527da7c5e

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
97KB

MD5
52e2abd681ccd30146867d84168a277f

SHA1
0ad6743334eb5772a5148bc08215655656aca694

SHA256
0e5de4ac3269b1239caa9a1830faf371ef63b3c89002691a3e59d7e7b87d12ee

SHA512
fe97e1d0bfdea0b5b06a7be79f92453fedd89c446765bb93aeb6135a5bdd155a205bd8073b9242b5124e562307ad6c9ed9672fd2ed6c30135f599bacc54e05c1

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
97KB

MD5
0076abe31ca5d2a107d2692fa28e600d

SHA1
f3ef2e5b834758600b6e375d3df2d11fe7c0e972

SHA256
9fac624f1173e9e0fef32393c13f082e96b821a15e4bbfbe6eb1018fbb32f8d5

SHA512
0a1188cd024cb132c1e06243c9ae053afbe6d6503cbc34c6720dc8a80e868f52df828c6c25f939dd4799c8a476f155eac1c884790da9fca337d4bc4fc148feff

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
97KB

MD5
1831af0097cb73e763db4a14bf962508

SHA1
d0bedd06f0d81ddd4d4915df852a030f3d61991d

SHA256
442034747abb9653c9e915215c25642ee8ed90be5ddaf022e33825da2a48ce4e

SHA512
4af3e82e988e35237f70c9a13247a4a9c3b1d4a7059c0855c4fe8ce55008c957c2fb9f52d158425b661431e7ef94f95459ad67f9d0b52aa0a241f7a66f3c9a8e

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
97KB

MD5
3278b3ab16459e929ca8a3c141dd66c3

SHA1
e88bdcd3bf30aa2929ede5029dadd3bccc0d4a10

SHA256
b0d932e19d6971122528650fd8561b9d4dc1abc8f4340098b9c80e5a59f1795d

SHA512
148a211c6424199d0f03c33606d7793595c2952779c438bc8b42c8f86f74538f6fb0a43e177122169437ce379cabe21459591648d378a124d2803e9bdcf1f691

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
97KB

MD5
d776d3ab6665cbed87d413d160ed5295

SHA1
3f37aec5d12db162acb9583c927f9e8befea87a4

SHA256
3a5c2e65eba4e9d36ba16471c7b1f52315a48807bbbc80fb5e3e72f607863b58

SHA512
8c0f88dfef22eb38344e717f63eac8d739d3be88be2799de402e47b496cc05babe2a4fc65b82a1c864333e77eb8b33db949518709f566f24c3b90cc28623cef5

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
97KB

MD5
a340ebb74ff36206c5c18654cf6056c3

SHA1
4d2076c0c3f50a1acbe082811fd16f75370330f6

SHA256
737627fb782baa3ab64937952322bccc675006937769c1652ca822d1dc1fe649

SHA512
cdd0b918f11cba9a41c56e4516dca90d86af448d9b740481cef77a73e1280b1ce031af0d0a7d01a124bde35c3fea7f659f065fc664f16fbb5aa5816ebd3ee878

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
97KB

MD5
91d32fb99eaae0ac939cff1956e15b1c

SHA1
b4ffc1dc8027e5cb6a51d4399ee7f016b7076a8b

SHA256
fe96d6626710daeb732cfe003484d12b226ad0ac45517ed4c6e19b28fae5fa98

SHA512
824e75f9fa314fc64ebd640acc487d530ccd2eb7cc70fb086683b9093bde9ac0328dc917e2329d83b90923291bef2084c8f2f05fd527451909b57450025a1f54

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
97KB

MD5
2adaaf48501853830983a67dd8b30b1f

SHA1
f96384b6cbd1c03c17c34793fb7ba5908bfff272

SHA256
51161fcd06bc70de2f64a047577e54310b0046f318c09e56de4a1d6fad4da7af

SHA512
07ab733c50d588cc8b38c3afbb6fe605bb9269e346d4b8cd16a9e1f65c527e1965b2eae5b2d7b50e5846b89501061b2c1baf2667fa0248f1377976cfbfb24836

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
97KB

MD5
02f2743cc562e6226a4a987eec36f290

SHA1
4d995c058faed1c6df564e24aa1ee2e43d2c9e79

SHA256
30ec7e868e2f170aeada75b54eef10857a735b22c562e61d8df66bb7d4b54f52

SHA512
c84d463ec7553668174cb7b5354660c4eb837ede72bf92d8906f7ea2d703dd9da400772e1f66b01db420446ff71abe95496fe1af0b932a2103ecd8dcd97840c2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
97KB

MD5
ab3b42bff680eb9e0fd08485105dbef3

SHA1
16917a6bade145ecc4b6ce365f43d12279c11bf2

SHA256
a55d40b47412052650b0a611d6d22c70589bedd11f0551718080fbe522828aae

SHA512
af7f93efc29f5bdb55b322857f36c700eea3790def74a39039d650ec75835b7aa386b001807e0338073eafe980a59605b90a6e8e66db4007a9dcf3cb22a58ca5

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
97KB

MD5
435e8d5335f6f7bf244329a440bdc39d

SHA1
52f2fa8663072b0b7c5c8e7fdf7529af46d7e20f

SHA256
6ca983c3255996cfa01de843fda67d48b556626ab37e7ce012a8501ed8a5c83e

SHA512
7e61722016330e5d1ea1296b78d4e2a64a01f319c3d06bff4fe741ca901f314191ca397f695277760ec20c985cc54d7d5e48c8c7a6ae9178404cbbc12dc59b05

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
97KB

MD5
050a74a8295534ca57fc3e529cfc5d96

SHA1
536cd6b6c66e53c04fb486a2a3c2a2d924240913

SHA256
45fcdb8fec1c3f65e9fc597b392f01acd9af45ba622306b2364fdc35406382a9

SHA512
6c3fa6e45a18b6b2242ad69aff8339055800303d970a0e471d913333794af9889530a2ce4a65ff5b39461114f8ab4148c1b43b8899e164523126a0baebe05b5e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
97KB

MD5
3b4d40cf3214e3bae9dfb408a3b5438c

SHA1
5dd3b05cd0c61beec970f2fb2b1c0ffd665bc2de

SHA256
7cb0c64885e2d4e704e0b930a941204323193fadcf260c39f26c693bb3ef1ad2

SHA512
657bd4538fc1a3de1b5ee5122bbc1448985d5864cfb7a74012330a9efa4d4708b884f2b7457e6ae55fe1645b1a593aef4f3f087e48aed4c36727753cb21e6f1f

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
97KB

MD5
0f24a7c4f37f12b15dce88dbcbec7d77

SHA1
be20eac45f0d69986240aaa27bd47f019f6fe9e9

SHA256
6ea6874c13214657e48bdd7648d82becfcc40191bf4e92de7f3780a3a6833fdf

SHA512
5f05dfbad8f92443c2e62825df8a9c90be87b9324be546f5769fb66af44b610626b376655cb0ad3b7f0faf15463450a7e59d7e22238ee23134debfaefe30afdb

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
97KB

MD5
519e29f091f41cf85bbb9029356ce693

SHA1
81c230d2ac77874fd6195022818d08d654777c28

SHA256
6ae04fee8652109ac1f2654ffdabf721d264831eb1f723e4e6e7c97145bd6299

SHA512
60e8c23d8abd3264eb75ba4e295d941ffef354db30982c2935f52ee7e476975a8cc6829b7450059d2f22c811c45abf202119fbf9bae97ce839e47348b4c7bc31

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
97KB

MD5
5538af5c276152b3880e9223c8ec6a65

SHA1
fca60eb3b34f77cf5d033ca18cbe9182c9aa2990

SHA256
b9e95f9adae12b15003ae0dc813b24a2a4e2d2f642ecef95de5050ecb300df05

SHA512
379315819bc265a7045d14a8feafb41e8e673eea376476760e81700cae69022baa5fc84b757ddc88a9a15638515eb3d39b5266ed714588b7515f3b1d4ea22630

Download Submit
C:\Windows\SysWOW64\Omfnojog.dll

Filesize
7KB

MD5
57eba02ee8fd57d43d8b19a6a0092e35

SHA1
32546520ab251fd1cbf461e67b9c797d4e54454d

SHA256
2c1e7cf619c0762d6532df7c9fdd11f0726889bd0aad501f6e7137c39766d2a2

SHA512
c8eced7c53b63677ac24a601a4298732baeb88f02cf271fab5a5a278dafde02e758e7196da8263427ad1292db99f6cddd03b5fba5f5cfa1f5e260acfb6c2bff8

Download Submit
memory/212-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5212-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5504-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5504-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5584-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5584-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5600-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5848-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6036-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6048-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6048-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6060-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6092-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads