berbew | fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
Size

337KB
MD5

ea24452cb0a73030f0ad9954cb7e29e0
SHA1

3865b917007ccfdece34c4172c759d53432f94e6
SHA256

fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20
SHA512

41034ad9554cf914c126cc3b5526f80040008b554d01bc9938e30d7a30a101231c45f6d8666e4ebd33eb310725361afd43f4661661940415f06cfaecf7d777ef
SSDEEP

6144:zNzcEGmJmel1V38y2QrA1+fIyG5jZkCwi8r:5JElapiZkCwiY

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ochamg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maoifh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlifnphl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1092	Klpjad32.exe
1464	Khfkfedn.exe
1460	Kejloi32.exe
4892	Klddlckd.exe
5064	Kaaldjil.exe
4652	Kemhei32.exe
3924	Khkdad32.exe
4360	Lkiamp32.exe
3588	Logicn32.exe
2376	Laffpi32.exe
920	Llkjmb32.exe
888	Lahbei32.exe
1672	Lhbkac32.exe
4548	Lbhool32.exe
744	Lefkkg32.exe
220	Lhdggb32.exe
3632	Mlbpma32.exe
3048	Maoifh32.exe
5028	Mdnebc32.exe
4460	Mlemcq32.exe
2084	Mhknhabf.exe
2624	Mdbnmbhj.exe
644	Mlifnphl.exe
4296	Mklfjm32.exe
4864	Mkocol32.exe
4580	Mahklf32.exe
4344	Mdghhb32.exe
2912	Nlnpio32.exe
4508	Nlqloo32.exe
3452	Ncjdki32.exe
4256	Nhgmcp32.exe
536	Nkeipk32.exe
3156	Ndnnianm.exe
3760	Nocbfjmc.exe
4200	Nconfh32.exe
1172	Nfnjbdep.exe
3152	Ndpjnq32.exe
3656	Nlgbon32.exe
4932	Nkjckkcg.exe
3936	Ohncdobq.exe
4524	Obfhmd32.exe
4056	Ofbdncaj.exe
1364	Ollljmhg.exe
4068	Ookhfigk.exe
3192	Ocfdgg32.exe
3972	Ofdqcc32.exe
4320	Ohcmpn32.exe
2232	Okailj32.exe
4560	Ochamg32.exe
4128	Odjmdocp.exe
408	Oheienli.exe
4632	Obnnnc32.exe
5000	Ofijnbkb.exe
960	Ohhfknjf.exe
4536	Okfbgiij.exe
2792	Ocmjhfjl.exe
3548	Obpkcc32.exe
3704	Pdngpo32.exe
5044	Pijcpmhc.exe
2776	Pmeoqlpl.exe
4332	Podkmgop.exe
4176	Pcpgmf32.exe
4732	Pdqcenmg.exe
4292	Pilpfm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mklfjm32.exe	Mlifnphl.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Ofbdncaj.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Mlbpma32.exe	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Ohcmpn32.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Lhdggb32.exe	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Nlnpio32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Hjnmfk32.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Mhknhabf.exe	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Ollljmhg.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Ollljmhg.exe	Ofbdncaj.exe
File opened for modification	C:\Windows\SysWOW64\Okfbgiij.exe	Ohhfknjf.exe
File opened for modification	C:\Windows\SysWOW64\Pkmhgh32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Khkdad32.exe	Kemhei32.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mhknhabf.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Pdngpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mahklf32.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Aeopfl32.exe	Abpcja32.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnjbdep.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Ohcmpn32.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Pkmhgh32.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Kaaldjil.exe	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Ipdkapdh.dll	Mdnebc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nfnjbdep.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnggfhnm.dll"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakpfm32.dll"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okailj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfidek32.dll"	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Mdnebc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1092	948	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe	89
PID 948 wrote to memory of 1092	948	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe	89
PID 948 wrote to memory of 1092	948	fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe	89
PID 1092 wrote to memory of 1464	1092	Klpjad32.exe	90
PID 1092 wrote to memory of 1464	1092	Klpjad32.exe	90
PID 1092 wrote to memory of 1464	1092	Klpjad32.exe	90
PID 1464 wrote to memory of 1460	1464	Khfkfedn.exe	91
PID 1464 wrote to memory of 1460	1464	Khfkfedn.exe	91
PID 1464 wrote to memory of 1460	1464	Khfkfedn.exe	91
PID 1460 wrote to memory of 4892	1460	Kejloi32.exe	92
PID 1460 wrote to memory of 4892	1460	Kejloi32.exe	92
PID 1460 wrote to memory of 4892	1460	Kejloi32.exe	92
PID 4892 wrote to memory of 5064	4892	Klddlckd.exe	93
PID 4892 wrote to memory of 5064	4892	Klddlckd.exe	93
PID 4892 wrote to memory of 5064	4892	Klddlckd.exe	93
PID 5064 wrote to memory of 4652	5064	Kaaldjil.exe	94
PID 5064 wrote to memory of 4652	5064	Kaaldjil.exe	94
PID 5064 wrote to memory of 4652	5064	Kaaldjil.exe	94
PID 4652 wrote to memory of 3924	4652	Kemhei32.exe	95
PID 4652 wrote to memory of 3924	4652	Kemhei32.exe	95
PID 4652 wrote to memory of 3924	4652	Kemhei32.exe	95
PID 3924 wrote to memory of 4360	3924	Khkdad32.exe	96
PID 3924 wrote to memory of 4360	3924	Khkdad32.exe	96
PID 3924 wrote to memory of 4360	3924	Khkdad32.exe	96
PID 4360 wrote to memory of 3588	4360	Lkiamp32.exe	97
PID 4360 wrote to memory of 3588	4360	Lkiamp32.exe	97
PID 4360 wrote to memory of 3588	4360	Lkiamp32.exe	97
PID 3588 wrote to memory of 2376	3588	Logicn32.exe	98
PID 3588 wrote to memory of 2376	3588	Logicn32.exe	98
PID 3588 wrote to memory of 2376	3588	Logicn32.exe	98
PID 2376 wrote to memory of 920	2376	Laffpi32.exe	99
PID 2376 wrote to memory of 920	2376	Laffpi32.exe	99
PID 2376 wrote to memory of 920	2376	Laffpi32.exe	99
PID 920 wrote to memory of 888	920	Llkjmb32.exe	100
PID 920 wrote to memory of 888	920	Llkjmb32.exe	100
PID 920 wrote to memory of 888	920	Llkjmb32.exe	100
PID 888 wrote to memory of 1672	888	Lahbei32.exe	101
PID 888 wrote to memory of 1672	888	Lahbei32.exe	101
PID 888 wrote to memory of 1672	888	Lahbei32.exe	101
PID 1672 wrote to memory of 4548	1672	Lhbkac32.exe	102
PID 1672 wrote to memory of 4548	1672	Lhbkac32.exe	102
PID 1672 wrote to memory of 4548	1672	Lhbkac32.exe	102
PID 4548 wrote to memory of 744	4548	Lbhool32.exe	103
PID 4548 wrote to memory of 744	4548	Lbhool32.exe	103
PID 4548 wrote to memory of 744	4548	Lbhool32.exe	103
PID 744 wrote to memory of 220	744	Lefkkg32.exe	104
PID 744 wrote to memory of 220	744	Lefkkg32.exe	104
PID 744 wrote to memory of 220	744	Lefkkg32.exe	104
PID 220 wrote to memory of 3632	220	Lhdggb32.exe	105
PID 220 wrote to memory of 3632	220	Lhdggb32.exe	105
PID 220 wrote to memory of 3632	220	Lhdggb32.exe	105
PID 3632 wrote to memory of 3048	3632	Mlbpma32.exe	106
PID 3632 wrote to memory of 3048	3632	Mlbpma32.exe	106
PID 3632 wrote to memory of 3048	3632	Mlbpma32.exe	106
PID 3048 wrote to memory of 5028	3048	Maoifh32.exe	107
PID 3048 wrote to memory of 5028	3048	Maoifh32.exe	107
PID 3048 wrote to memory of 5028	3048	Maoifh32.exe	107
PID 5028 wrote to memory of 4460	5028	Mdnebc32.exe	108
PID 5028 wrote to memory of 4460	5028	Mdnebc32.exe	108
PID 5028 wrote to memory of 4460	5028	Mdnebc32.exe	108
PID 4460 wrote to memory of 2084	4460	Mlemcq32.exe	109
PID 4460 wrote to memory of 2084	4460	Mlemcq32.exe	109
PID 4460 wrote to memory of 2084	4460	Mlemcq32.exe	109
PID 2084 wrote to memory of 2624	2084	Mhknhabf.exe	110

C:\Users\Admin\AppData\Local\Temp\fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe
"C:\Users\Admin\AppData\Local\Temp\fbb5285ba906a6b247c76b768edddbd7d56035098c3daf878f69aabe0dc28e20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\Klpjad32.exe
  C:\Windows\system32\Klpjad32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\Khfkfedn.exe
    C:\Windows\system32\Khfkfedn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\Kejloi32.exe
      C:\Windows\system32\Kejloi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        30⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        39⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        54⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        72⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        84⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        96⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        97⤵
        
        PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
337KB

MD5
a24132b70c1015f2f12397db4821a073

SHA1
c41228abf146ab7e0ba7f5b5cb958bdb8517a3b6

SHA256
4ef5cd1dbe9484c946df5786c1265bc2bfe45391a1171200a75c91c747f1de9c

SHA512
8743be6f49773e8f1e0d2e55778c073fd3160168d8bf40739fea84620af144c0f037f8bf305fe1c9a66414c1769fa4de5d4865d01dbe60a807a35c40ca052bec

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
337KB

MD5
a4786536d09f66c9e1ec952272b0b35f

SHA1
506e058073e7898bb1d3a046f190239b2739d7e3

SHA256
c638284f460ae2e469f5bc00a520ff2370958a4023687b929e9db55e88872ae0

SHA512
a92406058f9f2f22b20048ee5516ce2cb9856bbb669ffe026a0d089b79e69651a04c42343f762c0b18cf38319de8c2b2692318fe53175b9c70e54ba1d156d6fd

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
337KB

MD5
dbdb1dace13d1390807ad94db6152937

SHA1
f1b66a0dc9eaec89369601d91380313804ad64df

SHA256
880c957051565cd29fad65d403c14fae68884a708a19c608bf4ba871fb1744f5

SHA512
7b98e2be541f1c9fc1d01e09a9a4e6a0e2e7d5af5ae2dfaf9920e8e851e15126a3122a0e8103c3969d6f6e2676d5c1b4d7128ee96d9a431ea894929d3d2b945e

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
337KB

MD5
1e7cf571d08ab280fb683bd924083c17

SHA1
b1e8aaf684daa18b04ed8679132f2da7411bd0e5

SHA256
1bba8e327daaffa5f18cff656261151670ecebc98a78b0e5b5a6b28512ca98ae

SHA512
558843941f43b722a102adf1c1594c0c9e3effc57adc50f4678e7bfb100f69eebd9181e9177783fd00a6a2807bec8ec2600f468b050c37079c25d0068b38e353

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
337KB

MD5
3de63ff1502ff99f55fd561a9f93e6c7

SHA1
e84be1108db54e39720533da5f4fe508c7d43241

SHA256
9f227242f5d37edae341b59a15535fe50259e31bc58c97c58b42723508d7ef83

SHA512
72bf6cdb3ffc47f61faf0a0bda8989effd66976417f7b15c782c3a452c9b8546153c82e292e2af94b9a874769590486d95a0d5a18f398f431eacf6bf544655c2

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
337KB

MD5
b88ca7a285c59485ae6b278d1b30f8e0

SHA1
cf13644277366452d3b270c8e3a081b837ae3ad4

SHA256
672dfaa4c2333e763ff944748b40b1ff71e5d264e86ce518e88c36d54476944a

SHA512
4d4eea7a214a2b7f008e8712fbf3c89ff33500c9f6bc63393dfcc2c78faedc7ee9b07d98a2b5bda5f3606f7fe70d8625c5ac65efe84f7bafcd9302579a20a767

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
337KB

MD5
935f47524cd3b410b67d6d623ca99f25

SHA1
529ff5e7dd326789ea9304fee0653af0803c791e

SHA256
b77a1bda52610bca38d7ca328727ca802d1e88b600f4031e9dbe2293a77ee14a

SHA512
7f07b6d62bffdd24fc5ac72c7507ea5e0756b7c070650b481f6c83b3515a7e19dadff0c8ab880f6ebb4f1b893a067f997f8defc60d0ece1df5541cb631509c5f

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
337KB

MD5
58488bbdbce6ac924b53300df1eb01cd

SHA1
b1e579ddc259c61d4800eb2ef57225873ceaca35

SHA256
0a820b3fdb46b5b7f08da18b0357b6386b21451bedf52c5d91f62f40d33922b7

SHA512
2ee72abad77230e1654434bc4da8bea2fd376d2c524ca3209a732973743cc95483cda5ff2dccf470679e1b6da10864347684e7a904eae2327d41620773fe7b0c

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
337KB

MD5
9af2630e243b0a182c41095e4e249249

SHA1
9c6d6ad23099adb24a54b4de205c654e09bf27ca

SHA256
20ad55db4895fa98727d5e488ef33e4d854057a4783ff8b6075e80aef6602c30

SHA512
bbca5ec8ff739d410ee37a03c64ebf0c71fba3864eb6f8005775366843b7b6d6dab325739163742d1635f8242723cc504a2be2e8b737899c46cd0b3fb6d35e83

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
337KB

MD5
f20cd209c11c609df85acb462c76e61e

SHA1
195b3697dfbbda97beb318f22f579386535baef5

SHA256
81564a30ceb5add4f5fbba07e9d7e79a6182e12265eb6223dd8a7eb2f5b8cc37

SHA512
f70358fb4da4dd46272ccc6c37c22270cbd403c941cc6d47001b5c1926d90d470dab15ae842744f87f5b0d81184435efe157c319e9b6c09f9287c8a58ad7e731

Download Submit
C:\Windows\SysWOW64\Lefkkg32.exe

Filesize
337KB

MD5
875273c14242c8f7bc53395c961c93cd

SHA1
09f1a93273b665b9e62205264c1f60d1ebbab849

SHA256
ad3cce079cc19ad4cf803ad9a40bab4537965bbf43ae577f6235548c562dbaf9

SHA512
fa052b7420e0473341b9653ee061ed3d4446cdf10a79ba5da9b7e691dc071bc1bd15a24bc87d993cc173bbb08ad6a52ce4e870d0277533a802aecf6a429dd0b9

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
337KB

MD5
ffb562f87b9b88c8a136eb159f92321a

SHA1
d21b1d3b80d6bb9b08ad0866285d242acb82e621

SHA256
9d9f22981e2a4dc5f4b0e0cfbb6c04360d2d50e8e7a772ee1b8eaca8e364d5c4

SHA512
7549282bf338f163d80fd76a0c18f2ecf9156ff7be25f1ca16a6e19b60c28bede389f681b7b0936b5b8f3d05e9fdad15a73a4e5807567669499ef01ddd9c5b01

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
337KB

MD5
c742340da1f39ae504f61477421a1a9a

SHA1
2b6c08eaa1db4e7d9b165c593f41f18dd997b1ce

SHA256
bb3aba2edf355d7f17460b7c10fcb2699859a077ebfda41901062cedcaa05552

SHA512
2e7b13379f179dbd662ae35cee786234e4e2688d3c47665e8a94c3e83bc7bd8baecc7c7b779ec38dca08240a941f3cc311c67dd5ceb269722706dff14703c4b8

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
337KB

MD5
8f3857acbeaa58eb2ef2cdb1f2d11392

SHA1
dea6d8f5e715308ba08a7f699952a156f9ee18af

SHA256
bb7559ae4f9746b53c87f10c54588155854782433246c2550b5415d0649c9b47

SHA512
5a55c0692236ad2024664e9f181a29c9eaf331f69f10d301872c35480719a8ebe6af8c410818e0f39d09aff3b22d449c76034bcf987336fe3ad735783d335288

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
337KB

MD5
db5322bc38ee3e43992ac5d5657ec350

SHA1
688c5d89de9b587a17289c0a1eeb07056122c121

SHA256
ffb8a2222dd89178f6d81a6c535fc54c64165b105ce9b2be2dbe7c2f0969b71a

SHA512
c9e4746077e5c887610fbc132c87a6062934c3ee823f0a6c8f3a64f8680f443be5fe1bd6691ef71db80e401325a2421bac8a8cf52593bd95e38fcb34833e44df

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
337KB

MD5
1501eef9cf696a1f0daeb43d72bab8b8

SHA1
ec77ad41e31d827bd08ed07d752e52bb8116e4eb

SHA256
322b469f49ce75512a5bf365810314e3735c68479a219c4182a6f2d8e7ee2df5

SHA512
c0abbffd479b404799f5f411b8fdc3cf177ec9cf0e78e9f15ae22a5de912f7b3744e1a5073d16eb31ee9356760edeac6299923209a4b5c44f76ea8c106c65c6c

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
337KB

MD5
2be69de1d9ffe5fa1096d19cd08e9012

SHA1
697d846c255ee348e0041b85e5084fa7ddea3917

SHA256
501d8f9070834ea2f79230a51fd30616bf7c0d9274745ad4253063ae8e6e996b

SHA512
ecc4a45e4c7aba74eb92f2494a9e0e9f7cce28afb34fad03413240991b557cfb238f86820fc3b25569a05137d4bf544e8e1956e35577257e43fc977ba0205a2f

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
337KB

MD5
282ffdc5bda3008a5ad5198d3c5cc742

SHA1
032aa6d3ef2282c686cace23d1ac9797d25f40f8

SHA256
89b1ae263023fe2b978c0d6e016c921f21584b9db1a8943eaf0a58a050eb5786

SHA512
efa93b851f5d970323df6db2ad121e47fb8a2325921c5c983cad496b433d746b40a7b3a72b8de4fd2f5a367e4c2fc625d85d9d14712886fb6a2cb834d4899fef

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
337KB

MD5
4a445ca361b0b76f084f93a1dc7bdb70

SHA1
7addfa568148fbef75f9ab246b5f26fa223d2759

SHA256
99adc39490ad966675b9cbec187ca505b2683982dfa1067fd1b7b73776004f4e

SHA512
b580bbbab0f4ae6b3be0c0a4b33949b6fdb53f1153a3beb889375d36d2ad7021d3f87f89c82b8766acbf78609694088b27deed284590201c2bcc6f48da0aa1d0

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
337KB

MD5
b951cec87a815114361186fbf16f6fbf

SHA1
4a900091dd7fb28e5188246335ccfed7062b3dd9

SHA256
6ff66986175a0a3779efe9c32853e45559370c99d7b9ca0e3deaf9f2269974de

SHA512
0005f381f0ecc612030fef54b82b74b5f19ffc636f10fd1c51a601d1f45ea235d42d2af765763695c80534179022a0d555cd36873fdd969c00ff9b7194bea044

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
337KB

MD5
370e16d13cffeecfd90fd43102197bf8

SHA1
cd73bf8563d01ec77bd6c3747afffc04105b525f

SHA256
62992967cf1e781615ecfb2c0fa1d1f7b597988cfb68d5f9b25accf6ad15c2b8

SHA512
2e03bde9060ac208d2ff1320e456bb9cc9947c9f58ec1893b27aeac2ab9e0be4676f5a7dd9803b2b3e18b792f3ccab1ac2cf2dda5a5bb49a087fbd73dfa21b3b

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
337KB

MD5
11baffe01d0c4466b6440aab62c60cf3

SHA1
89b0f528d381ac4ed2697653179fae321d1f3d40

SHA256
d3d9357284425fd8ef55087ae4b779a126dbda4a192ab83e326ba7aa3dff7d26

SHA512
6c87349a3c497b79ec5846d4300879e7dcd99f37b0768e68ea1c200e80d5ecbfcc5814f442cb800acd7e1efd9d6684882ae6e45feaf6a179a2acc89ffedad1fd

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
337KB

MD5
4a58f65581a0b44b917ae37ef6971e88

SHA1
46ef4e160f028749963fff8458cfbb5eec1b1914

SHA256
9505845d211bbd45aa50c0190c4d43b4fccb1b3da552c7c3d14644fa04e88e25

SHA512
33f71ef47f0a5e61621d8e614c00d00f3c569d14426b949969cef013391fd36710b7d87d1625334781f35429d960376ce42675a96cb9fbdaa8b8562fca9512e1

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
337KB

MD5
ffa73e654a170013df79169c2e44c8ca

SHA1
55937170be8819c2dff6f74863c5eb20ca7ab480

SHA256
24819ee0aefea2ec5921c23e793b390a9441d908ae513f51cd4270272b824a20

SHA512
07b762cac82e6a5f7aefeeac90e24536790251e09af2d9a02d2239b7c3cecd31398b5c5767b19db9a850f6e6d9ae3aeafd5af9f850550c15605740293b2f57ae

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
337KB

MD5
4ba228d6aadd470a3bf176088a655b4f

SHA1
3cff97d1e759995093a76e04e30482f81fb46305

SHA256
eda93ac8b90d62d25d1ec4078f1c1bfea45544e1338428542efd6991edec16a9

SHA512
fd3f842771f707242623082b75529112b52e0990d0656e77c67b37a4ab6fd9e37adaeb5ddae9295d39e44e2e38fee1111cfa3704a55189acb0f09e22f6b35e3b

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
337KB

MD5
b065144514d5185321fc082c0220e782

SHA1
254c11d5e2f0674863dad143e362ca3ab2315fc5

SHA256
614de1885f71fef0096f993665f2fb05043bc908ec2d858f36e7caad65fe425d

SHA512
8c1807f459a13b2aafae00726be6404e8e292317857d3e825f980d91bc580ee387c1fbf3fe875c01d07b177df7b3d52be3c2a7f26740a200ce6f5bfca8dcad8b

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
337KB

MD5
a9667dba5d84a5250eef7b93670e4e97

SHA1
0a7797f273b790c6c43933a1298a133ce7a2fb63

SHA256
06a2ac7b02fb084e3d9a8de2685726a094b6a5e99bef7a05364d052e095c6ff7

SHA512
f2628caa8d640f796c5b48266b150d4e5dd1f33362c1f21d81887b263ba0b48156a5f5be49a775e86313427cb53f94bb459230d7565ca8dad26342eed6ccf0c9

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
337KB

MD5
0564f9e278608f43fb94683c1d0a33d0

SHA1
6622fccf9c0701ee7a5555bfb6455aa12d264648

SHA256
466fb062e63949479320e975f0c1c48755ea51f42206b67b6172eee91748fb42

SHA512
412c4f29aff4e2bcffe3f7a4a45155445d34ee4c0cdcc8b216fb2fb6a5fffe57ffb8624f957803f25e3341e003ba20a871e8899e3afeab9b9f0e463db87860ca

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
337KB

MD5
70af6de9645748375fe8104f60729347

SHA1
76a3541cc26c3f7c7fa17dccc2bb767d984fa31d

SHA256
d1a05b523b5f9a119182d056bc27c644dfff709294d206490c43c7aa2f2fb1b7

SHA512
c704dbbda4ed0be9292e8ecc8cd49068557c29ef801c366d18764bfbe44d5448391867b489b8943c9e3434859a07c97bc2a0a6246793c3cbe20d6466a1ea59e0

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
337KB

MD5
b449a48c4c905421179f82485533e44d

SHA1
544d5ed9ec56ef5314d1f9532533fca13614e409

SHA256
60f53c52fa655dd8b08cfa6ccdd9153c8275038b893d93f1965251262ef50afc

SHA512
ca0890107ee83fa53cf0d31b6365a40de6fdc68e2720ca158a199f6bce42cd4ced265866728f3104b035f7c91046f718f81177f210be23014b11f84e11e621fe

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
337KB

MD5
8c726a5940ba92ccb9265efb3b5ae103

SHA1
236e2420cbd1997ad3b7082c3edcb69b95f88035

SHA256
67c40260dcde815be094a7fd7a3c1410a91ad7856439c049a61d91225a5fd4cb

SHA512
a29d10b5e45748f0c46d5b0695f31a3a095c6adb7ecc2e44c7420ad3cfc9e391ff076e61a78a0bc92cdf0168a4d88b88bfcfff86cff392931f9b571d08ae1f17

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
337KB

MD5
c3b7f992fe763b88b19a2b3963105adf

SHA1
93049d73932676993c4b07f082bb8704a9f89ef3

SHA256
6682cf7591efacc94c444492561ce2b85f62663627ac3c59e73ab11212d4566c

SHA512
7a6b590f667a31501549ab58ab5d9c3485db419c9fccdcaa17da3b9cc863e50b0f2a184ffa09bbfdb9b64b4ed29fc385c7c840ac76abf85622c7b6c42e54f1d0

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
337KB

MD5
6fc96d0acc8fd7387f75c16947c4c39c

SHA1
e6e81f6fd15a8a43b1c1215d5572f632ed2c71f5

SHA256
6d18321987bed04ef24836d443cb8420b4e38e888b2d62d24d97bccded56a499

SHA512
4f3840dae7c8fc0250a827b2df2df7eb975e133be84032ae668770af89f67e1835a6e4101dcfde14ca98552323309ced19e64d7e6ea8759bbcdf3a11c8da3556

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
337KB

MD5
43dbee5c05f34a43de3d2e9815d581f5

SHA1
5fa7806f37c812c9ee925f2699ea6637439af400

SHA256
54bfd676ca48e9052377f52da0b05be61043edfd4c84a217f5608a878af54f14

SHA512
073746dd56743b62baeed236b269f8ce705e1cbc899d88c32c6403809f315c873e120ba46b4bdd1477370644fb03a4c7184c6baab8202602d670a3782afc6075

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
337KB

MD5
cd94630a36d09e1ade630adc2d2fe835

SHA1
0555c92c419f1ec2cbc0d74d32ad113da51054cf

SHA256
c4a6f98d6e95cf881ff18da2808d5a4f0675a337c3099e958f1983d021e1609e

SHA512
4ecd5bf760feff07d8d9c0bd58ea5b9193e01c55ea6a18a4fb2f18449cd6d1081ed807e972303942d704d7afc4c941bac2c3fc517f8227b471e4f2bc84fbed07

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
337KB

MD5
9a4a3454b6351573d321531b5313cc86

SHA1
fca70c7e9281cc877b1ee95588f60f741eb39252

SHA256
0a0102f50d122552ebbb7e8a69134789e4c5b6cc6e8ad19d8ba0def59f1717f9

SHA512
d94966b08ae7a681707a4f9ecdb91eb034f77e8e9124eec2a433a5e4936b1c08c0629e99a30b28f249e8fee02f756e34ae0f190f7ae35433ed65c84b2ff67b72

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
337KB

MD5
3e4329214a1ef1b38a057331d3f47a00

SHA1
2ca327d72c945d666dfd126db45c1553b952931b

SHA256
7d1667caa4995c858019ef66befef547dcb3a16d25d3977d8314ba9695eba617

SHA512
1737d01f1b9fe7aedb52ffc39130cd0f83e006fefe822a1510fc2d5ec5210e62bd413b8e70467a4c6da1849381f77e1cc75baa0fbe5ad77f684c40ff033710bf

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
337KB

MD5
7464548845b61a2b3527748335c65ccc

SHA1
ae184fe10084a63d999e0654c79a52be7aa79f43

SHA256
b9af218d7d848cc906a29fc6bd455da61165bd828ac8cc2f95042429a23bc8ca

SHA512
8bd7284d67d0c8ca80b7122526b91384ed850a5c1a40c520107336b18e4745b87240f6c245d29828634c7b0f941279aa2ea880a078b7997f7de2ea89b841e53a

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
337KB

MD5
d3931e81d72e46044333672f7ce37bad

SHA1
f88f180f9d75d52fdfa08040abf9ceaa244b81b1

SHA256
49c2129bf273c0c48c423a8d7897fe73e774c26209a117a8ab658f2ade2e8659

SHA512
189bf29897c170d2f721a5b7b0db761f701734dd1169dd077b97cd0f3c4136e1232cf182a628135d7e3801dd26495d08c4b6dc0c157d55e8654906d3c44dbd0c

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
337KB

MD5
7ebb9ab1ad254d487abbc8fe8c9ac3e4

SHA1
b96e776cf035168ea1fb51ff0c9cc6076b0c3b34

SHA256
3e22cc3d11cae8d2bdec6a157ccbfd3a24a6b7007ae73403f885fb2193da59b6

SHA512
11939930e0df48a19cacb3fbdb5ab9a0650911ce954dd54adf794421203ba7d260c9206a2201f085b7df0134086a2c67c52ba137463205619fbb27fd87e6b10a

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
337KB

MD5
1d31b6364432d0d7b6e2248c7dd2f0c5

SHA1
6b5436a827a1d6effedbd25b6be81ccb38cf331e

SHA256
f83f43a841a6f5751969e2e84b61cbf3c3172d647a00d4cf1df3c00529dd8402

SHA512
bde6bf14c11a844bb7bdfcce419a231484a39bdec57c7d9bd5ed3e9aaf2b493c5bc6b517987ecab06088260d7db74d907d58e7bef796b84398104089eff276ef

Download Submit
memory/220-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/948-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-692-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-694-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-695-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-693-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-690-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-689-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads