berbew | a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
Size

337KB
MD5

9e52a76d9128ddad100160651b15c390
SHA1

9e53b446838ad5bf2bb51d4a828e29d265903582
SHA256

a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81
SHA512

4415b196a0e1d0bb57bfe9130ada7314edbcbfde2a3bdb2867868a65594ccac88ef0cb93ed1e095c96df4a9ba715d37e8f3f1893cdbcbe8f34f37dc70d048b15
SSDEEP

3072:8zAaci+vfwjHIxgcTj0JtSTgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:BwDQj0JtST1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
4884	Mgkjhe32.exe
4536	Menjdbgj.exe
4916	Nilcjp32.exe
1092	Ndaggimg.exe
3088	Ngpccdlj.exe
2064	Ndcdmikd.exe
2356	Njqmepik.exe
3900	Ncianepl.exe
3716	Nnneknob.exe
3780	Nggjdc32.exe
524	Olcbmj32.exe
2344	Ocnjidkf.exe
2380	Oflgep32.exe
1616	Oncofm32.exe
4160	Oneklm32.exe
3460	Ofqpqo32.exe
4016	Ogpmjb32.exe
3272	Oddmdf32.exe
3508	Pnlaml32.exe
3924	Pdfjifjo.exe
1200	Pclgkb32.exe
3484	Pmdkch32.exe
1456	Pgioqq32.exe
3860	Pncgmkmj.exe
3692	Pqbdjfln.exe
852	Pmidog32.exe
744	Pfaigm32.exe
808	Qdbiedpa.exe
4420	Qnjnnj32.exe
2948	Qgcbgo32.exe
1084	Ampkof32.exe
4260	Acjclpcf.exe
4352	Ajckij32.exe
4444	Aclpap32.exe
5032	Ajfhnjhq.exe
1600	Aqppkd32.exe
2080	Acnlgp32.exe
4804	Afmhck32.exe
2196	Andqdh32.exe
3556	Aabmqd32.exe
836	Aglemn32.exe
4748	Anfmjhmd.exe
620	Aepefb32.exe
1788	Agoabn32.exe
2900	Bjmnoi32.exe
4372	Bmkjkd32.exe
2440	Bganhm32.exe
1756	Bjokdipf.exe
4928	Baicac32.exe
1396	Bgcknmop.exe
1576	Bjagjhnc.exe
2288	Bmpcfdmg.exe
5112	Beglgani.exe
3128	Bjddphlq.exe
4732	Bhhdil32.exe
640	Bmemac32.exe
3796	Chjaol32.exe
1520	Cndikf32.exe
4104	Cdabcm32.exe
4316	Cmiflbel.exe
2408	Cdcoim32.exe
2332	Cfbkeh32.exe
3284	Cmlcbbcj.exe
1568	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3752	3696	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4884	4672	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe	83
PID 4672 wrote to memory of 4884	4672	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe	83
PID 4672 wrote to memory of 4884	4672	a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe	83
PID 4884 wrote to memory of 4536	4884	Mgkjhe32.exe	84
PID 4884 wrote to memory of 4536	4884	Mgkjhe32.exe	84
PID 4884 wrote to memory of 4536	4884	Mgkjhe32.exe	84
PID 4536 wrote to memory of 4916	4536	Menjdbgj.exe	85
PID 4536 wrote to memory of 4916	4536	Menjdbgj.exe	85
PID 4536 wrote to memory of 4916	4536	Menjdbgj.exe	85
PID 4916 wrote to memory of 1092	4916	Nilcjp32.exe	86
PID 4916 wrote to memory of 1092	4916	Nilcjp32.exe	86
PID 4916 wrote to memory of 1092	4916	Nilcjp32.exe	86
PID 1092 wrote to memory of 3088	1092	Ndaggimg.exe	87
PID 1092 wrote to memory of 3088	1092	Ndaggimg.exe	87
PID 1092 wrote to memory of 3088	1092	Ndaggimg.exe	87
PID 3088 wrote to memory of 2064	3088	Ngpccdlj.exe	88
PID 3088 wrote to memory of 2064	3088	Ngpccdlj.exe	88
PID 3088 wrote to memory of 2064	3088	Ngpccdlj.exe	88
PID 2064 wrote to memory of 2356	2064	Ndcdmikd.exe	89
PID 2064 wrote to memory of 2356	2064	Ndcdmikd.exe	89
PID 2064 wrote to memory of 2356	2064	Ndcdmikd.exe	89
PID 2356 wrote to memory of 3900	2356	Njqmepik.exe	90
PID 2356 wrote to memory of 3900	2356	Njqmepik.exe	90
PID 2356 wrote to memory of 3900	2356	Njqmepik.exe	90
PID 3900 wrote to memory of 3716	3900	Ncianepl.exe	91
PID 3900 wrote to memory of 3716	3900	Ncianepl.exe	91
PID 3900 wrote to memory of 3716	3900	Ncianepl.exe	91
PID 3716 wrote to memory of 3780	3716	Nnneknob.exe	92
PID 3716 wrote to memory of 3780	3716	Nnneknob.exe	92
PID 3716 wrote to memory of 3780	3716	Nnneknob.exe	92
PID 3780 wrote to memory of 524	3780	Nggjdc32.exe	93
PID 3780 wrote to memory of 524	3780	Nggjdc32.exe	93
PID 3780 wrote to memory of 524	3780	Nggjdc32.exe	93
PID 524 wrote to memory of 2344	524	Olcbmj32.exe	94
PID 524 wrote to memory of 2344	524	Olcbmj32.exe	94
PID 524 wrote to memory of 2344	524	Olcbmj32.exe	94
PID 2344 wrote to memory of 2380	2344	Ocnjidkf.exe	95
PID 2344 wrote to memory of 2380	2344	Ocnjidkf.exe	95
PID 2344 wrote to memory of 2380	2344	Ocnjidkf.exe	95
PID 2380 wrote to memory of 1616	2380	Oflgep32.exe	96
PID 2380 wrote to memory of 1616	2380	Oflgep32.exe	96
PID 2380 wrote to memory of 1616	2380	Oflgep32.exe	96
PID 1616 wrote to memory of 4160	1616	Oncofm32.exe	97
PID 1616 wrote to memory of 4160	1616	Oncofm32.exe	97
PID 1616 wrote to memory of 4160	1616	Oncofm32.exe	97
PID 4160 wrote to memory of 3460	4160	Oneklm32.exe	98
PID 4160 wrote to memory of 3460	4160	Oneklm32.exe	98
PID 4160 wrote to memory of 3460	4160	Oneklm32.exe	98
PID 3460 wrote to memory of 4016	3460	Ofqpqo32.exe	99
PID 3460 wrote to memory of 4016	3460	Ofqpqo32.exe	99
PID 3460 wrote to memory of 4016	3460	Ofqpqo32.exe	99
PID 4016 wrote to memory of 3272	4016	Ogpmjb32.exe	100
PID 4016 wrote to memory of 3272	4016	Ogpmjb32.exe	100
PID 4016 wrote to memory of 3272	4016	Ogpmjb32.exe	100
PID 3272 wrote to memory of 3508	3272	Oddmdf32.exe	101
PID 3272 wrote to memory of 3508	3272	Oddmdf32.exe	101
PID 3272 wrote to memory of 3508	3272	Oddmdf32.exe	101
PID 3508 wrote to memory of 3924	3508	Pnlaml32.exe	102
PID 3508 wrote to memory of 3924	3508	Pnlaml32.exe	102
PID 3508 wrote to memory of 3924	3508	Pnlaml32.exe	102
PID 3924 wrote to memory of 1200	3924	Pdfjifjo.exe	103
PID 3924 wrote to memory of 1200	3924	Pdfjifjo.exe	103
PID 3924 wrote to memory of 1200	3924	Pdfjifjo.exe	103
PID 1200 wrote to memory of 3484	1200	Pclgkb32.exe	104

C:\Users\Admin\AppData\Local\Temp\a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe
"C:\Users\Admin\AppData\Local\Temp\a21e9a88a29c4a99533702a7064af99e5b796bc302756ad526931af13aabbb81N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\Mgkjhe32.exe
  C:\Windows\system32\Mgkjhe32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Menjdbgj.exe
    C:\Windows\system32\Menjdbgj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4588
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        73⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        74⤵
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        81⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 396
        85⤵
        Program crash
        
        PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3696 -ip 3696
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
337KB

MD5
231f30317af1a80319f2c2747deffa28

SHA1
ca034945a8889d517cc7a5f0e70e8ad6564becef

SHA256
55163359f0d5d8e450ddfe7606b09185c483a0813ff1d5fe5eedae989fd74a9f

SHA512
526a61a612acccb4c2e25b721a0ca00a431adbbc7f705876b83636d73dd4b18f3385c508a1c1a1b5e26f9dea454633a1b3f4b8f5963666a1f688a861653a1b2a

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
337KB

MD5
762f9219c68f18eeeb1fbe2a5c52ea58

SHA1
7329ca78e7804a76ea362198185ec72c0ca1ff10

SHA256
ccf4eea4f41b44119a249ea674a12056e1159d545aa5c963a5b7474356f65fea

SHA512
410850dbe2b02f3fa63066bc7a9b4b7e08f4d78cb6735bef5045c474a02920eda160fb40004d3622d90245e428ad1ec0d38dd598f8cd39cd71a637f385465372

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
337KB

MD5
7ddecff81308db37af8f216a282fc7ce

SHA1
b8f1457cc8fa3f23a6efe639c1d589b20b678866

SHA256
40b7320bfef52104d01939d84a1444cb7235d6a5b6b3d8105f956d9cee54d372

SHA512
74bc9079b64393f3d59ffc7f16723ad47974d87e55d9f3d933ef919837b695e2d6c4b275e33c10583b883dcdad969c1e4dc3c2b647dd4d03a21ef8600ada9aae

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
337KB

MD5
04d8222141dff450d15252c231e291ec

SHA1
b591346b12cfcc5a09a19e214d919dcdb4d795ea

SHA256
d20c74529667f2ffd0c907995716b7fa902a50a3cd6ecf496f9e801dea2dbc58

SHA512
29ae81d4bc3201355689ca590bb999d02e21447fa087c8714778df31f80b80a0f12ac2e51b3f0f3f474a59125af917de81260ffdc267a6afb3521e86c22b287f

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
337KB

MD5
aadbbae6d33bbb58a2504a6498353350

SHA1
1e34909a35e1039e49d3a61973badebd805c274b

SHA256
241596d29e41751410f4919314cb41e9eefd02b81afa28d42eb74bac9c09ffcd

SHA512
f61017630237f7146edf2138b3122d869fe195b1dffda1439005f7bc2749a577fdd48999c8a5571da711c0254bdf5e065cfdb57ee6b77416d54cf32d9932784c

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
337KB

MD5
201a92fe228f7e0b2db71a68518852e1

SHA1
f9b4e9ea31a8349774a5f7643c1e142289f9359f

SHA256
4cecbd1987ac78eaf197621654ea330ee3883ef22606182cbd8ea5be7374f030

SHA512
be206ecbed883ac4d3eb304211fc9864a39df2efc0d2c9db190c4a8048a14f2c5ed0e175bf2c8d37b03e76699d3d73bc85b69552bc0f6478d43913f4b08536e2

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
337KB

MD5
ebbfaedcd2163f1c2a8de1ad43b46a6e

SHA1
293ff04d0af823edf5135a6303835fb8f4271441

SHA256
f4c3ce38e879c29c062273a4a313d7dc20fd5e10bca3cb204138e02ad04473a0

SHA512
75d55c40fc123e83cbb26aab018c96d9b3a492c38f6226694cbd72f6a1de486263e5327a4b9de7d4075e01e5d055ec7542f0c4e88ad3db393e7033d749f38bd4

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
337KB

MD5
26721a07863ea6c87f0e85c7d45b96df

SHA1
4be3f2c1015b402191b8d4e3a69850dc9dc83aa2

SHA256
b92d6168e8a37f8b34e0900c982c0cdd61be5d1ffe67d61c9c55af9bc230bc04

SHA512
c3c081e0fdff15fb31b33987641a0a6993d32a05d3c479c39f99cd631972353dab2fde720076839e17b700f1dfaab7f7fe7980b7b66d21dae7d5309cc5bf66bd

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
337KB

MD5
86c312c2e9d13040fe593723613f3f95

SHA1
e5e607313cc811ce97108ef285b3e528b5a13174

SHA256
7090d6b4bc4ce58ca7e8295d0ff21512d810aa7dcd7d43a53b5ae7d7d1904ffa

SHA512
65b3996d31d8ca2792bc968ed08f6261bb5387859811ebae0b06c1b6ee3905f77417ed55f84fd4b788b8668e07dd093d18c9a0ff47978e6dd1ef555a035006ff

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
337KB

MD5
3d8bc3645dbe2820faeb83884c68b1f4

SHA1
b99a2a07fd47e6d4db53d0c6f5b5fe54a02206a6

SHA256
1607251cd6b8ac151464bf61618a009da790d3f0a13e58c669b915eee197c377

SHA512
974ac8a0f7e4bc62511c3a6f0a3fb92d3543f385224093821ea734f3b64df8bca62d497f63d1ac51bc68214584255caccd8c0fe5ee94c8852d822b7c4359d981

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
ca210ecf70fbfe9ff1a9b4205285e33b

SHA1
0e46d52db16eaded989925fa8eb8e165105d9a1a

SHA256
5b11419f39ccb099a9a6e3376b435a2a857b1b9809ad3d4f7944170954932a9c

SHA512
80bf9020210e41348c14a3ec1dbb3bf338c746359ac0345bb7e57517611d49ee995a1cb9db45708ca17375c175150024c0bc734731d75b45f656dd89c5b5f4a6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
337KB

MD5
913d9812c6c4f195c4f56098492e679d

SHA1
9ab50d85faf14e0002af7d80b1e341999cb8a283

SHA256
22f56c82d902a54851a6ce2cc41f3a8fc3a76623cc6c72053041f95710efae3e

SHA512
9b3200a05b774a7b44f48f704a28844fd4e0d715c5aac3a2a1b77524e6dad0c4493eda458a1b2cd675230f340212d546ac6f2e0fd7f345f51a696cb3bbc39fab

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
337KB

MD5
73931d5190602172cba5a2ea75010397

SHA1
26bcb51677d097d7ef247fbbe7ccb4f5d8172195

SHA256
335e78af4c5454cdd8027f6374bdce6810f387ef9c67024899b30fa8c4bf057f

SHA512
bd3b8211abf5f8f31836b16cb18671890f9d0ac9fd92329fcfb4fbafe677a5443303d0fab554df5e6918ea989f9ece89cd0e2101c3d7d2b2338b5dfe850727fa

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
337KB

MD5
e34c56f853c5af2eb6c8104c92248882

SHA1
f8fa51a239dd31c9c878c964eeccb1beb24dbba3

SHA256
525e69cd1a8bb77f8a0605e794a72fb54b8306f7e1853db5475949026a88c20b

SHA512
a52acdef26eb7d444d6fe45f0901804bb5496b21acab1d56f5d6a2d6bff21d6bda3ff05aac41e0c837897935257b80eb4692f6dc4df5b39328419092cc637240

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
337KB

MD5
7c586eea896579f9878bdfbd526d3fe4

SHA1
d05b8e6a236fb527881c9d74de00e0c5f5822124

SHA256
9049d6f3c585bde1b039f17da2a972e63235967802baf9caa8a1427746889b4c

SHA512
44e969c73d9532bddc546795f7e5d6543b1cb8815bcb8cdaf4249b2596b0045c410a4e69297f03f6f1c694b7f0db479ac7cae31111cb3b5cbc856f0f474485b8

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
337KB

MD5
8f5b9f333068b73c39b3bdd062200753

SHA1
0334f9c97d864fddddb74ca01e2f128600603fcb

SHA256
7e86a9b0344ef34c54cd09a00d88e9db103d3d0ea8354032dd86f51b5cf14763

SHA512
8e227961e244eedd4460d800dcb6e731d6a78bb4b4671cc3ea5a54cbd9cf6b4a4eedd7ee0ce098e2cfffd8918aa436b9df1a190fddbe1e17cad5083c65030d02

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
337KB

MD5
5c39f34e9f8bfee00e8a7fdf3e74d50f

SHA1
42df90fdcf85cbf7099711e094f5c20fb5640fcd

SHA256
f40cfcb48dd2c746f4c0b7f9ff8a31108aa6080b6f2017ffd14cd9621f719b51

SHA512
a4da2c1c09f7d167282088bbf188a3b439772cc5f410b811a5c98817c6b476605d8b94e1fb5c4e7be67c31d6048d8b57ab5f3dfdac8737647d5e9dba28e81d74

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
337KB

MD5
c09ac85d0e26a024fbaf8e2096ce77fe

SHA1
c5a2760c9ac7d539b2fab01a47d1322fc0ec90ef

SHA256
6a7d61c92c872cea1ea21d1b78841c30e0e79556078dece57f527dddefeba6a1

SHA512
3a113ba166f288a536064d3a7ac7b5571b29e4bc241e556c75c9520e1537f3deed3fa28cc9d092ecefab62d34684de759e50f769142d34b354fc8859fd302e58

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
337KB

MD5
89c6937441a14e3919ec78feea309d7f

SHA1
fa3124236d72aa0337e2e7783c8e4184963c713b

SHA256
51548244734b124ea0db2ea092c7babb195f8effa85ae4bd48ff15def5f02b9a

SHA512
b728c805dc4222a5237705a8b36f765fe38cd2a36920659993f7cfe2ae934c4aa7006ea760fe43e24d0892ab923e70c043a0f586e71c97d09298867f0d61ad69

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
337KB

MD5
6c44e504c381672454dfd7125295a7ca

SHA1
6fb77071318f4914e15bec89094e2f3179af97c8

SHA256
53d166c6168e061da609208bde5fd621ffdbc7a1dc50a2bfeede726400f32b22

SHA512
8ad5cb759ad80b1f2c13c356a0074d3b86e26054f0d07d310732115ebf0dfd42ce66c8621dfd076b9c21549a877fd1960a1743d4df17073fcf1692b0addf5b14

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
337KB

MD5
e6a61dca0b5b1ab1bac7fc462798e394

SHA1
7ebf589096f084830ed20d9ee0689a6bf7e57126

SHA256
592429f48825f19a420af7acff9ed6b329f9aa8bed318f0d181e0cfe13539599

SHA512
7a8c2f97af582c95ef5d3317627a5623ed138b104e81334c9c446ac9612cc68fdebf93ca4404a1f4453bea21c5588bf0e00eb1877cd90de92c958a30a1c1b92b

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
337KB

MD5
902ff7c21cd943bab1b865f31344a365

SHA1
56d0e3783cd9b5bc920a82dc79c8aa4249df7f7a

SHA256
6636635e9a0bc6eec1df79348da25cee59e4327eced94ab4cd07e3c160507e7b

SHA512
93b652d4dd7460532d9a497419997a5ab30eab5cf81a8bf03d35a64d31f061b3ff6f49dab492f78006ba07da30b7261e522b2fb1dddbdb92837ce3bb918cdb48

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
01806ed649ec7b611f19c90a1e703c87

SHA1
d8dd1a03e2f6983f232959c2990aa69590c579f5

SHA256
7a13310d7d5377db74cf98f53b9da7b5e547c6850f5811d30dc83ad15b189ce3

SHA512
8e31f043f4562512f150535b3f34421522ce7d498f5961a53918d2144d2e6589c950e4dcfbb52b925127d875464fefee0471247bb186a0f2284d77fd442ac88d

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
337KB

MD5
2eceafab29377b50475db1a50c1a93eb

SHA1
3df6f928f462f8845159129f2f07f24c95d2f970

SHA256
a051e0ae64addbde406bcb85125fc055f24e1f971b3f12a06090b9d185f4d049

SHA512
35e85c405d33563a3d4c5a433d3bebede56513cc2a928f09b4d4b85e79905528bc5eeee60e6842d29f0580115c47e795338a347edc53e5fd76a54b0c3526a19e

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
337KB

MD5
c6449b7d4ac9d41852a60fc54c47248e

SHA1
2752e40e2e3d3589ea158a1ab1701248214999bc

SHA256
81ca1993b28fcc02f09ef8b3eeb9854aa3f7ee6affc3cff15e216756b6b18326

SHA512
b6088e3803e67826dbc43742c922ae2aa690c0393815d68d3ea81cef2382aa835d9c65959140dcf2abb14b4916a2056897d63ae9359e415a798e482323bbbef8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
337KB

MD5
d4983101a56fe6e404fca738b2fac3de

SHA1
d8fec783f3ffd713b3628d7d48c82c896213246e

SHA256
7bc6fd036b85511e6252c1015ae2ec901f5a80497fe8705ecd4204a0f96ea342

SHA512
23180d94fbb9804f662bc784a4b76e01376a41d3041cbc5cb6d9f24440576233fca671d8349776659b22c03e8dd98831b3d52e0b8f47bb822784b0b7c966852e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
337KB

MD5
f9eabef8032ea2222a9c598bfaf5e965

SHA1
fa5a519c5a141de8ce8dadb08d127d02f14d270e

SHA256
f03b0423734cf2be1fe231d11396f313a09152c11cf4bd22b826559ad4a2ec33

SHA512
2d6c5372387621b3244d19d9bc2919b6dd05c818e9f65c310ad7b72f81db1cdfc25ed7f0b649f7ad3dfdb37e15cd60b33f01da8d3eccc5188b316759f054ace7

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
337KB

MD5
9bc85b9be8d43cd56b927fe0d9ff7826

SHA1
8344ca0fd8599167ce996d159407dcc5bbc071b4

SHA256
078508dc4394d4021c9ebb7d5967585de218f100539d6994fe8d7e70b3fe6836

SHA512
7dc875499b9a098acb9ff3c441ee4557b6aa5be8fb4c8305aaed554b8acfd0e556c0a7eb512be47d3f474e35a43000091266f7c0faa25a102dd7dba3618070d2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
337KB

MD5
a5e05b3cd138a38c0fa674ddad936980

SHA1
b620f86726dfc4d25ee5a21d05a884d70ba447b3

SHA256
84a7a6aa703303bf65fc6ca90a4b3c3157ca3ad2379fb382f4c176cac0c53e5c

SHA512
d7ec989c567389b3adc3279142a5492ab3f77f77714c49aa13dffa36579f183298287a644c2e0aea5a9478d467f7c56930871bf6168e78e62af0d5cec20ae233

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
337KB

MD5
72242a8f16b75a6ec0cd715974603619

SHA1
36931ef12ae473768f4df93197ea7491fb1b1f6d

SHA256
9f55aeda2c64cc83056514bbaf85dd2207f455173437665e2ded72f6b4c07241

SHA512
77c6df4375eece22dd55a7f412db977793c15eee12571dcc80ccd1cc52d80487f6942e336898a6d1c592c2950729114f99dd6c2bdef472cae380eb77b79634f1

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
337KB

MD5
658bcd5fa86ac9507f2ed068d3b9cdd4

SHA1
531be2fcb7ff62e0bd3a76f776b4d8cd0b25c229

SHA256
5217d12e0406aec887afb0bcea59c8618196d75d4e1c4070d4154018314f98d3

SHA512
98ae9ea857cf6464933dc6fedb7e6792db40bee40841fbf0988c9b929a166f24c6504386ab29f3f9d523d7a0775aed79421d1051ed17bc6e7cf1b23fe384adb3

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
337KB

MD5
13824f3798516a71750d2f27e23ee69c

SHA1
8fdd733e5cd864db9002d034954b6c08a2e8c766

SHA256
77aa80faa3fcf82658ac9deb9527462922d76a7e4746e247abb98d2a5b9f314f

SHA512
89d4efb0bc01d6a076398e188c0f0da401b3b5381a67f0e059234e841b38cfca23bfec690bd5c37412752585486c9a5432815402a8949f03cfa34e490fd42fad

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
337KB

MD5
eb4dc3504a10fd5982dde697d8c10ea6

SHA1
35ea5de2a87d94a59fc97863205a1335e8a7d3d0

SHA256
31fe00f50b19daf95820b6a658161a91ec442b56f68a7759d18ff3f282902fcb

SHA512
68c8be0b308d05950f3c53f49bd652e8cbe11ed23adc49aa567a2cb8dc6aceff13adb526a68fe49e8e16e388be455121c331b8a5dafa1108c724b69d4613ae57

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
337KB

MD5
96fe9b02349a752ab29fe5167db33867

SHA1
e4cfd10f162994f5430e58eb9bcbd7ee83b0250f

SHA256
40c0177631619afc626883704a0a10a85900e3a44b13ab2137d3a960b8eddb80

SHA512
44224bcb19d632f206823a1fea6f09a3633853fd953c81779b00061a5feb236c2275251c90d30950eac9e39e920aa35bea44fa5dbf257d23c201adabd3b9f877

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
337KB

MD5
70821e9672559f09ef112d9f1a036c68

SHA1
d6b14b7080dea0c2b4afd95616f103a279b5b6e2

SHA256
6863cab264e5ba0033e591f902d563769bf476ca5e3fd297a0d18ded6905d7df

SHA512
71846ee75f4f37e515d33c91f39e6cbc23ebc3e6aea59e6fce8b72bfa20d18f74549eac8abbd4e3d71dca30f0499e26ab4749d0a4a9b060562d2c29fda2cb63e

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
337KB

MD5
8bd6133d3d5f80c0b277c0af9f19dd76

SHA1
8f793cb093dc77b7f3b87daba09a51a644afdc5c

SHA256
3e5b341114a58e4dde39d93f83d1a82ba39e0dc272a0f7a330cb6171f92b5cb7

SHA512
d016f7f75b5bb9065df5ac634286bb8b8a953dee652da2f1ff84c973ce78abdc2865dcc00046d0eeb7e11393ee6a92c7a8a14a7c26b509feee52030ac794d782

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
337KB

MD5
4dbe8964ffc82d66b372428cb245473a

SHA1
dd4467929ddd5ab109d5755dd31e05f807fe6547

SHA256
232e092eadae8b34c0d946663f7d235ac4eaab6bdc8fbca2f5f46cb0153056fd

SHA512
661495fc1200e63e721b05a43a03b74977f7f107fd17321f3d88bb24cae048e680709677869167048073139bc735d7da776ceaadde60d4a7081212fb72e7104f

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
337KB

MD5
bb230a579c1571f857a3c85af4251edd

SHA1
f90f1f112844e15a075f5ce234e766aacd17d0de

SHA256
ef50c41acff5eb3a9eae583943e1f0e057567f51d1358e20789a22bf8cdb6e79

SHA512
2338d229bdb2e19c69cafcf3ac62823d5b3a57df9c1317d68ebdba53c31274967839dab0644a1b59ed3651f7bd9a25a72dcddf525070b32d41455d6ee8fa0309

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
337KB

MD5
f776149a20a2a37553a6bc5277d974f3

SHA1
6764f8e2cacef5c378f2fe21c61f9821d907be90

SHA256
7db9c7929f842ef59870a14ab91f4d8843e20cc3e32e7b169244864b4de31fac

SHA512
fc666d0aea864e485fb5a6f29c14ea47e49e996f3520ff67da6b5b918d7b52c55d207e13ea962b30577fcda7cc8140ae59471124e4df090e726ffb06aea06626

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
337KB

MD5
b8482cd496fd88caa4d130d0995b8570

SHA1
64f5b6f68f7c28fa4fcab7605d6d5ca8dcead320

SHA256
1e74eac7c1e23738d49c54b46f74fbd74cb319d159708cfe95235cbc284dd6d3

SHA512
dfaae1a41143b80edd7099947dd6cfc44d1b9ac321ace8c1cd3f5a96997380a0606a7c9165895480e162a44af7a1fbe6a88cbc6e70ab15837351dd2453b5202e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
337KB

MD5
a1cba3806f352a78e483102918e2c0cd

SHA1
994c16b88d60e7a904a87a48790c2f750e6ce956

SHA256
09d24866855acf90bc35065b5d799284c36e14ff4a344328842affa192af6a15

SHA512
b3fd9b9cd8c22f41b9ad3f4170d51a4edc618749d7ab03a1d6d2d608915576de08aa6d7ac517bc3baf711710f19b7b4604ce06ce33c7209387e840d4a09646d2

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
337KB

MD5
70094ac4fe13af3effb2133619f6ca43

SHA1
0ec6ecef8a78021a3a206d871501676001b02a8d

SHA256
d7ea59b8bf5eb34243306562e835c03112896f44177440f16e8d78df53c8696e

SHA512
0ed5e1478818c5fc2134907f2689268ec31948dc0f758f5cfc2e494f543aaf9e38ba3cf7309105b36444db1591450c649ab70941fabd7e525f6fdb03a0567a4e

Download Submit
memory/524-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4672-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads