berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
123s
max time network
175s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/04cdfdef32e604c59822bff2f7412eb2.exe
Size

337KB
MD5

04cdfdef32e604c59822bff2f7412eb2
SHA1

20e3dee726826783a7ea4834b80badd1ea626612
SHA256

af3721b46e91eb79e33fda423a58be171a7ecc8baab829a35940cb4b0e976578
SHA512

fbbe8867d7f8adbcc4d52a21e304486cda4efb11e0dfd35e022c0f23a5c6abaf2503951ca9938da64a40549985c09462dc6fe8e1efe6a762f3871f1eced0a902
SSDEEP

3072:hJ0OcTRw/F6ufgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:hJ0pErf1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glbjggof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqojclne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klahfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikmbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glbjggof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
15	2940	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
4132	Fealin32.exe
2504	Ffqhcq32.exe
3940	Fiodpl32.exe
4012	Fnlmhc32.exe
952	Flpmagqi.exe
3420	Glbjggof.exe
460	Gmafajfi.exe
4468	Gihgfk32.exe
524	Gikdkj32.exe
1680	Glkmmefl.exe
2328	Hbhboolf.exe
3772	Hoobdp32.exe
1108	Hfhgkmpj.exe
2180	Hemdlj32.exe
1160	Hoeieolb.exe
3632	Iikmbh32.exe
2596	Iinjhh32.exe
2580	Iedjmioj.exe
2104	Imnocf32.exe
2540	Ieidhh32.exe
4660	Jekqmhia.exe
3756	Jgkmgk32.exe
3544	Jofalmmp.exe
1784	Jpenfp32.exe
4976	Jniood32.exe
2476	Jjpode32.exe
3024	Kcidmkpq.exe
216	Klahfp32.exe
1188	Keimof32.exe
4360	Kgiiiidd.exe
5064	Kodnmkap.exe
4116	Kpcjgnhb.exe
3948	Kfpcoefj.exe
4676	Lljklo32.exe
4472	Ljnlecmp.exe
1104	Lqhdbm32.exe
3636	Ljqhkckn.exe
4860	Llodgnja.exe
1136	Lgdidgjg.exe
3196	Lnoaaaad.exe
1412	Lqmmmmph.exe
2460	Lfjfecno.exe
2144	Lqojclne.exe
1300	Ljhnlb32.exe
3448	Mcpcdg32.exe
2936	Mjjkaabc.exe
3428	Mogcihaj.exe
3752	Mfqlfb32.exe
3664	Mnhdgpii.exe
2160	Mgphpe32.exe
1916	Mnjqmpgg.exe
1788	Mcgiefen.exe
1280	Mnmmboed.exe
2664	Mqkiok32.exe
1948	Mfhbga32.exe
1896	Nnojho32.exe
4080	Nggnadib.exe
3580	Nnafno32.exe
2056	Ncnofeof.exe
2916	Nflkbanj.exe
5004	Ncqlkemc.exe
4424	Nnfpinmi.exe
3828	Ncchae32.exe
1132	Njmqnobn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ompfej32.exe	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Iinjhh32.exe	Iikmbh32.exe
File created	C:\Windows\SysWOW64\Nnfiop32.dll	Iikmbh32.exe
File opened for modification	C:\Windows\SysWOW64\Kcidmkpq.exe	Jjpode32.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Ncqlkemc.exe	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Jniood32.exe	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Liabph32.dll	Ljqhkckn.exe
File created	C:\Windows\SysWOW64\Lqmmmmph.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Kmkdjo32.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nnafno32.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Fealin32.exe	04cdfdef32e604c59822bff2f7412eb2.exe
File opened for modification	C:\Windows\SysWOW64\Jgkmgk32.exe	Jekqmhia.exe
File opened for modification	C:\Windows\SysWOW64\Ljhnlb32.exe	Lqojclne.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Hemdlj32.exe	Hfhgkmpj.exe
File created	C:\Windows\SysWOW64\Mfqlfb32.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Mfjnfknb.dll	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Iikmbh32.exe	Hoeieolb.exe
File opened for modification	C:\Windows\SysWOW64\Kfpcoefj.exe	Kpcjgnhb.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Nggnadib.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qmgelf32.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Lobpkihi.dll	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Lqojclne.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Figfoijn.dll	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Kfpcoefj.exe	Kpcjgnhb.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Eemnff32.dll	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Aogbfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5320	6116	WerFault.exe	219

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fealin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoeieolb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljklo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llodgnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgphpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpenfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keimof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcjgnhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoobdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieidhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fiodpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mogcihaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iedjmioj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekqmhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjjkaabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmafajfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggnadib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jniood32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpcoefj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbhboolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imnocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmgelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll"	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klahfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll"	Iikmbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnlmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04cdfdef32e604c59822bff2f7412eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgkmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4132	3920	04cdfdef32e604c59822bff2f7412eb2.exe	89
PID 3920 wrote to memory of 4132	3920	04cdfdef32e604c59822bff2f7412eb2.exe	89
PID 3920 wrote to memory of 4132	3920	04cdfdef32e604c59822bff2f7412eb2.exe	89
PID 4132 wrote to memory of 2504	4132	Fealin32.exe	90
PID 4132 wrote to memory of 2504	4132	Fealin32.exe	90
PID 4132 wrote to memory of 2504	4132	Fealin32.exe	90
PID 2504 wrote to memory of 3940	2504	Ffqhcq32.exe	91
PID 2504 wrote to memory of 3940	2504	Ffqhcq32.exe	91
PID 2504 wrote to memory of 3940	2504	Ffqhcq32.exe	91
PID 3940 wrote to memory of 4012	3940	Fiodpl32.exe	92
PID 3940 wrote to memory of 4012	3940	Fiodpl32.exe	92
PID 3940 wrote to memory of 4012	3940	Fiodpl32.exe	92
PID 4012 wrote to memory of 952	4012	Fnlmhc32.exe	93
PID 4012 wrote to memory of 952	4012	Fnlmhc32.exe	93
PID 4012 wrote to memory of 952	4012	Fnlmhc32.exe	93
PID 952 wrote to memory of 3420	952	Flpmagqi.exe	94
PID 952 wrote to memory of 3420	952	Flpmagqi.exe	94
PID 952 wrote to memory of 3420	952	Flpmagqi.exe	94
PID 3420 wrote to memory of 460	3420	Glbjggof.exe	95
PID 3420 wrote to memory of 460	3420	Glbjggof.exe	95
PID 3420 wrote to memory of 460	3420	Glbjggof.exe	95
PID 460 wrote to memory of 4468	460	Gmafajfi.exe	96
PID 460 wrote to memory of 4468	460	Gmafajfi.exe	96
PID 460 wrote to memory of 4468	460	Gmafajfi.exe	96
PID 4468 wrote to memory of 524	4468	Gihgfk32.exe	97
PID 4468 wrote to memory of 524	4468	Gihgfk32.exe	97
PID 4468 wrote to memory of 524	4468	Gihgfk32.exe	97
PID 524 wrote to memory of 1680	524	Gikdkj32.exe	98
PID 524 wrote to memory of 1680	524	Gikdkj32.exe	98
PID 524 wrote to memory of 1680	524	Gikdkj32.exe	98
PID 1680 wrote to memory of 2328	1680	Glkmmefl.exe	99
PID 1680 wrote to memory of 2328	1680	Glkmmefl.exe	99
PID 1680 wrote to memory of 2328	1680	Glkmmefl.exe	99
PID 2328 wrote to memory of 3772	2328	Hbhboolf.exe	100
PID 2328 wrote to memory of 3772	2328	Hbhboolf.exe	100
PID 2328 wrote to memory of 3772	2328	Hbhboolf.exe	100
PID 3772 wrote to memory of 1108	3772	Hoobdp32.exe	101
PID 3772 wrote to memory of 1108	3772	Hoobdp32.exe	101
PID 3772 wrote to memory of 1108	3772	Hoobdp32.exe	101
PID 1108 wrote to memory of 2180	1108	Hfhgkmpj.exe	102
PID 1108 wrote to memory of 2180	1108	Hfhgkmpj.exe	102
PID 1108 wrote to memory of 2180	1108	Hfhgkmpj.exe	102
PID 2180 wrote to memory of 1160	2180	Hemdlj32.exe	103
PID 2180 wrote to memory of 1160	2180	Hemdlj32.exe	103
PID 2180 wrote to memory of 1160	2180	Hemdlj32.exe	103
PID 1160 wrote to memory of 3632	1160	Hoeieolb.exe	104
PID 1160 wrote to memory of 3632	1160	Hoeieolb.exe	104
PID 1160 wrote to memory of 3632	1160	Hoeieolb.exe	104
PID 3632 wrote to memory of 2596	3632	Iikmbh32.exe	105
PID 3632 wrote to memory of 2596	3632	Iikmbh32.exe	105
PID 3632 wrote to memory of 2596	3632	Iikmbh32.exe	105
PID 2596 wrote to memory of 2580	2596	Iinjhh32.exe	106
PID 2596 wrote to memory of 2580	2596	Iinjhh32.exe	106
PID 2596 wrote to memory of 2580	2596	Iinjhh32.exe	106
PID 2580 wrote to memory of 2104	2580	Iedjmioj.exe	107
PID 2580 wrote to memory of 2104	2580	Iedjmioj.exe	107
PID 2580 wrote to memory of 2104	2580	Iedjmioj.exe	107
PID 2104 wrote to memory of 2540	2104	Imnocf32.exe	108
PID 2104 wrote to memory of 2540	2104	Imnocf32.exe	108
PID 2104 wrote to memory of 2540	2104	Imnocf32.exe	108
PID 2540 wrote to memory of 4660	2540	Ieidhh32.exe	109
PID 2540 wrote to memory of 4660	2540	Ieidhh32.exe	109
PID 2540 wrote to memory of 4660	2540	Ieidhh32.exe	109
PID 4660 wrote to memory of 3756	4660	Jekqmhia.exe	110

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04cdfdef32e604c59822bff2f7412eb2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04cdfdef32e604c59822bff2f7412eb2.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\Fealin32.exe
  C:\Windows\system32\Fealin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\Ffqhcq32.exe
    C:\Windows\system32\Ffqhcq32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\Fiodpl32.exe
      C:\Windows\system32\Fiodpl32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        24⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        31⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        37⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        42⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        50⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        66⤵
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        67⤵
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        70⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        71⤵
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        72⤵
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        75⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        83⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        86⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        102⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        113⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        121⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        123⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        128⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 436
        133⤵
        Program crash
        
        PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6116 -ip 6116
1⤵
PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fealin32.exe

Filesize
337KB

MD5
76c48fd46d52d006ab97bbd8417ad037

SHA1
d17354c0aec69ed067706829f1003017a54878db

SHA256
dbfec468eb9316d28c3507d8cc7018ebef2dbdfa308343469f8ec29c70b1ad47

SHA512
8dc1e2e3a719db9208f5eccae152c3b38ddf0cdb3eadcceb05bfdd03ee6bf662ed928e5bdaecdba8f1b7d7b5ba62ba759bd1693345eb5a8ccd13a6e4ce6342ae

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
337KB

MD5
adfdc9c2cd1c51022c91069f97c8d52b

SHA1
a206ea90dd22876668faa7f151881ad3c51d54ff

SHA256
dd95d3dabef2bcce54b2de567ccfabb7c14c8019d61278c5cec07775429e92f4

SHA512
02159a2cebb10856df609b7f4139084d2cf34732ff7831cacb7f7b3aed38ebae0f4ba8849a2182364f2366983a3a16af416a611987a474d9a09ca370cec28bbf

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
337KB

MD5
bdcddefd5118db6318ebaa88c4ebcb95

SHA1
b5b71bee85cdecd6a92061dd08bf02bb7b5da456

SHA256
f93676bcb133924bac00edfb291bc8615b1f598e6f5f6696dd6ab0c7df20ce8c

SHA512
fb22f0ddca18640550b5291076006b56394d3f83311704a59a66dd095b27ae3c67f32317bb9fd7eed5c6c4be49df4375a89a21ce6f0a133aad97643b6cbeecb6

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
337KB

MD5
946f2de8b63f29df0704fcaf207c7144

SHA1
bcba2abacc643b402cc7405c50df839aa55a3515

SHA256
360e9b6238b32b242f43f9dc4c5414ff5b2e0e9b7f1145df9ac30f468a3df31c

SHA512
9029f8bcc42d1bd2da24986e3a1050fb8db41610058d966bd89207095f9b2a759a96ca3fde10fc8defe10e572d52f4445b2bcafaa7e637bca3ea85fa8562e17f

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
337KB

MD5
f7935e5339656547ac52a4dd5193be4f

SHA1
d25735ba6c9497591953fb248a1cc73db77fb4eb

SHA256
467059d4b2bd81ba59bd04d0a628193ebe94c6d3f7e5c19c2e91e2b26b4c560f

SHA512
f54e3d56796346b469c2d3b953f17db601e38952c7b184e3abf9e52bc896746a4c4c8233bfaafbd2619d599d5bd03dd1de8730ed2a473aa23ef33b2067f0023a

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
337KB

MD5
a6ce14867b65b14fb0a81db8b50ff75f

SHA1
3a1cfe0fe4d88782675977d7f7ffea8ecdc3542d

SHA256
7548d94b0e33f1c91f951d5daa6749bb2756eb6145d9f6cc1c181abbb3ac4d51

SHA512
d9e3a244b53b6694f1438dbf805cb58ef16e6870e01102cb8c11e6c3b0ec5b89817d52186daaeef79054cd5a2f5c91d80c34677797a53f03e1eddf458f6d2aad

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
337KB

MD5
094c54c6b90a8ffc64af0e15e1a65e87

SHA1
babf1298eb7a395a0ef2d954d30dad11096849d3

SHA256
d5f9f96f6a174358d0434d92e29576e1f65e01ac007205f3734c773effa7ab1d

SHA512
dc4352db380a14dde6376111f7ae97a4b499fc9ce6fca6fc9f08a20d3832014303cc661b7d139e143539450cae0b01d393bc974f89b98da21c3e2a4e14196178

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
337KB

MD5
60b687cb02d113d81a2e2bdf9e784d2f

SHA1
8dee30059664de5f58e9f656c57714f1af31217f

SHA256
e0b1ae32766229bcdd032325d75357a6238136f633fbf44234ee5ada8ee88e01

SHA512
463c756275c972c7828b63ff8eba9da829f09141c3ea564b4a18bc0015befebc574209b955193851101079557c451f873f38ae2770365537d36afeb332f0c1a9

Download Submit
C:\Windows\SysWOW64\Glkmmefl.exe

Filesize
337KB

MD5
9b41f4f63155832d218062ef14b35650

SHA1
0fc9591f578bdb28c45b7c3afbd308d31efc69fd

SHA256
0b29cd2a8dfad6ae5061daba83a6673518ea40245a6c2a3cfdc897829e41f93f

SHA512
38ed0820d881ec55a19b2d0200c196fe867825884396e3d533034f4438be8e13256622a6b2e7670d8487d7a9a6f6c75484bf4c4b103d8d0fd2d14be1eee59c14

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
337KB

MD5
1c95e7aca1898884f9f2c60e14779127

SHA1
39397803f6d9effff20137b1cc64b3dcc55bd91c

SHA256
6d0fcfedc82d973ea2bf3d9d6fc59f43e38ebc57f3740f75f216a81a9af00a4d

SHA512
8bace8b5dfb007fa465a8718522d15f84703250c7503318efd4bc3ec2bdd60f96e48d88f2a2f2bd913337f0bf7251952b99b1dd8efcc31652ab21af00c45ee87

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
337KB

MD5
ca7538303d7678091a7d3324dd7bd692

SHA1
ac011fae72969c3203ba6ecd693403803bc4b1a2

SHA256
832b0a7152c641ba21eae3b4b94660175dd3307a67749bf0adb2b91998e03e86

SHA512
d8cd1a1d37f7451026651284d29f9c2e3a79a209bd8c17eaffd5d161f6ec5a704ee9b7d87200dd7becfc8a236b5551a7fa1d6f81e7e9a54963e52abb05897721

Download Submit
C:\Windows\SysWOW64\Hemdlj32.exe

Filesize
337KB

MD5
61796c4f3451d24291e624226b5aed90

SHA1
6379dcbf5349ff972e78f16b4488bc4245b6aaed

SHA256
e61b885329d7838129f0d96d58e64516b2d7b3c38eae658f3cd316ed3bec69f2

SHA512
ed58c3cfe4b5a8fe47f1f9ddc6e0bebbe2da57f921faa6db9ade29d8a07d02a728cc2528fdd23c475f02416b964ea51f6435cefd4b80f1a5d617a28a52e4d74e

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
337KB

MD5
099114ed10fe303979e8ca19d738102a

SHA1
d54f70747d3d7ceeb50e8058b020d756d3cdbf0f

SHA256
a6ca4b6e160c15a7d93d77d87758d90d03e59983072edd35bfeefb2a7e622219

SHA512
b1039617bf4352f013f1cfdcb7ab697950747ad57e62c0f58a060be4e945ff2e62ae950017a3c6bff2cdc734bee90acd62dd1ba31c1e6a636f044e94f036456a

Download Submit
C:\Windows\SysWOW64\Hoeieolb.exe

Filesize
337KB

MD5
368d831ad1b512f6cc1f9740dfbd24c7

SHA1
e7f8a80d9aebcf169be5a1bb7d11c9cbe341416b

SHA256
da310b806f42160906cbf10acee7bfcb4a3fa6788980ebd7484fb045a7d3d9e7

SHA512
b33b196655bff3ca559125a324c5e91cdb4abbd0a9a802765a41d579d6ac647986c7cee305142bb63c2537275b0d7fa09241c813647efea124805cce321d29a1

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
337KB

MD5
49e7ee751e67ecec976806cbcd0f3999

SHA1
3031817a4db3ae63a779adceeeef1d953ad903f7

SHA256
84951d54b838ae93467d5161a63b4f6bc432d7c2b5130ae2bab0efb02a093039

SHA512
995560996cca0dc27ab766e989d24960fdee2e3b30c6d2f8fe5e17b2badf4ce4610548c6c0831d64d9446cfc232560ba3117cd0fae1e0a786ccc8fee70bae9d9

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
337KB

MD5
e8d9f0f9b5dd526c250b0078cfee0253

SHA1
e1c82ea605c1a39ec1c8362cafcb5d93f121c66b

SHA256
ca26274faf0ccfab5fe230a72a211a718ef8f0dad0d014c85f6eddb6cc868390

SHA512
3ed75a3f93c9cbd5016ad4b2ec81d2d3d0ae2ece2475741d5267d0a71d60e1a0a6e7efb3e2afcdd071304e71bd113f1a3b8124180b309700364d6bf92afaa420

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
337KB

MD5
7663856ae97260c712c4baf7d1b5a83c

SHA1
dc4b61334f7b26f99782de50d65493bc027f51da

SHA256
0f5852d56c0f2c254067934af331125d3b6a43d8bb5ec2d782de341d679f4ee8

SHA512
1a8265d3418c63abf39a2498af010528942ed6b8d2c469bba203480eacf4cb08201dabd8209bee07048a6e575facdb267d489e5986e991e890835f2c35ffc7fd

Download Submit
C:\Windows\SysWOW64\Iikmbh32.exe

Filesize
337KB

MD5
a898834d86145f08bfcfc56effa6c269

SHA1
be5082f847d401878075b266197a8c667726bd28

SHA256
dd1244748ad364b8bd5a97744db4573a0561feb5c74a4e1865cbf620db19e720

SHA512
d05e6cc67def7bf43b233e2dd41b152f29975ff94c9cc5f2c0db1df2848b2f15968bf77e2ee87b809c024e0f35cf3ed2c51953f061b7764e54865a9bc7663009

Download Submit
C:\Windows\SysWOW64\Iinjhh32.exe

Filesize
337KB

MD5
325b059b70b70ffe07dc3983a148b962

SHA1
8b0ed7542d3ceae9dd6cb67b55e14de0ab07b4eb

SHA256
ed5d2dfa3a3e69e16c6a524e03037525f41957ed0e477242a0ea080923c559c5

SHA512
77963b761e4f13a7ba3a170bba3a6ffdeb855a09a328cb3809413584af2be2e537ffc404fada9a9af3306064554037db6c0c197e261d8cd965e62e492bba318a

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
337KB

MD5
afdc1ad5ad58b4b219e9a4ba468cd58f

SHA1
7f09ad3fcd9b32458455ef5d17d566b84eb04884

SHA256
9795bb2cb0b2b59f216b6f8837ed5f93dcc778d2ebea7717187ce91527e74d2a

SHA512
20baa25909c3e56ac1b85c5702ad25d4e0fda12d90bc6d5f9473c03d39c5e9b4c30982bf3b0619c4983ebde4a53ee5039bc9c3fad01b3a1f4a7016d6562af916

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
337KB

MD5
510db119199d8f4316aa2a4b9c448795

SHA1
28ee42a5d01e648e016c22be700e046249af53cc

SHA256
43bbd263024a956c826b094ef9fb11679b7872084d0bb9805fa04a8cf5c4f179

SHA512
5c1e39232defc02af3e8fbb84e4dfdb263b47e952b7e40fe85a615e443c14c2b4523f134eec1aaa173437e185107295a606a4d1cb77f2e58c43fcf1919ab45c8

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
337KB

MD5
7da47e0d3bd1b01f8d7dc36d705c8162

SHA1
790a3c89e23d654f4a037119675c57c62e1264af

SHA256
e5e4559154aad0dd89efc31e87a930eac358720ab90fdbaef0675e16695d55f5

SHA512
bb18cad497b7cc657d0c7ee67ea0ec82e6f48ca2d7db316a4625efd59ab2f77b40ca1514af6f096bb4e879256247a1f0a595020fea77b456e906dc5f34258483

Download Submit
C:\Windows\SysWOW64\Jjpode32.exe

Filesize
337KB

MD5
db0e8a241366ba858a52dbae59da55c1

SHA1
241cffac333331246516d58ccc1098361ec2c0c8

SHA256
a5266b3cc2000f64de88e371e8961c6b501d883358a190fb439e023662034269

SHA512
71c7d18a0ed537883f6843bf269e498fc6c62aec8b5e6319c24c7845f2d88a990ab2d8e348c6917c6fac8d5b75b8ed07c2d10dee06760e557bcf24cb1f0c727e

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
337KB

MD5
3f92cead727d64fae6275eff36fd1d7c

SHA1
2afcead813f340bc8caa31ae7b70a82c4b06c769

SHA256
52926b42ad982c3427d80e14c5ba75641874baff93e38030ef5a0b956a404a1b

SHA512
ab13d4c5b56f0b062e8e4023875c7fb970cc756260ee9a6d1467be7825b89a9a97b336089251a08d239cfae92f796f3d4d110736ca02195707acc9c86ed89ee2

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
337KB

MD5
9a92c3fe8a57f6d9e4917fd1f5579cbb

SHA1
606cdb69fe74fe878fcd417585ad41355aad74e8

SHA256
49baec85a7d8613c629c2a7ac1327d42e35d717c3af3fb28dd5210f508fbb4d0

SHA512
8557898b78b8d43be5ea41e5270dc114df63a4a199fed3277bcf6da4f638ca571feb314f98e5b703a4223205ce971ca9765833848f98e493cc23c916a1bac881

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
337KB

MD5
dae86bd1d0f1d0dd460c810bd3a52871

SHA1
7a8af7c5d292add63e4a8fb9743cab743a517b78

SHA256
03d0e4780ff6eb19a5f5d60752849a8b9265475676473218baf1cce4ab0ae91d

SHA512
058c5c1ec6ec4917697d9ffba49a5e38b8b393bd854a25f9309223c197c43b3592f90fe3d00309a619a483830e0a8d8267970be5545383dc60d75ba82d991c06

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
337KB

MD5
3501d9c7a3edd256a5e9298207dd9100

SHA1
5f112cfa970f03f8b5d7ccb1df9a4c59c7bbe420

SHA256
ac77db4c209b6a3987bec319f9440d874185ba6660b73836c0f17aa504de2f95

SHA512
1bf8f67c13916194030a3fa60968a85626049e157922113c0e6c0ba9d564391fa3a98c1e5ba8fe1200f9d311c4babb5035a2ff99d257f4893d6242ba4277e384

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
337KB

MD5
5a6ea9367457d93aeb480fad3b559ee6

SHA1
2fbb6fceab997698f0b0fce1a0ef98c02e915e81

SHA256
a042d788abd03f437baec724f02776e97cace4d7c7eb1d7955312b1ddfc3ead9

SHA512
68015ed2ba3a336524f2d855eb202f2fbdc5c61f1a63e055152ef15843eab63e7b6e7dbc2f899d1ccc2f0198d7f65d5a2a76aadd40fab992644018cb0961128f

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
337KB

MD5
fb5271e7d87996c147d04caf7d12ff5c

SHA1
d5b126590a8c4fe3868c56b6dc4bfe4e94a229a1

SHA256
de5a3c77ddfc152a6b21ab854465e4642057045f3acbadd84100c37f70d8aceb

SHA512
8e3f4cb3ce85d3721c906c588e42d20ea5ab4068e76b447405d8313d5849210d51895d5d92981128e6d16a24a46147cf6700e5db81cfbd3761d071237f89f8d9

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
337KB

MD5
c322ef5483d4ada6110da0a351dc5d55

SHA1
77e16053a5ea77fc3f88082cf27bde42f8fcfd19

SHA256
61a9db7955a1c029b2639ef91e446ee3d69c0faddfae2e6781e6ae1c7437a82b

SHA512
e07e1674c885941d5edbbef8d0f11ce3af60f80197893f4e1e613c5a9e9a4bc4c909f6a3b12accbad30c7db636726b17d5207966e0ccd80b28f4e87565357e8a

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
337KB

MD5
6db07f0afdd647112d33560a89dc4c65

SHA1
13bbabea9bc663caac9af8a3882c41845f42e548

SHA256
fc4f2146a50dae71bbf7320e750b5a6884f2abd9ec819ada29ecef2e6b401c73

SHA512
23cc85398bb31e48068c8d1ea7621f7e60fc1d295ad0a672deb7f0f41b9d5b82e21ef326c35a6e2625059ebf3451ab85cf9a7881bd11c6cafdc5ce4afcc23264

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe

Filesize
337KB

MD5
5acf05b131ded25d25e5a0458b19c997

SHA1
c39cc573f48a85aa2da475822d1c08e0a477d7df

SHA256
070c8b517856abb9c1804a8a18dbdc858cbb007b91071b9c0872e8b7b270c699

SHA512
2ec267b47edcaa77cbd9eb66667977313fe25038f64830064b48c398373bb07f6b40ec921c8b8d7c4420f0b77b023af378b2618326a54c4df6ade2befbeb5d6f

Download Submit
memory/216-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3940-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5540-657-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6116-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6140-669-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads