Analysis
max time kernel: 114s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 14:49
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.exe
Size: 160KB
MD5: ee5772c4c83a528008493409fa45cde0
SHA1: b5d0f91f065c322b6968be5afddf807a016f2b92
SHA256: 8088e8f95c01ec6a8a37c942eea3ec5b68449451713d0770c4254442e13919c6
SHA512: c867a8371a610ab8e18e8b4bb84a300305c3d1fcc32e65f3d99d4cbe414b25fbd89a5a5161e984bce744d1864a5945d0c6f9348a7c491029c1c8c2c257db928d
SSDEEP: 3072:PJXUw9ojQE9jUgj6+JB8M6m9jqLsFmsdYXmLZ:PJXE9Ugj6MB8MhjwszeXmF
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4016 wrote to memory of 4412 4016 Backdoor.Win32.Berbew.exe 89
PID 4016 wrote to memory of 4412 4016 Backdoor.Win32.Berbew.exe 89
PID 4016 wrote to memory of 4412 4016 Backdoor.Win32.Berbew.exe 89
PID 4412 wrote to memory of 3056 4412 Hkaeih32.exe 90
PID 4412 wrote to memory of 3056 4412 Hkaeih32.exe 90
PID 4412 wrote to memory of 3056 4412 Hkaeih32.exe 90
PID 3056 wrote to memory of 1556 3056 Hnpaec32.exe 91
PID 3056 wrote to memory of 1556 3056 Hnpaec32.exe 91
PID 3056 wrote to memory of 1556 3056 Hnpaec32.exe 91
PID 1556 wrote to memory of 4292 1556 Hannao32.exe 92
PID 1556 wrote to memory of 4292 1556 Hannao32.exe 92
PID 1556 wrote to memory of 4292 1556 Hannao32.exe 92
PID 4292 wrote to memory of 4456 4292 Hejjanpm.exe 93
PID 4292 wrote to memory of 4456 4292 Hejjanpm.exe 93
PID 4292 wrote to memory of 4456 4292 Hejjanpm.exe 93
PID 4456 wrote to memory of 2600 4456 Hghfnioq.exe 94
PID 4456 wrote to memory of 2600 4456 Hghfnioq.exe 94
PID 4456 wrote to memory of 2600 4456 Hghfnioq.exe 94
PID 2600 wrote to memory of 1676 2600 Indkpcdk.exe 95
PID 2600 wrote to memory of 1676 2600 Indkpcdk.exe 95
PID 2600 wrote to memory of 1676 2600 Indkpcdk.exe 95
PID 1676 wrote to memory of 1996 1676 Igmoih32.exe 96
PID 1676 wrote to memory of 1996 1676 Igmoih32.exe 96
PID 1676 wrote to memory of 1996 1676 Igmoih32.exe 96
PID 1996 wrote to memory of 1780 1996 Ibbcfa32.exe 97
PID 1996 wrote to memory of 1780 1996 Ibbcfa32.exe 97
PID 1996 wrote to memory of 1780 1996 Ibbcfa32.exe 97
PID 1780 wrote to memory of 3800 1780 Iholohii.exe 98
PID 1780 wrote to memory of 3800 1780 Iholohii.exe 98
PID 1780 wrote to memory of 3800 1780 Iholohii.exe 98
PID 3800 wrote to memory of 3084 3800 Ibdplaho.exe 99
PID 3800 wrote to memory of 3084 3800 Ibdplaho.exe 99
PID 3800 wrote to memory of 3084 3800 Ibdplaho.exe 99
PID 3084 wrote to memory of 2324 3084 Ilmedf32.exe 100
PID 3084 wrote to memory of 2324 3084 Ilmedf32.exe 100
PID 3084 wrote to memory of 2324 3084 Ilmedf32.exe 100
PID 2324 wrote to memory of 1604 2324 Ijpepcfj.exe 101
PID 2324 wrote to memory of 1604 2324 Ijpepcfj.exe 101
PID 2324 wrote to memory of 1604 2324 Ijpepcfj.exe 101
PID 1604 wrote to memory of 4792 1604 Ihceigec.exe 102
PID 1604 wrote to memory of 4792 1604 Ihceigec.exe 102
PID 1604 wrote to memory of 4792 1604 Ihceigec.exe 102
PID 4792 wrote to memory of 4288 4792 Jehfcl32.exe 103
PID 4792 wrote to memory of 4288 4792 Jehfcl32.exe 103
PID 4792 wrote to memory of 4288 4792 Jehfcl32.exe 103
PID 4288 wrote to memory of 2316 4288 Jjdokb32.exe 104
PID 4288 wrote to memory of 2316 4288 Jjdokb32.exe 104
PID 4288 wrote to memory of 2316 4288 Jjdokb32.exe 104
PID 2316 wrote to memory of 2920 2316 Jdmcdhhe.exe 105
PID 2316 wrote to memory of 2920 2316 Jdmcdhhe.exe 105
PID 2316 wrote to memory of 2920 2316 Jdmcdhhe.exe 105
PID 2920 wrote to memory of 4492 2920 Jjgkab32.exe 106
PID 2920 wrote to memory of 4492 2920 Jjgkab32.exe 106
PID 2920 wrote to memory of 4492 2920 Jjgkab32.exe 106
PID 4492 wrote to memory of 1184 4492 Jhkljfok.exe 107
PID 4492 wrote to memory of 1184 4492 Jhkljfok.exe 107
PID 4492 wrote to memory of 1184 4492 Jhkljfok.exe 107
PID 1184 wrote to memory of 2596 1184 Jnedgq32.exe 108
PID 1184 wrote to memory of 2596 1184 Jnedgq32.exe 108
PID 1184 wrote to memory of 2596 1184 Jnedgq32.exe 108
PID 2596 wrote to memory of 2308 2596 Jlidpe32.exe 109
PID 2596 wrote to memory of 2308 2596 Jlidpe32.exe 109
PID 2596 wrote to memory of 2308 2596 Jlidpe32.exe 109
PID 2308 wrote to memory of 5108 2308 Jaemilci.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Hannao32.exeC:\Windows\system32\Hannao32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Jhoeef32.exeC:\Windows\system32\Jhoeef32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe39⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3328 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe43⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Windows\SysWOW64\Mllccpfj.exeC:\Windows\system32\Mllccpfj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\Ndpjnq32.exeC:\Windows\system32\Ndpjnq32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:528 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe69⤵
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Amhdmi32.exeC:\Windows\system32\Amhdmi32.exe87⤵
- System Location Discovery: System Language Discovery
PID:5544
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:81⤵PID:2852
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
160KB
MD58e52a2612bedeba2743a413cc2c9df98
SHA1508d106bcd56932fcb5fbc5ea39f4c5a7e806f06
SHA2560fc4ad66361fdebf4418d1226b195a9f94a830e90664f2d46af49be2151d4542
SHA512cf6fa10371168d7ea572504ad6ca3fe3b3721b1472c4ae94de411c7bde31904f6fc5a0d65bb759b48e3c725562a39e770c5b5ad45b8133ebaf0042a7cae007b1
-
Filesize
64KB
MD523a68198ad222b6f223e26c77c31f022
SHA192e59dd8e9c56c05029b2964032808f556db8a4f
SHA256b9da1231e35342c409e7fae16686ad263f3b482a24c1aa425adb3c09467943d4
SHA51298e36f71da031a8832cb0aae9e364d0ecc2d4b598f81fff35b2f44d1cf034039539972d6f3dcb6ff13c20c10fcee1afb6197a28e933955859008a33b24a7062a
-
Filesize
160KB
MD5454376c67e7562861d9b2e51f41e4621
SHA13c85520e3e227d1fe7927105b982f1b2124fec83
SHA2565c90410650d554153789079c8eb3d0bac0f3d89ab3efdee9cc4413823fffefc4
SHA512d546fc5f287ef0c45782b6f6208c8590457c94b35a2ea0703190069d232ffda9685d5c7f35d3d8983bd45ed5ff9f4f77e40bb9c3487f74b0a4a02bd26e05c431
-
Filesize
160KB
MD5c3d7edcb23d7182f5a2685b558a77979
SHA1b7577e8f234d98e7f9531e9f6647f7cb65ad295d
SHA256f9ca3be935f961219f2388d804afaeb93a8861b8ecd52cb134bfe193c5243a71
SHA5124f72769bb6c2329c0be4d65805db6c80b1fee06f0306d210e6cba528d9f4870f6ac1ac534ddd35196fde12a30be4f0bcf44056ed215ff7c37400ab0f102e227c
-
Filesize
160KB
MD54692d02fb64dd23dbb11115f54e81879
SHA119e5efdcaed3736a87bf780f01f4e10d454c1d6b
SHA25645cab15c42bef2e0a83c4b91b9a44f2572914e0fd4bfb4c2c2bbd015077a600c
SHA512d3adffbeebe7522c22f6e586a0db180c2c736e44909afa172081b1dffe4138f3d65f1f451f42fe1ee429306cc1a498261ec261194cb2f576cfbb8fed1679c233
-
Filesize
160KB
MD513bef9aef2d8a349f1878375e51de065
SHA1a997c9bed7140a8f72882b91a6e56aeffaf30268
SHA256b31dbf8837e7ca685c6d2e94bb2b4c71c46ce5b25a2b2787f86c26bebc957fca
SHA512244f2f6790743b00da16fa24608c8a508770b441e15ebf9ff8bf60f7916bc2a900877919ce6e6194f3710b0993e79b64d8fcb540fc7bb39db9a8a9f6013e3b84
-
Filesize
160KB
MD5e84a2c673921402d2c5c3c90da623ef9
SHA1b13d0b0b882804f69600d9fb0a3951fa6a1b8f60
SHA256f7c57ab74a77701fb440bcc9158f28de303b2aeb1775c13afb89378844363920
SHA5127d1854e9d01facc0929cc0df9766324d4c37bd3d78581ded631dedb7d93aa58cd5a0d936d117130d8f161da7f4b786e32038ab9b422b5786f4ed4410ba5021fc
-
Filesize
160KB
MD5a27d111777188c063e900f82437a4431
SHA15dc14289a34ebe0dab14db7924f7f635e43d8750
SHA25655510a976c9dc6178acaca01ee82caa2f45bb8f059c48f372af772f3ab505cc6
SHA512012597398d4caf49aae73a232971abeeabbaf8c026ed8e054ad753fd14c756a4872c3f494283f7a2f7e48975a2b3d3b74a90a4a97cdba256651850db7729c258