berbew | 81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275e

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Size

45KB
MD5

bfe61b74900c060787d2cc2ef4861b50
SHA1

d2e990d7d8ef6812b185f6e6937c981029d06052
SHA256

81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275e
SHA512

85bdef358e5218f012a81a37646f93d246cd28975ee9d89a1fab17a60c367987e7b1c4ee81982ba027697f7f70d8f18fc7c11042304706b67c6f15dd0bfa4334
SSDEEP

768:+KYN4w3x+5MFnBmfwji0E4ghKi+3VM94MHMVK7beJsX/1H5:+lF305MFBmftg0+ZKeJ8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3712	Aiplmq32.exe
3008	Aagdnn32.exe
1472	Adepji32.exe
3784	Afcmfe32.exe
2412	Aibibp32.exe
1096	Amnebo32.exe
2156	Aplaoj32.exe
1852	Abjmkf32.exe
1404	Ajaelc32.exe
3892	Aalmimfd.exe
4908	Adjjeieh.exe
868	Afhfaddk.exe
3976	Bmbnnn32.exe
4864	Bpqjjjjl.exe
2868	Bfkbfd32.exe
2380	Biiobo32.exe
4520	Bapgdm32.exe
3616	Bdocph32.exe
4888	Bbhildae.exe
1136	Cibain32.exe
2284	Cajjjk32.exe
4076	Cdhffg32.exe
4472	Cmpjoloh.exe
2900	Cdjblf32.exe
4192	Ckdkhq32.exe
3344	Cancekeo.exe
3200	Ccppmc32.exe
4360	Ckggnp32.exe
3764	Caqpkjcl.exe
940	Ccblbb32.exe
2820	Cildom32.exe
1960	Cpfmlghd.exe
4044	Dgpeha32.exe
4584	Dinael32.exe
4088	Dphiaffa.exe
4876	Dcffnbee.exe
1796	Dknnoofg.exe
2796	Dahfkimd.exe
2592	Dcibca32.exe
1936	Dnngpj32.exe
3468	Ddhomdje.exe
2584	Dggkipii.exe
3956	Dnqcfjae.exe
3796	Ddklbd32.exe
2424	Dgihop32.exe
1444	Daollh32.exe
4428	Dcphdqmj.exe
1392	Ekgqennl.exe
4416	Eaaiahei.exe
4280	Edoencdm.exe
3972	Egnajocq.exe
184	Ejlnfjbd.exe
1464	Eaceghcg.exe
3528	Edaaccbj.exe
1568	Ekljpm32.exe
3704	Enjfli32.exe
2432	Eddnic32.exe
2756	Egbken32.exe
1712	Ejagaj32.exe
4976	Eahobg32.exe
788	Edfknb32.exe
1536	Egegjn32.exe
2344	Eajlhg32.exe
216	Edihdb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Ajaelc32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Edihdb32.exe	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Eaceghcg.exe	Ejlnfjbd.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Amnebo32.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Daollh32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Adjjeieh.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Cdhffg32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Edfknb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ekgqennl.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Adjjeieh.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Efoomp32.dll	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Aagdnn32.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Amnebo32.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Dahfkimd.exe	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Egbken32.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Eaaiahei.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Afhfaddk.exe	Adjjeieh.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Ddhomdje.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Eddnic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5224	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aibibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhfaddk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajaelc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adepji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adjjeieh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcmfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll"	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3712	3224	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe	86
PID 3224 wrote to memory of 3712	3224	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe	86
PID 3224 wrote to memory of 3712	3224	81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe	86
PID 3712 wrote to memory of 3008	3712	Aiplmq32.exe	87
PID 3712 wrote to memory of 3008	3712	Aiplmq32.exe	87
PID 3712 wrote to memory of 3008	3712	Aiplmq32.exe	87
PID 3008 wrote to memory of 1472	3008	Aagdnn32.exe	88
PID 3008 wrote to memory of 1472	3008	Aagdnn32.exe	88
PID 3008 wrote to memory of 1472	3008	Aagdnn32.exe	88
PID 1472 wrote to memory of 3784	1472	Adepji32.exe	89
PID 1472 wrote to memory of 3784	1472	Adepji32.exe	89
PID 1472 wrote to memory of 3784	1472	Adepji32.exe	89
PID 3784 wrote to memory of 2412	3784	Afcmfe32.exe	90
PID 3784 wrote to memory of 2412	3784	Afcmfe32.exe	90
PID 3784 wrote to memory of 2412	3784	Afcmfe32.exe	90
PID 2412 wrote to memory of 1096	2412	Aibibp32.exe	91
PID 2412 wrote to memory of 1096	2412	Aibibp32.exe	91
PID 2412 wrote to memory of 1096	2412	Aibibp32.exe	91
PID 1096 wrote to memory of 2156	1096	Amnebo32.exe	92
PID 1096 wrote to memory of 2156	1096	Amnebo32.exe	92
PID 1096 wrote to memory of 2156	1096	Amnebo32.exe	92
PID 2156 wrote to memory of 1852	2156	Aplaoj32.exe	93
PID 2156 wrote to memory of 1852	2156	Aplaoj32.exe	93
PID 2156 wrote to memory of 1852	2156	Aplaoj32.exe	93
PID 1852 wrote to memory of 1404	1852	Abjmkf32.exe	94
PID 1852 wrote to memory of 1404	1852	Abjmkf32.exe	94
PID 1852 wrote to memory of 1404	1852	Abjmkf32.exe	94
PID 1404 wrote to memory of 3892	1404	Ajaelc32.exe	95
PID 1404 wrote to memory of 3892	1404	Ajaelc32.exe	95
PID 1404 wrote to memory of 3892	1404	Ajaelc32.exe	95
PID 3892 wrote to memory of 4908	3892	Aalmimfd.exe	96
PID 3892 wrote to memory of 4908	3892	Aalmimfd.exe	96
PID 3892 wrote to memory of 4908	3892	Aalmimfd.exe	96
PID 4908 wrote to memory of 868	4908	Adjjeieh.exe	97
PID 4908 wrote to memory of 868	4908	Adjjeieh.exe	97
PID 4908 wrote to memory of 868	4908	Adjjeieh.exe	97
PID 868 wrote to memory of 3976	868	Afhfaddk.exe	98
PID 868 wrote to memory of 3976	868	Afhfaddk.exe	98
PID 868 wrote to memory of 3976	868	Afhfaddk.exe	98
PID 3976 wrote to memory of 4864	3976	Bmbnnn32.exe	99
PID 3976 wrote to memory of 4864	3976	Bmbnnn32.exe	99
PID 3976 wrote to memory of 4864	3976	Bmbnnn32.exe	99
PID 4864 wrote to memory of 2868	4864	Bpqjjjjl.exe	100
PID 4864 wrote to memory of 2868	4864	Bpqjjjjl.exe	100
PID 4864 wrote to memory of 2868	4864	Bpqjjjjl.exe	100
PID 2868 wrote to memory of 2380	2868	Bfkbfd32.exe	101
PID 2868 wrote to memory of 2380	2868	Bfkbfd32.exe	101
PID 2868 wrote to memory of 2380	2868	Bfkbfd32.exe	101
PID 2380 wrote to memory of 4520	2380	Biiobo32.exe	102
PID 2380 wrote to memory of 4520	2380	Biiobo32.exe	102
PID 2380 wrote to memory of 4520	2380	Biiobo32.exe	102
PID 4520 wrote to memory of 3616	4520	Bapgdm32.exe	103
PID 4520 wrote to memory of 3616	4520	Bapgdm32.exe	103
PID 4520 wrote to memory of 3616	4520	Bapgdm32.exe	103
PID 3616 wrote to memory of 4888	3616	Bdocph32.exe	104
PID 3616 wrote to memory of 4888	3616	Bdocph32.exe	104
PID 3616 wrote to memory of 4888	3616	Bdocph32.exe	104
PID 4888 wrote to memory of 1136	4888	Bbhildae.exe	106
PID 4888 wrote to memory of 1136	4888	Bbhildae.exe	106
PID 4888 wrote to memory of 1136	4888	Bbhildae.exe	106
PID 1136 wrote to memory of 2284	1136	Cibain32.exe	107
PID 1136 wrote to memory of 2284	1136	Cibain32.exe	107
PID 1136 wrote to memory of 2284	1136	Cibain32.exe	107
PID 2284 wrote to memory of 4076	2284	Cajjjk32.exe	108

C:\Users\Admin\AppData\Local\Temp\81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe
"C:\Users\Admin\AppData\Local\Temp\81b930a05bcfad48290123ffe08f6d998eef8f277fabd7062449392ef364275eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\Aiplmq32.exe
  C:\Windows\system32\Aiplmq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Aagdnn32.exe
    C:\Windows\system32\Aagdnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Adepji32.exe
      C:\Windows\system32\Adepji32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:184
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        63⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        78⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 400
        82⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5224 -ip 5224
1⤵
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
45KB

MD5
c7803a337d587e109c5436063921ea20

SHA1
f764454fa0f3731af22881d4e041b4e72bbb8076

SHA256
9d42a9c8a827ed568f6e784ea66585f6c9fcc23bd1cf2444c7ac578b52ce777a

SHA512
445f56809c9f80f12af741f03ca0bf7d8faa016a50f2d9bf2a8ace356ed7167be5f92b90511a84fcd0c2b24951bf51495c82d9b53b70e5ae301f0974ca420beb

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
45KB

MD5
a144baeff262cea29b53903075df67d1

SHA1
4caa2b80aecb60d019bfbd589fd4c094c2ce4a30

SHA256
a6037f19d78606cf73cfb2fe354303c9ba17c1cf081618652128ae6409994426

SHA512
13b268d293565e0811c9c98815e62f52cb1d5bcebf5b5d836bfedbf251a6262898baf49b6b473429105a5ce76826537d7f04df4bbdfff2beb55fb0625aedd4ac

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
45KB

MD5
938fc6c42e81a9d362d3708916273955

SHA1
5126db0241b88645cbd71c83cd85b4cad60c0b60

SHA256
bfec287f9dbb534cfe3eec7d857b6acde24a232db5ce598ce97847ab62d94db4

SHA512
67db90961b457e0a7b0cad7896ac00428d048f4a43a914af45f8a7464d38d50e094427879f341c8c416ea903258168959f776462a7f1ff92b12719c23a27c5e1

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
45KB

MD5
ca61bf5ed004072b67aea71f668cc324

SHA1
7704e895dd53a2a1206d7c01b70648979f4f8ffe

SHA256
2a4b7294e926421e6b06d2b26e9b0a8a59694d987dccfaab848e34e076a67b6d

SHA512
4e66b130a158b6dcc439bfe73a0a18948e286c0a3a0a35765209a0e7b43808c6f471747356c1d952d444fd0d3c285a747d1d179e6a2100127e7b782c6d6a8d3b

Download Submit
C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
45KB

MD5
aa6cbe15585867b98ba626621a11bb1c

SHA1
f0cc6739c3a6af6a298e89f759f6bbd02e4a3cc8

SHA256
2c9714ad8e331839184b5e0750a24d69d116494e8b547d9563458da3fc1a804a

SHA512
c538684deb37f48a738d1e573365130fe12e580d85744ce332db713bcf7c07aceac8649c6f4af56632d94daf43948203e382ff952d492f82822dc3e570133b61

Download Submit
C:\Windows\SysWOW64\Afcmfe32.exe

Filesize
45KB

MD5
a30bc6c711c0abcfbdcda0554eb75ef2

SHA1
dabca5a6a6c3042c8e0690d6ff51791e32d64d12

SHA256
8d41bf22eba26bc8e33e8dfc9c9a866c223154bc7d7d3959259f827e46517f77

SHA512
fc20c23465c33ee268c77e6347700a311b6e0f31877f50e64a92e2180f96a26c15a39e74fda61143035ddc59f50a387c4c63099b2b959f1043320bd9e768bcb0

Download Submit
C:\Windows\SysWOW64\Afhfaddk.exe

Filesize
45KB

MD5
2b726f388da9676607d13501f5db6ea4

SHA1
0773b1be5d88fa54eea95b3e3aac6f0ce6cb25bb

SHA256
2eb5b6637f6f2f503d1e0d122cdc5c222313219c086cdb45fed57e751048f3fb

SHA512
b07ea1dbc84200c3e2bd4cf7f3ee4113098038bcac2ee7f8d9db76de961de50cd49c6e0eecc011e66e4f50b4bd10427ab3da28f7925153df7d54f9b1134d7482

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
45KB

MD5
a564a4283efa4be5227f291ec93ad59c

SHA1
3991f01565d9230071c40556b43e1b88613ba11d

SHA256
509c1cdc2d8351d6e0dbcd612ac401451b8c255319f3123c58eff62494193798

SHA512
3998b7348bb3e0525dc07a83e5346cb6f241ebbf4e79765fea6a323d7dc1c31fc7119a53c0640a975362478d23275859df84fb63e5ec1f465da8555dce8c87b4

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
45KB

MD5
2f28f20f48545fd428104563fdc6078a

SHA1
53403409522483d3870636d0f97abeb1604ebd19

SHA256
f1c6fbd79962988fbba30507f41bae7b2c93233f9ee3b961b648a3d92a9bca32

SHA512
c9e7419b714eeb8308f758e0fd3a4a7bfe9650e59a0ad75d9f42e8d6867cfb66ebba74acf894d9640f74a89d7a3ef7302f530936714675b0b4a10f51d613c0f1

Download Submit
C:\Windows\SysWOW64\Ajaelc32.exe

Filesize
45KB

MD5
cd7227540f9e9c7fb1ca0f823e931c71

SHA1
aa300e023602de4c0e5e57781f54b33e0d6a4da2

SHA256
3a61c8063ae7f92ae9f00b0cfb8ab940d9f05445adee7e1aa6a4fe7219553dcb

SHA512
0677603bb0767fc03c7bbce1be8bab6b4965db0fb6b8cb1a489ad2dff78fb328104adf78325b15f8617042cf28b26bb39961255f35a6cba049e00ca89686db53

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
45KB

MD5
e2201cf9a4682e1b976992dd00b1eb6b

SHA1
51c2eed1e6b69dc3acf34026ed97d00122363019

SHA256
425f869b6b41a89734a887b8a8e8329482a475cad2cad8b10170f99b5724b62f

SHA512
6280387c6b75716a352f342f0aa19edc5ba4c5311700447b13a7f2d6ccf901cf2c753e7e1ad0a2d066ee7d168f353af32fe8340478ea2ef66de303f0ac509f7e

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
45KB

MD5
02d68783e84d45702459016c83be3656

SHA1
60833aba155712cfd1940c06cdae23da4147df70

SHA256
eea886071b55da3177122f9c01459eefee8a9c94f03a011a5d257eb4aff46521

SHA512
4e7dd732d3e9bbf694329a893256d25e907ebf3dfae14c6a2b2468a1fef468a457e3835f73cbb6d657c99e598d769e61dbdbe3e6e651146ec7c576d97554947b

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
45KB

MD5
f24d22168db0616cb270b0c1ed6c1405

SHA1
ff1300377c100d3b3beb1c0f6eab78b7bccb2b89

SHA256
5853d56c5a4a1943b8c581efc84b5ec1c660d0de16fa12e3948a8fefda3510b5

SHA512
c235bd30756a845d45cc78c05789cc577ff41a8f4cf486e016a3a6449108734d158a2db99c2d0ad6047daaf42c11629816cc8456fd55cacf8d6dc23278c281ef

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
45KB

MD5
bdb66fe30fd7128b59950ff02bca3841

SHA1
cf431ca20709feb151ef53385453e4d69ddcb1f4

SHA256
3e067d3b8a9d8c4d56b2906962d03edfcffeedbe18326974fdce9663130d6c3f

SHA512
8bab0b4e64eca33e63570ccafd6eb4b6d75dadca9e420d4f06027409bccf1f475a46b0b3bd252898e9a5fd2c45a1c50bca3c043e5e3fa372d9b5945f4fd9a82b

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
45KB

MD5
39ca042085d4d0e06634d789d132c999

SHA1
d72f4096e190c2ee7af68002a4f0a0c63ff42b50

SHA256
4aec1d8c56f6491165df03191e89904b1e460fad78a9d56ae7524537cb700db9

SHA512
8b6494abc3f40a4864c4b195059c51d44551f9018f748e2704c473cf76223995cc5d695ea11f10b40e8a7ef031bea1b49102cdc8035db34d7320f80a52ddacd4

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
45KB

MD5
ce06cde3c9ac8bad0212acf7bb7e6f11

SHA1
65fb1609f4db00639e72f07be738d7ed138a79d3

SHA256
534f61c317d4a98682638955f7100e65034b371bd4d72527d3f7303961dff82b

SHA512
b6dca9dc67533bd6079296eaba9820a8b3b12a736f9f3b1b0f91195d669d6aafdb5aff7110c141802603d4084cf65d10312a234ebcb05be8627b629cd451c366

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
45KB

MD5
921f402465143c3c270ce23dd121bd31

SHA1
076c3de8c47b99a41f9df74008617495a068bbc4

SHA256
a30b990fdb10365903190e52c1ed99ff18b189933e02fa3dcc7fa863b6150569

SHA512
37c6df1d2665603897b498aeae53ad3370e0aad43f7dc7c93708404c1752c9a7a2a294fedda81ae44c418ad748252d5ddc5e65c281923cdf48848cf115acf600

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
45KB

MD5
e8044311e97a39f7b6ed8f62eed49595

SHA1
109ee53e453ff29e2ec583b798b65b7bc6e24854

SHA256
531aa9d249b3c04e1e80e05e2a646a715446737ddd6a06258edd5cd4619358ad

SHA512
aee04c0d4db181d63ff8ed871f29746509daa4e4bfa1193cbfcb1f52e176c79929b545e29d06325cba8bfc710117ec95c5aa48efab8bc9c2b5dcf47d6d04bbde

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
45KB

MD5
a0ac9223e2cd8529eb764389077a3782

SHA1
47b96a202f2619fa2b647ae8442426d283740809

SHA256
0caae0d863a06bdd74588472b008e7f5a58d7e0d9740941c6eb1a7b825f3d587

SHA512
269b42061b37022b9acd9edff6b88af07de09ba5f780ec09f54f8b2be67e59d18e05dc3e18ffa01b82d4cb007f6cd2c34ecebb5d3edc7e341f7a146eb6ccc400

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
45KB

MD5
c804d14b907fc06696fd264e085b52d4

SHA1
f470bd48151a7c811190888de16c9a50b4cd3376

SHA256
c14316cd54b85a6486971d3d3b3d66c2f140a0c8ac6b1fbd1a981238f4bb28b4

SHA512
60a33442e01336a093db926ee58bb520f0401598a6f8a5ee1fa93f7566175dc606202389c2f9f179260dd44a19164f21bbde0003282b1a6baaed5cb6abb28095

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
45KB

MD5
a1b58289d636d336f1563f016780a2a1

SHA1
256c734480d9c7973c35673f081ccd96e56cda8c

SHA256
2662672cb0dc2585825e68cad7749a35b251c08567f799f72bc46ae1650e3d56

SHA512
a03af79e0e149281fb89dc97e51d419fbaeb7d336b7c0221ac295a7e38af9c50894110f4b44ace1c5facee8fd1df3316872b5243ea0021cadc300afcb2996a3b

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
45KB

MD5
4bc22be464580dcec4b6556201511a0f

SHA1
d5eef8b45b5a3d04f06e3ff921a32eb552500d4f

SHA256
773bc891a4b0ce42d0d05d5bbb10a5f3a9391a4f804f6f0471903d7beb40ab5c

SHA512
164796285d8112aecd4f2734e19b9e6f56ea371be78c205679cb51b45e280534c99fd88dd0c984ee5572730f96c7172638faf235f5e8c44c28e99c12eaf20b2b

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
45KB

MD5
247c7fb02d36ad8bd7c164ab90c33bbd

SHA1
6971718fd56a04307037c1d90b66b6a816f1c3f7

SHA256
c0c0089f4a30dbaf447009e634a66c0d5145f36842794b5b268ebe1ced713b9f

SHA512
d9c28b178e8cf79b27a2d3ef9bf4e32d387eb09cc5649046451ec4e6b1b72955abd0c19ffe5a82164d45fab93b9f5b3ab5ed1eeaa51687cbdb87f2d87e65c469

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
45KB

MD5
29ba35ded5f5727faf0c4bad493283bd

SHA1
438f30884230a540f2e30e39db34dfa79513d4a2

SHA256
990a981745eba83a0e3ec2fb06584bbd712929aaca7fea802065f93426ff1229

SHA512
1602ee4be55e32cf9f9d87582fcb28786130b2428912f60ba5f9ff0391bd860ddc355a1e1f372a141b154add98f521f695cb5c32cdc7d976f551fe314d1148be

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
45KB

MD5
72fc110d3a5d25ac4ad9c3043cae14eb

SHA1
e0a5311170c6d9d677fd44e3997e897b7f80318d

SHA256
b4734cd8b906f006a53c755bbd674336752a4fb63927abdd455c52eca19117c6

SHA512
4d98158611f39c372ed3b186419d7b044fa86386f26e69c7083db05c8677989aebf39e3dd35d95b363ef507179b5cc0c3be37e4129b06ad06eb6d4256957b777

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
45KB

MD5
7f51d3c80e9dc9c4bc83e1feaf366193

SHA1
cb36b3624788a17984c024ba8d3c6392526fe97d

SHA256
172c387b509e46b57739c724d246fdb2bb15f9068e247bab6cb4f8a6bbadf9cb

SHA512
82f3ceac614c971db888ace6c3087267d7f8791999606095a7112e1e3557366bb70ad7a6109f5278739e42dbd53c1e7760b732910d9f1a5c39c19042421a911c

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
45KB

MD5
5f9cba4b9d6ec863897fdbde478c9816

SHA1
08e368be6dad97409b1efb03c3aa29baf99e36de

SHA256
a54af6625f682a39e5e3cca396da96f73247aceadc7b9a81f10fdc8f301fc96c

SHA512
d90143fb2433abfbb67cd25fdd8a4788c8dacadbb83db01f1331e4063b4f40958ea077ed16dc48d35bcb3c392c6b784b6422a91520ae282c45d8a78848e5cefe

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
45KB

MD5
8fe0660ba96663a29c605ad1dd352533

SHA1
dc0ee7e19738e2f90dfc07cb74d379e10390cb98

SHA256
06e8948f5050bfa98cb3766dd8e9d7b85d3962b133a63533c33ee8d2e06cfc32

SHA512
ec3b5f3a51877826c8d65554d77af28f337d2601a51c7845c14e2798af6379ddad5817d8a72a30eb90ef89d85716f706665d6475777dafde42a50a5a0bf24d56

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
45KB

MD5
177d0135121870bc93fd363906f87c73

SHA1
32eb414fa99946f37def9262cdc78165c3d5624d

SHA256
285e011231a42c5c14e0a52ed3bb813758da227b09a44146671bb6e1416f7429

SHA512
38283a1e64090a2b7ea5a0dd4d24b3b3d55b40d75f10e7f10f5b753cf7c57b624bff4bab7d792c96b4c6c3a2e50bdcd24ae4fbc136b4d234529ace503ed98dcc

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
45KB

MD5
ba76d43af2b59bd0b5b0b56fbc8ac8bd

SHA1
311280326f5d42171aff83db2d622d4036d0f236

SHA256
7a0462e98c99bc3eac627a466cadc2916e352f247f2fb35bbdb076bacbb500ff

SHA512
675b9f6f239af9db4d361c89086977d49c46815f02691a99cbfe07e6a70680f7bca98c5c5ec123f371e0a9bc0140f5cc87454d33db74cc7bcda22bf9f1c45695

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
45KB

MD5
68cf7714a4e4170ffa71365f196f283d

SHA1
f624e1ccc6dcb6492718e66c9cb2fa443e0d6a0c

SHA256
b725a760503780d27b9da6ff2aea1e8112f59dce9c6e69f23dfad1857753fdd0

SHA512
696af90fe37a1a7eabb2aa479a3e4c0173b73c561aa7f8e9a2ee184200d7cd62e3fbb874b6609c21b2c19607a6a83f084d543e7af2b05257f65763bb030f987e

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
45KB

MD5
9deb5dc14860e7b15993b000d00e97fb

SHA1
197d4fd1197e27d26b557c746a54568486af848f

SHA256
3bc1f96a20dfb53016986445cc0f00a5338baae6862280e64e9fee8f35a4d52c

SHA512
21bafa6275a9eb7656a586aedca0ae59ebd1c70666d36d403c7fb63acbd13294d360230bfa5e2689fe006819c181d1f94da70e5e386b6e5b9f4ce02a171440b5

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
45KB

MD5
ab40bb88fbd36a54b041e8983e143950

SHA1
d6c3b3383b6257e2930db1f4c3f3499e1e4987f5

SHA256
f65f37c33909eea6febde3a2b6dced722a346ea6641c61e9b68200f63a9083f7

SHA512
3e5136ab656a48b20dc02c1755ec8082d2e0d44bf871a881f1bc3935c209bc42216146258e76408b9f5c0e70e6fcb5440fabac5c5b87b957df2944c2bc94a304

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
45KB

MD5
bd0439737c305b60dc3346f79b795602

SHA1
9e5b2372a91a67b6dbbd2e03518680a15af132dc

SHA256
396d5463629ab9776ddc329616234c3a070fa35d2e5c0eed3f721bee37beab6f

SHA512
c856b4304efdc8cf1ecd0f285ac11aa40c46ea0e398e4c9007590ef838932ad4306985c9949fe9b8e2bf655061081436cca0c001a2bdcf013688ad123bbd1c7d

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
45KB

MD5
0ae63cc0456c070f014147c5533eba84

SHA1
9e209e3609f141c4bfd5fb2b51f1b4b5a490dc96

SHA256
36a8dc6a3c815f353429d31c090a3c755ac5e9f76967646a2ffbee2f501faf48

SHA512
998850f12c662d91a1cbce39499e0c45fa634929d7df0d49b2fdb2707c627bddbb84a215aa4215dff912ed77309251ac90ab763a6a8327cc8224f6e138a17398

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
45KB

MD5
9665288acea7700ee75b1935888be703

SHA1
3d59ddbf89974df0bf356f15af5d215c57b645b8

SHA256
07812bc5cbc2e29bca9bee1bb84236f6ff302c12a71e6e0fb47e0003eafdbeb1

SHA512
669d8556f231cf2be0726fa6b19e129e3c3416227d4e4aeafbd9b2c4cc6e98dc3fbbb3b8c85a743d048ed4744559ce2074fed4b8d70fc50bec2f87163b4d020c

Download Submit
memory/184-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/788-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/940-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-624-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-618-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-610-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5224-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads