berbew | 446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
Size

219KB
MD5

bd4a7b8e31cf5f04c5039068ec596860
SHA1

e42ffe58d506bf6e688c3b196bd8052d9ada427c
SHA256

446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1
SHA512

bbe21e5dbcb42f532f9eb4fbaa3850e6becdf8fb917314ea24a250b139c3a17a18f67eb0a8bc2009f1917f0e4750c6b285b3c3f937fe8a16fcfe8587566694bc
SSDEEP

3072:oOEZJcdPzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:nCqNzDOO0aDD4PCxdXXwSfYrwB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkdad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmodffo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggccllai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3860	Bdlfjh32.exe
2864	Biiobo32.exe
2180	Bmdkcnie.exe
1040	Bpcgpihi.exe
4536	Bpedeiff.exe
2192	Bfolacnc.exe
3344	Bphqji32.exe
1736	Bkmeha32.exe
3084	Bdeiqgkj.exe
1584	Cmnnimak.exe
4812	Cgfbbb32.exe
736	Cienon32.exe
4860	Calfpk32.exe
1752	Ckdkhq32.exe
4392	Cancekeo.exe
1220	Ciihjmcj.exe
692	Cdolgfbp.exe
1820	Cacmpj32.exe
3652	Dgpeha32.exe
64	Daeifj32.exe
4540	Dgbanq32.exe
3960	Dahfkimd.exe
1248	Ddfbgelh.exe
856	Dnngpj32.exe
3784	Ddhomdje.exe
2880	Dalofi32.exe
2460	Djgdkk32.exe
4316	Ekgqennl.exe
1828	Enhifi32.exe
644	Egpnooan.exe
4404	Egbken32.exe
4840	Eahobg32.exe
4748	Ejccgi32.exe
3824	Fkcpql32.exe
2620	Fqphic32.exe
3440	Fgiaemic.exe
2952	Fdmaoahm.exe
1652	Fbaahf32.exe
4264	Fcbnpnme.exe
4824	Fkjfakng.exe
884	Fqfojblo.exe
3884	Ggccllai.exe
1412	Gbhhieao.exe
3648	Gqkhda32.exe
3944	Gjcmngnj.exe
744	Gnaecedp.exe
804	Gqpapacd.exe
2056	Gbpnjdkg.exe
4332	Gbbkocid.exe
2964	Hgocgjgk.exe
3536	Hjmodffo.exe
3156	Hcedmkmp.exe
2832	Hjolie32.exe
2648	Heepfn32.exe
2616	Hjaioe32.exe
1436	Hegmlnbp.exe
1172	Hkaeih32.exe
3288	Hnpaec32.exe
4544	Hghfnioq.exe
2108	Ibnjkbog.exe
2300	Ielfgmnj.exe
3872	Indkpcdk.exe
404	Icachjbb.exe
2844	Ijkled32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odanidih.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Gqpapacd.exe	Gnaecedp.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Khkdad32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lojfin32.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Iloajfml.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfjh32.exe	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Eaeamb32.dll	Iccpniqp.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Iloajfml.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Eemeqinf.dll	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Indkpcdk.exe	Ielfgmnj.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Ggccllai.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkocid.exe	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Pncmdhlq.dll	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Hnpaec32.exe	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Eahobg32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Hcedmkmp.exe	Hjmodffo.exe
File created	C:\Windows\SysWOW64\Bdelednc.dll	Hnpaec32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jnpjlajn.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Dahfkimd.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Hegmlnbp.exe	Hjaioe32.exe
File created	C:\Windows\SysWOW64\Hghfnioq.exe	Hnpaec32.exe
File created	C:\Windows\SysWOW64\Oflimp32.dll	Hjmodffo.exe
File created	C:\Windows\SysWOW64\Ibnjkbog.exe	Hghfnioq.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kbnlim32.exe
File opened for modification	C:\Windows\SysWOW64\Bkmeha32.exe	Bphqji32.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Gbbkocid.exe	Gbpnjdkg.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Dalofi32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Gjmheb32.dll	Icfmci32.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lddble32.exe
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Dalofi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5688	5412	WerFault.exe	197

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkocid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaioe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjolie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmodffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqpapacd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heepfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbpnjdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbldfbp.dll"	Gqpapacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjjmdm.dll"	Heepfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiljq32.dll"	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpabila.dll"	Gbpnjdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoca32.dll"	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll"	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Egpnooan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3860	4692	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe	89
PID 4692 wrote to memory of 3860	4692	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe	89
PID 4692 wrote to memory of 3860	4692	446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe	89
PID 3860 wrote to memory of 2864	3860	Bdlfjh32.exe	90
PID 3860 wrote to memory of 2864	3860	Bdlfjh32.exe	90
PID 3860 wrote to memory of 2864	3860	Bdlfjh32.exe	90
PID 2864 wrote to memory of 2180	2864	Biiobo32.exe	91
PID 2864 wrote to memory of 2180	2864	Biiobo32.exe	91
PID 2864 wrote to memory of 2180	2864	Biiobo32.exe	91
PID 2180 wrote to memory of 1040	2180	Bmdkcnie.exe	92
PID 2180 wrote to memory of 1040	2180	Bmdkcnie.exe	92
PID 2180 wrote to memory of 1040	2180	Bmdkcnie.exe	92
PID 1040 wrote to memory of 4536	1040	Bpcgpihi.exe	93
PID 1040 wrote to memory of 4536	1040	Bpcgpihi.exe	93
PID 1040 wrote to memory of 4536	1040	Bpcgpihi.exe	93
PID 4536 wrote to memory of 2192	4536	Bpedeiff.exe	94
PID 4536 wrote to memory of 2192	4536	Bpedeiff.exe	94
PID 4536 wrote to memory of 2192	4536	Bpedeiff.exe	94
PID 2192 wrote to memory of 3344	2192	Bfolacnc.exe	95
PID 2192 wrote to memory of 3344	2192	Bfolacnc.exe	95
PID 2192 wrote to memory of 3344	2192	Bfolacnc.exe	95
PID 3344 wrote to memory of 1736	3344	Bphqji32.exe	96
PID 3344 wrote to memory of 1736	3344	Bphqji32.exe	96
PID 3344 wrote to memory of 1736	3344	Bphqji32.exe	96
PID 1736 wrote to memory of 3084	1736	Bkmeha32.exe	97
PID 1736 wrote to memory of 3084	1736	Bkmeha32.exe	97
PID 1736 wrote to memory of 3084	1736	Bkmeha32.exe	97
PID 3084 wrote to memory of 1584	3084	Bdeiqgkj.exe	98
PID 3084 wrote to memory of 1584	3084	Bdeiqgkj.exe	98
PID 3084 wrote to memory of 1584	3084	Bdeiqgkj.exe	98
PID 1584 wrote to memory of 4812	1584	Cmnnimak.exe	99
PID 1584 wrote to memory of 4812	1584	Cmnnimak.exe	99
PID 1584 wrote to memory of 4812	1584	Cmnnimak.exe	99
PID 4812 wrote to memory of 736	4812	Cgfbbb32.exe	100
PID 4812 wrote to memory of 736	4812	Cgfbbb32.exe	100
PID 4812 wrote to memory of 736	4812	Cgfbbb32.exe	100
PID 736 wrote to memory of 4860	736	Cienon32.exe	101
PID 736 wrote to memory of 4860	736	Cienon32.exe	101
PID 736 wrote to memory of 4860	736	Cienon32.exe	101
PID 4860 wrote to memory of 1752	4860	Calfpk32.exe	102
PID 4860 wrote to memory of 1752	4860	Calfpk32.exe	102
PID 4860 wrote to memory of 1752	4860	Calfpk32.exe	102
PID 1752 wrote to memory of 4392	1752	Ckdkhq32.exe	103
PID 1752 wrote to memory of 4392	1752	Ckdkhq32.exe	103
PID 1752 wrote to memory of 4392	1752	Ckdkhq32.exe	103
PID 4392 wrote to memory of 1220	4392	Cancekeo.exe	104
PID 4392 wrote to memory of 1220	4392	Cancekeo.exe	104
PID 4392 wrote to memory of 1220	4392	Cancekeo.exe	104
PID 1220 wrote to memory of 692	1220	Ciihjmcj.exe	105
PID 1220 wrote to memory of 692	1220	Ciihjmcj.exe	105
PID 1220 wrote to memory of 692	1220	Ciihjmcj.exe	105
PID 692 wrote to memory of 1820	692	Cdolgfbp.exe	106
PID 692 wrote to memory of 1820	692	Cdolgfbp.exe	106
PID 692 wrote to memory of 1820	692	Cdolgfbp.exe	106
PID 1820 wrote to memory of 3652	1820	Cacmpj32.exe	107
PID 1820 wrote to memory of 3652	1820	Cacmpj32.exe	107
PID 1820 wrote to memory of 3652	1820	Cacmpj32.exe	107
PID 3652 wrote to memory of 64	3652	Dgpeha32.exe	108
PID 3652 wrote to memory of 64	3652	Dgpeha32.exe	108
PID 3652 wrote to memory of 64	3652	Dgpeha32.exe	108
PID 64 wrote to memory of 4540	64	Daeifj32.exe	109
PID 64 wrote to memory of 4540	64	Daeifj32.exe	109
PID 64 wrote to memory of 4540	64	Daeifj32.exe	109
PID 4540 wrote to memory of 3960	4540	Dgbanq32.exe	110

C:\Users\Admin\AppData\Local\Temp\446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe
"C:\Users\Admin\AppData\Local\Temp\446da78cbb371a0b2a636e1677139281c530ef533b29f17783abe9d15f79ece1N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\Bdlfjh32.exe
  C:\Windows\system32\Bdlfjh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\Biiobo32.exe
    C:\Windows\system32\Biiobo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Bmdkcnie.exe
      C:\Windows\system32\Bmdkcnie.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        53⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        65⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        66⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        68⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        78⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3596
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        84⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        91⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        93⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        98⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        101⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        103⤵
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 400
        107⤵
        Program crash
        
        PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5412 -ip 5412
1⤵
PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
219KB

MD5
235ef0016ac6d6da216601f3c8f6955d

SHA1
616491c38211579a783c8351b8543d967fc80953

SHA256
19dbf769a634d45658b35d6f712b243524de7ebf25a9102cb4f977c0a1035eef

SHA512
70517f3088717d6ce301be6a7a0c3ef6cca0ff1ac16d1a8ec2c63a4425f1ce15e001aa79b0b1a28c36705695032763ee8218f6c34a3bef009227d15d7eeb8c95

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
219KB

MD5
10ea802230965c51f8d0c28c7413cd9d

SHA1
351976fd0125682d03b6ba6fc3044de587bbf773

SHA256
46580aabad30fe1a2cf7a4d7a831dc00dd1ddd6b28fe50736580e2d5bed65e1e

SHA512
7e012e0113e4592af4721312048281f1876e51dc18230a96c689a4ea50459b374553837fcce0fbe02d94bbf5cefa05573ed10b5566cca30fd27531ac60c8858d

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
219KB

MD5
a22af2ad394c9ad09b743c21cdf9f414

SHA1
fe2d62c70be0e66716b1ddce438c6be99ba5871c

SHA256
3b35527feba2d7e80ed2450f4155313e56992a3b84e35c21be311d6c3db218db

SHA512
6d336fa363d40158b44ff75ed7f4d7465b072b9b8ca134939964a845452440f6d5801cbf42919d5e7a6c61c292755ba2396c2ef2966517a77994ad25b1805e6b

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
219KB

MD5
04bb46eadaef66ca4d632609a6092ca9

SHA1
0e8c2ebc650d0d0bbdd0c8aed2903f9f0847d07e

SHA256
36597eebec4ad146d3f9f70a7fa86bcb35966427e1115e3fedec130dfbee2be4

SHA512
8357e0c135520c6c68787d056a0d0cc0a7f806bd6b929269bc39bf9ccfe4e6d6c5dc50e66d8f68a721aac2e317bbc3258f03b84d6cb41171c716f194886e619d

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
219KB

MD5
4a3d112df7a8b1b9694f2f9f49147a9a

SHA1
958b247b25b68f76157e839e3e6c5e7fee3c0b6a

SHA256
3c5c4902cff3867c845513900e0a47bb9f96a46f83bc321bfbc42956742acf23

SHA512
e21c4a702aa9dc15a37b7dc931c2e3607a08d13d9002a7dee34c98f7f6e1a3e8ee2e4d441bf06d497e5eab4232e72f9692c4c671969195e9eb1c3ea752c20c76

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
219KB

MD5
498c65e1ed31fb672ec0ebaa622a9872

SHA1
47c836176a0c4184a4a6c6fcaf32faab6134a169

SHA256
de33b6bf806340e2840a7b8a4fe192d0c0c0ca6df81c615c2916a0ee1d77b405

SHA512
6298596e01e08099e0a74b7e716f11b4324b7ec6d956a97c9f9490aded613e5c02417167ab574fdf77c33d364c8a57bbaaaab23b1b97cf47ef70117f7a745400

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
219KB

MD5
92a66faec5ba6e1f3b8d646846b2489a

SHA1
564f2216c2ef8b6dec39cdbb8e4f4bed98e9dec7

SHA256
e2adf9a260964e3806db4a3caff875bb98f32cde7dc05dbcba02ce8d6de02acc

SHA512
707c20854d21cc4706298ee000883b0242c1ac94569756bd1a9e15f7c838dc7c0f942d0578e337af69e36b4fd1c5e14ddd41a3613bd676193dfb59be3e77df9d

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
219KB

MD5
71f99961f8cff559fe33e098b1c7e2b6

SHA1
79d3208b95c7ec55ebf2947da937dd9feb1cc9c0

SHA256
c7dd25d7a9666d1fd5d29a37ce8c2cb322c3edbfb63d478addc92444016ea8a9

SHA512
f64127fcd1a12db691128cfda7f4979b800d4f183695772c9aa0b1fef43d93a5f9f99da73240fecbdf9e9a67fa3afa2750ce667bae335a6dfdb247a2e51b9436

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
219KB

MD5
6bf7904d15fdd9233922e8e702361bab

SHA1
730ed968e4dc3e69918610fd12608ffb94039d5c

SHA256
101a7b5a447b6f7c0e98442cc407ba54d023285f1e18bcbfb0dbd881e3b557e5

SHA512
14592bf7cc4bccacc367a30f4c22e7103ee042e8de0e656ed72e6773732b337c092061da455da75f34d39ab5e207d0ad52e7dd9f3b008330f32bebc536d566d3

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
219KB

MD5
9e52bd144adf76e7ffe03856f1d9a648

SHA1
4e27fc3bfaf57b30e55224371198500b9acdb173

SHA256
f6e389c3d454f863582678df8be1c49cd81d931b6509d5c3665571f73cade7ce

SHA512
a310759f61babe0369e190d6ce1906503c2d225b7204564d392b80ef23f0bd722d4e9944d498d27581a7366ce0e08d0e9fa591bf88b7c37e1672818889bdc4df

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
219KB

MD5
87d05698e7ef85208666d1987754725b

SHA1
e9ca51f512da82f42f5ddc8589ac004ce3398e62

SHA256
93cc1b39fda01dc0362794badf921c4b1c7263226c357c3754786317c4bf21de

SHA512
5cb30fc5f219bb6683b18e4aac697393cdca258d1a016eeae282c0a423bbf5efe42b3697d554cf5d5e0da4a44ff5fc5763b50edace333b28d1d20a57942c0df9

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
219KB

MD5
b24b64cfd0017aabacef824c72dd31b0

SHA1
798b09ebb67e2f64a474dcc21d4ce820661b4ffd

SHA256
737fc9aa55eae04b7849569390fa09eee17f66b9bd66286e5e95c7d82dda6c2c

SHA512
e7a4f0b9a3dd13755e151927606e8ac30b55e8fb79c6e11f3e0ec6dec58a26c84cde954b37a064942fd16262724661d7702f2423aaecca09e33ede3f8ec6a677

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
219KB

MD5
ea649f6cb3db18e764e8691392addd3b

SHA1
47e247b53d8807c572b18f3bd7511023c662b8ff

SHA256
5a533a1570999345c4d392821fed869a1adcfc0af8e2f23571527beb6b9b84a2

SHA512
d060e71254cd013ff3124d1c02c052746f5f2443bc42e349ae44ff58c5efc0cc23672ed145db1b7775c9822184017e8c766fe877737c08c5db880e4cd4c091d8

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
219KB

MD5
c637264d05f0f1af20f9f412f7368548

SHA1
4159fc01bfad98caf5ff63f5ff1f5ae4d87a08b3

SHA256
58afed66ffa84fa9dc349b2b054f68d3c99e03bb1ec6af78b91b6dc3f9f00654

SHA512
2890a30019ba654aa3ca2f860251a9d883845e058bba335a6060906451b35e49be591043a77b6cb26b0587724b49f0e3980cc271afd52fdd9644e8a186770f59

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
219KB

MD5
7e15c6d38e37592d726e45a898b0fe4e

SHA1
916275112752b5a8c91831d218a855a7b395da22

SHA256
3eb5dbee0bf809dd44a442494d33ec31b7945047da6c9768f69a594620d85dac

SHA512
14757099152863c6af56c570cae57838083556f3a8e4eaa16708e70ae36374648addf8e74295a0c03d5fad5fa4046dd77153ef60c74d6acb9379b65d3c3e67ff

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
219KB

MD5
5677deaae61ae0b678b65e120596fc7a

SHA1
80fe22224baca205299d4496b4c6b18a8b7eb11a

SHA256
39d233714c990d7c0e7117d3a38db1e6cd04d81ec80b7b406ba71702831787b0

SHA512
647ee07bd4b481ba31990c5c03caa95af7d2e4a8eb53d57acacd6320514091c71baf2f0229532b0c54d6971fc98577a758da72b2a87236b3610e3edfa4978cf4

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
219KB

MD5
8dfb638294615c95043cfe67eff717d2

SHA1
db38aa53d15226e2786b7c7fd912fe6a7eb35b1b

SHA256
6719bd147d82a2f2084bf1092d74b8009ed264632715cc5fb8c6d89a16e835ff

SHA512
bba2e4c0aefc8082cf878aee3b100c5f8a55f503c80ea4840d2d100d75f5c8522246c0c1bca2f03156979984743e20be7a24807d50be7eed7a88e47fec231645

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
219KB

MD5
654c497c319cba16369c631e9ff3173c

SHA1
1ae6b60f37fa9c3883f7df0d88c86fd3fba9e86f

SHA256
e90dbb55b50317a8c4a596b6749ac13d20ec155d765d9aaa98cd17a8c2119628

SHA512
8187fa796595a39ec3898e4e9abea8cc11f88299f9b24e8e15d6c18478fe4be0b691f0f1c560a49476af74a1b249b647c790160b0e6127c3d5b10ba5966e29c9

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
219KB

MD5
0e7a5a73ebf8f9e817231347da361e23

SHA1
a4e89f46fd01779b7a98ea7f1da17a62741973eb

SHA256
5dfe832cb696211003c6cbf3a39560e9eacbfcb1c5e9438cbfdebc2bdc3ea346

SHA512
469a085e47c38d21ea064b124c50764dcdcc0fbf8033b89edbc7a124259df9aa2d62504bc479c7738a09952f320f833bafa0ba08e096510845dde5e61c98d2dd

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
219KB

MD5
bcefdf4620016f090bffe29436c5d5c2

SHA1
d4d8f342ea610a27dcd4a0e4438c1e7ac229b910

SHA256
283d1994277d320d64f650b04bc97765c5dc8156d84e60a6d0fc00278b444977

SHA512
e0465304840244b8d0fd5a309d800260eed9d9c9742a51a1e9f59305fc7ea5437f08e55a7b35fc3c154efc19d8aadaae36df9efe499d64a1580180d4f912bcd4

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
219KB

MD5
055aca9ab6f245c6418207330df9e2e3

SHA1
2acbe4e0ee4a066ab80b8fc60ee89e21176921a0

SHA256
1c5ecb0fedd427dfe9ee77f51ff19ddc604de37cef3c64e477eccb525cbbab4f

SHA512
e710d9ec7b30968a8f758d44f2bbf57854da0610595c3fea736f236bca8915654ed90a2ff1d08b2e50ed5523d476d146b0196a5f1ab39a7416b662332900d85e

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
219KB

MD5
629477a72e0eff2d850108774e5af594

SHA1
cb5bb540cc85be51a3febbd20ad2f2d84c066d66

SHA256
7bc4a80ce02e4cf8455e74b1d653a2d2cd994677848cf73c9a7dfabfd4ee7270

SHA512
549e1a3e1d44bfd51be1a8feb6f284505deea69b0074ef347c8a9a39eb9157693672ecfc4ed521257b256f4815a399e66db082ac86ed2edf137e6326ea18c647

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
219KB

MD5
81aee8ad68ed5d7a0233b352f8c9608a

SHA1
7c12bb509854cbaac697f0648c71d52bf517eccb

SHA256
f76d04593ff866aaa275df5c542c3ba40f13420c330553c624f06cd7b5e013be

SHA512
0b06c6bba0ccfa1cd2bc63d4250a525b6b6b71c935e17e37b00d74c9afab0068f86c8c475a84c6717090e1b936da1ea72032ff20aa82b118b46a931dda334cc1

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
219KB

MD5
3db64f9da53b124fcbe0c2421d370d26

SHA1
746160781aa5d02befa623bc7039fe96d219cc70

SHA256
ccad18fd3711eac8756d8f00f4a377a0d9ac0d1a8692eb003ef8212b4f22cb52

SHA512
508facc1e999d8b90442455d0ce7881f2104e0b35521cf99e393955c0516d9b476213d374b1e4808d65e7c1c1fd1f07f8f14befb7df682c605882b5461027253

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
219KB

MD5
8cf32835add36969457b47ba9fe96f43

SHA1
6f6e626eb212ec9385f18f9b639712aa613f542f

SHA256
4fe3835c1b5b1f890cff589dfe45449e8d622703d9faccdc6c2f626c7e50c07f

SHA512
c732ef0b0318cf3af8bff4f3699c3175fef663bb319098b6718ae6932fe391d11748cbbc464fb8698344b7a1ff6b8164376beb74a6769fcc94984803fef0fc20

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
219KB

MD5
63d762c8ba592020782b7201d3e49a34

SHA1
3edce5323c8914c2275219a36dc4eea360e9cd84

SHA256
4b50e1ac19489ab52ce1892510b7ae0cfcdef8839cc342e8f8750e396dfdeb63

SHA512
c9650c840fefb980377ba9402b56abf04ad63baf4802561d331c28c903d2a26dbb56370fa28a775291d4c27ca61c68eb010a8a127c89d6b401f2765bf5e89779

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
219KB

MD5
e2beefa8ad3f4be7089f925afe6209a0

SHA1
e80164890a8954f06cea21827fc9abd2c9f23976

SHA256
e1186a99b3e8c88ecff7fd84bd327657542719b4de05a7ac178683333f5245bb

SHA512
6739172d0489b2af484a11f53be19cdb2e4ecd9819e01eb511853cb75f71659c99b19b0dd5689c0021a68a926bbec631791685e8999e194f9502f941205b02aa

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
219KB

MD5
71b468b416ca9db8b97ac51d33bef52e

SHA1
d414a97c1e15df29fb33cb00654834ff6040dc9d

SHA256
f547433a10f696c7ad6ddc1949e12576ad086d72c7129777a72c9200718776fe

SHA512
6a90c25931d87bf9dcf1edffb069cc062c45e7463d77c5ac059cd34a3213bf9b73dc5227882bef5c9eb84340681331e5d227dda9b426804c4b7be975499b75c4

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
219KB

MD5
bc6eb229dbc824cf5fb5237f45ad2370

SHA1
71493c46154dcdc6a2e3c62103f24c9b4adbb324

SHA256
0ce490db18002d56282d42b03133cd2eb9e5f22badda6fccfc2f0971c70b76e1

SHA512
c6d4546c24d1f526b63c7ae4ef6be01a46716ae2afb7c4f3eeb38b07923d9d711b68dab7baeac166037aa6c8a46e74878a678481126dd92e233e06c3e55cf567

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
219KB

MD5
86873fb498099d22352fb5a5bc5ec660

SHA1
0f6bd75d64a4934596e82e40ab3f1b62c347ee45

SHA256
34006d1bb144207b77703d29ceef0ae55b0a2909442413d2e090cdcd7d0d2ac9

SHA512
24cf294b9c2cc9e793d49adaf4b68bb9a117f1c49c8e66206c9aeae485233b588224197e2c85e6a25df1da9108e282876a84976941f8e1ec828efb40e0babc8b

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
219KB

MD5
429a06c2beecb6ad721ad5cf41105df3

SHA1
a1611031ef0e1a8e417d23522384508d6568f13d

SHA256
ca2ee8a397658afc1acc37f66d16ada0631450a8534b970ff58a7d04b15e0615

SHA512
472a0e9db1512e79a8811fa494abfb6e4785db3a0f49009d20d0ad88f1582537647c6af55309fb15ae1de323ebbfecfa7fa6a7ca988e691d75c6aebf0d53807b

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
219KB

MD5
4d25002a4820a477c4a6a4164b9ae9bc

SHA1
011312bfcd167de2bf46ffc74ce36b135e7ffa24

SHA256
ae06fa0b629bda1bf773c15630c7cec6e34281fc4d965ca87d831fd830fd2d74

SHA512
356a5d59b098f3190e3c46adbfd8b7a75059655ecd73d773a2e186dec6f134784e3e8b97c666b9f0b32ae6e73a93285d63ae0d6512a28fc80069a9745d6d7ad8

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
219KB

MD5
0da724fc61303aa0771c928c9c0fd5e6

SHA1
d07239120bac8358acfb3738b6aab912acc968a7

SHA256
0eee529e5b2ab9a295d588d797ac0cd53e5b9561d9fe581a348efbdc170b91aa

SHA512
227dddbbf27dea36dad061502ef852a87a844fd8c8f8434fca2df0b47aae228a4b3bc1a46ac3318fec7409cdebfc05c694d4f252b32afa93ce1c160bbccf6dce

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
219KB

MD5
4d88294c406a4b2b3373e2b7f2ab0c3c

SHA1
abea1cfb9110d218feb221ea4e7d2e120d808c6d

SHA256
3afde00f865d1a75000090ecab2283701eaa767faeb4d06551ef8b2fd2cdce12

SHA512
eb7177c5bd8ec537b6ad9ee07563f0ff6c48e459293ea2555c24d73024bad9d0cdfdd5f0ece8ae3866e371065ac602703137dec10becd2860661a0bcf4bece5d

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
219KB

MD5
6e22be6a0f618906d308426efa977759

SHA1
74c25cb8db69b3121a8ee2238312a3e064ca3977

SHA256
407a576f9f09b1d5abc9bb3040864dbeac24895d78f646276151ce6a2ce8830c

SHA512
0b7693d9b9c2e84d0096a3058d22ae786954e6e235da8274eb7b10144ee9495e13eb9f85ef1946de02b7d55d90168e79d5f5699218fd1a03fbda2453104dbc87

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
219KB

MD5
46462835566b7944c8f0bc7eb2965b52

SHA1
1562fda49c13052cc5f15247474aab6df1a8587d

SHA256
f46e193129c84e1f156d168e2aa93208df70b322e782f380affc30244f6c61e3

SHA512
1ebe959036511e06e39e5b635969a9a158ce44bf5ebc52d4eef610d0efc2ea5053cd707e6eb9c13ae7893fc90263cfb135a296c9b7e69d2c88370e5420c74bcf

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
219KB

MD5
246ce5d13716cb62b2108bc9b3da32ae

SHA1
e03bbe90be68a4a23fc7306a5db22c94a3a53cc4

SHA256
16438766323b678454a2448b773ff025c6197f780821c72af75644cab45d3f6c

SHA512
f5ab490b72b150b98a0f8d31c95fc3759e034242941034a11c9acb0ca3d5acb3cd2aae12da85205e9cee21cb2e8d99268e3e83e98cf48fcfdf8d9ba4cc47d8e5

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
219KB

MD5
1d54c33ade321b905e8c216ae8068eb1

SHA1
837aa6389f9bf1b79ef26bdfeaa506035b86c40b

SHA256
eb27fad9aca5735721d2f9dc15363b97a13057c85293251aa997f616b8606e3f

SHA512
8df3ca46142b8007880646e4b4586abe2e8793ed8b04493346329c6a1f81b363a1a2f0bffdf6d22a134cc44fc9c64e19bef59c5e6ad989a962fd633c419e03e3

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
219KB

MD5
043e4939cdc23747d430ef9d26b55d47

SHA1
0b7034166ee2c21a07cd8498a656d8920cfcb26f

SHA256
d5a4cdee12e5be97562826681b9ad816129e717e51e60eea9be1826a51d9e957

SHA512
9a33cd75ae412f3f4d9a92ac13f57d4c91bbb36931c0f654ace801092fb15bf7067a38aa3d25e3b3ce231d48f6c546f88f02deee7e27ba70d0d903d7b0ba2ee0

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
219KB

MD5
8376fde5392cc67fdb377adaa40f55ac

SHA1
7f0ccc7834e6eb582a1930b32ec7642de04181bf

SHA256
c9614cae8ce3046e20e9d3071c71f2aed91f657c56488c2e72332028d66cdf6b

SHA512
74e52ddd6c14fc4e6ea7064c7fa96ce22de902747aafd5e6d2729194e2231f2c7b597840123f76a1bf2b0820a1a26d7993fa95768fb80f8b9abdb585a2396b4e

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
219KB

MD5
470073f66c8cdfccb9a0aeebf148f3aa

SHA1
0611fb5bfab91a5fc810d1b930023e90fc9c3284

SHA256
1c5e8261df98873f7fedb7b79fce37e5564e24de37fd07c01d67911e96a0ceba

SHA512
fbb3bb54388cdd3e7ee3d8eeca1a9e57582c5c4e0b4f1595e10f5fc2075e91f653cba65ee818f2f06853b4d1498d06c014d5813c1cbf5919a127e3d80881901c

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
219KB

MD5
1b9fffb1fcff8764e184deb7d3b0cffc

SHA1
9520b11935dea734a7472602df8b7fecbec0c3da

SHA256
5f1a1aec8f62f9bd06a04851db62f21a7fc51160f3b6aa62d1b6fd938d00e707

SHA512
e1436ce386a735de6655e994322d1e2a1d7a6e3275a61da4bd78346f41f5da7ee0d977e2b68bbf4c5e97d5624c45548edfcb04aed2ebc0e259110810618fa33b

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
219KB

MD5
f6806244fce47886039aaf7734b9d060

SHA1
030e0285b21eecdda1414ed96f09c58fd8b27528

SHA256
439e410aafd26186e65b8ccf0a4a48a135d310dd5555207023d8ced445947034

SHA512
a2b1e553a1639bba9184a2d9cb7543dd6d0ef8e7962f5da8ed7902356fc253a328609307336fc4473a77574a406d56914bf8141507b0d566bce723fda9720345

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
219KB

MD5
6817b50ede215c0277e4e2c01573d7cd

SHA1
3b65dcf8ecbee89e776f2dd1c503110d24d3ab17

SHA256
a683f9c29c6971d76994da3a56de16845a18f205cd6f77606aff7097ff3c8083

SHA512
8c6c31491237d9740467e7ee57acfd3d876fe6de5ab16c539bc86ba222102b28390aeaaec6a65bd2671ee5115c6f9afe59da92e1fcc28d0a89b9a0b24a0d41fc

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
219KB

MD5
54f8895c7d579901100ca8d64257f50b

SHA1
54745fab3938854f3a5abda19c71f94549d66a84

SHA256
7e76254d69de197f58ab60c472973003e51ee189a2432f68c95c76d01c032563

SHA512
312afaa3b388781b59514dfff567f42de529ab8eb9ccd20440b97f94d4715fae68182cb29addcf6e58723fc3cb693edf01e1d98e5b4e53cabd5b2dfd0383877c

Download Submit
memory/64-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/804-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-801-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-804-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-786-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5272-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5356-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5404-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5448-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5536-748-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5708-741-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6096-726-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads