berbew | 360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738a

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe
Size

72KB
MD5

ff90c9ad26990aa291a1b55902ea0960
SHA1

32b6d3b1324a568020799a36e715d34686116ab7
SHA256

360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738a
SHA512

5cc2f9f070b32cfa3ee133085d8ef4253db0a609cedcf505a5ea96922325e9efd1fd9d7b7914610180edf67bd14ae9422a82066fea5b57eed26ed6f119496921
SSDEEP

1536:WsAwZIzfbpWPe7jr07cXsK0ix2pcitl7Jc7atJnr8GEW5ije8b:W3aIzfb0WXr0oXHB2dD7Jcathr8GE7z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqbeoc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4684	Ajmladbl.exe
744	Amkhmoap.exe
1812	Apjdikqd.exe
4280	Afcmfe32.exe
2028	Amnebo32.exe
348	Aplaoj32.exe
1924	Affikdfn.exe
3716	Ampaho32.exe
4020	Apnndj32.exe
4844	Abmjqe32.exe
2732	Ajdbac32.exe
1656	Bmbnnn32.exe
4808	Bpqjjjjl.exe
2692	Bfkbfd32.exe
4644	Bmdkcnie.exe
1732	Bdocph32.exe
2716	Bdeiqgkj.exe
556	Bgdemb32.exe
5072	Ckpamabg.exe
2424	Cmnnimak.exe
788	Cajjjk32.exe
2120	Cbkfbcpb.exe
4136	Cienon32.exe
2084	Calfpk32.exe
2764	Cpogkhnl.exe
4680	Ccmcgcmp.exe
1420	Cmbgdl32.exe
4360	Cpacqg32.exe
4804	Cgklmacf.exe
3112	Cmedjl32.exe
3784	Cpcpfg32.exe
880	Cgmhcaac.exe
3576	Cmgqpkip.exe
3228	Cdaile32.exe
2572	Ccdihbgg.exe
4884	Dinael32.exe
3032	Dmjmekgn.exe
3572	Ddcebe32.exe
764	Dknnoofg.exe
5092	Dnljkk32.exe
3468	Ddfbgelh.exe
784	Dgdncplk.exe
5060	Dickplko.exe
1908	Dajbaika.exe
1444	Ddhomdje.exe
4192	Dggkipii.exe
1740	Dnqcfjae.exe
840	Dalofi32.exe
1356	Ddklbd32.exe
4188	Dkedonpo.exe
3764	Dncpkjoc.exe
4900	Dpalgenf.exe
1148	Dcphdqmj.exe
4952	Ekgqennl.exe
4736	Enemaimp.exe
2336	Edoencdm.exe
3324	Egnajocq.exe
4740	Ejlnfjbd.exe
1936	Eaceghcg.exe
4348	Edaaccbj.exe
4380	Egpnooan.exe
1552	Enjfli32.exe
4428	Eafbmgad.exe
2644	Ecgodpgb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Egegjn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Ggccllai.exe
File opened for modification	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Ohgohiia.dll	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Egegjn32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Oahhgi32.dll	Gclafmej.exe
File created	C:\Windows\SysWOW64\Ampaho32.exe	Affikdfn.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Cpogkhnl.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gkcigjel.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Bbjlpn32.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Affikdfn.exe	Aplaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Edihdb32.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Higplnpb.dll	Apjdikqd.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Enemaimp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5220	6036	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmladbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnebo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Affikdfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkhmoap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjdikqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjficg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gqnejaff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4684	4552	360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe	86
PID 4552 wrote to memory of 4684	4552	360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe	86
PID 4552 wrote to memory of 4684	4552	360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe	86
PID 4684 wrote to memory of 744	4684	Ajmladbl.exe	87
PID 4684 wrote to memory of 744	4684	Ajmladbl.exe	87
PID 4684 wrote to memory of 744	4684	Ajmladbl.exe	87
PID 744 wrote to memory of 1812	744	Amkhmoap.exe	88
PID 744 wrote to memory of 1812	744	Amkhmoap.exe	88
PID 744 wrote to memory of 1812	744	Amkhmoap.exe	88
PID 1812 wrote to memory of 4280	1812	Apjdikqd.exe	89
PID 1812 wrote to memory of 4280	1812	Apjdikqd.exe	89
PID 1812 wrote to memory of 4280	1812	Apjdikqd.exe	89
PID 4280 wrote to memory of 2028	4280	Afcmfe32.exe	90
PID 4280 wrote to memory of 2028	4280	Afcmfe32.exe	90
PID 4280 wrote to memory of 2028	4280	Afcmfe32.exe	90
PID 2028 wrote to memory of 348	2028	Amnebo32.exe	91
PID 2028 wrote to memory of 348	2028	Amnebo32.exe	91
PID 2028 wrote to memory of 348	2028	Amnebo32.exe	91
PID 348 wrote to memory of 1924	348	Aplaoj32.exe	92
PID 348 wrote to memory of 1924	348	Aplaoj32.exe	92
PID 348 wrote to memory of 1924	348	Aplaoj32.exe	92
PID 1924 wrote to memory of 3716	1924	Affikdfn.exe	93
PID 1924 wrote to memory of 3716	1924	Affikdfn.exe	93
PID 1924 wrote to memory of 3716	1924	Affikdfn.exe	93
PID 3716 wrote to memory of 4020	3716	Ampaho32.exe	94
PID 3716 wrote to memory of 4020	3716	Ampaho32.exe	94
PID 3716 wrote to memory of 4020	3716	Ampaho32.exe	94
PID 4020 wrote to memory of 4844	4020	Apnndj32.exe	95
PID 4020 wrote to memory of 4844	4020	Apnndj32.exe	95
PID 4020 wrote to memory of 4844	4020	Apnndj32.exe	95
PID 4844 wrote to memory of 2732	4844	Abmjqe32.exe	96
PID 4844 wrote to memory of 2732	4844	Abmjqe32.exe	96
PID 4844 wrote to memory of 2732	4844	Abmjqe32.exe	96
PID 2732 wrote to memory of 1656	2732	Ajdbac32.exe	97
PID 2732 wrote to memory of 1656	2732	Ajdbac32.exe	97
PID 2732 wrote to memory of 1656	2732	Ajdbac32.exe	97
PID 1656 wrote to memory of 4808	1656	Bmbnnn32.exe	98
PID 1656 wrote to memory of 4808	1656	Bmbnnn32.exe	98
PID 1656 wrote to memory of 4808	1656	Bmbnnn32.exe	98
PID 4808 wrote to memory of 2692	4808	Bpqjjjjl.exe	100
PID 4808 wrote to memory of 2692	4808	Bpqjjjjl.exe	100
PID 4808 wrote to memory of 2692	4808	Bpqjjjjl.exe	100
PID 2692 wrote to memory of 4644	2692	Bfkbfd32.exe	101
PID 2692 wrote to memory of 4644	2692	Bfkbfd32.exe	101
PID 2692 wrote to memory of 4644	2692	Bfkbfd32.exe	101
PID 4644 wrote to memory of 1732	4644	Bmdkcnie.exe	102
PID 4644 wrote to memory of 1732	4644	Bmdkcnie.exe	102
PID 4644 wrote to memory of 1732	4644	Bmdkcnie.exe	102
PID 1732 wrote to memory of 2716	1732	Bdocph32.exe	103
PID 1732 wrote to memory of 2716	1732	Bdocph32.exe	103
PID 1732 wrote to memory of 2716	1732	Bdocph32.exe	103
PID 2716 wrote to memory of 556	2716	Bdeiqgkj.exe	104
PID 2716 wrote to memory of 556	2716	Bdeiqgkj.exe	104
PID 2716 wrote to memory of 556	2716	Bdeiqgkj.exe	104
PID 556 wrote to memory of 5072	556	Bgdemb32.exe	105
PID 556 wrote to memory of 5072	556	Bgdemb32.exe	105
PID 556 wrote to memory of 5072	556	Bgdemb32.exe	105
PID 5072 wrote to memory of 2424	5072	Ckpamabg.exe	106
PID 5072 wrote to memory of 2424	5072	Ckpamabg.exe	106
PID 5072 wrote to memory of 2424	5072	Ckpamabg.exe	106
PID 2424 wrote to memory of 788	2424	Cmnnimak.exe	107
PID 2424 wrote to memory of 788	2424	Cmnnimak.exe	107
PID 2424 wrote to memory of 788	2424	Cmnnimak.exe	107
PID 788 wrote to memory of 2120	788	Cajjjk32.exe	108

C:\Users\Admin\AppData\Local\Temp\360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe
"C:\Users\Admin\AppData\Local\Temp\360658ea9faae3db2f309fda2310f2abb9261d0a7117736a69ee5adb510c738aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\Ajmladbl.exe
  C:\Windows\system32\Ajmladbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\Amkhmoap.exe
    C:\Windows\system32\Amkhmoap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\Apjdikqd.exe
      C:\Windows\system32\Apjdikqd.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        75⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        91⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 424
        104⤵
        Program crash
        
        PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6036 -ip 6036
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmjqe32.exe

Filesize
72KB

MD5
965cabdc48d577e3f4300e25bee050cd

SHA1
87d8a483846fbc89621c5626d215ae5c9a4b25f7

SHA256
b60bb64df550829d79069b2647107775de59e73843a2cec7c117fa11860fa9d8

SHA512
48cb5a09d9521c1308ba4245c2fa22cd1f257fc8bd209b27c9481ed6d70e67994c7ff926f183a97c374578427edd4d1ab24be0ab36002c3cf7e60b53b5085e64

Download Submit
C:\Windows\SysWOW64\Afcmfe32.exe

Filesize
72KB

MD5
1d1a8ab2cb7f83486cf89956b4a75d0b

SHA1
c72d55eaa55727fe8ed4c84d05d77eb6c73b1642

SHA256
65aa22086446cce871fa13369934763d37a07e88169d5bd9732a82ff7106df43

SHA512
7e07bb434e4fca0ec5b7823a1f5f3e9a11581ad3ae00830443db8199b711f821d96c15923929713169b9c018b40056946206224122406734f1e9538c3dc4aebc

Download Submit
C:\Windows\SysWOW64\Affikdfn.exe

Filesize
72KB

MD5
07f3732fde7b8ddee8f3fc88fe3361e0

SHA1
59c4aa6621822fe0666b60ff5a90f37693a1d985

SHA256
a04063cf3d060f69d3ca306efbd028d836abb508b3a486a4fbf5cb72983236c1

SHA512
59c1ef865f44ddc6ca5ad525dc388851575e5824ba123fad4df114f73bec253dd3e7cd6205310af7a754cab15b687a530bcc9056cc4bf43128d7655194ad4d31

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
72KB

MD5
76d5a33f5a5d834c6b73cd1786b74cb9

SHA1
ea2f5e60952202f18a1a7e5631bf7db1b8edc5a0

SHA256
176f30825263d1c96b87dc0ef6784f31c4e27b6c2534fe560119d66481b83d44

SHA512
46639e28ae8cb52f6250632984138d69d19bcac61a17b265832ee47f6e6d49e29d06953e7df1ed390ee813be1ace18368dbc142de8e630be6e71c089ac0c3f68

Download Submit
C:\Windows\SysWOW64\Ajmladbl.exe

Filesize
72KB

MD5
de9c5558137fe02371513843fbffd198

SHA1
12cb18fee79040ac588d649b7e283b4ebd9cc190

SHA256
9fbc28768a8a7ead215201ab14b0b27afb38463727ba8f2c5cef4e54442850d2

SHA512
2d518d7573546d39af91d863df56373a4615ca091a45a9ef68b83707f0071b175a9e09b60d4942827d2ba71f13f1f689b11dcf8c4ee58507cfb97ff012c8985b

Download Submit
C:\Windows\SysWOW64\Amkhmoap.exe

Filesize
72KB

MD5
41a96471926f01dfedfc867d17bd06b6

SHA1
83fdf959a799414ccbd023826a002ddb926a4a42

SHA256
6fec7eb65b29b61f93e04a23ef8f5a3b75e8dcc74763127667171fe10ab87ebb

SHA512
cd3b71bb963d37b761b45fd4cc75bc8e4c216500c1c6c76bf12e217a00382c0827497452f910120cf9bdc0385d0e2da699b892fe4c7fcad2979581092c13bb2f

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
72KB

MD5
e07e5428bf230d4a38178766ed57cf6a

SHA1
8d68a694fe03af94d8b8d74325d531117caf75ff

SHA256
ba16e29b1aaeb6472dfbb2d3580d07495145293a6e9304d25ebe8ee718c03ee7

SHA512
4881a939d3fe942b10a63411f4b1172da1c974fe134b346d6d8e9e6250755c2e930e7c7e2ff0a44c35bbd6a38c29bcda81a079118a1a251702fb2a8e8d1f6daf

Download Submit
C:\Windows\SysWOW64\Ampaho32.exe

Filesize
72KB

MD5
d6c2936a6fe13636f49d0451ac2c9b2b

SHA1
ca58dbcadd0e3f3471b8d95b628b158e64011480

SHA256
913c75a55a68cbf65ea296f1021251ff4bac0028d97f5bb8d13dc300663d6e00

SHA512
9903d4192aea734996b83ef795556a476ba91bde90cefc127e71cbc18e0f8f5f8c4a22e707fe3191bbabbb059d9cd11f03e392bc64ee4193b88d3c88c59669bf

Download Submit
C:\Windows\SysWOW64\Apjdikqd.exe

Filesize
72KB

MD5
488c1d4ec8bac4b93ad5bec7152f82a5

SHA1
5ec37f4cdd76778a8057f17b51b2e7875bb266f2

SHA256
907c57ffcb98bb82ee43008a9ee6bbe42a1a875ed4dc08a0dca13c8af59b66ab

SHA512
98d27d2e8c7686fea8182695e7ce6ddb2d980a7647f9cf635f79383481a2735e7a4b04534a65dc5329773b7599ebb393fd0c89a06d4f4ad5b20f33335d6539ec

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
72KB

MD5
3b0575adfa7521adbb1503c8e2b624ca

SHA1
0ae7e99faef669e171afdc3af325a19b74cae66c

SHA256
92842a54b380df0f6a0504cd551f65d62f9b5d3c5d1e35dbadae950049f27d66

SHA512
51438e79417cb5a5b4f4a1ece62d648ca3efe99b16f115177e90c01094dd9f2c9cd72c3d354a0af98f14949aa587e194c24f750edf9bbf443a87f00ac72cc50a

Download Submit
C:\Windows\SysWOW64\Apnndj32.exe

Filesize
72KB

MD5
9fcc394a5bb0e7e045a157a8aae92c73

SHA1
1451fb45f6d7adf2f19c71aeae733183f40b340b

SHA256
8d063a02abd97cce989c974cf5fca97ef7b53a650723114ae7b4c7e4deb95603

SHA512
5d7ffcc32944fdff54d044e865f42b37687fa05889b00a19c792b5054dbb990e4522a5fb3bffc898cfffad74af1947db46007cdcde81269eb88260ef95d38125

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
72KB

MD5
56476beb47e92e091f0b990e53f67a2a

SHA1
6b47474d07085add6d1f8179bf4d1ddf53121bc3

SHA256
2d99ea664ab516aff5f1f57311022bb8100258ae2629777a178c0f784d45dfb4

SHA512
dd90db2a79d68228105424cb5bdb877b1d6c145f548a2b746bd8e78ecf9109ef54d694058ad28f521d5b8a4185bf8b990ad7f924c3ada447ca23f6e4835f3dd7

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
72KB

MD5
2308e46889a0aee75894c2544a97def6

SHA1
08bd0f1ae7a4e6bb3b341c05682a99916cfe1c99

SHA256
aa0fd729f288267f3081b59a86274725fc0f93c6f93513e9342ad92e49f21a3d

SHA512
dd4cb5d452ac5e43bf5770979e8f58b3fc609b3d91f71ae220cba50a99ca5621b3fbcb0f020e4ba691f6e4ea59712c9d07d75551ab413bd1b7546a48b559d3a9

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
72KB

MD5
2ab419bb9bdb4d9f4aa67e2878d29bcc

SHA1
8e7afbd54312e6c371fe8dd108c2772c33f04a03

SHA256
99b07197a74127e37a3e5d082131c433534bc8684d51df53c70aa1a25bb6d009

SHA512
7b6ff1fac715813bbc84f094f3e9298903fdf65a06a37a3fd21707da44f4d1c2711c1fca0823da692a25a0abb33b2f0eae62b5c96aa171656c48626eb6985f89

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
72KB

MD5
2e1287735e96b2ab01f42b4fb297125c

SHA1
d3c7bc46fcf8963ede7af8d4e95c4b7168de5bdd

SHA256
ee4ef9d71b9716280e629046220026993abe04f77d515100f8d59d2624e4b5df

SHA512
ab9456cb4600bdce33f3f84311d9b5c636af6caf3dac178bb9315f9eaf0ef045d88dc90318eb55b98c281d9599ee08cdccd58bf919d28110d2f771bdfd1eb6e6

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
72KB

MD5
6e1d9336de71a3bc727fb2272a4b6235

SHA1
2eb71faa882c137ee098d80ae992a3899da0bfe5

SHA256
70964ab0042acfb54df0a00b466a69d6fc191a484bc83e2fcf2670bd41b2b1fc

SHA512
bb58a98fbe8fb8ee089bdf893be5ff6d8231fc57762d257d6c169cb5eeb75b7ce06aaae9c1a0a9bf6bfdcd8d1ad6f035683e9dc7f28b0d7dd54788219b6c8377

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
72KB

MD5
90c94e5115ea17f47354e6ec8184e2a5

SHA1
9c1024c963c54381597693b2696f6974559e4a4c

SHA256
2e51448456db06143d3e82dffd4e6a9d0c80cf11d1f2c2d036fb111320f9e962

SHA512
3672cb884ee152c23f292b684d82d23e50bfd2a10c97072dedb4c006944d06c1f64441ca46b3326ab9ca7d2c93eb98bc5fd919429472d5dbe7830db0906b934b

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
72KB

MD5
13528e1690e9e23e31d6750d0bde2376

SHA1
fd7b0cb242d341388de72b849a95c07dca27e4f0

SHA256
c38184dca124017e7782d7aa7346874c2513ab9c638af6a6fddad83d19158cde

SHA512
13cb5a3b123b1de4d5641714587e452400e168614422699f38e1374b945d112543d33eedb46d17236c8d3bf0abc3882fd63511ee718303a75cbfe29b167b20b3

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
72KB

MD5
2c8228a628afe653efed4bfa7d021c73

SHA1
b15ed2c3b6475e29617d38dfbd801816ce232ce4

SHA256
f2b8a110f266b60601a5c1d4cf00954e052d8f470458e28c25af580a3467f7bb

SHA512
e9771f359f0aa4d46ed517992ea016e86c76f1737c1193c3539bc1ca4a5b2dae418003ac22044918ab6d53e8e5099e19da2bce97dde45120e1320258a14b045c

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
72KB

MD5
a0c7199eb4fefdf6cfc7c4176018013d

SHA1
95038a2cb7cd90e89bab5637cc2a002dcb1bda8b

SHA256
f5e9c2497618956dff2cf512857319318c0fc331a2b2e0cd280fd183bcf4c96b

SHA512
133235d8bff5b313e4ec7f9f99fee851988f9b45e9aba21c9cbbc116d1fef0b7cd81dcb310cbe128b830bc079ef8d9b95fc1103d266db9a6d861def5c564fd27

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
72KB

MD5
60e4598fb9b687d856ac1e6769622848

SHA1
b161bc7f6f734db467629de746ff9b509f6fdec4

SHA256
bd440fb09bde6cb43c9c4032756a20b8d611f7532fd2e7ae5e42215e1b2d0e02

SHA512
d291483b0ca3b67f253964cf28f70e521d6433a8cd51219ecb0d412a23d1ddba42372445ad2ff7e48c1a483910dfe799f88620f23c56b427aca9755830c45f6b

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
72KB

MD5
b2e521694b7e1dd4311049f86e387c1e

SHA1
16adb194782876f57ba6e49d16e63c10d5e4a581

SHA256
8291583bfa5297d0fa748e54771173151cd376de359d14346f838054f80ea567

SHA512
a883a77860a01ea75814d93e247741ace5e5fe7f030ac3f571f2c0e3c2a3c7e7b147b7804ce58928c36ca4a865ac5bc12ae999bb15e3bd82497c9225556d9ee1

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
72KB

MD5
72871b7176191c7c30cc3444d730b631

SHA1
d72e3c5bf1554b795a0d81fd0e25359a403d8b43

SHA256
efe0be7f47092cf785cadd77afe45ef63c90b9a0aa1ede0d2a5dfa3a53eb6e8b

SHA512
b12c530f440f5d379c9fda683954967f2b35442a4ec1cc0b2ed9ba73e98fa03f7bbe7a4583fbf76ff96cd63db4fd0d333e549a40435e0f169d1154e1a363c913

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
72KB

MD5
01aae9b30a12886ab6761307cc12af5d

SHA1
35b9c319d0a99a1beb545b7694e3791326c09c7b

SHA256
c82d7285e44eb497a5769020b12b552385d91348f23fb2ea87f30b8c9d8886e3

SHA512
3cfdcdfc006aeb074fdc1cb16475655e013cc1c7bf5b76aec7d0dd02b7305ead7dc00ad28ef9b0b967bd89d6d67b15e0405460af5eb192f179f74a365f9faad9

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
72KB

MD5
73dc715e54098087b9a1029fdcc7e484

SHA1
4628b41ffdfaeee6018661b7b6e67996414a9c7b

SHA256
72be3e4fd1c010947dcf47f820dc7e24ae0c6d75ea1f9bf33cf09d6e19581cc0

SHA512
ca6bc82d62cdfd61322e1e7f8c232792ac824192fba83305aa8c3ed39cb5a1cae87ec12b047e99161ddf2d625e3bbfc0f7ee9e9e2a67190d93b3c00a4936c26d

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
72KB

MD5
2be2e404b6ddf8eb256cd4aaab2de94c

SHA1
1a6ad3ffa2190f0cf6387f6767160265bdd2f20a

SHA256
74ab942e20e12370178a9b3599aa8587a70ed68fea7e740f77e2662bc8f613a7

SHA512
0d6e9f4a32e7605260a762f49ed3f558c5d46e647c3c4e2f360cdd376f5f5c9ccdd7fcdb1f6c213445b39405a0cbc75caf3c2c6a95345de694d458d55cc4428c

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
72KB

MD5
d8e8fb609148e74934cae9df441f1202

SHA1
b528e116fec39ce9fbc6d3241a78064164d72a4a

SHA256
62e5562fc734871d1f37f03da987f65cee1eb384106235a0f79a7b30a8d66190

SHA512
e8e60965ac21e5989b07a088c50e9380715e447ab2de0c96281b131154e6191d66ed24386b1551a27dee05e50c1c1087425482d962bc579da0f4c716d4e7187d

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
72KB

MD5
8ad059f01fd8ffa2600186ccb6cb5181

SHA1
f03361a9ce5cd21961f3e73083ef7c3d62cd3f81

SHA256
ceb3f06dbb347f5d9c62a59091f5e28b8974e6037016e4d8ecbeb47cbd34020c

SHA512
0729240a2d4aee40a45b384e4c942d0323c420b3a740d7f7d430ac1da2b870e43965c65cf71b9d92ec5151f70e080bf00aae996deb53b46286061066e19bd5d7

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
72KB

MD5
71f6cf2ffd0e6158d542ec5ae7e578ed

SHA1
3646c334aaf4b9b730cc4e1c9a5bdc5159de2f30

SHA256
2f87ee4265d2b218fcfb2561ae0a67aac79e352ec10714b196e0d68a8c4ebd65

SHA512
f3e5c2b9b6e06621048ab68acb933c94314e836b90b0dfc2844c344827990f1ec88aa2b5e0dd4c1b80d330484c81bf779b3e21113c0c9d0c0534ecc2584ca92e

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
72KB

MD5
f64b71f826f4f21fef9ed8d10732919c

SHA1
5d5245309f19c77563914c468fc9e507b74f2a7d

SHA256
6ca8c78464b1e9ae94834e749e38ed45cb5f45a7980cf4bcbdb84bc3f84b7a97

SHA512
581273d45a335913c9b094841892e9077da81b4a638025fca2d77cef8cdc16876a576c397e0cc1715f32dd24f654f39a0e2f428c2b33a06dfbf5f067325f8281

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
72KB

MD5
a44813f2d7dc7976584d307c8f6d0b6f

SHA1
e582bcba0f933d2ac9dd5f430b62f76600eecb46

SHA256
205de006e97b0df14386d0eec0b201d700d1d433f7f3cbf7b8094c0a6cf445c6

SHA512
9ddf924a51f2bcb06f57defaf6e48c2c8c0d2daac1982cbb7b9048a83806f6f2936822fe4cb567ad95ed54fee031300b8d7a2c561194f749fbb3e06683fa2587

Download Submit
C:\Windows\SysWOW64\Cpogkhnl.exe

Filesize
72KB

MD5
89141f1613e2922bfabf02b63414cf61

SHA1
23ae4aadcb43ef8739b8cfffa15c8190299579aa

SHA256
c886432e09929ad8702b5c11fe721931b4c4271a4c44bd83ea7a59daddd03d35

SHA512
0ba77e312cbc41b863d2f8e84115bf9cc0eb5e5666722a0a5f36dd0f82d9f3af7d3eaf958533b9a1fc58c9a418d73a5a51300299056f59e84ea30abb2d55346a

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
72KB

MD5
0ce4f1372a5f174e101010a11bca6821

SHA1
1c7a9f8e080ec71018e83845ff679eddfaa14306

SHA256
f34481242a80b7d2b6ddbfbf265ed918ed088b53126b8944fa897aae42fb25f4

SHA512
f9b8e8089b2f3bc5777fd1387bc9faaf19a236a5ade7451c74710b04a93f565a756c1b7ef06a3f05197556bdb39d2491c373d56a51bdc7d520d6ef9fb39595ec

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
72KB

MD5
963fb82db123240e453499d6cd18a9bb

SHA1
2326421bf15c0a72406d5359021b864319e7c14f

SHA256
fac8c85f1b764a4508c4b31243202b6b523adb6b6df9ec78776cdc9eca37979e

SHA512
8d4b3ef88618ebec7ec51a37eea1e7fec517bf911245a2baeb6d1f99fcc548b5760efec5b59bcff50e13d5092f5a5a28a67506dc45acd5f187815b5da6fbf1f8

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
72KB

MD5
e2672e44f3640c740ce4204eb5e59434

SHA1
628b77b2b2a176bd425887350427a978dbbca1d9

SHA256
f9ab0e6769d22718ad1b586c6df4590e5abc8a24124a240bad95e4597b145ebc

SHA512
b8cb0eff13398c01beec8cc5ef5eb74088069a49bfc980b3eb4d5350cba29d6d46a81832c7eb8ff5850ce9e67ad3c85a8084c1cbc1015d3f4ea494071c11ae34

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
72KB

MD5
b3b6bf78610d44201bc3a3fc6218254f

SHA1
5564c6a32ec07dca6cf044cae124c0dd0edef562

SHA256
87e7ce2f52d5342df418e7601628b6415c5a440106e32e958c0ddadfbabf8a0a

SHA512
af1fcad68db55ad16ec75f04b2383ea4d0d758b20c395669cade7d9fd92002f20c44651ea2f6e89a14d01d4e70ae3f804217d424510b7a05c5691a7123cf08d6

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
72KB

MD5
64874354b7c25a97bb0faa2c81d1ecf1

SHA1
e9f8530a769f34c22a7bf5a347cdd29310c3a438

SHA256
732e6c5c5893c336cb4ae5687a720e65246cd272c80f4c35d7e4695e304508a2

SHA512
88fdabf02a78c2162e0eb2696c3a0c3cccb6730cddc9edce5ec71245907f7729e15fc3020889ccf8262d8f42470e5b87de05b0476d804870952fcc44b107e2d5

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
72KB

MD5
fcf1412470eb28fae8e9687c707df575

SHA1
65d594161710696856aba16268a543ed1bf1cca6

SHA256
8de76337ca7726039c85c4bd700715682741b82f530fdc92a1dc8b4b888d4855

SHA512
8a3e453d99c6b73ed0b73cfe1674d50cf9d1e1d3eab32ce4ae494933ec2335346b73f4d684dd52d54899ffab9f876b735cc2064abc9edcbf1199aa2001310161

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
72KB

MD5
654773985fbe534b7a37ff88aa1eda43

SHA1
12ee9eb91a7668d0110278a0d74e7751b77c96a2

SHA256
4a00096699de404c623eb86ea97ec54633a047248da15dd0022e6c9fba25759a

SHA512
d18256183def5a47eb4ee58bf4dfe2b0868717f7d682a51460855cbf7aa9d65eeefaa7a344d48928250545f2397f559b36b9acc42cdfc97d1501b35365a33fc5

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
72KB

MD5
0a19b9f7e0311748557996ccd5b0e2f9

SHA1
4ca4ff9e447bd65ac12791133c51ce1f3136d9eb

SHA256
9c287fe030a9886dd70e77f53a8d94ef9b300daed7ef83088963b557f1eeebac

SHA512
8710540676f47b010d69934447fdbf74c02acecbc195d47b549677f657d15ef5f869a6eccb2e96a52038bb26daace50f841d1f3c578826fb6fea420f0babed66

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
72KB

MD5
de698b8743378fad412ca9ae806703a4

SHA1
28acf3ab51b6c0f43a64af203c0192a8f925c9cf

SHA256
103fe35a08225d17cff52c876654e7dc5134290cb4a2cd8c961f05a0fe444740

SHA512
3472dd893d8543993c3c75240d6a9af260b698a2f717475c3db647f707f667a13926f403902e214040a78229614e3d9f2bbdad55ba7f09dd68efd2528f2ce8cf

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
72KB

MD5
73a846ae47c48e2ed8af2f0f5a889bfc

SHA1
57beb3162e1d5468e9eb431127490d492395558e

SHA256
f37c6a8a02d711bcd5f234fb2bb852ac1b7461a46a4dd4dba1a05857f2db32a0

SHA512
e1598e388281f7698ebbd7303759d5665bef46ba5007be4f45dd267c2507220a471f85ce00f44ff5b1d88fcb4b6b3490de81e464ebd5f6970088847876c7df70

Download Submit
C:\Windows\SysWOW64\Gjficg32.exe

Filesize
72KB

MD5
b1d68f4859c4764b4a823927746d1e5b

SHA1
07f2aaeb45a9f0a171bfab9894784cdb965f3ccf

SHA256
640cce8e02a99d0873e5417fa0ce4c396e99ca63221692ccfa223cc17b0b8e3f

SHA512
2f5a2b6eb5e7351cb0b1c0a5364bafda3eef8ec76f57c409d96f3fc04771510eabaa14b05d87cd1588c415938de7c68c3039ecc97fb6d6506a019a799189a776

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
72KB

MD5
46227c2ce51e2bb0bc3fe56379677406

SHA1
a87e39d205e6dfe1f7040b9fb881a9ccff1d61bc

SHA256
78ce748d5b3167b2f04c2293a08fc8fa289e55a334026389a7b0f6b89dde6709

SHA512
2c5a80ddb00d57c53a4f60e2bb50b31de5637f12a98df0eeb1e95e71ddfd70a83af80dcac93b4b9c28e86c75475a61912f51309b8908cc8e549523ab783baf08

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
72KB

MD5
e7ad1ade805f90140305a5ae6c47cb0c

SHA1
b8d13670dc9f9cdde56ccc90a923916a9a2f7258

SHA256
38b8ffc0ee1f0e19d7fae8f537e22ab08c2b5be35eac29615861050c12b3d6cb

SHA512
48fa9989fb65b3071fb28eb106c1e724924242225e269ac2bb71510e955d90da4c70097e94a99287c6b64efbc352a0389c115315fe6df8f85069843d366a0c7c

Download Submit
C:\Windows\SysWOW64\Lcckiibj.dll

Filesize
7KB

MD5
ccc68ff6bf554d313641b77f7c2b9275

SHA1
725b7e6ed64b05a488de71d8dfdb829b9587aaa9

SHA256
30f9bfef8b106073cc597953c3c5ecef980d3eab035e0145afe3abce409dedb0

SHA512
0eeb665fcd24b5690d4da1bfb1333f43a6d52960e178f879028fc9a71a9d020cb11ba544e7d3f7e358a1ab7efe91eb8ec1a0bfefdd92cdb909270b755232ce9b

Download Submit
memory/348-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/348-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/788-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-799-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-772-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-730-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5364-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5860-706-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6036-699-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads