berbew | 0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Size

76KB
MD5

de44a530c3a741ad6d65095558b003f0
SHA1

2962347d1ff1fd89459931f827f6c6696f9a401a
SHA256

0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1
SHA512

a5cb86f36921c84ed78092967a92c5c997592b59255313d60587a96250bd9dd44f056984e1a4aa6aaa0db0c492fa9da7ef31b3498031420645365f355b3a9a21
SSDEEP

1536:K9rw308vyZlKIzNM9Cdwdz8zEfrRXX1RyoxbOHioQV+/eCeyvCQ:Ur/PJM9C2dz8wfrR1FbOHrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemgilhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bidjnkdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdgafdfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bidjnkdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkmdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgafdfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkommo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbjffad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhndldcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadhnmnm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 56 IoCs

pid	Process
2752	Bhndldcn.exe
2844	Bjlqhoba.exe
2604	Bmkmdk32.exe
2608	Bpiipf32.exe
3052	Bkommo32.exe
276	Blpjegfm.exe
2452	Bdgafdfp.exe
2076	Bidjnkdg.exe
2616	Bpnbkeld.exe
2924	Bghjhp32.exe
1720	Bifgdk32.exe
860	Bocolb32.exe
1860	Bemgilhh.exe
2212	Coelaaoi.exe
872	Cadhnmnm.exe
2232	Clilkfnb.exe
1416	Cohigamf.exe
448	Chpmpg32.exe
2992	Cgcmlcja.exe
1664	Cahail32.exe
760	Chbjffad.exe
268	Cjdfmo32.exe
2312	Cpnojioo.exe
556	Cclkfdnc.exe
2208	Cghggc32.exe
2592	Djhphncm.exe
2956	Dlgldibq.exe
2600	Dliijipn.exe
2628	Dogefd32.exe
332	Djmicm32.exe
604	Dlkepi32.exe
2188	Dbhnhp32.exe
2336	Ddgjdk32.exe
2860	Dolnad32.exe
1932	Dbkknojp.exe
3056	Eqpgol32.exe
400	Edkcojga.exe
784	Ejhlgaeh.exe
2172	Ebodiofk.exe
2248	Ednpej32.exe
1788	Egllae32.exe
408	Enfenplo.exe
768	Eqdajkkb.exe
2068	Eqgnokip.exe
2216	Eojnkg32.exe
1920	Ecejkf32.exe
1232	Efcfga32.exe
1928	Ejobhppq.exe
2716	Eibbcm32.exe
780	Eqijej32.exe
2580	Echfaf32.exe
2668	Ebjglbml.exe
1424	Effcma32.exe
1432	Fjaonpnn.exe
2644	Fmpkjkma.exe
1624	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
2752	Bhndldcn.exe
2752	Bhndldcn.exe
2844	Bjlqhoba.exe
2844	Bjlqhoba.exe
2604	Bmkmdk32.exe
2604	Bmkmdk32.exe
2608	Bpiipf32.exe
2608	Bpiipf32.exe
3052	Bkommo32.exe
3052	Bkommo32.exe
276	Blpjegfm.exe
276	Blpjegfm.exe
2452	Bdgafdfp.exe
2452	Bdgafdfp.exe
2076	Bidjnkdg.exe
2076	Bidjnkdg.exe
2616	Bpnbkeld.exe
2616	Bpnbkeld.exe
2924	Bghjhp32.exe
2924	Bghjhp32.exe
1720	Bifgdk32.exe
1720	Bifgdk32.exe
860	Bocolb32.exe
860	Bocolb32.exe
1860	Bemgilhh.exe
1860	Bemgilhh.exe
2212	Coelaaoi.exe
2212	Coelaaoi.exe
872	Cadhnmnm.exe
872	Cadhnmnm.exe
2232	Clilkfnb.exe
2232	Clilkfnb.exe
1416	Cohigamf.exe
1416	Cohigamf.exe
448	Chpmpg32.exe
448	Chpmpg32.exe
2992	Cgcmlcja.exe
2992	Cgcmlcja.exe
1664	Cahail32.exe
1664	Cahail32.exe
760	Chbjffad.exe
760	Chbjffad.exe
268	Cjdfmo32.exe
268	Cjdfmo32.exe
2312	Cpnojioo.exe
2312	Cpnojioo.exe
556	Cclkfdnc.exe
556	Cclkfdnc.exe
2208	Cghggc32.exe
2208	Cghggc32.exe
2592	Djhphncm.exe
2592	Djhphncm.exe
2956	Dlgldibq.exe
2956	Dlgldibq.exe
2600	Dliijipn.exe
2600	Dliijipn.exe
2628	Dogefd32.exe
2628	Dogefd32.exe
332	Djmicm32.exe
332	Djmicm32.exe
604	Dlkepi32.exe
604	Dlkepi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cohigamf.exe	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Mfacfkje.dll	Djhphncm.exe
File created	C:\Windows\SysWOW64\Jchafg32.dll	Dliijipn.exe
File created	C:\Windows\SysWOW64\Ajfaqa32.dll	Djmicm32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Bmkmdk32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Bidjnkdg.exe	Bdgafdfp.exe
File created	C:\Windows\SysWOW64\Edekcace.dll	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Djhphncm.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Qffmipmp.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Bpiipf32.exe	Bmkmdk32.exe
File created	C:\Windows\SysWOW64\Jnhccm32.dll	Bocolb32.exe
File opened for modification	C:\Windows\SysWOW64\Bifgdk32.exe	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Cpnojioo.exe	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkmdk32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Hokokc32.dll	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fmpkjkma.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cclkfdnc.exe
File opened for modification	C:\Windows\SysWOW64\Dbhnhp32.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Effcma32.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Ddgjdk32.exe	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Ddgjdk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjlqhoba.exe	Bhndldcn.exe
File opened for modification	C:\Windows\SysWOW64\Bghjhp32.exe	Bpnbkeld.exe
File opened for modification	C:\Windows\SysWOW64\Bidjnkdg.exe	Bdgafdfp.exe
File created	C:\Windows\SysWOW64\Keefji32.dll	Bidjnkdg.exe
File created	C:\Windows\SysWOW64\Obilnl32.dll	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Qfjnod32.dll	Chpmpg32.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Egllae32.exe	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Bhndldcn.exe	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
File opened for modification	C:\Windows\SysWOW64\Blpjegfm.exe	Bkommo32.exe
File created	C:\Windows\SysWOW64\Cadhnmnm.exe	Coelaaoi.exe
File created	C:\Windows\SysWOW64\Elgkkpon.dll	Cjdfmo32.exe
File opened for modification	C:\Windows\SysWOW64\Cclkfdnc.exe	Cpnojioo.exe
File opened for modification	C:\Windows\SysWOW64\Djhphncm.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dogefd32.exe
File created	C:\Windows\SysWOW64\Chboohof.dll	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Blpjegfm.exe	Bkommo32.exe
File opened for modification	C:\Windows\SysWOW64\Cohigamf.exe	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Bkommo32.exe	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Agjiphda.dll	Bdgafdfp.exe
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Eojnkg32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Bpnbkeld.exe	Bidjnkdg.exe
File created	C:\Windows\SysWOW64\Oakomajq.dll	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmlcja.exe	Chpmpg32.exe
File opened for modification	C:\Windows\SysWOW64\Dlgldibq.exe	Djhphncm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	1624	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhlgaeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkmdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpiipf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bocolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilkfnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bidjnkdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifgdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chpmpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgafdfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnbkeld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohigamf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbjffad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkommo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmlcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnojioo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhnhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpkjkma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemgilhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blpjegfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cclkfdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgjdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bghjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjlqhoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coelaaoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhndldcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadhnmnm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll"	Bocolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bocolb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll"	Cahail32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkommo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll"	Chpmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll"	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll"	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkommo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chpmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll"	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2752	2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe	30
PID 2756 wrote to memory of 2752	2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe	30
PID 2756 wrote to memory of 2752	2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe	30
PID 2756 wrote to memory of 2752	2756	0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe	30
PID 2752 wrote to memory of 2844	2752	Bhndldcn.exe	31
PID 2752 wrote to memory of 2844	2752	Bhndldcn.exe	31
PID 2752 wrote to memory of 2844	2752	Bhndldcn.exe	31
PID 2752 wrote to memory of 2844	2752	Bhndldcn.exe	31
PID 2844 wrote to memory of 2604	2844	Bjlqhoba.exe	32
PID 2844 wrote to memory of 2604	2844	Bjlqhoba.exe	32
PID 2844 wrote to memory of 2604	2844	Bjlqhoba.exe	32
PID 2844 wrote to memory of 2604	2844	Bjlqhoba.exe	32
PID 2604 wrote to memory of 2608	2604	Bmkmdk32.exe	33
PID 2604 wrote to memory of 2608	2604	Bmkmdk32.exe	33
PID 2604 wrote to memory of 2608	2604	Bmkmdk32.exe	33
PID 2604 wrote to memory of 2608	2604	Bmkmdk32.exe	33
PID 2608 wrote to memory of 3052	2608	Bpiipf32.exe	34
PID 2608 wrote to memory of 3052	2608	Bpiipf32.exe	34
PID 2608 wrote to memory of 3052	2608	Bpiipf32.exe	34
PID 2608 wrote to memory of 3052	2608	Bpiipf32.exe	34
PID 3052 wrote to memory of 276	3052	Bkommo32.exe	35
PID 3052 wrote to memory of 276	3052	Bkommo32.exe	35
PID 3052 wrote to memory of 276	3052	Bkommo32.exe	35
PID 3052 wrote to memory of 276	3052	Bkommo32.exe	35
PID 276 wrote to memory of 2452	276	Blpjegfm.exe	36
PID 276 wrote to memory of 2452	276	Blpjegfm.exe	36
PID 276 wrote to memory of 2452	276	Blpjegfm.exe	36
PID 276 wrote to memory of 2452	276	Blpjegfm.exe	36
PID 2452 wrote to memory of 2076	2452	Bdgafdfp.exe	37
PID 2452 wrote to memory of 2076	2452	Bdgafdfp.exe	37
PID 2452 wrote to memory of 2076	2452	Bdgafdfp.exe	37
PID 2452 wrote to memory of 2076	2452	Bdgafdfp.exe	37
PID 2076 wrote to memory of 2616	2076	Bidjnkdg.exe	38
PID 2076 wrote to memory of 2616	2076	Bidjnkdg.exe	38
PID 2076 wrote to memory of 2616	2076	Bidjnkdg.exe	38
PID 2076 wrote to memory of 2616	2076	Bidjnkdg.exe	38
PID 2616 wrote to memory of 2924	2616	Bpnbkeld.exe	39
PID 2616 wrote to memory of 2924	2616	Bpnbkeld.exe	39
PID 2616 wrote to memory of 2924	2616	Bpnbkeld.exe	39
PID 2616 wrote to memory of 2924	2616	Bpnbkeld.exe	39
PID 2924 wrote to memory of 1720	2924	Bghjhp32.exe	40
PID 2924 wrote to memory of 1720	2924	Bghjhp32.exe	40
PID 2924 wrote to memory of 1720	2924	Bghjhp32.exe	40
PID 2924 wrote to memory of 1720	2924	Bghjhp32.exe	40
PID 1720 wrote to memory of 860	1720	Bifgdk32.exe	41
PID 1720 wrote to memory of 860	1720	Bifgdk32.exe	41
PID 1720 wrote to memory of 860	1720	Bifgdk32.exe	41
PID 1720 wrote to memory of 860	1720	Bifgdk32.exe	41
PID 860 wrote to memory of 1860	860	Bocolb32.exe	42
PID 860 wrote to memory of 1860	860	Bocolb32.exe	42
PID 860 wrote to memory of 1860	860	Bocolb32.exe	42
PID 860 wrote to memory of 1860	860	Bocolb32.exe	42
PID 1860 wrote to memory of 2212	1860	Bemgilhh.exe	43
PID 1860 wrote to memory of 2212	1860	Bemgilhh.exe	43
PID 1860 wrote to memory of 2212	1860	Bemgilhh.exe	43
PID 1860 wrote to memory of 2212	1860	Bemgilhh.exe	43
PID 2212 wrote to memory of 872	2212	Coelaaoi.exe	44
PID 2212 wrote to memory of 872	2212	Coelaaoi.exe	44
PID 2212 wrote to memory of 872	2212	Coelaaoi.exe	44
PID 2212 wrote to memory of 872	2212	Coelaaoi.exe	44
PID 872 wrote to memory of 2232	872	Cadhnmnm.exe	45
PID 872 wrote to memory of 2232	872	Cadhnmnm.exe	45
PID 872 wrote to memory of 2232	872	Cadhnmnm.exe	45
PID 872 wrote to memory of 2232	872	Cadhnmnm.exe	45

C:\Users\Admin\AppData\Local\Temp\0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe
"C:\Users\Admin\AppData\Local\Temp\0fe8678ab17a03ada46c6e5d3aaad8c779947be21fe559efeb37b506dcc4b4c1N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Bhndldcn.exe
  C:\Windows\system32\Bhndldcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Bjlqhoba.exe
    C:\Windows\system32\Bjlqhoba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Bmkmdk32.exe
      C:\Windows\system32\Bmkmdk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\Bpiipf32.exe
        
        C:\Windows\system32\Bpiipf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Bkommo32.exe
        
        C:\Windows\system32\Bkommo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\Bdgafdfp.exe
        
        C:\Windows\system32\Bdgafdfp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Bidjnkdg.exe
        
        C:\Windows\system32\Bidjnkdg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Bpnbkeld.exe
        
        C:\Windows\system32\Bpnbkeld.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bghjhp32.exe
        
        C:\Windows\system32\Bghjhp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Bifgdk32.exe
        
        C:\Windows\system32\Bifgdk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bocolb32.exe
        
        C:\Windows\system32\Bocolb32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Bemgilhh.exe
        
        C:\Windows\system32\Bemgilhh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Coelaaoi.exe
        
        C:\Windows\system32\Coelaaoi.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Cohigamf.exe
        
        C:\Windows\system32\Cohigamf.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Chpmpg32.exe
        
        C:\Windows\system32\Chpmpg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cahail32.exe
        
        C:\Windows\system32\Cahail32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Chbjffad.exe
        
        C:\Windows\system32\Chbjffad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Cjdfmo32.exe
        
        C:\Windows\system32\Cjdfmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\Cpnojioo.exe
        
        C:\Windows\system32\Cpnojioo.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Cclkfdnc.exe
        
        C:\Windows\system32\Cclkfdnc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Dogefd32.exe
        
        C:\Windows\system32\Dogefd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 140
        58⤵
        Program crash
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjlqhoba.exe

Filesize
76KB

MD5
f532e327d839b2e20f7d8bd5ac98cecf

SHA1
3004f0174ca0e4890a2c8dfbe14593a78e1fd39d

SHA256
62a5ca347eff24ba2fe014f9a89f636c54e6acbbffb949f816de83cbad0cb362

SHA512
6b26274008092d0651e6259731344e333ff385161eff4d0084dae575859bc13ef03a476e032428c2b138b543f3bb8c5a1f5d1c8e169997433e886dcebfcbec3c

Download Submit
C:\Windows\SysWOW64\Bkommo32.exe

Filesize
76KB

MD5
a5ab965e22e5ce971395f82e13d7eb03

SHA1
41d8871036bfd2ba2749a98d304cc312139a8fc9

SHA256
7c82068d341dfa10e1bc63d7971b5ab5cd04a23d0cbbbf525e30f35b2327ab3e

SHA512
e127a427d448018c9b98fb7c274e2155dbe54f6bd090db49586c585b5ae04bc0048a80a245f07c5296c2da21a2fcc294c804093bf5e23d4fe2ab4a321a6149d6

Download Submit
C:\Windows\SysWOW64\Cahail32.exe

Filesize
76KB

MD5
c24df072048744793e61dec4d2fe6111

SHA1
c24c987d80ea9e70f18d4dfa2daacc7cebb0a767

SHA256
6204e60af321b399457a2f26f85a80e556e2b328eea2da05b73b289de5195b8f

SHA512
28a752591d5bce0303e83657e6b5feb8301c07d1b630b86264ea8e5741a018c53f304c25ff4972a04a384ab57460e00be9f42ff2a0bd56b62ad1b8b6ac8bc5c2

Download Submit
C:\Windows\SysWOW64\Cclkfdnc.exe

Filesize
76KB

MD5
e6324497045916e389f9bc5a90c422d4

SHA1
934b5aff843f023f045eb433775f3c8602f1462c

SHA256
4580fc030751624b38d84ba6e75f0d181dfdb3d4f17eb41b080c0bad3e0ecb87

SHA512
14900a88cd018bfaf4dc0dd7b5a7a14d3444b80a5532d70f24517f0f3048bbe40b95573d32c0a6d71ece9f604a92670661030ac4782c1312f962d10eb451fdcc

Download Submit
C:\Windows\SysWOW64\Cgcmlcja.exe

Filesize
76KB

MD5
592d3cf6f958c133ea1b50e1f19866d9

SHA1
ca9170400cd6478bcf7f781d8c8bfbef2396725f

SHA256
941d6d2429df012fc7c99996c52de4233a9bec8761c1ebed658f7800e8b9a044

SHA512
863435c3d6bc455c110401eee682fe61e76dd22a8c6cc588999bc860dbd0cb558dee5cf279ae29e45f008f05c4ce19406ab1e9890e8821c465ebcbb456fb6c51

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
76KB

MD5
8cad33623bdda63cd1f2eef15da729a5

SHA1
f98cb2a2f57fbf34e74522c6ba62fcce395e0806

SHA256
6110833ef6fb341458e307543d3a518253190135315cc9400a5084c368570850

SHA512
96c49ebc053f7d84f33a95c396c204535a1a8d9d946a92221058b88ab16d1ea874806900c07146c6b0a475b111c5ef34b55304d19ac5c30e4eff9251c00146a7

Download Submit
C:\Windows\SysWOW64\Chbjffad.exe

Filesize
76KB

MD5
0408111eb3e35ae01c62f4c72b2e4e43

SHA1
74eab191a267843b7885b45fbccef921f50bcb0a

SHA256
da8f71a388fe2da1550f302533a9dceef0868dc22540e45663822a68a14080ed

SHA512
d8b8a2cb68112990ced834fa189066d09d654bf0d1c15de819c81e49478f175d5e2b524a4707090c74689e9cf6a0f904f3907974c155b35e58c9d3cce1fde05e

Download Submit
C:\Windows\SysWOW64\Chpmpg32.exe

Filesize
76KB

MD5
3fe0a4c176d1063002de50dc6cf626dd

SHA1
274c29d4a1bd71490fcd474d8104af7df476e367

SHA256
7b636bfccfcdb7ea58786e8445bb07b015c77f083637d1281a6e39b9afa49b8a

SHA512
5faf475f00525a7ec75b028fdbc6f862c8c656947cb8763cc230bd96b43b582d5c797f160e46d2da30ecd4664d6ca3b013e959be0924977855f8d53f9bc3f25b

Download Submit
C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
76KB

MD5
41376ff7eb2db740f210aef798ebaa70

SHA1
6fe13d7e78d10183a0698a77b3aec09f341f47a0

SHA256
1740644713237c3f5dbabbd14bc5bac5bd99c76b199e7c40eb58b132d0ca9f8b

SHA512
f553196e74c39b8dbd2f540e0a5f15bb874121b01c7c0d871ba40ae70d3a38f2696db350be7e0f93e66879d384bbe4aaf0447b111a1cc74df6d45104c4a9d795

Download Submit
C:\Windows\SysWOW64\Cohigamf.exe

Filesize
76KB

MD5
d3fa1380550d377e2f3cf85655563f91

SHA1
07f394a18594b3200141f6593adaa4d4f57c15bc

SHA256
5b508d480040600bb7961a359c5bdc942ddf1c3dff18e165576574d584561b14

SHA512
cafbb09b64f416788bf6a1e4de51140ccf655e40010294a364208cc25ec988e1891ce18176ab315a344bee934da14405e6a20702e0b0f97fdfbc4bd1101e1cf6

Download Submit
C:\Windows\SysWOW64\Cpnojioo.exe

Filesize
76KB

MD5
f4bfaf2b322727fd9dd1d0f378b42a8a

SHA1
6fcaea24b1c6393b672e18968820b619238ccf43

SHA256
50092fe8a7f2859091a0ad2136e03ffb110907356d09371b7dabc7df0e18dc41

SHA512
f9feec0f2fd4062801333f46a2b992a5a5111226831f67eae17db226aebda08aa63bfb897dc2af2b2e431c6501a0f125c325f31e7af75cb2a2947796a22e9118

Download Submit
C:\Windows\SysWOW64\Dbhnhp32.exe

Filesize
76KB

MD5
5820de6d47d7050ac0adc71e15859b01

SHA1
3dc9c2a8a00d0e840b4ffc0182a9fec556b601b4

SHA256
26e2a1c2fea26455cd06461b1a8664290e9480f109eed55e3a57cad298220f1d

SHA512
2647fd299bfb4d297f6fe0b88a758e0fefe306ff009a716606d748ff80a29c09dc5dd21821f86cc416e0a56470a29b4a6b7f5c0f3a33c84a5b49cd9678362e19

Download Submit
C:\Windows\SysWOW64\Dbkknojp.exe

Filesize
76KB

MD5
473428640fc3aa42181cec4ab318a33e

SHA1
37354c228a614ab2cfbc23b682aab1c960d7a13f

SHA256
1c7e577ec2546af11af4ab75c082ea8e9ed956948d37bb4a9ba1675046635dbd

SHA512
33d7b069d411305d557a10a8eee77411f8cde2789c34fba51134d5b9f4db9a67c3c5f5f21ad4b07911b004379a37ff852abb4d6768e93f92f4d416e6dfb4d007

Download Submit
C:\Windows\SysWOW64\Ddgjdk32.exe

Filesize
76KB

MD5
9a59e2c5e4e468f0e3b393389bd37805

SHA1
f5fea4bfbdc7f6ba18f7207b9d5d718f1bbd59fc

SHA256
be9d8ced68c03c445c9dc691205fd5183b28ebe0f1dde2aee3462a28e0dacf18

SHA512
e1555196066d0c3d59507513c1e5de7a3f2affbdf664acbed6ab20b43f769ae5f2a816ebf90c8cab3d94749adeddd43a93e70cce99534fab87ba6ec8a50af353

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
76KB

MD5
46b8970011429b13d989e3f51864947c

SHA1
b6e7849c34ad122f146871feeebd854917fe2319

SHA256
dcec65dd83a32c76cba6387bf2c616bf10dfcadd87e4104a13b87d5c28e3e15f

SHA512
b4bdfdd3388b832932f78b38b7efed62cc85357ec51c80f6b7aa4031c01272dd6f843ff9a6b92599e5a5c5cb001c1f82e099a37cfdff3fb57a13e27f7bb218d3

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
76KB

MD5
a457146dbb6c9234e20d1739d184e30f

SHA1
fa10a69599117bb2d69d9dd246061fbf75ca0eb9

SHA256
abc792dbdc3734f5c95413c88eb12d11ca3d3ebda3197d44b21b3842b9fdd712

SHA512
8df0690816e86d5972499d723329dab57c3964ca168b3dd53b1efd55f17c06aad551476aa0d2b68cbf3edc4f765c9ea60fa27d87229baa61deb7d6b6a00fa61d

Download Submit
C:\Windows\SysWOW64\Dlgldibq.exe

Filesize
76KB

MD5
138372c2ca9d1ee386b903d77dbd050a

SHA1
38e892926bf58fa4f77706decead45a79c4ceb2b

SHA256
f21891473b54d07a151403e41e376225b7bbf866b1036fc2a0e47f4442dccd73

SHA512
b2b4ea43f0f91d294c035a93b23a4c9dc841aaf2bdd14b7319bf74fd921f8ed7969648393828f0ab6bf60bcd386803b1c06a55e7a7206bfcf70b3bb5524e0bf6

Download Submit
C:\Windows\SysWOW64\Dliijipn.exe

Filesize
76KB

MD5
1da66dc90ceb7abaf4c8f12ca2f095ab

SHA1
bbfc8046357946d21ce10bbf940edc8f7c1aa818

SHA256
00b5201a00f4daca2370c8c6d4167817de73397f6af8ead932feda270f4329cb

SHA512
c0930f75bd5642fcdf9318c468a8047acf823da42d0556ecd7017a1f1d2a85d3055f5cb356ebcdadb29d76d2ac620e80155b555c7f7bfa6e5df8721401b6987b

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
76KB

MD5
a32e27ff6c393f8b8984a7677ce5096c

SHA1
5bacbb946e34aa00e6915a02845d90048cb7e1e2

SHA256
1d2032e72b3c0f1b34e526f9e48f8359cab9a2721e210e7eba87763dc44c55d2

SHA512
86b7426f58587f56fd918617e3dfa396f87fa5fff1d03c57a2933b4d5b493d7a7623de128bd515b4d6adc2ec8e72ab45bb463f5c5b3da7939758a8f3a807217c

Download Submit
C:\Windows\SysWOW64\Dogefd32.exe

Filesize
76KB

MD5
3b81bef129b1e4e8f849b4177b02bb69

SHA1
f51b0cd287f8c0d63430d9543d24f8926cc27970

SHA256
d95fa52f8f9bda2534c4083384058c5ae30a1938d29b2f661c0ad798fed91297

SHA512
cc23048643a591f060157fe9f1af8e66fa0381af897ab5ada68bc15bc3aec00b107952370f8b7344bed574c7a3f803eb280c4ce75e0d1bd275e58a69391bb22c

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
76KB

MD5
78fab187486b947dad8700458d7384af

SHA1
13278185febd9f2c676df752a4d69d56fe2c2cd4

SHA256
d2394361cb7ddad10adf6824ae824940a19d976596fefff46c3243ac913ce5b8

SHA512
7d93485cd84cb8ebc095d1f102387bb8d934e7def4cf7173e0ddce110782e655946cd00748c070b35e0be39df5080370f86c539995011046af51103b756e0842

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
76KB

MD5
7e99c23723d51402ed08ea45b3dd217d

SHA1
a6ee149ddbd365aa97303fbe964fc7eff0892942

SHA256
5550993047f3e004bae3d5c235f6e56be35c7f3e0d4f97d8d82f26fb1d2774bd

SHA512
bfa80639b27736ef840d3249274e059a657f4ef9c7ae6d49e7f46fd7453a0245f6a7bb9f30e88ae50ecf0414b7d66548055d6f547fb71a4ef3dcb6d644b5406f

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
76KB

MD5
747143e92ae6a7c8eb36bb470bee07d7

SHA1
a459a61d83e6763eecd0e2312c266fbe20a9cead

SHA256
4027dbd3542957f4884b5014a72b02e6e802fa3387bd2173a67f576dcc7be583

SHA512
e01eda468ca48db8442af2cdc25f8e92def9416191874925755c754ac59784a55d1812c187045fcfa8f22e3641043b48227b7de7796dd90816d0246f19278d5a

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
76KB

MD5
5b9d1c8005007093db74a98edb31d6aa

SHA1
c23ef1504df844d06c76d78a952d2e743a145a4e

SHA256
55b1fea701b90b3d2ac72e0fc11be8081777094f6180df0e188dc8b6afb591f8

SHA512
b5d7c01775279b4d26b391782e0670037f0eb2b56eca5d2211831aa4aa663385f6ac028575a99b492f66d898403ce34c985d1ab4f8be6310001c9355b4dbc338

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
76KB

MD5
a4a5ca6e49bf9f04d33dcedf32f5855b

SHA1
384748baac957e9fcfd14b8d8b6aa417e6fa9c18

SHA256
6fc13829bce1435fdfb0190d995f2400c86e8829fa004899414290af444e294b

SHA512
471d315d7d9bc6bfcca53fde3feb47a4761eeecd6637d5de73f4f7137db5349ae5e9fb298eb2bf55d4dd4733bab4b19c58a74bbc1042c811975c803410383e1f

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
76KB

MD5
85b399788bb8125aa6b9931c04f69984

SHA1
88d5516a4975f51dd948f7fbff952333ee46cff0

SHA256
eeaba32bbaa9fdec56e67d46ddbaea1bbe36a3b9158649127bf5563cefabfe97

SHA512
2ab30d413a8df06925fcefed55f70038768f2dafdf4f63a5d5ae5193f6d57b75b9258fc40135adb73f147b7aa256a7a2957915ff00998cf661f4bcddf02fdb35

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
76KB

MD5
43fd5d54f6db547aeabc445a2e923a53

SHA1
639fa61526fc88ed26ab26d7e8167ee54156bf0a

SHA256
a9bfc58c06722a6edea142c843593ebbc69537b9b1da6d8e4104eb9d4a58bfaf

SHA512
91c36353c9d61513f3fb5fde6f4883a0f4d7e77ae95728c25a5a7aa4f43cbcb606399ce781c2e1c7da48551540b1495c065853f7a7899da507a796b4c4f8efb5

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
76KB

MD5
e8e3a510ab283480b844e464cc5f5724

SHA1
d4bb01650816f1d761cb71408605ce7277c2d572

SHA256
77bd90230fb6d60d228b03756883f9b5c23adbd7390e7ccaf83ea4450b0c1fdc

SHA512
15e4c52bc8cc65e767f19847e7b1c5ad9a7292c4c8ccec6d2c78909d0f87c91f78c2b72ad33fea8cab3b0be3c943e24b02f78b23439daafd092512b07d549b42

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
76KB

MD5
9fa2eecb3bc54eab532859525502d804

SHA1
3ec5966d2cd09166b892008a676f71891e7ca876

SHA256
23980119d01b07558f8298dc874c339f025e4ed65a299abfc1d380e4679457bb

SHA512
50419ef5dac1a7bc79a01667d9f84cfa4b8a48a45bd5c61f4ba10c527a6c569b925889383c8d9e05b5036eb0211a0a0ec5ccf2f2e2f6a70e6f27db6096fae418

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
76KB

MD5
2f793e599d0bd04e29889d350187cdc2

SHA1
00236361180423ac1dcf6fd8cae1c908c475ac47

SHA256
48f18a2625205b83617783a311d9953378e25e24710490b364edb7d2696e6090

SHA512
8abe287e8c8ac2c536129cf75c362b8fb1184ac533b8c09ccd4e82d9744c5613aedd6a5c668c3968ccbc404a1ff1216f73118494c2b3ec2371e487c85c459811

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
76KB

MD5
87fa187f184f606a1368a4e0a14747dc

SHA1
bf6232f9c61d32d26136f78ece90760fe7d58e61

SHA256
26025d52aa5976724f25ff9daba69481211a210e7cd319e19316ba4554fb7f34

SHA512
19cbee1b5db683763f297ddd52d1f849837bfd9fdccbc84fda5d17551caaeb7598d7e9b4ed57e0cbc8c648b3e6e261ac2944f2ef84142df939e3c5fa605eeb43

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
76KB

MD5
0686ce84c4e686b992b7ba9505f85891

SHA1
39bd2a788c835cc433a5ce183fc231362efd1341

SHA256
a49725dca519d04dcc97dcbcdfa4c4dc6c39a1b67f3d2f35159b555fa679ce80

SHA512
db696955ee6d9dbf64074d28d2e83d1ae10d63936a57b0b796af900bdebb5b28bf7cc9c28f93f29c975c49ba269f8bf020883f3c449b1892a404485abfe92472

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
76KB

MD5
c6d7560313aedeb7832a97af664db582

SHA1
0efd1e0e578191024530fd8ef573d58c2173ae23

SHA256
77b139f47cdcdd1f6e1e044f71d6d54e437750ed5316acbcaf473650fed8a10e

SHA512
d43d74f8960519d9dfe4e97e219f8527fb260881491adcde877506277296b6474e9c0c78d3cdb93938ab773c8bd6d009bc12f18d0f26d6c02d140635b518450c

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
76KB

MD5
6f6d85aa622357978dc736ac7aadf1bc

SHA1
b296411f158168e60a4fb0d7ba190c926a58b9e5

SHA256
710f8808cb0a9ca7a071e0a44a83fcfc761332c70bbd8bcba82d1e0b0c2aeda2

SHA512
1b0e499d5737b933efb51a267fa4d47fbb9d38fbe0b497ab297d91260cc72bc67fb667d42512a50c0cbe5e2dc31f7a56d293ec189854b08f19edab1d7b9133f5

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
76KB

MD5
1962c2a24442f5afea00eedc6f0eb7a1

SHA1
1fe7f30d98800d42d50c26d55f212e05b563ec04

SHA256
1f9d82b613d89023a0819fa2b74db37385c7df6853a62a122cdd6d1a1834376a

SHA512
26ffad72e5adcdf17d8e43e6f7e00205ce1c0097367e662e2ce71d0770ebad841f85607072718555e6c9cecee6b8636cd88b372d3900f9e9fa2f9d98fb7c9042

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
76KB

MD5
3b027b57068d75f8fc4b8b7d9f915fbf

SHA1
892346719905ddfd25c7ee325fb48ab6b0fb549b

SHA256
ec83cc842911d909d81637fab70b59fb20250ae53d05e416ba7ddf2e2f80b3f7

SHA512
5cc34dd65219fde7962b29daafbc696105387fd71bcaaec30906bc0eb753bd26d3d0432ce356b9ac42704c6d5bd0089672b2827cf0080459d3cab8f62a354bcf

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
76KB

MD5
e208ff44b412e8a33c0e5f3f5450b6ce

SHA1
855c4b28dae0b1299c24380bd67fcb93333ee452

SHA256
473f52f2d5812e83aa12495e140103a4cc4a71b8ce970c038979f1c8c6253b93

SHA512
3c0da3181a47ef373709a9ca514f17061415e505495e065d2ddcacc58acc009268bde63c571927c409a9f37dd9c38e6f7260256e475a2c70b25657bdb9c0b841

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
76KB

MD5
62e3ef0a0794ac2957faba76b8165492

SHA1
39b91b18da089067e10ebe3a14eb371a7f45a3ee

SHA256
53ca51569c5ddb7a29058af4038a27d9c79ce86f1ba9d4a8e7ddf8f78e5805f4

SHA512
87944976aa0ab1aaf954612531502950808b83e5e6f8355ababca30b8dfa5b4eeae4e28c413cab0a444c10854cd608da7264d68d920c0fabbdb3d80a4504abb4

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
76KB

MD5
b75e8b54537efc03a6cae692f3fe8df9

SHA1
bbaf6eb8292b2ca137a2b6b9bf1d8194e4f22c14

SHA256
d34479d5951a4adaf792a5d863141e11a90f8396443ef50d8b23ac96fbfa435f

SHA512
f002ff9d84fb2f1f8dfd420f564b4edce39be2ac1ad776758ab6383996436a7ef0363efeeb9383dda9534cef37a9f86b582e4454d7a664d589905eeb05ad0d6e

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
76KB

MD5
0dfdfe6300900d7ef1a609a05171d45c

SHA1
18be41c6d2666974950ab3609027767f2732337e

SHA256
5ac3568b26302ada6f36856ba576e299a73eccac4dea967c5c5b0e5cd1f4b0f9

SHA512
50939b3998c144c3c70e5cd8a6f79ceeec6860c8064ca033d384685de7ac7ef14d20fd864219c99278de3aa6c693836067abe76c8392b7962a03062178f38b69

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
76KB

MD5
0218e8421d83cbaa113873a3157b16a1

SHA1
ffdbbd01f0d3013c9c3a55a14f0eaf480435983c

SHA256
193f4442eeaaf813b745e06b4bce89b2d4e95bf50dbe7e04d2ad56d742ad2706

SHA512
4db186d40ef2a93d1dd7fd124ff29b8a9fd0c502d98e5f5859fd4aae6cea522f5658405d33b8173811bb83bf48ba57aa4a196c9e136ebe8acbba577432888a76

Download Submit
C:\Windows\SysWOW64\Fmpkjkma.exe

Filesize
76KB

MD5
bae4983d688530d72de264470742d552

SHA1
b85fbf7d5b3a19ea7a765154a2487bb77f91754c

SHA256
24653082f1bb099d4918fb5085e084d75be4e13b7357aba1f6d1947cbf694ea1

SHA512
b59f4f5d10bb2cb464c8a5d0cce4759325e1dc6774c86401c440c8756d47d8016a8cacb87fd78e1227f9c06ee0d6603ca58adbc324b01607c959d87eddfe142d

Download Submit
\Windows\SysWOW64\Bdgafdfp.exe

Filesize
76KB

MD5
5129ba3815ef097cc4381fb48c61da9d

SHA1
0ae57295166498926db6804b833acbbc3b6e7496

SHA256
1205306b3d8339c39409e1ded001ebaad53b3cafc9e7a4ae0ad58a15a00afa87

SHA512
ee2398adb75ef04e0fcf6930f883e67bc1e6bb7b3394839f3b1a14a312e52079e44b30984ba9520d6a63ed6126eec5da2faa6ba802a16d6fa3498778c4a2e221

Download Submit
\Windows\SysWOW64\Bemgilhh.exe

Filesize
76KB

MD5
9bb84e7725c874977c63b0c77e264492

SHA1
8f5b6a29b0ba4a5c9859b29e3e6b57659ee2d635

SHA256
8e50099ef108800bc10d8e8ebe90cc2f10f187ad258d3ce28d451a685318378e

SHA512
2387c52562736f2f6f0bd241735d75a9eff8199ea1d93d88510e096e5059f3fd6b8e394e83af9e5bbee73f6a4c9339adc1145991ec7b3f08b807bd2681c52cfe

Download Submit
\Windows\SysWOW64\Bghjhp32.exe

Filesize
76KB

MD5
fc8d62449382cec0b6cc12b78502e940

SHA1
3fe19c45f78efe6b84344b602c4ef45b0ee6cb1a

SHA256
fe21eb40263ac8f862c288412455d2f8cdef94d130a0e8c89424dcc28926c0f2

SHA512
07bf0dd8a119551c48aab33b949d84e6e99aaa03478b5e95ef2f7f91efc11ca46514be9b55af4e284ba356b878f903fdde9e9324281c3b63615ce211e774e6c7

Download Submit
\Windows\SysWOW64\Bhndldcn.exe

Filesize
76KB

MD5
7492c05e8fd884f7eeaf23e1f855f9e9

SHA1
d2af4dd2a8ff9ef74786102f69cb856035144781

SHA256
1e2376f5fe748f4b1084d1c6351978988041504dd8f63468991cfb4b160c10d0

SHA512
ca342b4341c8751fc55b374eb338dffd73f5eca7ba0eaeda7e604f314fd0e98299f89845801271cfa8ad0d2f7e23a22101a749238115986b74d50f92d6572561

Download Submit
\Windows\SysWOW64\Bidjnkdg.exe

Filesize
76KB

MD5
5552b7b7e4af4b18b1b19158b193d7f4

SHA1
d4084d4581e8d3fc4b0d8d7e4942bfde485fb4a3

SHA256
e82467b54142adbe29598010993d1370eaddc4224bae20782c4450a0c4f27a32

SHA512
38d3359e81465d9923a62da675ac14fd2b67f066e86b693955901779178593c42f40111fb7b224d2de85db4849d90d54030110a7f2fe08eb034282f5ff827a25

Download Submit
\Windows\SysWOW64\Bifgdk32.exe

Filesize
76KB

MD5
a3d24c532ea0f7ec6ef2eb972a0d0f93

SHA1
70a382bef4036a6f0a15d3a4538d64dc3ddc1a2b

SHA256
647e1bc061e0c66a12d757ae911bcca0e4db67ee382c23074730ab0d0b791496

SHA512
57c55b84dfa5724318902effa86b0294bec9ce4df5019c669c1a1f38fab8d38b3e56f15d38ba81f010dd8f755586dbaf81525503e5cf3d4b9364b7bbb1a60389

Download Submit
\Windows\SysWOW64\Blpjegfm.exe

Filesize
76KB

MD5
db951285de46ac83fad4b555a8bccd71

SHA1
0f41bcd212095eeed8e9d9b745432e19b85846f9

SHA256
a225a28f2b531369a4713f7d3f8ec310fec86d59a693dd1790be4fea11360870

SHA512
f2f561d7ecff1c9a5618644b44aa39ace45bd2b3349a4eb9d0dea984140e2cc6e039e758c7fd98d016e293d497e189e7ac0ab8c9d5569504381c3b1a86df04f8

Download Submit
\Windows\SysWOW64\Bmkmdk32.exe

Filesize
76KB

MD5
dfbdafad96e31c0d78f977eda9cc6b94

SHA1
af7dfec6b7e51d02a757fdda9af39c5be82d6ab8

SHA256
8840be4180ce1cdef392d1d61f090df6a55b28ccad08708b37b159f0c8b38ba2

SHA512
bfb6a67de9d1de602b66a222c3c099629ec9878f7c10aa4a53b3bdded547762c764b205d29103a4deccad9e32d6325ae2360506b22f0b7a6a2d299f019718af4

Download Submit
\Windows\SysWOW64\Bocolb32.exe

Filesize
76KB

MD5
d5f5f3bffe0447ad9b692ca2d1d87eef

SHA1
d70bef89db613cb4dde6075088618480400225e4

SHA256
4db7c85cd21b69255c90c7e6adad7395a233ec1c3eeb9ffbb22288f9b9ca6bc1

SHA512
285ff9533e1c74987b886b7881a0d0127355bc0d8e2d4d396e8b69cd974d0aed70280f60dc63163befec9a9a045c3f18ef7ae57781fe1faee790ed01476a327e

Download Submit
\Windows\SysWOW64\Bpiipf32.exe

Filesize
76KB

MD5
bb9b947a6cf956865826194a2569361f

SHA1
ca430be40e9e26b20b5de4c8e51c550379b0a2a6

SHA256
f97410f31e3ad5d6fbe81e12f6c87443431df26b15ea98a11da27090b8f4b1c6

SHA512
da00f6d1c95802cebc6e0bb1cf3a70e81d4bceb19063ad9d06d778c1f81d9eef42abfa95564478dbf80808a469a6f70b14822fa7e651e39b6ad4aba5df4a398f

Download Submit
\Windows\SysWOW64\Bpnbkeld.exe

Filesize
76KB

MD5
8d53990351b92f27a6ce4f05ecfc47c5

SHA1
de28534c529b00335d84cdd6d20b3ad2bdba859c

SHA256
96f9030133d432dfe9027bdac93433212e0e4862ce1cb98be2da36055a74365e

SHA512
60a88f6b2621a1aa9de7df6713425ad3a6ee5eac70b3c7ee6632fd43f3d03640c19bad5283bafea79af447fe29fb5b0ed7869cf9426a74fcb5e17b9ea8b3f0e1

Download Submit
\Windows\SysWOW64\Cadhnmnm.exe

Filesize
76KB

MD5
423e77882a15add5c237ab86d3b5d176

SHA1
c7aaf8ed429a67d81e742f26bf0d801f1115e98b

SHA256
2fe5713a02bfa2b8ab7b7dd884ab6411fc065183ddf21e1beaa4378764e5a10e

SHA512
a38134473ead109cfa6f4dd633941ee977fa82a7146ec60834f8092c497ee0ea3c562758114201840fc17a7c14839e87902db18809f61988e7c82ecf5a95b2e2

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
76KB

MD5
06b00db42871094a9cb2e86152bdc1f2

SHA1
1d2f3898af7012e606056601714f9fbd8d6ae07f

SHA256
94cbf4d982862affa5bf76c35def49d1568b7663f2d6177b63f1adb0766c02d8

SHA512
b4dfb1ce8cccd4eef779a8a825881b1dbf8fcb4e2128391eeff5073f1a0f8337a7fd671fe8a7330345afad1050dfb1e423718428c5bedf8fd6d4fabf041edd0e

Download Submit
\Windows\SysWOW64\Coelaaoi.exe

Filesize
76KB

MD5
f728bec8bcd8daf8fb07ab76c48f3a5e

SHA1
457e40d87e17de96c5e0539b0b3358d80022b9d9

SHA256
5f6adf054e73acf82dfb38340b2e5154c0cb8cdfd4f9c8d14181fd5159d34bd2

SHA512
3d05d3c3bba940d2908bcb7825edd39b7042f1617fe3b4972c3b49423ca97cdb5712555ea25f5413a5abd43613a7a67c47a4f2e11980ea9f414585faa0d32142

Download Submit
memory/268-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/268-282-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/268-281-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/276-87-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/276-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/332-370-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/332-369-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/332-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-238-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/556-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-304-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/556-300-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/604-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-380-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/604-381-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/760-271-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/760-267-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/760-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-208-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/872-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-227-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1416-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-260-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1664-259-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1788-491-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1788-492-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1788-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-429-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2076-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-400-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2188-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-393-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2208-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-318-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2208-319-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2212-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-485-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2312-296-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2312-292-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2312-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-405-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2336-407-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2336-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-326-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2592-325-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2592-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-347-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2600-348-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2600-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-47-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2604-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-66-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2616-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-126-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2616-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-355-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2628-367-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2752-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-395-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2756-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-12-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2844-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-418-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2860-419-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2860-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-139-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2924-500-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2924-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-336-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2956-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-337-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2992-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-249-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2992-248-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/3052-79-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3052-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads