berbew | d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
Size

67KB
MD5

66795014c931024a97d9e0dd5700b2e0
SHA1

20f2b670a1c50f61316dbe80f1fb5f9206b035d9
SHA256

d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767
SHA512

172918705f6904282722edd50bd6d5b8602e21e0df89a817a60740a09a05b6b0c77851afadc008a3bd37756e69c35782e713f07a74b346c894041744e55553b0
SSDEEP

1536:1vP/MgpKuAUaShYThER3fzo0sEN3c4A9BFsVLyRQy4R/Rj:BP1KV2YThwz9sEYkGenVx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boleejag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cccdjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dglpdomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boleejag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccdjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chggdoee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhpqcpkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eikimeff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bafhff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhbmip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiilge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbbcail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cglcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnjnkkbk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 55 IoCs

pid	Process
2696	Bafhff32.exe
2692	Bhpqcpkm.exe
2572	Bceeqi32.exe
2556	Bhbmip32.exe
3000	Boleejag.exe
1796	Bakaaepk.exe
1568	Bhdjno32.exe
2932	Boobki32.exe
2064	Cppobaeb.exe
1656	Chggdoee.exe
2324	Ckecpjdh.exe
1372	Caokmd32.exe
1976	Cglcek32.exe
1324	Cjjpag32.exe
1216	Cpdhna32.exe
1348	Cccdjl32.exe
908	Cjmmffgn.exe
1096	Clkicbfa.exe
2972	Cgqmpkfg.exe
1540	Cjoilfek.exe
2072	Chbihc32.exe
2488	Ccgnelll.exe
2764	Djafaf32.exe
2256	Dlpbna32.exe
1208	Dcjjkkji.exe
2752	Dfhgggim.exe
2552	Dlboca32.exe
2544	Dnckki32.exe
2624	Dglpdomh.exe
1844	Dnfhqi32.exe
2272	Dqddmd32.exe
2340	Dkjhjm32.exe
3060	Djmiejji.exe
1852	Dqfabdaf.exe
2644	Dnjalhpp.exe
1420	Dqinhcoc.exe
536	Ecgjdong.exe
2376	Eqkjmcmq.exe
1776	Ejcofica.exe
2040	Embkbdce.exe
1100	Efjpkj32.exe
948	Eiilge32.exe
832	Epcddopf.exe
996	Efmlqigc.exe
1752	Eikimeff.exe
856	Emgdmc32.exe
2396	Elieipej.exe
2456	Enhaeldn.exe
2920	Eebibf32.exe
2700	Egpena32.exe
2548	Fpgnoo32.exe
2668	Fnjnkkbk.exe
2868	Faijggao.exe
2732	Fhbbcail.exe
1764	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
2696	Bafhff32.exe
2696	Bafhff32.exe
2692	Bhpqcpkm.exe
2692	Bhpqcpkm.exe
2572	Bceeqi32.exe
2572	Bceeqi32.exe
2556	Bhbmip32.exe
2556	Bhbmip32.exe
3000	Boleejag.exe
3000	Boleejag.exe
1796	Bakaaepk.exe
1796	Bakaaepk.exe
1568	Bhdjno32.exe
1568	Bhdjno32.exe
2932	Boobki32.exe
2932	Boobki32.exe
2064	Cppobaeb.exe
2064	Cppobaeb.exe
1656	Chggdoee.exe
1656	Chggdoee.exe
2324	Ckecpjdh.exe
2324	Ckecpjdh.exe
1372	Caokmd32.exe
1372	Caokmd32.exe
1976	Cglcek32.exe
1976	Cglcek32.exe
1324	Cjjpag32.exe
1324	Cjjpag32.exe
1216	Cpdhna32.exe
1216	Cpdhna32.exe
1348	Cccdjl32.exe
1348	Cccdjl32.exe
908	Cjmmffgn.exe
908	Cjmmffgn.exe
1096	Clkicbfa.exe
1096	Clkicbfa.exe
2972	Cgqmpkfg.exe
2972	Cgqmpkfg.exe
1540	Cjoilfek.exe
1540	Cjoilfek.exe
2072	Chbihc32.exe
2072	Chbihc32.exe
2488	Ccgnelll.exe
2488	Ccgnelll.exe
2764	Djafaf32.exe
2764	Djafaf32.exe
2256	Dlpbna32.exe
2256	Dlpbna32.exe
1208	Dcjjkkji.exe
1208	Dcjjkkji.exe
2752	Dfhgggim.exe
2752	Dfhgggim.exe
2552	Dlboca32.exe
2552	Dlboca32.exe
2544	Dnckki32.exe
2544	Dnckki32.exe
2624	Dglpdomh.exe
2624	Dglpdomh.exe
1844	Dnfhqi32.exe
1844	Dnfhqi32.exe
2272	Dqddmd32.exe
2272	Dqddmd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kcacil32.dll	Ckecpjdh.exe
File opened for modification	C:\Windows\SysWOW64\Djmiejji.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Fnjnkkbk.exe	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Dglpdomh.exe	Dnckki32.exe
File opened for modification	C:\Windows\SysWOW64\Chggdoee.exe	Cppobaeb.exe
File created	C:\Windows\SysWOW64\Chbihc32.exe	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Eikimeff.exe	Efmlqigc.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Chggdoee.exe	Cppobaeb.exe
File opened for modification	C:\Windows\SysWOW64\Clkicbfa.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Cgqmpkfg.exe	Clkicbfa.exe
File opened for modification	C:\Windows\SysWOW64\Dnjalhpp.exe	Dqfabdaf.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Bceeqi32.exe	Bhpqcpkm.exe
File created	C:\Windows\SysWOW64\Ckecpjdh.exe	Chggdoee.exe
File created	C:\Windows\SysWOW64\Cglcek32.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Ddbdimmi.dll	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Kecfmlgq.dll	Clkicbfa.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	Boleejag.exe
File opened for modification	C:\Windows\SysWOW64\Cppobaeb.exe	Boobki32.exe
File created	C:\Windows\SysWOW64\Cjmmffgn.exe	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Djmiejji.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Dqfabdaf.exe	Djmiejji.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Enhaeldn.exe
File created	C:\Windows\SysWOW64\Bhpqcpkm.exe	Bafhff32.exe
File opened for modification	C:\Windows\SysWOW64\Ckecpjdh.exe	Chggdoee.exe
File created	C:\Windows\SysWOW64\Ccgnelll.exe	Chbihc32.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Djafaf32.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Caokmd32.exe	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Lbogaf32.dll	Ccgnelll.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Embkbdce.exe	Ejcofica.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Kbqebj32.dll	Bhbmip32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdhna32.exe	Cjjpag32.exe
File opened for modification	C:\Windows\SysWOW64\Chbihc32.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Djafaf32.exe	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dnfhqi32.exe
File opened for modification	C:\Windows\SysWOW64\Emgdmc32.exe	Eikimeff.exe
File opened for modification	C:\Windows\SysWOW64\Bhbmip32.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Boleejag.exe	Bhbmip32.exe
File opened for modification	C:\Windows\SysWOW64\Caokmd32.exe	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Akomon32.dll	Eikimeff.exe
File created	C:\Windows\SysWOW64\Opnphfdp.dll	Faijggao.exe
File created	C:\Windows\SysWOW64\Bakaaepk.exe	Boleejag.exe
File opened for modification	C:\Windows\SysWOW64\Cccdjl32.exe	Cpdhna32.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Bhdjno32.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	Chggdoee.exe
File created	C:\Windows\SysWOW64\Ifhfbgmj.dll	Cgqmpkfg.exe
File opened for modification	C:\Windows\SysWOW64\Ccgnelll.exe	Chbihc32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dqinhcoc.exe
File created	C:\Windows\SysWOW64\Eiilge32.exe	Efjpkj32.exe
File opened for modification	C:\Windows\SysWOW64\Dnfhqi32.exe	Dglpdomh.exe
File created	C:\Windows\SysWOW64\Aoqbnfda.dll	Dglpdomh.exe
File opened for modification	C:\Windows\SysWOW64\Dqinhcoc.exe	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Epcddopf.exe	Eiilge32.exe
File created	C:\Windows\SysWOW64\Gkbokl32.dll	Eqkjmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Bafhff32.exe	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
File opened for modification	C:\Windows\SysWOW64\Bafhff32.exe	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
File created	C:\Windows\SysWOW64\Enoinika.dll	Djmiejji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	1764	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boobki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccdjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnfhqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmiejji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpqcpkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clkicbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjjpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boleejag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbmip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpdomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbbcail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppobaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejcofica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhbmip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll"	Dkjhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljamifd.dll"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll"	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknjoj32.dll"	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bafhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cglcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqbnfda.dll"	Dglpdomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhpqcpkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhpqcpkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfbd32.dll"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnphfdp.dll"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbige32.dll"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoinika.dll"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlboca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bafhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll"	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eiilge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhbmip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2696	2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe	30
PID 2656 wrote to memory of 2696	2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe	30
PID 2656 wrote to memory of 2696	2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe	30
PID 2656 wrote to memory of 2696	2656	d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe	30
PID 2696 wrote to memory of 2692	2696	Bafhff32.exe	31
PID 2696 wrote to memory of 2692	2696	Bafhff32.exe	31
PID 2696 wrote to memory of 2692	2696	Bafhff32.exe	31
PID 2696 wrote to memory of 2692	2696	Bafhff32.exe	31
PID 2692 wrote to memory of 2572	2692	Bhpqcpkm.exe	32
PID 2692 wrote to memory of 2572	2692	Bhpqcpkm.exe	32
PID 2692 wrote to memory of 2572	2692	Bhpqcpkm.exe	32
PID 2692 wrote to memory of 2572	2692	Bhpqcpkm.exe	32
PID 2572 wrote to memory of 2556	2572	Bceeqi32.exe	33
PID 2572 wrote to memory of 2556	2572	Bceeqi32.exe	33
PID 2572 wrote to memory of 2556	2572	Bceeqi32.exe	33
PID 2572 wrote to memory of 2556	2572	Bceeqi32.exe	33
PID 2556 wrote to memory of 3000	2556	Bhbmip32.exe	34
PID 2556 wrote to memory of 3000	2556	Bhbmip32.exe	34
PID 2556 wrote to memory of 3000	2556	Bhbmip32.exe	34
PID 2556 wrote to memory of 3000	2556	Bhbmip32.exe	34
PID 3000 wrote to memory of 1796	3000	Boleejag.exe	35
PID 3000 wrote to memory of 1796	3000	Boleejag.exe	35
PID 3000 wrote to memory of 1796	3000	Boleejag.exe	35
PID 3000 wrote to memory of 1796	3000	Boleejag.exe	35
PID 1796 wrote to memory of 1568	1796	Bakaaepk.exe	36
PID 1796 wrote to memory of 1568	1796	Bakaaepk.exe	36
PID 1796 wrote to memory of 1568	1796	Bakaaepk.exe	36
PID 1796 wrote to memory of 1568	1796	Bakaaepk.exe	36
PID 1568 wrote to memory of 2932	1568	Bhdjno32.exe	37
PID 1568 wrote to memory of 2932	1568	Bhdjno32.exe	37
PID 1568 wrote to memory of 2932	1568	Bhdjno32.exe	37
PID 1568 wrote to memory of 2932	1568	Bhdjno32.exe	37
PID 2932 wrote to memory of 2064	2932	Boobki32.exe	38
PID 2932 wrote to memory of 2064	2932	Boobki32.exe	38
PID 2932 wrote to memory of 2064	2932	Boobki32.exe	38
PID 2932 wrote to memory of 2064	2932	Boobki32.exe	38
PID 2064 wrote to memory of 1656	2064	Cppobaeb.exe	39
PID 2064 wrote to memory of 1656	2064	Cppobaeb.exe	39
PID 2064 wrote to memory of 1656	2064	Cppobaeb.exe	39
PID 2064 wrote to memory of 1656	2064	Cppobaeb.exe	39
PID 1656 wrote to memory of 2324	1656	Chggdoee.exe	40
PID 1656 wrote to memory of 2324	1656	Chggdoee.exe	40
PID 1656 wrote to memory of 2324	1656	Chggdoee.exe	40
PID 1656 wrote to memory of 2324	1656	Chggdoee.exe	40
PID 2324 wrote to memory of 1372	2324	Ckecpjdh.exe	41
PID 2324 wrote to memory of 1372	2324	Ckecpjdh.exe	41
PID 2324 wrote to memory of 1372	2324	Ckecpjdh.exe	41
PID 2324 wrote to memory of 1372	2324	Ckecpjdh.exe	41
PID 1372 wrote to memory of 1976	1372	Caokmd32.exe	42
PID 1372 wrote to memory of 1976	1372	Caokmd32.exe	42
PID 1372 wrote to memory of 1976	1372	Caokmd32.exe	42
PID 1372 wrote to memory of 1976	1372	Caokmd32.exe	42
PID 1976 wrote to memory of 1324	1976	Cglcek32.exe	43
PID 1976 wrote to memory of 1324	1976	Cglcek32.exe	43
PID 1976 wrote to memory of 1324	1976	Cglcek32.exe	43
PID 1976 wrote to memory of 1324	1976	Cglcek32.exe	43
PID 1324 wrote to memory of 1216	1324	Cjjpag32.exe	44
PID 1324 wrote to memory of 1216	1324	Cjjpag32.exe	44
PID 1324 wrote to memory of 1216	1324	Cjjpag32.exe	44
PID 1324 wrote to memory of 1216	1324	Cjjpag32.exe	44
PID 1216 wrote to memory of 1348	1216	Cpdhna32.exe	45
PID 1216 wrote to memory of 1348	1216	Cpdhna32.exe	45
PID 1216 wrote to memory of 1348	1216	Cpdhna32.exe	45
PID 1216 wrote to memory of 1348	1216	Cpdhna32.exe	45

C:\Users\Admin\AppData\Local\Temp\d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe
"C:\Users\Admin\AppData\Local\Temp\d0febce99dfcbbc576d4de433d2f1094976e806e1d114b6ee68301876182f767N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\Bafhff32.exe
  C:\Windows\system32\Bafhff32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Bhpqcpkm.exe
    C:\Windows\system32\Bhpqcpkm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\Bceeqi32.exe
      C:\Windows\system32\Bceeqi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Bhbmip32.exe
        
        C:\Windows\system32\Bhbmip32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Boleejag.exe
        
        C:\Windows\system32\Boleejag.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Bhdjno32.exe
        
        C:\Windows\system32\Bhdjno32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Boobki32.exe
        
        C:\Windows\system32\Boobki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Cppobaeb.exe
        
        C:\Windows\system32\Cppobaeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Cglcek32.exe
        
        C:\Windows\system32\Cglcek32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Cccdjl32.exe
        
        C:\Windows\system32\Cccdjl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cjmmffgn.exe
        
        C:\Windows\system32\Cjmmffgn.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Chbihc32.exe
        
        C:\Windows\system32\Chbihc32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Dglpdomh.exe
        
        C:\Windows\system32\Dglpdomh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dnfhqi32.exe
        
        C:\Windows\system32\Dnfhqi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Fhbbcail.exe
        
        C:\Windows\system32\Fhbbcail.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 140
        57⤵
        Program crash
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhpqcpkm.exe

Filesize
67KB

MD5
8a6c36ab47b3e6f9640f63e215a93d06

SHA1
b8867e128f89622b077aaad3ddd4669721cc24e4

SHA256
b7a137851c5b259a473fb0c229a259e8dbd2e88dcaa2b734020c8a29f3d539b7

SHA512
9a908ab2ab2d5d2798cc59da14ee993a2db8eaffbd978534ab28da3887867d19ecb3679e30b419ee8d95a1730dbbd724b5eb1a53dc1438692886416050230452

Download Submit
C:\Windows\SysWOW64\Boobki32.exe

Filesize
67KB

MD5
22a473add1757e2f5a9c396985a73d86

SHA1
b096dc6421212f7cf2ff6711d1d644d9b3d0dea2

SHA256
e3455628a6b75ed2fdd193afbdfd1aa942545c5b991f8219447b0fd80e37da60

SHA512
76bcf5a7379b25b0868dd5b77d927283fc201f2810299585b051f26d1b34632ae208907c387c08682d94556944c8a0525d905c482e6a32ab37de8ead2874f58c

Download Submit
C:\Windows\SysWOW64\Cccdjl32.exe

Filesize
67KB

MD5
e6ded3e95335a353a4e321bac097de25

SHA1
de4bed34872b3c2bd0e17e2fb27a5131b155eede

SHA256
d8d74bc670017c64eebc74ca602c7547d4e3c1c6daf611e04a061b0c1145b025

SHA512
70007cac8aa769c0ed9a7060388e4d5fddadc20fab5a1333fe1cd2400bff18f9028b7bc4bece64dd8d2f340f1c783ea87de3b0432d58be4a5e9d20cc5fa6bc5b

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
67KB

MD5
cc502e807a4ba716323e2e7bfa13846e

SHA1
6cb03e44513ca5cb424bd3a44134af0225dea3f1

SHA256
c8c5837f9ce209c5cb0675bfdf3df5e20cfc8fdcd617e39e05793765bff4d5a4

SHA512
ab2c2e00b7ceaf3bbe79433427746edd9ceb14a86e5aecfb23873b1f3964262fc79187a5bc2b71af9b835b00561f9d2965e8bbe5ff5052a4a9e28b00da47d51a

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
67KB

MD5
fbef39349857d8d24018a8c3c91ec21e

SHA1
3158853a81f85c3cb64e5e60e2b9e714ed7a4f19

SHA256
ceb19ddc7421c6039cf937440e23d0a61e8ef69866c70b65537ac3c42c376409

SHA512
19dd26ba784cc7a6eaf8a6050cc51c8eee94db1dcd157ad1ab08e258787f2c1e31ea8f3d53377f625e920b6656da95c1f017240aa0f87e1b069de2a7894f5eac

Download Submit
C:\Windows\SysWOW64\Chbihc32.exe

Filesize
67KB

MD5
10a9a41cb2d9b5ead3c8107e189f1bf2

SHA1
c20119d925b62239202e4ee8f0ac6ab59de7b5f5

SHA256
7d4f415e0aba4a8d1678035887088997bb475d7346bd63a3b94069d762fd3077

SHA512
8b1ad2451c3db53e8e096e87493ca029732dbc7c44c1e44053594100507b0b1cb36eb734b0f4d94291edba355c7dc5a2404732b89f4f5e6fddbad6b72fc888bd

Download Submit
C:\Windows\SysWOW64\Cjjpag32.exe

Filesize
67KB

MD5
f9d665f0ebd6d7274bb366b1666a5216

SHA1
7e8845c147b560f12b1fa644327f2316e8bc2957

SHA256
ac67b2a9e7d048b7ebb2e4f4e003384e13cbef634788ffcb1d5f005593fa3083

SHA512
58ab2c4acee9c49e2c011d6bd8ae11159711b6dc13f5e3f59dcdc1a02ad702d2b32374c8f91d4c9afaa9fc86c9062385a81304a5ddddd991e415b5cff610292a

Download Submit
C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
67KB

MD5
dd4e8e4d344714fb64638b05a4e3e7fa

SHA1
af2d8eb1e50a7ec1debee3c42c16df10ed52d3f4

SHA256
58eceaa805015cb369f11e70140d652c13bc68b0224ac9f099ea0c1bccd9feee

SHA512
2bc7a3201bbf3201bc7ffbc08279e3cbdfc715e25b654be487e40d826a7816553fd84dc752d0163a647f6900e4012698e1e77f2701320cb83bf7901c79957a57

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
67KB

MD5
48e809b501800db499e31fe55110b2b5

SHA1
cc9e8ccf0833549bc18ea955f8a84fb7a9ab9773

SHA256
1b6fd62376a50bbd02650765619adad839df81ede6fff66116db5dba6526f49d

SHA512
51c49776d519f61ffee6267249153d1c5ba3c0de7522dc633e93d3a6dd171fd51030e9e4ed48c40305ec4e8e17b69c753e6469a67875d801854c2e68f6079f6b

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
67KB

MD5
44bed68eb7b6a73aadbf78e062ff6aef

SHA1
f3fde45f318d22452a2292894708df0f18dac305

SHA256
aa2cd8b26336c7d72eb2b911fbda5f72d9297a5579653b897eb8de504f7967d5

SHA512
8df79d0c1dacaed9d26f0247da96ca9931b435c5a618a94d5865d3e4df2b9c21c1465de87c7b84ca0c201b9cdc07067dc8d5e38ba5f4daf67481c5cc642cefea

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
67KB

MD5
6956486614c927a313035604f7d3b18d

SHA1
8c90e6aef56ed51fd044045521bfa5fcb377b77d

SHA256
b20834d2ee201770fb41d86720fb477b160c83ddb8d8d8070717f880bc7a62bd

SHA512
1c42b0750bfe250722837e6a49a76701929d6aba5776e3e30abda8a0b888f6069c2c046bef1e8a2ac9b6b2a2f30b686b6142d6ff3f7c3f61b5ab6fdb61cbabf5

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
67KB

MD5
294c07a8cea1b26c933bcbba945ae3ec

SHA1
51d719560bdd44d4c73460f7192c149e185f1f11

SHA256
74376092169b5f255ff4867ab7d02a26c87df3d9904635ea0cfd39e31bfb48cb

SHA512
b75fc16494f0dc7b0d6cde863723c2713e89b96bdaa83d592c81edac37ffa52eb4917ff468b0150888ca9dd0168973bf78f7b32a7fc3eef04f8f846153290c52

Download Submit
C:\Windows\SysWOW64\Dglpdomh.exe

Filesize
67KB

MD5
0024610fb0139d083a32f0d398411d35

SHA1
ce7a389b1efdd41f1389cd8d667e67f8419c3de6

SHA256
af7d541861c024ed24f90b2b386e4646acf5913ef960e7da9893bdac4c30a7e2

SHA512
70ca82032328001eddbcffd6fe9340aa8af9f175da8e61a7e3aeb9c3756dc59d166c47325146502f2c1bae45404679ea08a1af5b2738fc4b021512299c94b8a1

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
67KB

MD5
e21d86b67f3107accbf09e502a80dbe9

SHA1
170c20903ed26c876b0176ecf188bb152a9016be

SHA256
b6df4d6d73c45aaf3dad040dd30078703ba2857e9031aefd86b66ca46ff95bd4

SHA512
493c0679069142f2778d7914608b9b3743b0da9e67a67e24c96b1b228013a39346ad6e7f308c4e8cd6ddc5709de657774f8672da651803c547972c1fd37fc7c4

Download Submit
C:\Windows\SysWOW64\Djmiejji.exe

Filesize
67KB

MD5
47fe3085b4193ce017d4d55d080d8e18

SHA1
ddd243d2dda3efc33ba3806f9d31f9de6b7f60fa

SHA256
35ab30e607f62030a53db9896afae49346594b12fb817cb21dcc0d6846779edf

SHA512
a38f10946505795d3400b5a3ebdb1723832f2e84d5f082c480990c2354ad65ca2e84bf658e91a80f9a1802a41f2b87f2ff4ad332e9465afa9b8b98a45294740d

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
67KB

MD5
e3a6535c4b58371aa3e5f66fde7e75c7

SHA1
893f687e7c6007f7e66768ddc0b1ee6dfce882a9

SHA256
03b51ee6eecd965d95bffd8979bd7a26521e9ea9a0869ec105e04bc862de7026

SHA512
bbbf231f09acb1ede13dba289379d894ad282e11ee0a51f8284e518f55625838f2a0a8071620e5a3f9511aed704ecad512c9674fe3c02b322f9a84633fba82e5

Download Submit
C:\Windows\SysWOW64\Dlboca32.exe

Filesize
67KB

MD5
a90513bdea69069790f403960d9404f2

SHA1
0c4e056a3f2d32bb5d54a2d569642bec3b0f6481

SHA256
e3c2f22b789845177088818ef84c3031bd2f93591caaf43ba476c4f52292b085

SHA512
2882ad3b7e561ae6cbc8b4d4a47343974d30c390465a909c1bc647038572333985472819a7f92ca257c7100312311f5bf14cb247de587f4ffbeb216e056c9a51

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
67KB

MD5
95b96ff515b59c28b85bbf870273f5ff

SHA1
e55dc6d201a9767c91c4748a8caadebf39a8ebe2

SHA256
643907d54168434f5564702749fb3c86269414a3f3fc7860c1ab8349761c313c

SHA512
380be39d22d4b423829efdb44d55e8eef1f5f2345acc0ebc5b746ef7716ada4999b7f81d9183e55b8e82914a0aea0f0ec9331974da88ef707a2ce3aad86a9645

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
67KB

MD5
9cd6e2a796ca770f49b656b6e7b73da4

SHA1
664cf5ed502136ea8f4a928adb585d4472c416d0

SHA256
34f31d0bac136720bd7bc860b20f9a9cdc20aca9e5991ea9f01d6bbf0f495981

SHA512
edb48edb3c30e0bbb2a77022cb49d2d7fbc5a0b9b90c442d8403cec199799362ee5c3a671fc5946d6c3cbd05f24ea932e1c310424ccd660d3d9be1336ac7149b

Download Submit
C:\Windows\SysWOW64\Dnfhqi32.exe

Filesize
67KB

MD5
8172d0bff04edb0012e8b9984bc82541

SHA1
bf503f4f3ac970ff163c0e8adaf84294d6be4a17

SHA256
75be91e5d695008d6af6dd6abc14debd13d708b2b3d73c883e5006c6d89f265d

SHA512
195ff5b7db850aeb21e0e025c121a889f588d734409192ac031c7a42e0993d3612667453600f31d5dd9ac1c43cfd7424ab1a3901104cf35199521330cd467638

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
67KB

MD5
4bcbbd3ec99d703e72a802384de4bdc7

SHA1
4343e0712197cf2edd9568b6c2e972b9dc7df220

SHA256
f1eacb921dbf20c8e9cbce3a95fa2e4a79e61bb3ed013299c961a2a5fe280293

SHA512
87283f937bd97f48d0daa6a54ebe6a5d030bfa65c6e26e62a347f4ef60b1694e88713131c41f429d2f930f1a16d6d978d19aa6a6fd3aaa2c357c82e1b8c66aa7

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
67KB

MD5
9146e022567d4a72cd6d9c614ea75a42

SHA1
617c5aa41017a1c8ddca20b3b6092a6956e711fa

SHA256
d509a1a01a3f55b173f70fce43a024ecddc6b6fd851e43fb3940dfcf166660a2

SHA512
100a3b5b06af563951a9cefe7f70ad006aef0d6f664893a258bc12addb696c115f1e98455f277df5fe98c05b671d00d59efe2f276de433fb6e1571da520f99a1

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
67KB

MD5
2e44625b57ffb25682515a56802e4264

SHA1
9e8cc3d5d3a30acb9be74810abb2367cb1c0bc3e

SHA256
e70aba47d92feb02f492064423429eb6115d1f3ae43bb6bb84cf97113f4bb061

SHA512
b038c9c6dffc0aaebb8cf6ca69485cf6e71daaa2a612d7505f50987b51558a640e802195f086f59119947a3b1d412a614ad73e378d5eae74f2c97b2520640802

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
67KB

MD5
645c9fa9e6a43b1389f15695a892fed4

SHA1
375cc85fa32918ca62ce8c4aef7af173a75d698c

SHA256
d3e32fd3e590c99f77e2ca7d3fe22f38de32362643b09d5217cc496a89c789c0

SHA512
2fd0a9e13741342b42d59910cb8435ff5a407b3efc4d2e119525744a7d085b0f848d7890050e0f809e49e25614c82e77cdf96aadf7e3971e42d8f3664839c7d6

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
67KB

MD5
33ee84bdee288d004dcf1147cef303e4

SHA1
d86879382120ee24f9cabec62eff358bf094177a

SHA256
9d48e0377b2c5eb1037aa68d16b17cb9e1c63ef9f41840b5217e557f9a47c139

SHA512
36a891d2443962c65587c1a086403803ebd13597597460a1d348b395c7838aed184a584ecd7c7ba41bab301693a53c2bfdabba51728844b13db5d535369ae31a

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
67KB

MD5
ff8306dea43d61960845bcd4d8a90d72

SHA1
bdc3969ec81b0f9e8b1de442a72e3d63822c56b2

SHA256
52774cbdaae8a3819daac53e7124cf8e98823811eeb4ee34c5db465fdb2b3938

SHA512
1a8a403567cf9aeb7999021e1f75c29a78ffb140a9b6e00f0dec03125285ed67da6b2b5edc5dc53a1a7b72877c1e29b24fea7b0c8853f496f819222a9331daa9

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
67KB

MD5
cfd158abd9102f09fe0852e58ef8778a

SHA1
5a24f8685f76a71845b662b8629074473c79e283

SHA256
3aed846c5bd4b15c74c934a93f54a2f3e0c1a614a144faaca937e030b07f88b3

SHA512
bd85def0c257078494ee1c0c109fd3771bfc40104674ebbc916b73b2de515ebc19e8ffe576ebd9be2881ecd90d83a20d01bc1fdd672482d3d83954575d8acdfa

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
67KB

MD5
f5f331a814c9b35d96bc48c2a1af3cdd

SHA1
9fe4d0d9e5923e23f1482f6538d428785757dcf7

SHA256
f14aa44c552bb040b35d3a0a95f17e71bc4654d62629d05ba2607beacabb00e2

SHA512
738b342c947b4420a5644553769eb8ddbc309de9bf199d8f7e0ffc2648b08e35977e40a874caf6d374e428679a8af7268faf2ccddd74bb045fcb7eb416f81ac4

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
67KB

MD5
7ecd9163307a30cb264ec9f141919adc

SHA1
b77ef75feabcc77731ee2760cc055d0c15e0dee5

SHA256
835702c81ea3c7495365a2809b9ed012aeaa65c2899fd4fca2141a8d4e109651

SHA512
1301b2f9b7c2961dc320e83e8595139ec6ece61bd82af1336bc9a511bd2c719707e061eee8ccc769877d7eca2399d6528985a963dc2a895def53029d59f6b8c7

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
67KB

MD5
7135c609b7983c28b348e59e3ba84c2c

SHA1
3ecab8ffa27258fd021f46b1b481d8978d69001e

SHA256
937cee97361bb13fd35d0974182fd891ecb4652e174ff2b67d99d9a9dddb69ac

SHA512
1600a7ca2b6197c00490185bb3d55ca25a6ebc0ee14329c4deecc57482aaa8b2fbb40b7c0f7e5332e061cbdc0ea9e35c43dc43f64b12e0bc4179f28774887940

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
67KB

MD5
1d5d959fedd10d3ec58743d2beaf065d

SHA1
92c5746689bcf7190cb0049d97067abf66929205

SHA256
d58e30bffcc8eeffafca7153393dfd779481693ce279bcb5c1abded852d0b5b0

SHA512
100c91aaef8b6d10fbc55a6e662365df15561b2bf871ffface1546b668e5f6b4d78684f1c0bcc313ffcb6a461429c15f2087e483e78004761bf654aed35df223

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
67KB

MD5
e0ded26c59e2d299298981286fecdc17

SHA1
ce74a760b74aaf28186a38d26a1eee5553dc8205

SHA256
4bc0d68dae048711c9071090b3f8a9da09a930c450fa464a8b21d3b3755bbaf8

SHA512
a7d8189edc8b48e5ec024aa6212e67ac8ac80e7d07fc49ea316d3a9f28ef2032ad647f412d293def8c1274f971af1a161a70a1d0cfe2c8052c49131af60a24b9

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
67KB

MD5
56c24beb7853e537d01c416ea190201d

SHA1
f1ec916cb38a94141de3a0e6bb9a55c078646bdc

SHA256
6fc6f2e74d72acf27408afeacad45bb56d4dc7de53484d6e1cf77dd3e2fdf04f

SHA512
a75674f62ebe2e72f3d312246ecd432d92af0ba3c7b5f7c88289608c8205bb48c5ff53653eea5f3654f2a9f70426c0a724f275f59ad5788c0c2dde170135f805

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
67KB

MD5
6b38e2807ffb22922621ce28f4015a99

SHA1
dcd394a4e9f98ce85e18bad775d94915cac68980

SHA256
b58249e901b46b59fa16da1da5259beabdbe8bd5e2c7b11ddd4cfd036fe76eed

SHA512
28254db371735be0cad46d7b6aa0d3778a1f54f9c8feec01fe51242bea87a96dffadcb6d9e83a15eb79ab2c3704bc404962b469b28005f47e3b61208abe6da66

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
67KB

MD5
81ebf10890efdbc99408613310447a6f

SHA1
a9198b6aa70aea87f215f24446642b0f250d534e

SHA256
34f3b43f257680ba7f818316d36709237ce31a98728598694eb43e2cdd191f16

SHA512
f9914950429d50000dbd78ab0d3f4ca8562f8a4fe3733abe3305fb8f849ad9cdc91c0245634f5a24d064815a6b85f6a23a246a987067185c1238c0800d193486

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
67KB

MD5
2492ef5ca71c7ad8ba5d3c62eabb5ab4

SHA1
ef50ea919e535892d9c226a18fb631ac4bc0f1f9

SHA256
06df3d9e34fa0fa77f1f4c1d13b1a24180420f1faf22049f6ee8264ab3991e31

SHA512
7b56cba1c5f77df957c22b844aedb3dddc085c292fa2f97278ff4363d2853d3c18927863835dc63066cc5c4dffdc20675f38c13ff91ff312c644ac6effd7f9b8

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
67KB

MD5
e25888b66205886e28660a5379605f26

SHA1
5c3060d6082692d7f6412a7e5b862bf161d2bdb1

SHA256
1e44805ea81194e2a37a1d532cf18ba138a7ba9f07b887fbafef84b53e1d9b0d

SHA512
619ae78a605395da370726c5a815033051e0617a9f5d482db477f1a4451e495cfc9659c9724e2f5717f12e0ddd5dd8d4d9ed2c92bb6dbb9145900e57ff651dba

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
67KB

MD5
b72796da104a0756c7101ca5a093ade6

SHA1
b6da334c7f8da4b63cdbd5810a057955621d43d0

SHA256
2adaa36f06869d81689e7e27a5b0ecba299dfdca7702145f9dd41b99320f29ed

SHA512
f20b45ba6d12e05d2a41f9cff34137ddb5f6f22ef5462c0c9bbb97359f029c755f49d04dd07a944abb95b3a4d4284172506fda30668d8e730c4437158d89958c

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
67KB

MD5
51ba7d56a2331c99a946fb48eda04d9c

SHA1
963170e1af2a96a495f0f4786dc948e2f0c9010d

SHA256
8f8ed62e623ad9c80e0b350439f2aa4975338039476bf237f3afe46598eb0c10

SHA512
2897f74bddaad5aeb7408598f10815eacc676ce4a5939258f8a6b12a8f73a21aa37d2f285d421b6b0cd52e82ea940a837d92884733d6324e852e3d8e3b3b4339

Download Submit
C:\Windows\SysWOW64\Fhbbcail.exe

Filesize
67KB

MD5
192414561e47d6e21130c2b6e43c8948

SHA1
d9c3745f179c610e5b9617b52231ca8587f05835

SHA256
c3ea99a999bc19b023be25762af3b81ece0acfa2fd5c61a5b04f6f6fba6ff25d

SHA512
b4c594b89907fafb2d1cc00492e5e83d2de4780420932493cb5dfe465dfdc9316d4e1de72423b37eedd25d4be694de83b61626eeefc6352ff23af24d710a37a8

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
67KB

MD5
0ee86c5990f84a656c0fb9e3a37703de

SHA1
798ff9c0894e6332d0f27677385143e50bb40345

SHA256
4fb85f5657d2ba702daa8706e4bac3c3a2e221bb4f79de53854504351ecbf1e5

SHA512
ef5a5915b03a8f1b2b4fb16a594bd3bf7a02c22af4147c32a21f0940307144ab07d188bb170071dee7bbf2475c59d6d91f008d09f44d47d14b9fc9bcbddb4536

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
67KB

MD5
5e51c8e0fa0b70916a93901a271538e3

SHA1
3adf7cff611427057f5ad8dab4fd1d5c978356b1

SHA256
5f9f0db7b2e12f6ecc9e261ec3c50532c0433cb1f09f13f2fd6a7d0bfbb396c3

SHA512
23a0bf68a2ac4d74d45de3e841a15bb4c850e73f3018d4804d1f34a2aa55950d45e2527de612196b7305437d6a0a6a5525c8f2e8c334be8ddad4b0b29862eb64

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
67KB

MD5
fe212bfb23a9cd046aee8462fbcaf07d

SHA1
1a917e11e0026296241bc267e1d6748d79de01fd

SHA256
29fb60d6e62354ca63c56a22397fef5e7adfcb246bd63e673562bce258d831c6

SHA512
f6f3c39ab90125723b79e415df884302fab1a741e5547056effaf882308dba7c017b144d3bf37a9063b6824ad0cc2180eba6a5d4a68cbbe243f68b07c22e2e87

Download Submit
C:\Windows\SysWOW64\Kbqebj32.dll

Filesize
7KB

MD5
7596778febf7b2cfb325f9ae820811b8

SHA1
2e80c77fe9d258a7539258473342e65c5df204d0

SHA256
6f3297ea9471692a9e9f5a0a8b030eccd22d4c06e0c3f977b6448939d5f4c6e3

SHA512
e5a2f7d8de362bfaba9d36ab2ef4a4b81b52fe772ae6093d876379f5cc6a53ed794aae173431af6e7477c64c239510b1736f49cb77a67da79c37ee12e5c30d38

Download Submit
\Windows\SysWOW64\Bafhff32.exe

Filesize
67KB

MD5
9f36b56dde71c47ad5c83ef9d159210d

SHA1
1a58f622bfe44c61d03558bd1faaa20f74bebf33

SHA256
8b1d97f5d3071474e553f8551b7ab29d011c36eac3a88eedf7fdbd1f350bcc5e

SHA512
29aefc73f363e4d3a4492979f5ff0d45769cabed2eb7bb5e9116916a4eabe03b2e98825eb2a9d7a70d1ddf88560209933aa6c38ace40fc94d59dbcb4ea0a9fb5

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
67KB

MD5
da762f96ab6f3dbe78cb0ec1850b47c4

SHA1
0bf6ed8f3ce5c401f1c5db011bde199a6bd26780

SHA256
ad4d81a603008a93a99685cfc22d73eb3d083e2a59c472466065434166e4ea5c

SHA512
6d518609afa11a37e65bfdde20e19d404379ecca1549b935d47e6c2ead5a143cda850fb47ab54385dd97c3777dd3830f5e4cc9ecede6af9e8d5953050c705149

Download Submit
\Windows\SysWOW64\Bceeqi32.exe

Filesize
67KB

MD5
b36f726734dda5f0b93cc36722949bbc

SHA1
b01bb76293232097595ffbfc0530d6f763a56d4f

SHA256
0a9e797983875b5a257074cdfc4b2c0fecdfc2f4a47011a37569bce75db0d279

SHA512
b2aa381a7a0143e683d700b1a8f898e0582387aaa9285f8d2906e0787cf39a158febdb0ff04cb096f05055ee40de94c0de0c8ea2701830d49ca3669719a17ac4

Download Submit
\Windows\SysWOW64\Bhbmip32.exe

Filesize
67KB

MD5
ea2b529d44b75c47baf9ee67399bb590

SHA1
0adfc2b43ae1d8684c6f2cfe35e0fb23c6998683

SHA256
80b64cf1cd362658e916770168ba091feae627990c85f5a7a98df86da309e6f7

SHA512
bb45a0edbe4a44aca043af10cc04a6d09a9e5109fe0df4ab817d4635b5ce1ce268f843595fde7934ec94dfd4e9fffaae21c745e810c6dd953576dc6a6e34ee6b

Download Submit
\Windows\SysWOW64\Bhdjno32.exe

Filesize
67KB

MD5
9f3e11772e5f4f5c2503e6411f22915c

SHA1
b2c4538309ae4376d55966e2ceb64935f69bd9e7

SHA256
8c8cc642bb7f749a9cdd7d2467e4eb170dba763bc2979d37598ceeebe3285478

SHA512
d04ef8821bf375d8136ef7c8adf09838e3dfb6e17adf3cf31cbd4a365ec6c51e32e2376a51a1fcc1c633b38adba4cfb0681a14e9c9d76e41147670525b903923

Download Submit
\Windows\SysWOW64\Boleejag.exe

Filesize
67KB

MD5
09da266601a47953bb1c60e558f520a6

SHA1
6c75f5c8162d91ed7afe3d106b023273d4422a14

SHA256
0c44ba6f664a2bd9707d01d2051589767af5492bb76e67ee7f12d74e9efd4bc2

SHA512
065a46f454e4765c8b244034fa589f47c2956490252762ff91621e7a533a08b1572539b1a42c32906732e5862538aafd0fbed35bbecafebb6c898fedc3ee44da

Download Submit
\Windows\SysWOW64\Caokmd32.exe

Filesize
67KB

MD5
f21f9521440275329f13874538beb177

SHA1
bc03c023107501a19c4823409e56067840496893

SHA256
3915cbd0eddde8891f71bfd397566fa2306161f8f26cd509cb04b07ced0b537c

SHA512
8d262ecf403d053826c1455aad3ab49659af7fb17da76ec5c4e943847e04565d52e0b5f9168c5e45e87d838893156ee0ac21a4cea33d788d34d5002d1688f5f6

Download Submit
\Windows\SysWOW64\Cglcek32.exe

Filesize
67KB

MD5
e5e3871b0cfc1964281d606b023054f1

SHA1
375cccfccac3decfed329e39ecdd615e129cf3ce

SHA256
448255864a4c534d89b59677f47ccb325002553ddc6130ea397f99565d2d40be

SHA512
b39d7d3e44b6f1a7ca7b697a944e6472e0b29c2c9be2660849963938594ccf59770fda04f56c514ff9edabf41219d8f7cda7d454f94e812f5504da1b598739a5

Download Submit
\Windows\SysWOW64\Chggdoee.exe

Filesize
67KB

MD5
5a06295469875fbb9115b2884cefdf40

SHA1
28329618df02cb05adb6dd7f909ad88682bbe0c3

SHA256
800ec8be2e14234e947b5e068c39f350dd0424218f3d86c930966e2ddd4392f3

SHA512
f59f91bd746c2a3ed6e6f4bb2b8035d73eb524e41e074530d920ec78350ad18b2feb5736428a33b473f669d2e30b6b576734e4b801739c05c406b0222c34a62d

Download Submit
\Windows\SysWOW64\Ckecpjdh.exe

Filesize
67KB

MD5
db45d279bf79d3ffbacc8ab6491a3693

SHA1
a515703ccf6d4f4cfe591e2b50c462705f9e9189

SHA256
8d5f10139dce0ef9849d2fbd683f25434a9379f67425629c0c8a83b38800c0a0

SHA512
4c03fe83501abf67f7a5c68dd0963af1150c34b75ca045c4111d2d96cd2fc0748182ad5a7a69cc34828a0117f7f49cd8ba8284f2251f6a4376a6caf16230324c

Download Submit
\Windows\SysWOW64\Cpdhna32.exe

Filesize
67KB

MD5
b0135c070919f3db7811cdbfeefcf6eb

SHA1
438b01081bc4c5f801d8c3d7685d2ad3c43ebf41

SHA256
023613ec0d5950df4fd54b2a69b0861f2b64491a5b28570c3409201a7d637e4d

SHA512
6d3f0bd889561fb80e2aea8a6fd3e6b86b96017d4c21be0054cc8717933ffcc539c7b554dc9e71e021b23e96fdf46775d771e59b32313e6983566e2eb2e98818

Download Submit
\Windows\SysWOW64\Cppobaeb.exe

Filesize
67KB

MD5
a9e4fac1b0c5b0e6cba3f1daea0273bc

SHA1
a96e3ae05dc5553169b4b5852134cf5db8c358a5

SHA256
3e14aea2bd2d302f60b9806be034615e41203a9e65177076739e12201b7a3071

SHA512
ca787b81fe0ac987c9ff380a722ca989fd2eae0c423f940cec3bbb6b595568092afc6d7b5f8e4f22404134e49aae1d71c9817f796d60b726700b066a545fc036

Download Submit
memory/536-448-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/536-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-447-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/908-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-500-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1096-241-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1096-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-489-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1100-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-310-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1208-315-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1208-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-196-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/1324-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-225-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1348-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-481-0x0000000000490000-0x00000000004C5000-memory.dmp

Filesize
212KB

Download
memory/1420-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-433-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1540-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-259-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1568-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-142-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1776-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-470-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1776-469-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1796-89-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1796-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-482-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2064-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-303-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2256-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2272-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-381-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2324-160-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2324-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-392-0x00000000006B0000-0x00000000006E5000-memory.dmp

Filesize
212KB

Download
memory/2376-459-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2376-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-282-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2488-278-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2544-348-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2544-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-335-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2552-336-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2556-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-63-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2556-393-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2556-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-361-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2624-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-359-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2644-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2656-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-13-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2656-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-370-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2692-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-39-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2692-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-40-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2696-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-325-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2752-324-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2764-292-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2764-293-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2764-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-115-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2932-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-405-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/3060-404-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads