berbew | ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
Size

96KB
MD5

56968afd01195886fb849b14054eb870
SHA1

99de16fc392078ed832de051bf5ca6c5516728d6
SHA256

ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487
SHA512

6503b0f654ea84860bb94df9f426b4ec2b02465eb428de164d43141aa5028689b2fda91b5fefeb378ed5a2e9bfba6516edcfe4e3d87934dd062527737d918909
SSDEEP

3072:hp19Vg6aEboQhfn229aXBHRpqYd69jc0v:hpzVg6N3hfn229AxpqYd6NV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnflae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhbmip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cojeomee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkeoongd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efhcej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dklepmal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dklepmal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdinnqon.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 50 IoCs

pid	Process
2696	Bhbmip32.exe
2676	Bkqiek32.exe
2988	Bkqiek32.exe
2172	Bdinnqon.exe
2548	Bkcfjk32.exe
2788	Cnabffeo.exe
1540	Ckecpjdh.exe
2400	Cpbkhabp.exe
2380	Ccqhdmbc.exe
3068	Cnflae32.exe
2012	Cdpdnpif.exe
2336	Cgnpjkhj.exe
2424	Cnhhge32.exe
532	Cojeomee.exe
2504	Cgqmpkfg.exe
2296	Clnehado.exe
1748	Cpiaipmh.exe
1824	Ccgnelll.exe
768	Cffjagko.exe
2292	Dhdfmbjc.exe
1560	Dcjjkkji.exe
1984	Dhgccbhp.exe
3048	Dkeoongd.exe
2652	Dboglhna.exe
1636	Ddmchcnd.exe
2684	Dkgldm32.exe
2560	Dqddmd32.exe
1720	Dgnminke.exe
2224	Dnhefh32.exe
2596	Ddbmcb32.exe
2200	Dklepmal.exe
2892	Dmmbge32.exe
1324	Eddjhb32.exe
1956	Efffpjmk.exe
2416	Epnkip32.exe
2880	Efhcej32.exe
2472	Ejcofica.exe
2376	Eifobe32.exe
1152	Eqngcc32.exe
2356	Ekghcq32.exe
2132	Ecnpdnho.exe
2152	Efmlqigc.exe
996	Elieipej.exe
924	Enhaeldn.exe
1060	Efoifiep.exe
2028	Egpena32.exe
2492	Fpgnoo32.exe
2240	Fbfjkj32.exe
2656	Fedfgejh.exe
1352	Fipbhd32.exe

Loads dropped DLL 64 IoCs

pid	Process
2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
2696	Bhbmip32.exe
2696	Bhbmip32.exe
2676	Bkqiek32.exe
2676	Bkqiek32.exe
2988	Bkqiek32.exe
2988	Bkqiek32.exe
2172	Bdinnqon.exe
2172	Bdinnqon.exe
2548	Bkcfjk32.exe
2548	Bkcfjk32.exe
2788	Cnabffeo.exe
2788	Cnabffeo.exe
1540	Ckecpjdh.exe
1540	Ckecpjdh.exe
2400	Cpbkhabp.exe
2400	Cpbkhabp.exe
2380	Ccqhdmbc.exe
2380	Ccqhdmbc.exe
3068	Cnflae32.exe
3068	Cnflae32.exe
2012	Cdpdnpif.exe
2012	Cdpdnpif.exe
2336	Cgnpjkhj.exe
2336	Cgnpjkhj.exe
2424	Cnhhge32.exe
2424	Cnhhge32.exe
532	Cojeomee.exe
532	Cojeomee.exe
2504	Cgqmpkfg.exe
2504	Cgqmpkfg.exe
2296	Clnehado.exe
2296	Clnehado.exe
1748	Cpiaipmh.exe
1748	Cpiaipmh.exe
1824	Ccgnelll.exe
1824	Ccgnelll.exe
768	Cffjagko.exe
768	Cffjagko.exe
2292	Dhdfmbjc.exe
2292	Dhdfmbjc.exe
1560	Dcjjkkji.exe
1560	Dcjjkkji.exe
1984	Dhgccbhp.exe
1984	Dhgccbhp.exe
3048	Dkeoongd.exe
3048	Dkeoongd.exe
2652	Dboglhna.exe
2652	Dboglhna.exe
1636	Ddmchcnd.exe
1636	Ddmchcnd.exe
2684	Dkgldm32.exe
2684	Dkgldm32.exe
2560	Dqddmd32.exe
2560	Dqddmd32.exe
1720	Dgnminke.exe
1720	Dgnminke.exe
2224	Dnhefh32.exe
2224	Dnhefh32.exe
2596	Ddbmcb32.exe
2596	Ddbmcb32.exe
2200	Dklepmal.exe
2200	Dklepmal.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Efffpjmk.exe
File opened for modification	C:\Windows\SysWOW64\Bhbmip32.exe	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
File created	C:\Windows\SysWOW64\Fpfjap32.dll	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Cpiaipmh.exe	Clnehado.exe
File opened for modification	C:\Windows\SysWOW64\Ccgnelll.exe	Cpiaipmh.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Cpbkhabp.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Ckecpjdh.exe	Cnabffeo.exe
File opened for modification	C:\Windows\SysWOW64\Dklepmal.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Acpchmhl.dll	Dklepmal.exe
File created	C:\Windows\SysWOW64\Efhcej32.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ejcofica.exe	Efhcej32.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Elieipej.exe
File opened for modification	C:\Windows\SysWOW64\Cnabffeo.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Ppaloola.dll	Ckecpjdh.exe
File opened for modification	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cojeomee.exe
File created	C:\Windows\SysWOW64\Cpiaipmh.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Hclmphpn.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Cnflae32.exe	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Cffjagko.exe	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Ddbmcb32.exe	Dnhefh32.exe
File created	C:\Windows\SysWOW64\Kmpnop32.dll	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cpbkhabp.exe
File created	C:\Windows\SysWOW64\Alakfjbc.dll	Bkcfjk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejcofica.exe	Efhcej32.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Ddmchcnd.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Efffpjmk.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnpjkhj.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cgqmpkfg.exe
File opened for modification	C:\Windows\SysWOW64\Dcjjkkji.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Bpmoggbh.dll	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Dkeoongd.exe	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Ejcofica.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Efmlqigc.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Efoifiep.exe	Enhaeldn.exe
File opened for modification	C:\Windows\SysWOW64\Dilmaf32.dll	Bkqiek32.exe
File opened for modification	C:\Windows\SysWOW64\Cnflae32.exe	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Aankboko.dll	Cnflae32.exe
File created	C:\Windows\SysWOW64\Ddmchcnd.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Nceqcnpi.dll	Dboglhna.exe
File opened for modification	C:\Windows\SysWOW64\Dnhefh32.exe	Dgnminke.exe
File created	C:\Windows\SysWOW64\Dklepmal.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Eifobe32.exe
File opened for modification	C:\Windows\SysWOW64\Epnkip32.exe	Efffpjmk.exe
File created	C:\Windows\SysWOW64\Eqngcc32.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Bkqiek32.exe	Bhbmip32.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cpbkhabp.exe
File opened for modification	C:\Windows\SysWOW64\Dkeoongd.exe	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Fcphaglh.dll	Dkeoongd.exe
File created	C:\Windows\SysWOW64\Dkgldm32.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Ccgnelll.exe	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Gkbokl32.dll	Efhcej32.exe
File created	C:\Windows\SysWOW64\Efmlqigc.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Dcjjkkji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	1616	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbmip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbkhabp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdinnqon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpiaipmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okobem32.dll"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efoifiep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dklepmal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll"	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmphpn.dll"	Clnehado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efoifiep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kecfmlgq.dll"	Cojeomee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll"	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll"	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clnehado.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2696	2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe	30
PID 2168 wrote to memory of 2696	2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe	30
PID 2168 wrote to memory of 2696	2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe	30
PID 2168 wrote to memory of 2696	2168	ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe	30
PID 2696 wrote to memory of 2676	2696	Bhbmip32.exe	31
PID 2696 wrote to memory of 2676	2696	Bhbmip32.exe	31
PID 2696 wrote to memory of 2676	2696	Bhbmip32.exe	31
PID 2696 wrote to memory of 2676	2696	Bhbmip32.exe	31
PID 2676 wrote to memory of 2988	2676	Bkqiek32.exe	32
PID 2676 wrote to memory of 2988	2676	Bkqiek32.exe	32
PID 2676 wrote to memory of 2988	2676	Bkqiek32.exe	32
PID 2676 wrote to memory of 2988	2676	Bkqiek32.exe	32
PID 2988 wrote to memory of 2172	2988	Bkqiek32.exe	33
PID 2988 wrote to memory of 2172	2988	Bkqiek32.exe	33
PID 2988 wrote to memory of 2172	2988	Bkqiek32.exe	33
PID 2988 wrote to memory of 2172	2988	Bkqiek32.exe	33
PID 2172 wrote to memory of 2548	2172	Bdinnqon.exe	34
PID 2172 wrote to memory of 2548	2172	Bdinnqon.exe	34
PID 2172 wrote to memory of 2548	2172	Bdinnqon.exe	34
PID 2172 wrote to memory of 2548	2172	Bdinnqon.exe	34
PID 2548 wrote to memory of 2788	2548	Bkcfjk32.exe	35
PID 2548 wrote to memory of 2788	2548	Bkcfjk32.exe	35
PID 2548 wrote to memory of 2788	2548	Bkcfjk32.exe	35
PID 2548 wrote to memory of 2788	2548	Bkcfjk32.exe	35
PID 2788 wrote to memory of 1540	2788	Cnabffeo.exe	36
PID 2788 wrote to memory of 1540	2788	Cnabffeo.exe	36
PID 2788 wrote to memory of 1540	2788	Cnabffeo.exe	36
PID 2788 wrote to memory of 1540	2788	Cnabffeo.exe	36
PID 1540 wrote to memory of 2400	1540	Ckecpjdh.exe	37
PID 1540 wrote to memory of 2400	1540	Ckecpjdh.exe	37
PID 1540 wrote to memory of 2400	1540	Ckecpjdh.exe	37
PID 1540 wrote to memory of 2400	1540	Ckecpjdh.exe	37
PID 2400 wrote to memory of 2380	2400	Cpbkhabp.exe	38
PID 2400 wrote to memory of 2380	2400	Cpbkhabp.exe	38
PID 2400 wrote to memory of 2380	2400	Cpbkhabp.exe	38
PID 2400 wrote to memory of 2380	2400	Cpbkhabp.exe	38
PID 2380 wrote to memory of 3068	2380	Ccqhdmbc.exe	39
PID 2380 wrote to memory of 3068	2380	Ccqhdmbc.exe	39
PID 2380 wrote to memory of 3068	2380	Ccqhdmbc.exe	39
PID 2380 wrote to memory of 3068	2380	Ccqhdmbc.exe	39
PID 3068 wrote to memory of 2012	3068	Cnflae32.exe	40
PID 3068 wrote to memory of 2012	3068	Cnflae32.exe	40
PID 3068 wrote to memory of 2012	3068	Cnflae32.exe	40
PID 3068 wrote to memory of 2012	3068	Cnflae32.exe	40
PID 2012 wrote to memory of 2336	2012	Cdpdnpif.exe	41
PID 2012 wrote to memory of 2336	2012	Cdpdnpif.exe	41
PID 2012 wrote to memory of 2336	2012	Cdpdnpif.exe	41
PID 2012 wrote to memory of 2336	2012	Cdpdnpif.exe	41
PID 2336 wrote to memory of 2424	2336	Cgnpjkhj.exe	42
PID 2336 wrote to memory of 2424	2336	Cgnpjkhj.exe	42
PID 2336 wrote to memory of 2424	2336	Cgnpjkhj.exe	42
PID 2336 wrote to memory of 2424	2336	Cgnpjkhj.exe	42
PID 2424 wrote to memory of 532	2424	Cnhhge32.exe	43
PID 2424 wrote to memory of 532	2424	Cnhhge32.exe	43
PID 2424 wrote to memory of 532	2424	Cnhhge32.exe	43
PID 2424 wrote to memory of 532	2424	Cnhhge32.exe	43
PID 532 wrote to memory of 2504	532	Cojeomee.exe	44
PID 532 wrote to memory of 2504	532	Cojeomee.exe	44
PID 532 wrote to memory of 2504	532	Cojeomee.exe	44
PID 532 wrote to memory of 2504	532	Cojeomee.exe	44
PID 2504 wrote to memory of 2296	2504	Cgqmpkfg.exe	45
PID 2504 wrote to memory of 2296	2504	Cgqmpkfg.exe	45
PID 2504 wrote to memory of 2296	2504	Cgqmpkfg.exe	45
PID 2504 wrote to memory of 2296	2504	Cgqmpkfg.exe	45

C:\Users\Admin\AppData\Local\Temp\ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe
"C:\Users\Admin\AppData\Local\Temp\ab991910c2672b483e7087a3edf663a033cc5b7dab8ba18b7def9c4e4875f487N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\Bhbmip32.exe
  C:\Windows\system32\Bhbmip32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Bkqiek32.exe
    C:\Windows\system32\Bkqiek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Bkqiek32.exe
      C:\Windows\system32\Bkqiek32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\Bdinnqon.exe
        
        C:\Windows\system32\Bdinnqon.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Cnabffeo.exe
        
        C:\Windows\system32\Cnabffeo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Cpbkhabp.exe
        
        C:\Windows\system32\Cpbkhabp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Cdpdnpif.exe
        
        C:\Windows\system32\Cdpdnpif.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cpiaipmh.exe
        
        C:\Windows\system32\Cpiaipmh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Fedfgejh.exe
        
        C:\Windows\system32\Fedfgejh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 140
        53⤵
        Program crash
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhbmip32.exe

Filesize
96KB

MD5
7a2320597c1fa1f5c30d44aa28a16b26

SHA1
8c5672434ee3f30eef159d1e07e654a553996334

SHA256
fb2c72f4fa306b18bf07825235155a9dcecba81a7e5f2f57472dab824e9407c5

SHA512
b47149c2f79433527a87b23aa92d609f51b4d312c81f528e6e1ada23e2b1b4eda195404e7f0833b2df92a38717d3147b9df7740553e59834e3bb3c58b5b1ac1f

Download Submit
C:\Windows\SysWOW64\Bkqiek32.exe

Filesize
96KB

MD5
8121cde06050e31e58c81019befb396f

SHA1
9b1bb05292027e694adf4270918f18a0bac8e3fb

SHA256
1ae9fab2399f4deefd577b937a89dae0f6cdd3c68a529ac7a52b77fa96c6e0cd

SHA512
53dc7ce75f088f3d41fe8a2f29117c791236f9c3e5a81ff0d38211d20d40853d5478381fa41dadd940e7571b1211bc3d1fc033fb63601f1e677ad3bb2d067c54

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
96KB

MD5
b1033cce7c0dcfda4ff9cc5e0374c18d

SHA1
35cc6ec1e5f405e724d257398658fedb90c15622

SHA256
8594a76d7cc49785e1ed381c902b402266a5803ce84ab69ac94a3c1b7e626d10

SHA512
94f5a179e49f3cd7ab05fb7723f49a700eabf9ce0261848e2c5418ec96f9ba519dc22a2fb5dba4e5bc42fa6f0d6cc3650defe0f4f5c89efbd024474619333b85

Download Submit
C:\Windows\SysWOW64\Cffjagko.exe

Filesize
96KB

MD5
73e5a705fc255b22168cb53dd7cc5afe

SHA1
62dccae463384bae8fd0eed0451f7177d315e64b

SHA256
3b1cb6eb91dabc1d2dc496c46b05cd2f6248f8e5ab21c34189740e0a29336f68

SHA512
4e742c8c38067eb8b07738ddd6c5c421a0878e08dab4c63eee35ccfdaefcb7c4dd07c2905c280e28b55cd82a59020cb28dcdbb2d61a790849d084efcf0238201

Download Submit
C:\Windows\SysWOW64\Cpiaipmh.exe

Filesize
96KB

MD5
eba574cb7ed08d29b335f3f953dedb03

SHA1
dfa9388ade0e965b8c1d9806484d8b49299a3d5d

SHA256
0b432c31e861284b95195b274fbb5e18a7d8f3a7707f58413a27daa250d36ef2

SHA512
582de1df7387368131b6440bb81af39796889410e5841e63067e8e57a582a0ae0b492c4c79e8a2596d265e33215cfb5c204dc7894529ed4f11cfc6d42fa04a70

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
96KB

MD5
9f00057f1c1527aca2ea54920ac604b8

SHA1
988a30b8be0647b68fb58ff5b1aa3e4af860061f

SHA256
bdc57011b0510774135da9c377b619098a3fed337a8e64bb5664ab807404743b

SHA512
93deafc3a6e9400064e0e28c4c36076c173c7f7dea596880ca475caf6dcf5bc5f44e30ca6ecacf2bf9b9ced7ccfc5cd228be561556c636aeb70b4d221e8477eb

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
96KB

MD5
814794488e193d9fc76426c36db9c991

SHA1
284689782e70a9db6ad779b4be9b1f57f88e6d3c

SHA256
f493bd31d409369c6b443e57d9875fa45f6a32bf764bd1d57e7a3c74f24c71fb

SHA512
d6c74e07deb57c352936e7c5da0729f7c961bfcd4b75c98f648d471efa95f2a422415e309d2b89b3205cefaad6facb252fb1828217cd0a5afd6f6fd16103ffab

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
96KB

MD5
5237764350027b4c56db94fbc7b2d9be

SHA1
4c2db35071b545d497f61d10484cd8e11a46c2be

SHA256
05d3e6689fd1a5652f3ff8dd5c53e9a7f2011421a4909da963b88eb930c688b8

SHA512
eabd98d5bd81388931ac41bac25588501dd6fe8ea3623da7e18a2e99fffe6fd6a84515596ec7f8abde647fc30cd3a27f328e6cda65f89cb598d230ea86a28902

Download Submit
C:\Windows\SysWOW64\Ddmchcnd.exe

Filesize
96KB

MD5
417e700c0d75f2a1cdb771bfad5f8964

SHA1
13d5d70ed5ed2e5b97215fc20bc0d65e765765f1

SHA256
20d142838aa79b8519b6cca79d81b5335832cc1e6602e1af4f22c8bf9fe9faf0

SHA512
0ecbe625f87d22a172509084c325bff87640fbddfa737dcbed199043438c6c8addd95cfe6d526acdc09b304172736f0c12347b2a79255245bf6067f20b1031f1

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
96KB

MD5
b745b20a7f2b3110961003e12906323b

SHA1
f31beab501601901f1233bb13f0d54e87170793d

SHA256
51e3220e4b9c4e4ec28f42c40e2472506e8bf0f1e268143af6da40b07c36a367

SHA512
9b553fc6486a727916430760e82af0038294cff2ffb4ea6f5185da0575648cb0b0b12be26c739ab3c1be3839f105341084cf9fd9083d3bf11b34b6bfad32be5e

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
96KB

MD5
ea91f34d49d47f60ae4d60b1a791d487

SHA1
c19e248e95e27dab1bc43d9037f43b22f7985fe8

SHA256
525941d740021da2dea645063b85932617715ab018f3c1519141884ca5384710

SHA512
d3dd9d3dd000ff98e04826e1de18b932f42c8c4c4001305941baf54d0395e8e0d854c30321e3281bed2b97520475f111dccd105f7137707a702b2ac97d19b631

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
96KB

MD5
e7c3d2963d9321a4b9e79d33eb95d408

SHA1
95ac323b3e922a64c5c4bcb2828005997e333175

SHA256
e582fa5b410c62087d51be0e99c52b7a57b6c6e94aef0d879e59d39b8d3062c9

SHA512
610171c093a964db3953eaba7d2c9bebbd6827e5c28b8da744c0def34dc06ff9b0f63b2074e763cd536674687ffd98505b3c03da20dfdea87a6ed119c221ddb6

Download Submit
C:\Windows\SysWOW64\Dilmaf32.dll

Filesize
7KB

MD5
f5026074de0ef8d611cb86f865d19ac8

SHA1
4534320f250f293c95d959f0f1b707bde2ad8815

SHA256
9505e0cb6a844a12a22e059ae2c236f950ba58136dd88895f09e3c23ad7e290f

SHA512
6d9a2073c9d5758e7f072ea7b1f55451ad15c1158101b06bd3b3d1349065baa40808a1ead35f951eeefd67659aa9f0419b8fbf8b19deb1be14e1c5d0d55da867

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
96KB

MD5
1a5ce2be89581d2f03b18d0e1eec84dc

SHA1
d47564795ca19d41f1b016c19b9747d69fa3c998

SHA256
48edafdb468219edeac0794037f06dce2110f7b8f9bf759cdddbc5bf93d4e51c

SHA512
b2a19e86d1acd3dfbcc24ca65eba3f3ba6d6ae724cb87dc2f2cb99ce86d0a000fb4179397c8dea05beb6a016b386e05e16870c0e295bc1ce5251fdb570b340a5

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
96KB

MD5
46dd7196fc613c2da918bc9656000933

SHA1
e32eef364d0acd7f0b0e24fb6c85a3286f606904

SHA256
a33d588a4b42631cf92d9ebe77accff6669967828fc18f2445013647157916eb

SHA512
cd3d49b8a5ffa0c35e1031aaee2fe5f89e73e97686eaa71d021abbf59656742afb1ba888171da38b8f14ddbcb379268d31ba4e719c2eebe0094496aa1871787c

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
96KB

MD5
bc04ff3cbf8182f18f8a58d867bfb25a

SHA1
93c125c918e4e3182fa55145ac7523746823d131

SHA256
4eda8281edd5ebcfb10ea519eda77db7d906aded9f65945f822b3e6ff07c6b3f

SHA512
49d58b924a4753c1ab234ae578b9fd93a5654b86a8caafe6a23bac1f9d81607a9b62e208701fd272a2f5dc66e3a5c36b2748acc761b0dbc080bd539d5b606107

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
96KB

MD5
7dc3c0f192768ffd962c7abc12b402c2

SHA1
769f96ec8de342cb21cdf97e1c5e15dcac58363b

SHA256
c59824cf9fc9855dd19b4782bc4efe695ca3309fc94bdaabc51f43970a915c98

SHA512
4c558de9efb017586ffe6625f0ccab38a9869659125ff7d01257062a835115f96d92ca46d2d8a2990517b135793e7bea5449ebef62f9d5ec94d067e52c59d4ff

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
96KB

MD5
8144d95f3192cd39d5dd3770ca73db51

SHA1
3e05012fec81e275192214dff6d119e472ce5e22

SHA256
34799feddaf5b3b0f5ff260915f22a81726ab67717f2463b2fdc44f03bb245e9

SHA512
43f5656a808e529835cb437b01adfae2e2587751a5a798ef143277536c67838807d76b097ba30a45fc87d2ab528273720252a3ec2c0e134bc1f2f5411c858a9f

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
96KB

MD5
5e9ed9f7c013eb8fa4292f1ee9c8f275

SHA1
b223b8400547e70606f2743151de0b372ec92485

SHA256
edf96ef764936b233f8c411b3b06f2fb588d56c0462aebb30a9346fcb5410453

SHA512
0eeefcb02976b3dc97663476c3c34a624b1bca9889c472313d4a610c5ec3bbc80815dca8d9e4b83abd8c923d2fb75fddf62e6ccefd4682732e1aadf92143b134

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
96KB

MD5
52f71d8d0ee54978bf125dd093b1f777

SHA1
e1ea8c37a5ce3901018d69d615f6a05a01f1b530

SHA256
a0dfba51791efb105cfcc8f94fc362959562e547dea6aecf6e803f1c53e64133

SHA512
69213207fcb6e7a56749fd18a4ac2e80ed43e2d6b91d0f2c625e0e1f935a3a0cfbc99b93e172ebde94cb2fb2cf5d430738648477a858ba68f0e76790389d1554

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
96KB

MD5
b533fa94034dc7db3baa19f567bce80e

SHA1
cb36e140febe1b2dc922df9bf65bec3e1488980a

SHA256
60aa4f3b7781087f86af3fa1a344ba1abd4bf73a07f4998d216102a9c844b7ca

SHA512
6cedf416743f6104fcca8c8af97b75118596cb8931b0a7307d24b8f91bbf33d27f56eb10573656eee17a4f9f0198d2a05644cf348d6a14a7424087d34d8f5de9

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
96KB

MD5
61f613c5c24793fe598a1c6002edcaa1

SHA1
261f91253796a156c2514f3458042c73ab7a6130

SHA256
0b31841440c219e61055142610422be0a0246d23cc4019c0f05110626b936ba8

SHA512
0655307bcdfd1ae68c2fb82f39598caa898887b55538d0a3cb8f4aa368acd2f55a8571a88acd0ba80cadaaf581e2f3ecdea1d11581f18fabbe50de3a0cdddade

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
96KB

MD5
5d0b178e47e7511d7ece5ef660a78d0f

SHA1
abe07b611743197b987be6058bc8305807857f40

SHA256
e64baa9ddebaa4d45cefcb07ea4e3e022ab5256cb9a1c67f76baf30fda1d6894

SHA512
5ffcdf49f0558a52706d88963c040b01e46a44e9a339640cf5a4b23755ed16df6c5e947fbd0b64046b4a7affaddd7c4e1c31ddc9069cf52a367e103a476d7562

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
96KB

MD5
7b1236596f070d6fc6eef725b2f3f82b

SHA1
007910d599cfe36a9044530c01607942a7126c5c

SHA256
8e128749d244a635380106148127049de81ff0e3dc23ded573ba4117a16cabd0

SHA512
afe01564e436c645d036d6a98448cd411053e09e0025fa386642cf12e1dccc06c57831da0d79230f735907e3f358f30171d152f1510e1071e1503d5507afe970

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
96KB

MD5
89d6e58be03fb027c07da86928e82800

SHA1
f9a18049c21b3f26394c92c652436e863b313491

SHA256
5751e00048e6fab028340937a7f0a745ef21782269643f3811353e25e602987c

SHA512
613656ee227a278092bd4c310b73e64d04906180b98a46f23f8e75b29fa0c16edf0f72a3712273a95a835c8d6a90b0459d2ea4bae02c90253e73acd4208bb7bd

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
96KB

MD5
aba8e41720f3a91500545a76d8f114d0

SHA1
a6ab402a3eea056b352db98b80a19bb5f2f15262

SHA256
356960f37c9ca07b93d84314efb2ce033694bc616182ff3e4a87b037ca0adb40

SHA512
71392f0b743e2482180ca4bd7d2842af48f9a0ae887acfedc703df9071ff004e2b1d411f41eab12e4c73f9acacb4ac07522cf7cb61521a83a44500653bde4553

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
96KB

MD5
8a1270a47284909225c22528ea119c12

SHA1
6c7a2d5d427e6687cced69d02ca99620e16293c7

SHA256
cdf9ede8ef6506a33242a41619be6828d7604a07910bdda3ffd24dba36a2d911

SHA512
92971377eeac1238f91e321670b1156383ee2e5dcfd73a12cd94a23930c4a3a0959adde5b1da00528126cf872250c02b14cb3b181a7a56abbe8f97c330b7b5d8

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
96KB

MD5
0edd3872f7778721879868420704b8a8

SHA1
c9bff585830ba13a0e58824f7f36ee372a569479

SHA256
4e1480f608a4ec9f83dcf286315844da2242b06a33d8c098f8efbc167f4d1d6f

SHA512
8126d218d6af15d1ad972c9e4f9623874671bfbfc803d5a43b1772ee4c171e87252dd0c94916f9964552841f087ff5408680fed6f6e0f30bc1532b4d688f4665

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
96KB

MD5
f3fe5d00623901227a7a3558859cdee8

SHA1
6d2bb9b5f2a0ed7d32168fa510a2344f4f51c7e5

SHA256
74476f59e19b667e0cb45488d79a7f070e0433e976c71b68ff2af1d6544b54ab

SHA512
a56fbba14fdf02f6b5a8ecf10b2bcc723f2c8253c81a752a546514104ddf5f38d096973916afe5ac8acbecae78740d06c4584010e77a65a6589e53765051bd98

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
96KB

MD5
e719e4e3939da9c697d02800a399d197

SHA1
203ce9085ae42d440f568f2e4c6d1274bab4184b

SHA256
2136be032405b487f0dea91025bb6088bf4a34a7616978e866650a20dbd46f62

SHA512
e685ccb92850d39897e8903eb81485473d17dd188c5c845d618a6bdd2826e9d9d734dc43285303c26363f6fb582e63fceef4847da02746ac925c1e0d5a1f5d04

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
96KB

MD5
520aadcbd15c63d12671a2fef74c036f

SHA1
009e05db7c08f62480754d56ee36d137dd5500d2

SHA256
b38ea75ede1c1279172643ce4c7885263160d2850103ffbd17b8385ca53f68da

SHA512
fa63c14f310ae5a3ce053c57076f7abb5df5d23ef25d713a9c2adef17301adfaa24ec5352a751d57cade64d8a35a19ae3f08cd29b59ce9bbee5a75df2502b819

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
96KB

MD5
171fe214e85662849b55ac0fab32b05d

SHA1
84b6a1d739578f1185e8d43ad6d11452e7b5595c

SHA256
9cb5e089d82619a8994387d029b7867513544eb2515a9e09b97e235add31f714

SHA512
fbe7e5b0fd661552fa33c3c39992389d6ab6a8c53da95ccb0d164c60d6076776df6b5b9b124d99ff9befb591f7cda035e5aa672154ff7d866a7349862c2abf30

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
96KB

MD5
96718e9ecafd137ab5baed4f21fdaf63

SHA1
e7b12d5c54fb5d34a5c2bc252c1231e6fc88bd92

SHA256
92f94e4c6c800305f617b19596fac3efb3368b0a0b76cab2653e78f50dd6fb0a

SHA512
cea651aef7dbe092802f7064c193b8bc48c944f5ce695b27cb4773fbab656e8458e1d43941573f3ee7212ec67ec5213a299029cb074cae5c9253eb8059d228de

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
96KB

MD5
30d70bc068704762b7994b41eeb8c8f6

SHA1
9232409a0d9b3d76a01ad37b39d3144669eedb82

SHA256
16083a9de1c961e960c1dcc72dda06c18cb1e1f39bfc94987532f4f7fd394850

SHA512
51ef2fb514f42bb25f3b11de96c82f1fe229a20bc98f4c4043654497f9fcb55c7f60dfc034a6bb9266711b0b298bf6309d841dd0b7c85f2b38ebeda7dbfc74ed

Download Submit
C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
96KB

MD5
0639125c32171388bce50a2d332dc7e8

SHA1
0066f57661f1e9aa20805d33b202516fdb8fdada

SHA256
f6d96639264ca1afc7eb9c4a62a9cd5e23f1537f51d5006d0cfa33a25652ac5f

SHA512
1dbaca4e85e40df321eeebd605a3b2b213f9f6fdb9b442d4e640af9191616e04c003f88b8210ea1be4382d0da5be4859e545d115b21cbf87827c1512f25fd29f

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
96KB

MD5
3a09de3e2422a15d871fcbec2b669f11

SHA1
b744d43285baf29a1b338900bdf7bb93c7d7d07f

SHA256
e8d12d3ab8419d98beebc8bdae47aed201e37135205a7e834403dfbb712015fe

SHA512
533a513835b67c7b8a9657afbf1c19c8fad04db857f8c1409329116eb9cf9ce1aa4731512a3c26b9b882395774a5fa9490c97c19912d3024c5400a2b293b8245

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
96KB

MD5
83118cb3ce6349ee7b846a387879655e

SHA1
5f2f491bb632da168e5ef87b8296776a4291a01e

SHA256
f9a97acf84c693fe4a19bac9d5109eb88565a8792f712545d3834c3b1f1bc8db

SHA512
18fcdaf39232c5d9578265ddb89c540ba9f4d4d8f00c11ff832f367c188678c07ea4104aff5878bb86408207d7bde5f3a4da7d915df74a66df458d69bb3a13e6

Download Submit
C:\Windows\SysWOW64\Ngeogk32.dll

Filesize
7KB

MD5
8e7443f07c7357f55d713ca619d9d633

SHA1
b0664083eaad902d8cb7c2c9bc144d984a7114bc

SHA256
77ec90c4d06e15a932793d78ff470ba9cd26edc9220dc4f18b0521c0c8f67742

SHA512
3f08bdd8c41cd0035b87c7205742af205062e0938c337a739d31340c362447f5498dcd184a9964e7f5a40d55f2476f5896b9b59d3cca93e1a6dd91206d4ac07c

Download Submit
\Windows\SysWOW64\Bdinnqon.exe

Filesize
96KB

MD5
9b346b02d76a5c40a728f5f946162687

SHA1
181fe04d4c6feecbf287ccc4a6253d9dea3e87f8

SHA256
8385234783762f79ab3b9189124f3ac62b9d2b8bd9e7d3da2f70b9cfb8f683a1

SHA512
c2c98be58d56943c375cdc2bd6cbb687f528d9c922c1ac5f24b6438f1a8a9a3b96b5b2b950b7b3ef58084b7d0a8dd0cf9de52ad9e257c50c4b8e9e6ab31c37bd

Download Submit
\Windows\SysWOW64\Bkcfjk32.exe

Filesize
96KB

MD5
87c17394e382ae1c013bd906e6282adb

SHA1
741fcfec1441bd5a44632f4828d085aaab067086

SHA256
7199be9b601689a1085828fbf5dabda63f85582e7217c4576bfc22564f4f9f42

SHA512
da3eed4b68550212952b0d63e75f1d8865835964863b0fc74caa92c92841e305d597fdd583a1dada085ca1fa1066fa1a18e9c955493ff3fa7efeb774fd72ab75

Download Submit
\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
96KB

MD5
4b201d9b1aa22982157119ef52b7268c

SHA1
e05c81040acaa112f8177b80d4877424b27428cb

SHA256
e9f2fdbb3b802df3d4cba06891c22f1639739c4efe7666a76c6b166eb9c629fb

SHA512
c138c2b86d08b2ba9890e67abcb54a0b852509cab8fbee0e2b4642b3bf80720576dfca03a27aff35ec3942f80176650d65fe21051cb5911f6e10d15074962418

Download Submit
\Windows\SysWOW64\Cdpdnpif.exe

Filesize
96KB

MD5
37a9fb20887e7d72e57c4673b5f12023

SHA1
a66e2a1eb56bc8f607b50f7fd993ef7b3d0b7da6

SHA256
21c4d4065cd76c9762400596c438fa032b98bed4ef291ccb86f9e68be3c0c9fd

SHA512
69d61acd9a3f9fa8643d4294894e0fe8d2cda3919c0a12a8b1156f731ce8d7573b3ec64ee75905836a0a6538428fc3769936b28a4e868b755497e4417c425a3a

Download Submit
\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
96KB

MD5
b7fb750f0aefd8bc2f4767af2c4a2dc5

SHA1
7bd5c0bc6c1d0237c3491fde11e1ce611df0439d

SHA256
cec4e5cf1239cf359a4232eef58394a3d58c90e6101444d7c5bf6f22258ebcf6

SHA512
45af066f2cc28b3b978f498299f677d61d6141fdf3459d7ce19f412fe3399f1eaf3d3bd14f25db235ecdb3afa9dff0405d40a97290044001db2973452fd4d6b5

Download Submit
\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
96KB

MD5
d85c662c0aea31ef2b5513f5f5762bfd

SHA1
13ac8ca0872a705ebab2777f8c5bc237d316edad

SHA256
7156957b80b0519ec5e2c1bd9c947ddebcbbf4a8c5c3bf7c570d5a2d58a2973f

SHA512
2656740ffc2446f956e15fe4bd71da5ac7346ee3387c59602aaf0ee9c376303ed98d6beed253a440d6f45b953aa4d6b0864d21d1fca879b158159044f6ecd8b1

Download Submit
\Windows\SysWOW64\Ckecpjdh.exe

Filesize
96KB

MD5
92c96f7dc82fd919df221f9b811c8f5e

SHA1
356f0adea939e9be06001f19da5297df72cfc680

SHA256
8994f42cedc7beff4b7d769cc86f59e6f12450dc0355db8321e95886ef97c6ac

SHA512
8b462578c41607df9b1d3275b1305153b58dc146e04f9a040f2ee07803cb6cd2b1a6b31da94ebb0b6950995e9799f5408131bdaa5bf2b9630c035ec2c66b9879

Download Submit
\Windows\SysWOW64\Clnehado.exe

Filesize
96KB

MD5
9d3712b369ed4613d199110ed019c304

SHA1
7a2eee6ad7fe38f0f87fc960fc8f3ad62ca1699d

SHA256
ba222e4ddc2ab763d54392cacd9ab4482afe8865d2cfa92be02d9aed4d133eb3

SHA512
147cfbc141b7d2a98622ec4ac0807223831be7d346b7408f7c1862ae3e380bf882bbe05f37c4d1bf00a99a95424c9ce3fe0f4ce75ca1e5dc7fbc5f3ff798342b

Download Submit
\Windows\SysWOW64\Cnabffeo.exe

Filesize
96KB

MD5
3fa7eaeb893b9dca23be1209a5a7c5c5

SHA1
18d684956a42094e5b9e752213d6821e2ddf7271

SHA256
e085fc7eca9c736a07a379277a40f709d46bd5a4de0d54c8867d5b94af490c32

SHA512
02b1169f5d1692eae2d067e91394e8b58d44afb672a5acd3c21d74dffc860ba227c25cdc7e5bc0998e7b19ed96ecd36f71ec603a13af438de103f6a3618e2f15

Download Submit
\Windows\SysWOW64\Cnflae32.exe

Filesize
96KB

MD5
4623bc5dcd561ebdce5a98e1a71bd3dd

SHA1
1fd0cabb0403341703f8f4c02c57131913a81e48

SHA256
f31a521d9da4c936a63a4938674d8975bd1b58cc4d8688db6b17b813bb1b1f5c

SHA512
1e0103f08f956bf22fbab4b8a4c80e24cc5c3921d980c27ae87a1bd4cc47ee53fd8f2fe24e44faacb0149ddc7225d8783f9d3d806932478000b617fe5d81dc4e

Download Submit
\Windows\SysWOW64\Cnhhge32.exe

Filesize
96KB

MD5
17f856abe64263014b2f8906f72260d2

SHA1
655af1a1bb84bdcf5f01b45c85812d25b1b1e366

SHA256
e3724e516a00417b66d42f649d2e264be2c7c4592e0fb3f08ff65308329be42c

SHA512
a2b985e094edafb91bf9409b8debc955dd35422114e0f6a144376ea8da10b907e1f3dbb2e0ac88b725aae020c7f0fdbdaf1103270ad7425f17072ae5a9d34e48

Download Submit
\Windows\SysWOW64\Cojeomee.exe

Filesize
96KB

MD5
617fe500ac0ccded68e57ac0aadbf329

SHA1
9b07ca3aeef08bf9b2bd541fb0a80c1eeae002fd

SHA256
6ebbfdc48cc62bee22ef260b38238fd7fc29df403aed332cd583eae87ea20a1e

SHA512
490650a314124758f7999dcc5ad9472a761e8c1e1436b6c9afa0b1075cd0efa15e2bc0f88469455f57bebad28b7d1e4799289d35201d8c2582b2dd1ec551da39

Download Submit
\Windows\SysWOW64\Cpbkhabp.exe

Filesize
96KB

MD5
e90c9181e5e53530fd54c1c441a2e7ed

SHA1
09e2ab5fba51e7461d9b1ab56ef42f6542724a2a

SHA256
2377301ca1dbcf2a3826c507c45972ef139f8292317f36a78d97d973332bae6d

SHA512
363fb068d764157b2f3393448120c2a80d7eb81285095ec71115b2ac50154cef61d0a697f5c5c616eb4e893d9bf11fd04d1672f9751b56aec74740f722d24b03

Download Submit
memory/532-186-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/768-244-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/768-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-243-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/924-506-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/996-504-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1152-460-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1152-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-394-0x0000000000390000-0x00000000003D2000-memory.dmp

Filesize
264KB

Download
memory/1352-582-0x0000000077310000-0x000000007740A000-memory.dmp

Filesize
1000KB

Download
memory/1352-581-0x0000000077410000-0x000000007752F000-memory.dmp

Filesize
1.1MB

Download
memory/1540-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-266-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1560-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-262-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1636-309-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1636-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-310-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1720-347-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/1720-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-342-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/1824-233-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1824-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1824-229-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1956-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-276-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1984-277-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2012-493-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-151-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2012-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-482-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2132-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-483-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2152-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-12-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2168-18-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2172-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-59-0x0000000002000000-0x0000000002042000-memory.dmp

Filesize
264KB

Download
memory/2200-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-382-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2224-354-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2224-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-350-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2292-251-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2292-255-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2292-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-214-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/2336-505-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-471-0x0000000001FB0000-0x0000000001FF2000-memory.dmp

Filesize
264KB

Download
memory/2376-448-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2376-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-449-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2380-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-121-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2380-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-177-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/2472-436-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/2472-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-438-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/2504-203-0x0000000001FB0000-0x0000000001FF2000-memory.dmp

Filesize
264KB

Download
memory/2548-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-72-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2560-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2560-332-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2560-331-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2596-365-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2596-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-298-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2652-299-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2676-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-321-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2684-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-320-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2696-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-87-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2880-425-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2880-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-384-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2892-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-287-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/3048-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-288-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/3068-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads