berbew | 0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
Size

90KB
MD5

4c2a296dc92d1a0b7663f1a579282540
SHA1

997d4178c275723d8e6ed0da558a6b09d32021c6
SHA256

0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8
SHA512

e862577d73c30df8b20a5aa440a399beadb096d40595b0226fb549745b65fe94c3aa1751f041c5c86fcb8016b3731a7e4c6e78f6796123a34b04775463883f59
SSDEEP

1536:5CrHZuPbqVeW0k7VTa5eUbvuyw3ZtwMEvAjF59LTr4QX6fOOQ/4BrGTI5Yxj:2ObbWjTIeaPQjF5pTr9WU/4kT0Yxj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blkmdodf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efhcej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkmdodf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blniinac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlboca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqfabdaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faijggao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklpjlmc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bimphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bklpjlmc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkeoongd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blniinac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnfhqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
2676	Beogaenl.exe
2760	Bklpjlmc.exe
2716	Bimphc32.exe
2600	Blkmdodf.exe
1512	Bdfahaaa.exe
408	Blniinac.exe
1376	Bhdjno32.exe
2732	Boobki32.exe
2756	Cdkkcp32.exe
2648	Ckecpjdh.exe
2312	Cglcek32.exe
2028	Clilmbhd.exe
2132	Cgnpjkhj.exe
1904	Cnhhge32.exe
1080	Cgqmpkfg.exe
296	Cjoilfek.exe
1940	Cbjnqh32.exe
1676	Cffjagko.exe
1864	Dkbbinig.exe
1812	Dfhgggim.exe
1564	Dlboca32.exe
1684	Dkeoongd.exe
888	Dfkclf32.exe
2448	Dhiphb32.exe
1584	Dkgldm32.exe
3000	Dnfhqi32.exe
2868	Ddppmclb.exe
3008	Dnhefh32.exe
2932	Dqfabdaf.exe
2872	Dmmbge32.exe
2892	Ecgjdong.exe
2888	Efffpjmk.exe
1996	Epnkip32.exe
264	Efhcej32.exe
1976	Eqngcc32.exe
1776	Epqgopbi.exe
1348	Ebockkal.exe
2916	Ejfllhao.exe
1100	Emdhhdqb.exe
2056	Epcddopf.exe
2252	Ebappk32.exe
2488	Eepmlf32.exe
856	Epeajo32.exe
2104	Ebcmfj32.exe
1328	Eebibf32.exe
2460	Einebddd.exe
2796	Fllaopcg.exe
2808	Fnjnkkbk.exe
2552	Fbfjkj32.exe
3016	Faijggao.exe
1076	Fipbhd32.exe
2824	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
2676	Beogaenl.exe
2676	Beogaenl.exe
2760	Bklpjlmc.exe
2760	Bklpjlmc.exe
2716	Bimphc32.exe
2716	Bimphc32.exe
2600	Blkmdodf.exe
2600	Blkmdodf.exe
1512	Bdfahaaa.exe
1512	Bdfahaaa.exe
408	Blniinac.exe
408	Blniinac.exe
1376	Bhdjno32.exe
1376	Bhdjno32.exe
2732	Boobki32.exe
2732	Boobki32.exe
2756	Cdkkcp32.exe
2756	Cdkkcp32.exe
2648	Ckecpjdh.exe
2648	Ckecpjdh.exe
2312	Cglcek32.exe
2312	Cglcek32.exe
2028	Clilmbhd.exe
2028	Clilmbhd.exe
2132	Cgnpjkhj.exe
2132	Cgnpjkhj.exe
1904	Cnhhge32.exe
1904	Cnhhge32.exe
1080	Cgqmpkfg.exe
1080	Cgqmpkfg.exe
296	Cjoilfek.exe
296	Cjoilfek.exe
1940	Cbjnqh32.exe
1940	Cbjnqh32.exe
1676	Cffjagko.exe
1676	Cffjagko.exe
1864	Dkbbinig.exe
1864	Dkbbinig.exe
1812	Dfhgggim.exe
1812	Dfhgggim.exe
1564	Dlboca32.exe
1564	Dlboca32.exe
1684	Dkeoongd.exe
1684	Dkeoongd.exe
888	Dfkclf32.exe
888	Dfkclf32.exe
2448	Dhiphb32.exe
2448	Dhiphb32.exe
1584	Dkgldm32.exe
1584	Dkgldm32.exe
3000	Dnfhqi32.exe
3000	Dnfhqi32.exe
2868	Ddppmclb.exe
2868	Ddppmclb.exe
3008	Dnhefh32.exe
3008	Dnhefh32.exe
2932	Dqfabdaf.exe
2932	Dqfabdaf.exe
2872	Dmmbge32.exe
2872	Dmmbge32.exe
2892	Ecgjdong.exe
2892	Ecgjdong.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kppegfpa.dll	Bhdjno32.exe
File opened for modification	C:\Windows\SysWOW64\Cjoilfek.exe	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Cbjnqh32.exe	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Dnfhqi32.exe	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Epeajo32.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Bimphc32.exe	Bklpjlmc.exe
File created	C:\Windows\SysWOW64\Mlanmb32.dll	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Dkbbinig.exe
File created	C:\Windows\SysWOW64\Ebcmfj32.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Eepmlf32.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Bdfahaaa.exe	Blkmdodf.exe
File opened for modification	C:\Windows\SysWOW64\Bhdjno32.exe	Blniinac.exe
File opened for modification	C:\Windows\SysWOW64\Cgnpjkhj.exe	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Cbjnqh32.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Efffpjmk.exe
File created	C:\Windows\SysWOW64\Clilmbhd.exe	Cglcek32.exe
File created	C:\Windows\SysWOW64\Dnfhqi32.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Cdkkcp32.exe	Boobki32.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Qleikgfd.dll	Dnfhqi32.exe
File created	C:\Windows\SysWOW64\Dqfabdaf.exe	Dnhefh32.exe
File created	C:\Windows\SysWOW64\Bgnjpcle.dll	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Emdhhdqb.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Fopknnaa.dll	Blniinac.exe
File created	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Dlboca32.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Panfjh32.dll	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Okobem32.dll	Ddppmclb.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Dkeoongd.exe
File created	C:\Windows\SysWOW64\Dnhefh32.exe	Ddppmclb.exe
File created	C:\Windows\SysWOW64\Diaalggp.dll	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Epcddopf.exe
File opened for modification	C:\Windows\SysWOW64\Eepmlf32.exe	Ebappk32.exe
File opened for modification	C:\Windows\SysWOW64\Einebddd.exe	Eebibf32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Lgdojnle.dll	Blkmdodf.exe
File opened for modification	C:\Windows\SysWOW64\Clilmbhd.exe	Cglcek32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhhge32.exe	Cgnpjkhj.exe
File opened for modification	C:\Windows\SysWOW64\Efhcej32.exe	Epnkip32.exe
File opened for modification	C:\Windows\SysWOW64\Eqngcc32.exe	Efhcej32.exe
File created	C:\Windows\SysWOW64\Aoqbnfda.dll	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Ddppmclb.exe	Dnfhqi32.exe
File opened for modification	C:\Windows\SysWOW64\Ebappk32.exe	Epcddopf.exe
File created	C:\Windows\SysWOW64\Fnicaj32.dll	Beogaenl.exe
File opened for modification	C:\Windows\SysWOW64\Ckecpjdh.exe	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Acpchmhl.dll	Dqfabdaf.exe
File created	C:\Windows\SysWOW64\Eqngcc32.exe	Efhcej32.exe
File opened for modification	C:\Windows\SysWOW64\Eebibf32.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Ckecpjdh.exe	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Kecfmlgq.dll	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Dfkclf32.exe	Dkeoongd.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Epeajo32.exe
File opened for modification	C:\Windows\SysWOW64\Fllaopcg.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Cgkqcb32.dll	Boobki32.exe
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Dlboca32.exe
File created	C:\Windows\SysWOW64\Epcddopf.exe	Emdhhdqb.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Malbbh32.dll	Dhiphb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1764	2824	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkkcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beogaenl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddppmclb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blniinac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boobki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnfhqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklpjlmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Einebddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnenhc32.dll"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efhcej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlanmb32.dll"	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bklpjlmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blniinac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beogaenl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll"	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdojnle.dll"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhcgajk.dll"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnicaj32.dll"	Beogaenl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kecfmlgq.dll"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blkmdodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjnkkbk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2676	880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe	30
PID 880 wrote to memory of 2676	880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe	30
PID 880 wrote to memory of 2676	880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe	30
PID 880 wrote to memory of 2676	880	0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe	30
PID 2676 wrote to memory of 2760	2676	Beogaenl.exe	31
PID 2676 wrote to memory of 2760	2676	Beogaenl.exe	31
PID 2676 wrote to memory of 2760	2676	Beogaenl.exe	31
PID 2676 wrote to memory of 2760	2676	Beogaenl.exe	31
PID 2760 wrote to memory of 2716	2760	Bklpjlmc.exe	32
PID 2760 wrote to memory of 2716	2760	Bklpjlmc.exe	32
PID 2760 wrote to memory of 2716	2760	Bklpjlmc.exe	32
PID 2760 wrote to memory of 2716	2760	Bklpjlmc.exe	32
PID 2716 wrote to memory of 2600	2716	Bimphc32.exe	33
PID 2716 wrote to memory of 2600	2716	Bimphc32.exe	33
PID 2716 wrote to memory of 2600	2716	Bimphc32.exe	33
PID 2716 wrote to memory of 2600	2716	Bimphc32.exe	33
PID 2600 wrote to memory of 1512	2600	Blkmdodf.exe	34
PID 2600 wrote to memory of 1512	2600	Blkmdodf.exe	34
PID 2600 wrote to memory of 1512	2600	Blkmdodf.exe	34
PID 2600 wrote to memory of 1512	2600	Blkmdodf.exe	34
PID 1512 wrote to memory of 408	1512	Bdfahaaa.exe	35
PID 1512 wrote to memory of 408	1512	Bdfahaaa.exe	35
PID 1512 wrote to memory of 408	1512	Bdfahaaa.exe	35
PID 1512 wrote to memory of 408	1512	Bdfahaaa.exe	35
PID 408 wrote to memory of 1376	408	Blniinac.exe	36
PID 408 wrote to memory of 1376	408	Blniinac.exe	36
PID 408 wrote to memory of 1376	408	Blniinac.exe	36
PID 408 wrote to memory of 1376	408	Blniinac.exe	36
PID 1376 wrote to memory of 2732	1376	Bhdjno32.exe	37
PID 1376 wrote to memory of 2732	1376	Bhdjno32.exe	37
PID 1376 wrote to memory of 2732	1376	Bhdjno32.exe	37
PID 1376 wrote to memory of 2732	1376	Bhdjno32.exe	37
PID 2732 wrote to memory of 2756	2732	Boobki32.exe	38
PID 2732 wrote to memory of 2756	2732	Boobki32.exe	38
PID 2732 wrote to memory of 2756	2732	Boobki32.exe	38
PID 2732 wrote to memory of 2756	2732	Boobki32.exe	38
PID 2756 wrote to memory of 2648	2756	Cdkkcp32.exe	39
PID 2756 wrote to memory of 2648	2756	Cdkkcp32.exe	39
PID 2756 wrote to memory of 2648	2756	Cdkkcp32.exe	39
PID 2756 wrote to memory of 2648	2756	Cdkkcp32.exe	39
PID 2648 wrote to memory of 2312	2648	Ckecpjdh.exe	40
PID 2648 wrote to memory of 2312	2648	Ckecpjdh.exe	40
PID 2648 wrote to memory of 2312	2648	Ckecpjdh.exe	40
PID 2648 wrote to memory of 2312	2648	Ckecpjdh.exe	40
PID 2312 wrote to memory of 2028	2312	Cglcek32.exe	41
PID 2312 wrote to memory of 2028	2312	Cglcek32.exe	41
PID 2312 wrote to memory of 2028	2312	Cglcek32.exe	41
PID 2312 wrote to memory of 2028	2312	Cglcek32.exe	41
PID 2028 wrote to memory of 2132	2028	Clilmbhd.exe	42
PID 2028 wrote to memory of 2132	2028	Clilmbhd.exe	42
PID 2028 wrote to memory of 2132	2028	Clilmbhd.exe	42
PID 2028 wrote to memory of 2132	2028	Clilmbhd.exe	42
PID 2132 wrote to memory of 1904	2132	Cgnpjkhj.exe	43
PID 2132 wrote to memory of 1904	2132	Cgnpjkhj.exe	43
PID 2132 wrote to memory of 1904	2132	Cgnpjkhj.exe	43
PID 2132 wrote to memory of 1904	2132	Cgnpjkhj.exe	43
PID 1904 wrote to memory of 1080	1904	Cnhhge32.exe	44
PID 1904 wrote to memory of 1080	1904	Cnhhge32.exe	44
PID 1904 wrote to memory of 1080	1904	Cnhhge32.exe	44
PID 1904 wrote to memory of 1080	1904	Cnhhge32.exe	44
PID 1080 wrote to memory of 296	1080	Cgqmpkfg.exe	45
PID 1080 wrote to memory of 296	1080	Cgqmpkfg.exe	45
PID 1080 wrote to memory of 296	1080	Cgqmpkfg.exe	45
PID 1080 wrote to memory of 296	1080	Cgqmpkfg.exe	45

C:\Users\Admin\AppData\Local\Temp\0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe
"C:\Users\Admin\AppData\Local\Temp\0b2903d4f2dcdf5b30b3d0ad128f6ad70b96813fe64b77397d0a4b1b672a0bb8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Beogaenl.exe
  C:\Windows\system32\Beogaenl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Bklpjlmc.exe
    C:\Windows\system32\Bklpjlmc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Bimphc32.exe
      C:\Windows\system32\Bimphc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Bdfahaaa.exe
        
        C:\Windows\system32\Bdfahaaa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Blniinac.exe
        
        C:\Windows\system32\Blniinac.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Bhdjno32.exe
        
        C:\Windows\system32\Bhdjno32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Boobki32.exe
        
        C:\Windows\system32\Boobki32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Cdkkcp32.exe
        
        C:\Windows\system32\Cdkkcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Cglcek32.exe
        
        C:\Windows\system32\Cglcek32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Dnfhqi32.exe
        
        C:\Windows\system32\Dnfhqi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Ddppmclb.exe
        
        C:\Windows\system32\Ddppmclb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 140
        54⤵
        Program crash
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beogaenl.exe

Filesize
90KB

MD5
6ee219358425e14c417c7d4fe79f2906

SHA1
b694e664d6a665711faec668c6d64db0248ffa76

SHA256
180d139b2eeede3ab95652ca76c26174e36d8f7f6c0e4cf75b394e52eec7afd6

SHA512
4ff342eb83f3d7d7d2e1e983cd5f302c0be617aa211ff06c9b9ad62613b00ea5d2c97340792fd808b8fd0b42a8d9eede697ea335f7cb26d6cf7b050e21486ffd

Download Submit
C:\Windows\SysWOW64\Bklpjlmc.exe

Filesize
90KB

MD5
82fb1d79a0bcf6f847521420a016a2ab

SHA1
8595949cb4c36bba2c56f6035ab31af27063932f

SHA256
c92a96476f061fce72db7713f29af31076d6d595fbc9c88f7f6596ab59e15070

SHA512
92ed0a3b017c5e8dbed5c8541e3b6c2ef21c36f52c5b66ae10de8e97aff963f421e5532bd01214f5a0086c3710c3ca8ec7bc195d61ded9cfd1a923e808fa9c1b

Download Submit
C:\Windows\SysWOW64\Blkmdodf.exe

Filesize
90KB

MD5
402f7df9e1aed0d2c8285102c2cdfd2c

SHA1
d558cac1e8c89ebc20750cbb9b512dbb7310e4f2

SHA256
fcd68e012dafba990bd5dfdb1e25063e9eea250081b6895fdd1cff2912cf5f26

SHA512
d34769c718b4310fe7215e6c275fc68bcf829209375e2a1f24ba76b57bbc4dee4b50dfb8592d55acc83fc77de6e536e1b302b18fd3480e6399fe60f5ef194423

Download Submit
C:\Windows\SysWOW64\Boobki32.exe

Filesize
90KB

MD5
926ef506d203fa15a106a55b4697cf89

SHA1
8c126927b3e869dca796289673a2f8f4733c2820

SHA256
e1c502efa0994e278b723d970c50bde8e599b1156345114111d149da4ee5442c

SHA512
6f1417349643eb758d8297693dbb8de78a73b7f56cb726c01e918442640c447b4b43e97309de1b237e824eb1d620c8ef76f0f045fec03b3ce55605e9552f5624

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
90KB

MD5
485a35313a64c3f1858770b6f0b81a4a

SHA1
27875db9af6fc87cf2c23d9ca8797d09ebd408d1

SHA256
b32132fbfbe1a78100b67bb070cbd9b21802438f2b8d680d1d9df158de190b25

SHA512
8c68e2f8b051175e494b9f308f0bb94d35f7b057e639d97a65e4efcc3ccb41dd4c04d43ee41f2585a9da5b84ec2c9fb4e0158127f2ab0750ee06031ba930df89

Download Submit
C:\Windows\SysWOW64\Cffjagko.exe

Filesize
90KB

MD5
9173840b6db7c4207c51fe1caf08d79c

SHA1
8102e4410f34d5fbadf0e2504ccc3a0db544695a

SHA256
73321d1320816cc95ae7dc61d1371547724c42654bfbbfb240bf708c1ce615b6

SHA512
759b3d98f76d61cb1ddc615b463ae3b445f92b98e4e217268f2deca3ab878fb08f3ba6639137e530aa9986f2bc93ce843a93023bf7dcb0fb2c61a6201e2de6e5

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
90KB

MD5
8699572d00827bb66630857f33a8406f

SHA1
e74b5b56d7825b657d9718c9f32971ee53e32451

SHA256
05b7f148d5f91abe3db98d0bfb384c3dbd49cdbfc887403973645854ce20f8b0

SHA512
e870fc81e4e056bc1b87b77d2bf7e4093ee68f0342fa8712ced9350a8e584ed29da7fdd805300ef13f14e51d2d1480b9f67427079c48e9f503a5aa1f78eaa366

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
90KB

MD5
82df42dd72011ab473e6141968ee4358

SHA1
7a8de00964c659e9297b58a988fc8bd45a4108b5

SHA256
86ebcf4cc90196864da9639b8ce03aefdd8ab9775aa222d8176109571e7c4fa2

SHA512
194f64597ca4f46143ff3d8f3bcf8957b68d14eab81e78045607271e4d7af5094eb7e28b11b31175316e32146cb3738a98a10dace0679db73eb87f42380e5b1b

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
90KB

MD5
293685c8cd354f94f5cebaa1118e6422

SHA1
c65b92428819147089d6fdb020c732956c88ba86

SHA256
a94a404e62db1c6d55abc20f074730a7d2433bd16b91b255e0be7eb18ecdeb56

SHA512
bcb0a0235c3a729919a8898797ad3709ac12edf381aa432348c550571cd7f600e562664c153cf28892e214cdfa4e513c410ae0723768fd901cbdb1d8b06cb117

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
90KB

MD5
b6ab8581d236bd569b3b2f639858396e

SHA1
7afd2b4edb1146ca97cc744def947772cffa887d

SHA256
ac394079d3fdd87a81409dc8a34c34637ba3e976791dbadbff6d0a3600fcfd71

SHA512
24996844461f23b424e916357a4a3aefdaa0f3cf6729239447c5a5fc2100ffc08abfcfa3261be123d97101eeb52d26c8fe527ba9f255ee0626f27b5f5d2d5ee0

Download Submit
C:\Windows\SysWOW64\Ddppmclb.exe

Filesize
90KB

MD5
2c27f4ee0c4a25d6cf0f5d14f135a7c9

SHA1
ff38e2bf700b92135d494fd1cb8ace0c52626298

SHA256
d4f1c90bbdb3b560e53b2676447f2f504030154b3177586233d5eb6a32159e39

SHA512
80cde6a8ccd4c6288f6ba09b30a41f869e7354a3eefe5817712279ec2972f5e6aea84f93d404459de01c64397457a19a112dfd0e215235ba4a073e89832a319c

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
90KB

MD5
3bd018e1516944ff0ea8503d7f28b840

SHA1
6cc3f3e9d6df5b87d2879f964e08bb0b4894794f

SHA256
3a90829a9263867b1e824fa48a93d91bd2d85e577785076b446c79df3d180ca1

SHA512
b717c456971afda5f590702bf6a00d2b1187e1a8ded5235107a25e01a581e1dc4658cbbff9991abe7fc305ce1a31c450a3b1c78efc15be2f8d9fdf6fac7f1c42

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
90KB

MD5
f653696e8b86fd7a4a3b362b9e637bb1

SHA1
2ca0eae7fb06ddc583baeb139a77e9f82b35fd8c

SHA256
ef87ebe024ae917a04e698627961af5560d45f7ba02d07badcbb571ddf2506ac

SHA512
dd60d6930754cfaac1f3e72139f025b69b08d5318f996d6591e075b8b5c9227b8cec3c96202d934a52c1543bf2723b96380b9f45d4661bbe0c98641b69242aff

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
90KB

MD5
e5c5a18ffbf50b749d537c9bdf912e28

SHA1
dd2261a160bd69193f96299f05de90d52fbd0e3b

SHA256
87bfe4c4a8ec3af14a77d064b5d8239080f71ebb9195c9b1cec7f9489eb0c3b2

SHA512
dffc34f7f36fe9d3fe226c5a2b6dbd767330f5f80f4c94ae9cc353cb57434ef841a48d600fc4124a63928b931ee38be265498812e1c192a17aef14d44ff2ea72

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
90KB

MD5
d7e14d3798bb440602176630c70255db

SHA1
5aec80da87ebca313eb88e2555de35a7cecc1512

SHA256
ac4544ad12e5f80ea9f8da0bd8a54459b045588689ca9f25d7b50d76f2839f49

SHA512
5d789293c309ef2c641becaf89d0c4d26f128577d5c24ee4c2c70e7cae5fbef98ceec805128bfed07e609d9777c1a1843144dbc88d116053c4ef061774fd94bd

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
90KB

MD5
6275ddfcb32ad4d039e6f88c38ed4580

SHA1
0a1611e4bed64a6071a8cf5d3b0817ec69ca8d55

SHA256
185e93d9be9e4cf0cd016d88326d616df320623dfe7ea151f0c5c4c110f67cc4

SHA512
a6903043c1f8811285d0f7cdbd9089990953dc3f2be0bb0bf6f59d32ceaece8d2c26e265ea7e1e6c689696f9713662116142dda632c1fb2fad5fed6d0a2cb05b

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
90KB

MD5
ccb18cbc3c679b9b02ac099949361987

SHA1
41b26924fd3c6030cd54086b7b4bb076132bb311

SHA256
eca2f36d53d826682497b45fd5bd7a26ac910171e135ad7247f19d7b9312613b

SHA512
90cae08e40997a80e77116b3dbea43131cfba94dc9fb603aa44723ce950fec668cee5c31c8ea4f390ad6b27164403d31c79a4856d5754a9fc1ed9fbf33bafda3

Download Submit
C:\Windows\SysWOW64\Dlboca32.exe

Filesize
90KB

MD5
a644f639afa88f0a0272c0b3808f6aaa

SHA1
66aa2f92a7c0bff52c523552465881b0681acd98

SHA256
1481af9d72cba020e4461c16655d5511ce4eca186f923ddaca7471399e5e8073

SHA512
12f9870c43d6ddb1a3326cc7364962c4ae5b183afb42b20bdfad162857687b6f53a2831bdb54e552a6aaeaea893d03483b6a96ad005fcc31139c638dddc4bbc0

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
90KB

MD5
ec7b964b44052f60117e48f64c0c49ac

SHA1
accb994d3ffa98b7ebdc76f7df96d5027b93bca5

SHA256
389ca07d55dce93b753f3e8ba680e6789303a6bcd3ab356c36f37e7b4151e98b

SHA512
65d1ac305b7339c047ee3a95b67ad746bccc872470684f078c8e6a18f44e13ef6b97bcd41833a2561a6b6f3a3dbaf645078b213141eedcef6b00aae87cc0bc51

Download Submit
C:\Windows\SysWOW64\Dnfhqi32.exe

Filesize
90KB

MD5
acb540d540e7db9f9a658ca9f5fee9de

SHA1
7202ad70e865db95fe8d1e10fa08bd4124e9efb3

SHA256
a73b4a1be70e708ec532bb817ca3db87d835060e3a8e6e9089e30aa3f7aabe38

SHA512
2a2653dfa4da2793cadb856b799f170b494df0cb991fca77ac2519c0fec0d603336d8de07989960e1025f9a514a1221ebbd2e4e61dae8d7523648e51d1a80f1e

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
90KB

MD5
0e3068e4a7cc90f08c92b367cb0d4f8d

SHA1
f003689abc805bc11529329b76b904ccd42203bf

SHA256
7722479deb9f9217c806a03e5b76a6ce3833013c7cf061aa2184a94212c8b4b9

SHA512
9093f3be418eef165a073388253f31292c3bd22ffa9817a40f1b44c164311e6497bfa1d4da397935fb7034171fc8f61ac324c95e4384609579c15572976f9b48

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
90KB

MD5
4edb257074f54ea44379fd360cbd4296

SHA1
ee39a024cff5c539cf846fb836ceb3521635cac8

SHA256
e747929d12344d985312f0cae90a23d05d214c8ebda0d2eee58849cdd2578cf8

SHA512
46dc3c8c98c5ce2e5bf92c31e206ed3d141dae418d446d5f7bf4b8f4f932c824ff67125193904d6d45b6f55a5e4478d6fad8fb38921b683282afc8fabeb67d51

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
90KB

MD5
5ae2e5b2333ea8243f182b195a06a29d

SHA1
bc72a3ef0567783de93790db53f804c10e26d40c

SHA256
528cd423dc486b72c4fd2a00fbe2294c51ab10cc608b04550c30abf3e6efd7a5

SHA512
a86dfa64e8869f0160fa8baa8cd6a96bb9983f829181412839d1f4e46262898c1d04855448ee4cbaac97c6f6b9b51547c1333a9fd7c840dd93734aa8918c0e13

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
90KB

MD5
c054338a207d17ffefcb749a9098bb65

SHA1
faa9f5701e8200ca3e1808bcc62484730e671382

SHA256
a225bc3ce76ad7ad260233bd7fbddc2a139a781b839cec089da5adf1117ab7ed

SHA512
157322e18bef660c05e23ffa89718292c5679ff2aa357871739edcc05cfc3c8d98f1e738181994fc90afcc9bf15c96fd4327362c303623aefd7a89f627250ae7

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
90KB

MD5
49dfe6fe82090d95cc95ac640f2c8c9c

SHA1
2319106c8d6db1e8db58f72141bd344b04abacb9

SHA256
11776be5cfa885f13be62b5d3edfe1838a33228f387686e6a52d78e5514c1cfe

SHA512
5006f4f066f954f1938eaea6f0d779714ec8f86ed14efd2ac4406459060ed055deb7bb4b03857e6439a6f1a423915eea4c206f02fa9ccaa3bd835c9a675f716f

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
90KB

MD5
c2aa35cc6ea9a611e62bd85d96fcdf02

SHA1
203da9f1359e23495ebce886c017ac58ce20e96c

SHA256
18d0d00bc410cdd347d145235a1dfa5d5918fa84a69b715cc40ed221830b5548

SHA512
425fd8e3558028661690a391bbceb411c88d6ff8885f4c787843c96b4b458c7a0892d8b3fe1f4e43003657630516307b8ebb2e9ecaa5818abd39b0a3c7af406b

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
90KB

MD5
7ce95e659151a08f9ceef1a670a2e3a9

SHA1
aad2c5b56fa52f488c0126dd632d4e78a4b6afce

SHA256
02e5c2d789b06450480388040e7a7515eb3f147aa894642519747244754d8cff

SHA512
472038bd58b5d6f44cbec53319d29145537371302fb4cbb38ffdc7e8e740978f5e87a186815c87d8a730dcc737dbbf2458eeb63b855b0cd811c444bc4c4bb2ad

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
90KB

MD5
3df9530f0e9466b0da69ff3dd701f1e5

SHA1
069e5806c6042b3783f6260189ad517c057fbe2e

SHA256
e17949efb57aff43a76b6091799ff28e164cbacac9435e8128e1652889a4c3c9

SHA512
393bc41e38b0cfe88d9a1bd46443bd74c5e442ddba9b8d14b23e141171d9f7f55e411a17c99cecf4e9f95bc67e96c07175eb7b1b6c41f25b65578e73875f5675

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
90KB

MD5
759f3179893637e43f3862174c3e1608

SHA1
486566a9578283b63cb6c53efa275e0be20cecca

SHA256
6748695addd2ad0c19d99022aa1aaf7f1736c74b4185489b4e1198800b3d995f

SHA512
00b5f6ca8f1d9ae4547257e9bf4e4821b7c624362aa7f459c19439b81cbb7d3829819d750532aba0863b4a9ebaba581287fb1ef74b66914ae26b3bd71a0f5457

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
90KB

MD5
d49c0483c05beeba71b27f23fc0db6e1

SHA1
35e2f51e4b5ad02f464c8c2fafe92abcb80a4584

SHA256
45c4ca068bcaf673908247af1e324ad96920a42b9a2c2d3e8809f1a206ca6f0a

SHA512
cbc9c92801d2da2e07278629e28d6698109c4cba3664bda8bef481663b58164d9d568fdf5ee22bf22c788251050b5737aac5779f5f6876a07989b78915f9034d

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
90KB

MD5
8800915e5b873cb55a5614b92f4d1686

SHA1
f38288a3af2ee6bc1b0331ebb153008084309c79

SHA256
22209232131b91a8b3f6be2efc7c5ee6c6c7fa1ba05c08ba956d10e121161eb3

SHA512
e4c37681a9fadb84e85f9d29a85a0ebb2f3b8415c8e45fe40c072b1992dcfb9290255fff558f6d91b64b43c395fadd5337a943a22448e03ee4fcf6d7a4a4d279

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
90KB

MD5
8357f5800f3e9cd1fa756bd49c6ceb93

SHA1
05ffade01914579580fc790203b1cd9aeca250e3

SHA256
9463c282925120b154dd3b81c3044e494bb1f444b9a977a28ae310b9ac636bf5

SHA512
b369ba9b2e9b01fa37e710ba8033a17d040d1e09240b98f3aab13cc2024d266fb456cb33356915aedeed758a007444742e9f3546e44974342f36b5dadd7165f4

Download Submit
C:\Windows\SysWOW64\Emdhhdqb.exe

Filesize
90KB

MD5
01380bece67947c39f3ce960253bbab5

SHA1
46308f9bf2af07b03d0709dcbbd4d7d92ea5152d

SHA256
c473631202fe0dd6949d980971466ba5f1d0d417cf7cfdff690860e68e4de6af

SHA512
5386b4efe0b7ebf3c79946832b408dceb7dd25b4af7f77d03cc5e9dfb4e7e37264e85853adcc47e40fbaacc6b7e214dbb26cea2c09b52f73fca63385bf701d5b

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
90KB

MD5
c9cf7780c3b2b6bab6d0a2c25cbf9552

SHA1
4a768cc711e196e2ac327696b2df981bc19cab6b

SHA256
3d373a2e40712df2510f7b1c1cdafc17886bc650a33affd4a1348fe6560cfce7

SHA512
be2ea18c757493777b578315b95c6a4ac34690d715089c19034df9d2a45cc504f47d508934cc509dbab5413a88d219ebacc81d10530ac6a753cf52b7a8ef9256

Download Submit
C:\Windows\SysWOW64\Epeajo32.exe

Filesize
90KB

MD5
2e4be358f65df50e5129ad4510f8f1ec

SHA1
5097a10eae92d6907cb565b064a75002cff8cd59

SHA256
5c309d4b2408c0cbdf1fcec478593e1f90c44c1beea13b5df95eef1c904670df

SHA512
dcd581560c0df2f1c1812d8ce35f1a22fd6567c27bd9c7f0ef70a45d1746a7fcf9a18b128cf6fc5951bec08e704d3fa8fb9b616720bfcbba4c0c5ae93daf7363

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
90KB

MD5
4a5a9a0c6b3a8fd2bf5b07ba0481366f

SHA1
01becbe3903cc0054e2575bc444e9815b513bb26

SHA256
ff4c35bbbfaaeaa83031d4eb59e6a8b5b95dac087588afdf6a25dc9559b53cbb

SHA512
7265591f33a308246f6dd716579ee2a93f8907c2c844661467d3938cd879f719d8fff81c662ef4e55ad05dd513f17860173cb30e090367675a1c07dcb412e334

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
90KB

MD5
c68d63b7b36f06e883face6f54a1a48a

SHA1
dc66401911c8445d280c9b8ed572c163da34e624

SHA256
00aef7906881c66a451f09fc161023210769f645e7706b8c8af20d06239ba24e

SHA512
c5133f70030318b70c72915ad1c513e9e2a3c1fcc53065ef12c63359f41b8374a1263e515378148d690ea6c76f677fb61fdba033889f578ccbc4e906c85237d5

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
90KB

MD5
295ee5a7a17b94b26b288e520bf268d0

SHA1
566ff13c90199c84546e225a26c9531eb76f5caf

SHA256
d1305ab879f5d701cf72a707eecc058dac3a4c51a23300de297ade85508c0d8a

SHA512
9a725100e0d3ec06bbf6f26af101155e61ac8591f368b5afe8b3ec040209919ccdda9caaefee17d44381e664966d4393d931aa97d1eb27df535ec60817886567

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
90KB

MD5
1a8980c595aa6244378898623e30be5a

SHA1
e37431f63c665e6d40bfaaa0700df84c28a2bb63

SHA256
e0ce2b630776e302c8823e9141b540738440c8a1d0dee6b4730032451d765eeb

SHA512
ef9d9c88356e0bb8136c10c25b90097774f88587d5f9c8ce215bab7191ce4c8a668f2641c2f42387d158514232a19ed9d84d3881d4b5fe1cacb64278d2d6c2a0

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
90KB

MD5
541d73a11cf16ad42cc9d80e856f7019

SHA1
d901cf098d37802f7301ced4cba3a4c696dea177

SHA256
de4fee570281e70f286629aa0fa9c352ce33a9e0878a2b717214f01a793ab04e

SHA512
b90916364dfe87c3e69229d64cf1035871ba64011f8963c3731009668018cdda432a77d2abbcc2b848c7de4a6fb2fe6dd5ab576d673fc38e235b76917e8608bf

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
90KB

MD5
b23f8e9ea8685848301bad757e5868bb

SHA1
8ee177e450cce86212368e4da60334e808431bd3

SHA256
92d867f78849f17eeea952769575343fe8a771c8e36e90b0ca12e83b8d4f876d

SHA512
5e505bf31753670380ad9b1ed0667d47a7af97bde85a501a114c390d7a9a7df8feb814a2b4472813a89e20330b2a7d3c147f252a37f9afbb5d6a66e01d491125

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
90KB

MD5
ab66053bfd169a1ea5a4653129ecb502

SHA1
81643e72d2b77de537797dc537eafbf37b0f49c1

SHA256
6d32a8570c54d9d003a63140749fda2a99aedebcde18109c9770fd258592870c

SHA512
23b5ee4ada17c5902df6b12d043bf1bbc3697401a008e3ba273cd0b41a93c7789fbe42894d8c798e148a2b3bb2810f60433c18d05cc59826ad3f1709b06452a4

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
90KB

MD5
3597fd378550823aadb55bbac59c8645

SHA1
eda5c7f73fea1f0b866d3d9d97b06c50122ff2b1

SHA256
3850938b9d1d557168caf4369d78f3866510f0117cfbaae0645bcced05dbced4

SHA512
72f771df8f526c225860a900d1143056e84b0c8debf67b71957af809958a4a566c5215cbad385460a5962aa43f72fcd7e8fcac27c3c484bf1f8a67b4bdb93c4d

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
90KB

MD5
8901e67d0a62a91094f581e648b21dfd

SHA1
414203bb931e81d33e62c0334401098c3b48e682

SHA256
f7244baa53334be5dc8e10d128022526d5d12629e3bc1c6b5c68bff0416cb868

SHA512
fe90a1d3d80ef8584d29d4467d52759458ffde36fce54d10e0a3fda1540b52cd366e600107bd2b8d8252827a53a23b121dbc1ec0cfe60dccbd6dfc782730e055

Download Submit
C:\Windows\SysWOW64\Lgdojnle.dll

Filesize
7KB

MD5
e0dbfc59ce603e2a3ff79819d2b07ada

SHA1
21651709c68ea52d3bf0463ecfc725dbdb9ca867

SHA256
5b546c8115f3177b549e1034daf02b88fa6d8be34d9b21dea0691cf3c1266c33

SHA512
7b66a1342bfc7a6150be8ac33ddbd0aa57b9f5d6f174810d9b55ffc2871f1a42b861bcb6635f941e361a39917b2b50e331a1a09e2c0b07b562a52c47edef327c

Download Submit
\Windows\SysWOW64\Bdfahaaa.exe

Filesize
90KB

MD5
b80b5d02a112eb17ac908a5a8d265119

SHA1
6c291b31b503968644bcc06d52f120058447a07e

SHA256
83ef2a022962b764e0ee8f6bf37089e979eab760c940628744f18daa42321968

SHA512
01a25756295883145cdb47830062c9ccd34f719c9751807d83f3bcd02a9f4596eedf0b904ae5ac0740ddfe31bdb4728e0a810b1f09fb433c877bb932e04a00a9

Download Submit
\Windows\SysWOW64\Bhdjno32.exe

Filesize
90KB

MD5
3a06b693cfe350bf1f6767fa8e9ee6e4

SHA1
a33ac36c45b325051c119228998f56d15b19a48e

SHA256
976546aed9038518d24a1d6f8e701ca83fd0a0388f3b067eb9ccda7fe21e5fb6

SHA512
e49603e1125adabfbd541dafcbfc7bc965ee0063cd8633015459d4aac6f630462d2f3cca2ae5453e5a3dde2a42e1a39d76174fd4be2b1ef5da4ebad1db29a3ff

Download Submit
\Windows\SysWOW64\Bimphc32.exe

Filesize
90KB

MD5
555d652148d5b8620c33ee8840c7b608

SHA1
be7687b98e3e559f487904ca27670d25cf75737e

SHA256
89f55e6678e7bef196258b0a1692a3bbabb9dbc7cf484dd785b7e46e1222ec02

SHA512
5d9da148af26d1b265a59a699070d1e57c742c90fc248cde0a08d88241dfc5aa8c0833f8b565ac486f9182fa9437f3bc987ca895779599121e33c7ce81dff4e8

Download Submit
\Windows\SysWOW64\Blniinac.exe

Filesize
90KB

MD5
5bfb94f0258267928f5644c3142b698c

SHA1
59d20bbdca5e12cb90e071239b2fcbc98d0a8753

SHA256
059bec6d26adfca184af88083cdf8190bdbfcd646f0be1ab0ee2262125fd581c

SHA512
5b5d8ad914d56b69a41b45a4ff039f8ed4e73d9f55ed9f7c0bf598c51c28feb2bbb3e2107772cdb56c64ae3647d81aad11fd04765791dbce08de742f0f02ba9c

Download Submit
\Windows\SysWOW64\Cdkkcp32.exe

Filesize
90KB

MD5
72c98fd9821e94692528a1afea465490

SHA1
6bce5666cad86e1bf66688a2f6d5b246db0541d1

SHA256
6ab6c828e67b1b4c21b34485e607d1a5b6db83a984ba9ba4fc071369e90e8d94

SHA512
98911a7977a4ab0b5db4e803b6cd4a08fff037d14375959e76fab54bb5e616e9670402ef105c5da29713cde3b1cd173cd26d02932670c83ba896c6a395e38cd1

Download Submit
\Windows\SysWOW64\Cglcek32.exe

Filesize
90KB

MD5
99e34a210f01a7125f0ba69538ef472a

SHA1
c3b2d06b44e8bfc9d3ffe26228d87e58adb63e2a

SHA256
bec2a9edacb688d4061b2d14a63627a6a7e350eef5102fda802e0b6314f9284a

SHA512
eedf61135889790519415c8e08a44e7e93879b813f78c444036f96e4bdbacdf4f98f4cb2145164080978fb463ef796dff1fe99be66e130c5b326f7b026b2f07d

Download Submit
\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
90KB

MD5
03584b6c1994f9389eb81c4b43dc8893

SHA1
67cba344bd5b023fa1a70a69f1828a630778ae51

SHA256
4cba3dd13ebbcefc74cb6c6a75eb8e889ab74f195078e3d8baed2620961634d8

SHA512
193a2417fe821cec93c8a8f115d5313f916b0d68760849a901a09f431489666a4d55f21c1e36a972346d23ee866fc177c92b9d98e459918d4eec44eb1fc01b2d

Download Submit
\Windows\SysWOW64\Clilmbhd.exe

Filesize
90KB

MD5
ed1c5f63bbc461b1159be419330462eb

SHA1
d44fb47d670229cedd07b9760845c10f502a15bf

SHA256
c62dc826a1657bc9040e3aa980c0758c1154e88ff832ebeab3475fb9b9d43ebe

SHA512
ec6cafe82f603a2d19ac5e2d3a29faff12578c8b6e96502b0274dd71d88278a9ddad0f71c2c0d297fb6b6e119de555b28f11e9693a17e410bec7a073d1f5918a

Download Submit
memory/296-286-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/296-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/296-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/296-246-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/408-92-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/408-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-145-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/408-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-69-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/880-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-17-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/888-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-329-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/888-365-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1080-275-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1080-236-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1080-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-112-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1376-111-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1376-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-160-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1512-79-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/1512-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-342-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1564-307-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1564-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-349-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1676-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-271-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1676-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-314-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1684-354-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1684-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-319-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1684-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-293-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1812-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-282-0x0000000001F60000-0x0000000001F9E000-memory.dmp

Filesize
248KB

Download
memory/1864-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-220-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1904-262-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1904-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-297-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1940-263-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1940-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-258-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2028-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-184-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2132-250-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2132-203-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2132-204-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2132-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-221-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2448-341-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2448-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-336-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2448-382-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2448-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-60-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2648-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-206-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2648-154-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2676-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-70-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2716-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-128-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2732-176-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2732-123-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2732-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-143-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2756-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-189-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2760-38-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2760-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-372-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/2868-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2932-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-360-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/3000-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-384-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3008-389-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads