berbew | 3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Size

92KB
MD5

730cdef2e35714a4ebedb76e878cdc22
SHA1

885a76c8dffa2a4219412db3ea3191e8d01bb43a
SHA256

3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5
SHA512

ea903d3e2666de9274778b9752c3b966399191b40d06e3c31257e51ac3201917f8a1635c48fee021aa5dcfc8bd8aab7a36d37c50e7d1d1a6bf7ebbfe17b2b200
SSDEEP

1536:GzMOVg/8bqhp8BUFUNSV2dG+eo1xC0GZFXUmSC2e3lO:QS/5H8BU2024ho1mtye3lO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biicik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blbfjg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccahbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biicik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpleef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojald32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cohigamf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
2712	Bjlqhoba.exe
2812	Bpiipf32.exe
2668	Bbhela32.exe
2632	Blpjegfm.exe
1980	Bpleef32.exe
1064	Blbfjg32.exe
2180	Bpnbkeld.exe
2720	Bifgdk32.exe
2868	Bppoqeja.exe
2004	Baakhm32.exe
2356	Biicik32.exe
2408	Blgpef32.exe
1588	Ccahbp32.exe
2736	Clilkfnb.exe
2276	Cohigamf.exe
2000	Cddaphkn.exe
108	Ckoilb32.exe
768	Cnmehnan.exe
1308	Cdgneh32.exe
1908	Cgejac32.exe
1056	Cjdfmo32.exe
1920	Cdikkg32.exe
1448	Cghggc32.exe
1648	Cdlgpgef.exe
2708	Ccngld32.exe
2844	Dgjclbdi.exe
2448	Dlgldibq.exe
2556	Dglpbbbg.exe
2676	Dfoqmo32.exe
376	Dogefd32.exe
2520	Dbfabp32.exe
300	Dojald32.exe
2644	Dbhnhp32.exe
2788	Ddgjdk32.exe
1724	Dolnad32.exe
2916	Dhdcji32.exe
1800	Dkcofe32.exe
2968	Eqpgol32.exe
2320	Edkcojga.exe
2460	Ekelld32.exe
852	Ejhlgaeh.exe
856	Eqbddk32.exe
1480	Ednpej32.exe
1492	Eccmffjf.exe
2012	Efaibbij.exe
2240	Ejmebq32.exe
2092	Emkaol32.exe
2772	Eqgnokip.exe
2672	Egafleqm.exe
2552	Efcfga32.exe
3036	Eibbcm32.exe
3016	Emnndlod.exe
1424	Eqijej32.exe
2124	Echfaf32.exe
2892	Ebjglbml.exe
2308	Fjaonpnn.exe
3056	Fidoim32.exe
1576	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
2712	Bjlqhoba.exe
2712	Bjlqhoba.exe
2812	Bpiipf32.exe
2812	Bpiipf32.exe
2668	Bbhela32.exe
2668	Bbhela32.exe
2632	Blpjegfm.exe
2632	Blpjegfm.exe
1980	Bpleef32.exe
1980	Bpleef32.exe
1064	Blbfjg32.exe
1064	Blbfjg32.exe
2180	Bpnbkeld.exe
2180	Bpnbkeld.exe
2720	Bifgdk32.exe
2720	Bifgdk32.exe
2868	Bppoqeja.exe
2868	Bppoqeja.exe
2004	Baakhm32.exe
2004	Baakhm32.exe
2356	Biicik32.exe
2356	Biicik32.exe
2408	Blgpef32.exe
2408	Blgpef32.exe
1588	Ccahbp32.exe
1588	Ccahbp32.exe
2736	Clilkfnb.exe
2736	Clilkfnb.exe
2276	Cohigamf.exe
2276	Cohigamf.exe
2000	Cddaphkn.exe
2000	Cddaphkn.exe
108	Ckoilb32.exe
108	Ckoilb32.exe
768	Cnmehnan.exe
768	Cnmehnan.exe
1308	Cdgneh32.exe
1308	Cdgneh32.exe
1908	Cgejac32.exe
1908	Cgejac32.exe
1056	Cjdfmo32.exe
1056	Cjdfmo32.exe
1920	Cdikkg32.exe
1920	Cdikkg32.exe
1448	Cghggc32.exe
1448	Cghggc32.exe
1648	Cdlgpgef.exe
1648	Cdlgpgef.exe
2708	Ccngld32.exe
2708	Ccngld32.exe
2844	Dgjclbdi.exe
2844	Dgjclbdi.exe
2448	Dlgldibq.exe
2448	Dlgldibq.exe
2556	Dglpbbbg.exe
2556	Dglpbbbg.exe
2676	Dfoqmo32.exe
2676	Dfoqmo32.exe
376	Dogefd32.exe
376	Dogefd32.exe
2520	Dbfabp32.exe
2520	Dbfabp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecdjal32.dll	Dogefd32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Ddgjdk32.exe
File created	C:\Windows\SysWOW64\Bpbbfi32.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Cnmehnan.exe
File opened for modification	C:\Windows\SysWOW64\Blpjegfm.exe	Bbhela32.exe
File created	C:\Windows\SysWOW64\Bpleef32.exe	Blpjegfm.exe
File opened for modification	C:\Windows\SysWOW64\Bpnbkeld.exe	Blbfjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bifgdk32.exe	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Blgpef32.exe	Biicik32.exe
File created	C:\Windows\SysWOW64\Ckoilb32.exe	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Cnmehnan.exe
File created	C:\Windows\SysWOW64\Blpjegfm.exe	Bbhela32.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Dmkmmi32.dll	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Fjaonpnn.exe
File opened for modification	C:\Windows\SysWOW64\Eqbddk32.exe	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Bpiipf32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Baakhm32.exe	Bppoqeja.exe
File created	C:\Windows\SysWOW64\Iefmgahq.dll	Baakhm32.exe
File created	C:\Windows\SysWOW64\Clilkfnb.exe	Ccahbp32.exe
File opened for modification	C:\Windows\SysWOW64\Cddaphkn.exe	Cohigamf.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Oegjkb32.dll	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
File opened for modification	C:\Windows\SysWOW64\Cdlgpgef.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Bneqdoee.dll	Blgpef32.exe
File created	C:\Windows\SysWOW64\Bpooed32.dll	Biicik32.exe
File opened for modification	C:\Windows\SysWOW64\Dojald32.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Fgpimg32.dll	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bppoqeja.exe	Bifgdk32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Cgejac32.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Apmmjh32.dll	Bbhela32.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Jchafg32.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Bpiipf32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Mpdcoomf.dll	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cdlgpgef.exe
File opened for modification	C:\Windows\SysWOW64\Dglpbbbg.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Dbhnhp32.exe	Dojald32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Egafleqm.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Keefji32.dll	Blbfjg32.exe
File opened for modification	C:\Windows\SysWOW64\Clilkfnb.exe	Ccahbp32.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dogefd32.exe
File created	C:\Windows\SysWOW64\Dojald32.exe	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Baakhm32.exe	Bppoqeja.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Ccahbp32.exe	Blgpef32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1860	1576	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpiipf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifgdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddaphkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkcofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilkfnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaibbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emkaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojald32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlgpgef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhnhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohigamf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhlgaeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccmffjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blpjegfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgjdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhela32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blbfjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baakhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biicik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpleef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgpef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnbkeld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmehnan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppoqeja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoilb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjlqhoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccahbp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll"	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll"	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll"	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll"	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhela32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll"	Cohigamf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biicik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biicik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll"	Dojald32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bppoqeja.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2712	2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe	30
PID 2764 wrote to memory of 2712	2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe	30
PID 2764 wrote to memory of 2712	2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe	30
PID 2764 wrote to memory of 2712	2764	3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe	30
PID 2712 wrote to memory of 2812	2712	Bjlqhoba.exe	31
PID 2712 wrote to memory of 2812	2712	Bjlqhoba.exe	31
PID 2712 wrote to memory of 2812	2712	Bjlqhoba.exe	31
PID 2712 wrote to memory of 2812	2712	Bjlqhoba.exe	31
PID 2812 wrote to memory of 2668	2812	Bpiipf32.exe	32
PID 2812 wrote to memory of 2668	2812	Bpiipf32.exe	32
PID 2812 wrote to memory of 2668	2812	Bpiipf32.exe	32
PID 2812 wrote to memory of 2668	2812	Bpiipf32.exe	32
PID 2668 wrote to memory of 2632	2668	Bbhela32.exe	33
PID 2668 wrote to memory of 2632	2668	Bbhela32.exe	33
PID 2668 wrote to memory of 2632	2668	Bbhela32.exe	33
PID 2668 wrote to memory of 2632	2668	Bbhela32.exe	33
PID 2632 wrote to memory of 1980	2632	Blpjegfm.exe	34
PID 2632 wrote to memory of 1980	2632	Blpjegfm.exe	34
PID 2632 wrote to memory of 1980	2632	Blpjegfm.exe	34
PID 2632 wrote to memory of 1980	2632	Blpjegfm.exe	34
PID 1980 wrote to memory of 1064	1980	Bpleef32.exe	35
PID 1980 wrote to memory of 1064	1980	Bpleef32.exe	35
PID 1980 wrote to memory of 1064	1980	Bpleef32.exe	35
PID 1980 wrote to memory of 1064	1980	Bpleef32.exe	35
PID 1064 wrote to memory of 2180	1064	Blbfjg32.exe	36
PID 1064 wrote to memory of 2180	1064	Blbfjg32.exe	36
PID 1064 wrote to memory of 2180	1064	Blbfjg32.exe	36
PID 1064 wrote to memory of 2180	1064	Blbfjg32.exe	36
PID 2180 wrote to memory of 2720	2180	Bpnbkeld.exe	37
PID 2180 wrote to memory of 2720	2180	Bpnbkeld.exe	37
PID 2180 wrote to memory of 2720	2180	Bpnbkeld.exe	37
PID 2180 wrote to memory of 2720	2180	Bpnbkeld.exe	37
PID 2720 wrote to memory of 2868	2720	Bifgdk32.exe	38
PID 2720 wrote to memory of 2868	2720	Bifgdk32.exe	38
PID 2720 wrote to memory of 2868	2720	Bifgdk32.exe	38
PID 2720 wrote to memory of 2868	2720	Bifgdk32.exe	38
PID 2868 wrote to memory of 2004	2868	Bppoqeja.exe	39
PID 2868 wrote to memory of 2004	2868	Bppoqeja.exe	39
PID 2868 wrote to memory of 2004	2868	Bppoqeja.exe	39
PID 2868 wrote to memory of 2004	2868	Bppoqeja.exe	39
PID 2004 wrote to memory of 2356	2004	Baakhm32.exe	40
PID 2004 wrote to memory of 2356	2004	Baakhm32.exe	40
PID 2004 wrote to memory of 2356	2004	Baakhm32.exe	40
PID 2004 wrote to memory of 2356	2004	Baakhm32.exe	40
PID 2356 wrote to memory of 2408	2356	Biicik32.exe	41
PID 2356 wrote to memory of 2408	2356	Biicik32.exe	41
PID 2356 wrote to memory of 2408	2356	Biicik32.exe	41
PID 2356 wrote to memory of 2408	2356	Biicik32.exe	41
PID 2408 wrote to memory of 1588	2408	Blgpef32.exe	42
PID 2408 wrote to memory of 1588	2408	Blgpef32.exe	42
PID 2408 wrote to memory of 1588	2408	Blgpef32.exe	42
PID 2408 wrote to memory of 1588	2408	Blgpef32.exe	42
PID 1588 wrote to memory of 2736	1588	Ccahbp32.exe	43
PID 1588 wrote to memory of 2736	1588	Ccahbp32.exe	43
PID 1588 wrote to memory of 2736	1588	Ccahbp32.exe	43
PID 1588 wrote to memory of 2736	1588	Ccahbp32.exe	43
PID 2736 wrote to memory of 2276	2736	Clilkfnb.exe	44
PID 2736 wrote to memory of 2276	2736	Clilkfnb.exe	44
PID 2736 wrote to memory of 2276	2736	Clilkfnb.exe	44
PID 2736 wrote to memory of 2276	2736	Clilkfnb.exe	44
PID 2276 wrote to memory of 2000	2276	Cohigamf.exe	45
PID 2276 wrote to memory of 2000	2276	Cohigamf.exe	45
PID 2276 wrote to memory of 2000	2276	Cohigamf.exe	45
PID 2276 wrote to memory of 2000	2276	Cohigamf.exe	45

C:\Users\Admin\AppData\Local\Temp\3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe
"C:\Users\Admin\AppData\Local\Temp\3666e1349c6514f4b2fbcd604e6933f7b28db669d0273acf2f9c1c81834b40f5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\Bjlqhoba.exe
  C:\Windows\system32\Bjlqhoba.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Bpiipf32.exe
    C:\Windows\system32\Bpiipf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Bbhela32.exe
      C:\Windows\system32\Bbhela32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Bpleef32.exe
        
        C:\Windows\system32\Bpleef32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Blbfjg32.exe
        
        C:\Windows\system32\Blbfjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Bpnbkeld.exe
        
        C:\Windows\system32\Bpnbkeld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Bifgdk32.exe
        
        C:\Windows\system32\Bifgdk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Bppoqeja.exe
        
        C:\Windows\system32\Bppoqeja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Baakhm32.exe
        
        C:\Windows\system32\Baakhm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Biicik32.exe
        
        C:\Windows\system32\Biicik32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Blgpef32.exe
        
        C:\Windows\system32\Blgpef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ccahbp32.exe
        
        C:\Windows\system32\Ccahbp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Cohigamf.exe
        
        C:\Windows\system32\Cohigamf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ckoilb32.exe
        
        C:\Windows\system32\Ckoilb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Windows\SysWOW64\Cnmehnan.exe
        
        C:\Windows\system32\Cnmehnan.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Cgejac32.exe
        
        C:\Windows\system32\Cgejac32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Cjdfmo32.exe
        
        C:\Windows\system32\Cjdfmo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cdlgpgef.exe
        
        C:\Windows\system32\Cdlgpgef.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dglpbbbg.exe
        
        C:\Windows\system32\Dglpbbbg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dogefd32.exe
        
        C:\Windows\system32\Dogefd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Dojald32.exe
        
        C:\Windows\system32\Dojald32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 140
        60⤵
        Program crash
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpleef32.exe

Filesize
92KB

MD5
19be594ef28872b9b1a13a55e578695d

SHA1
8479fdb053a0957f2a71445fd2850affb2067447

SHA256
339334a07fe9b5ac4bcfe1ea2b4c2d1448782dc5ee65f6d7dfa1072753facf88

SHA512
cff80a2652509459ef1ce548393bb67e855b40b88551290f218f08bbbc94189a1fa7231327639ce5d6d183e0166c52b931e531a459705b5cd5b2f7ab8d2cae93

Download Submit
C:\Windows\SysWOW64\Bpnbkeld.exe

Filesize
92KB

MD5
a4eea559a88ca29a2f2f9641c0ac0b28

SHA1
cde9a7a68046f2a44f3c0ebf7b9fe91d72f6cdaa

SHA256
fa702bcb961fdcaa84bf06262d5e1ecc47f320d94588481249552221e3b633d0

SHA512
f832b94c84ac8053eecb1cee314e61dd8ee4c2b9a8add12cf28cfb8581fc9d120cfd452d24668dae85185fd4eb101bdd7b550b0e1038cc37d979bbc84a34a208

Download Submit
C:\Windows\SysWOW64\Ccngld32.exe

Filesize
92KB

MD5
1f69f52d8c2b3e642fb73b176f6d09a5

SHA1
15622a33fe1aad10e13e7df121282c96e5ead6f6

SHA256
33d94631c78af33de1582b0a357e699d940c220aadedaa3c5c53efc4c3c8e076

SHA512
7b3d3f9e8569def0a9d4040a573be7c49634f9a591f6115a01162452d1dcb0f39c5cb0ddcb557dab532ce6bb85e6e1df8a33f2a3f0f167f38de47f1b7aedcbbb

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
92KB

MD5
d72498b88acc244405ab4f3449216816

SHA1
a999188f001c7faba32e5c35e8762f35192fd2b9

SHA256
c0087d9a6697ca4dbdb231ccdd421b8796b44cfe72accbdf4eb54afce90b0474

SHA512
a3b02a3d92d3e0e57ff4861075007c082aa22009b2f27e1fd4de8bf1bb09cfc1ea07dd82bb58c60e685061ece30212a876048e4401c98b83a77f5ee19829aede

Download Submit
C:\Windows\SysWOW64\Cdikkg32.exe

Filesize
92KB

MD5
46cefc2fefe1b46e844f5ddd4e78bc80

SHA1
d6254a5943a46e6215c187305da0c8d087eafd51

SHA256
53c4eed656c5cdd6cff6f2db9fd6f2b0f663a9c369540e31d7cf5582d52225e9

SHA512
55239ea84a0d3083097978adb2c44604fce2c8fe066848a393236819078fcf35de141cd880980fa0536e03107709c3db827c946d27e23a6dd5116b9be09b4600

Download Submit
C:\Windows\SysWOW64\Cdlgpgef.exe

Filesize
92KB

MD5
5158a3f77865f3a54ff96e51e6dd16be

SHA1
6fcaa02197c2d3d56d8c59a3133be467ad0d1a90

SHA256
ddb302a5f9819da40b43bc8c1e70ec3185ea5bdb2e1ff971e6eab96daf37159f

SHA512
1a1c3b05cf57f7c07de800a1e174820b0a06dbfe2d7ec63e5909f463a3af401b22d9525a7effc65a714c8b552dfb61e3a33ef1ea9ef577539657c34477265895

Download Submit
C:\Windows\SysWOW64\Cgejac32.exe

Filesize
92KB

MD5
eefef2d06f62a8919270addc2e901381

SHA1
46012063c6328b08b2623452d6f28bbb27e0d99a

SHA256
142a52440deee45b17a1f017997c1f97467da3527f87c0b10f7e0c38d224f47b

SHA512
0218ac1beaae03deb203da34dbbc4525138be9ee211d28f51235d6c521876f04a3745ac390bc92c30ed40414cc7c6ec40d74b70cd295b826de3b74f73550ac73

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
92KB

MD5
2c636e72474338a11319610d6128d1e9

SHA1
df18e8141613ce27e6184211e8e5cb128bd36a2f

SHA256
4047062759ca98a4f577c51d61b22c4ee40a77e10623390fbdd3041cf00b7b1b

SHA512
67f36148d0c8776e7aea27a0f8d28980722e68f9474ffe175ae3b678651c2840873a2199482143e4357a4ccca5e7a7463187e30148c8bf0c3b52cff5039570f3

Download Submit
C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
92KB

MD5
fd4483d7ce961e27e2ee47269f3a6996

SHA1
e266c6ece57c93c0f7bd25a0a80b549d23969352

SHA256
6fb2ee48e414e7ff18c4a748d57506b80f6c11962e0b470b6366ead90c960bcb

SHA512
77948c4b94066a8a852d07eb7036f97d7ab7bf8270ef8a0d8bed050dc1fb67faac106cfed92c7fef13958fdc67c06f7c96c9315d020a17e9bab88082c6798c58

Download Submit
C:\Windows\SysWOW64\Ckoilb32.exe

Filesize
92KB

MD5
bc2f7e4646eb8ab6b500af7fa9382062

SHA1
c9cd2b294a44a5e253e34c04dceabc5e227ba10a

SHA256
919f1f8416dc3702ffd626d3c04b77ccdd11f5d29747fb8b0895f6adc0eacf86

SHA512
58b3fa59c1c2ce630c2325d6310898daf5ebd734cdd8c5306f6b8ef28f4f0900af2280ceaea01fcbea3af7faa9689333bac63f599e159a401f7a801b4455a8b1

Download Submit
C:\Windows\SysWOW64\Cnmehnan.exe

Filesize
92KB

MD5
3b1f184cb528dbd4326dcc6bf0aaa662

SHA1
9dc1d9b715b741192f72de8aac88751cc41c2862

SHA256
937416531739bef94a95a9c084ff7a3a7cdf2628d3972b9f428e664be1844491

SHA512
968f3216990d9a0346eb90f14f4a1ed9bf195d999ae41bcf681cdc87e7537465ae0ac4bde76c26dc3f3133bdb8b9562819e3984273512f9f50830482a2b2e99e

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
92KB

MD5
1dd57bf1364ca6ad19d496c770cb52d7

SHA1
3f8a3f6efadf60af1365e27cac3bc152998a7a33

SHA256
1f40f905158f9ffdf5e70263bb2b845acf17f1bf6b587895eb7ba04fc775e40d

SHA512
40cc360bab1e4aa1dff7d224ee8e11285be7ef14579d55a01cd35e5287906faa03291c866c23e9a7e4057647373c5f96de3fbdaaa3ce0bbff8587d71de7a4e79

Download Submit
C:\Windows\SysWOW64\Dbhnhp32.exe

Filesize
92KB

MD5
858e1ddcd83154ba8870c5eb07b7ed34

SHA1
13602eb5c39b03ae86be8d0fdf21e87d9910c326

SHA256
860aaee44e26992df7cf1f2d1837dae5e4f60d3e8247446c3239e87c3f203b92

SHA512
1c0f2f8fe8348d2ad81a3d902c2603f413aa3a09e4664c326db371bd213a3122c8426d18e1433ae5782d297bf78420332ef349f11cb580185cf10dbe61bd5f3c

Download Submit
C:\Windows\SysWOW64\Ddgjdk32.exe

Filesize
92KB

MD5
b55cfb74547b6bf44048f2c4837c0f57

SHA1
27cdaab1b74e165a114505eb47b11ffeab39d665

SHA256
05dee7ac18d3ebf78ed9bd4a1c176c7de953284f4e2a5edd6608cef65746663f

SHA512
c4211d69647f54a59a8591144ed86e6b41f8a12b7e8f86160d02e121b173b10197e354ed40c5bd86af050dae8941bb2732ce64e710ffb28e38cf802bb7215b36

Download Submit
C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
92KB

MD5
6908f22cbbf52dcb13f659444eb71190

SHA1
27e32f55129299e75ce816b3c83f922d70c62975

SHA256
78c42de41a0863af4af184ec6c2dc957ca856d5ec1fd18e560475bb86ca90354

SHA512
4840f86b1e6ee8bef8aea543dcb4dc23205032b416d7f2f8378f5d6d062d4f1664c1634f0bcbc8b9c468d3eea3c33632b84a38bf2dd601669b27668619c78a5d

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
92KB

MD5
9873e04aed3c813a9857be5f9e175a87

SHA1
a39f36f164f7ca0409e94ddb31c335ab38df9699

SHA256
855e17620ac75a6bd1fcf17f911ab3f64fb5795369063132fa66ffa14fbd3a6f

SHA512
842bef50725b21e6045c3a8fd4b29444df900f2e52a58116e0dbdfa64ff8803bb074150c894736ad437b95c924f10e3b45e84c385e77d183812d30a43bd7818e

Download Submit
C:\Windows\SysWOW64\Dglpbbbg.exe

Filesize
92KB

MD5
7810881d99dbf5a74ece8b530b8d37ea

SHA1
71b74f20ece0b3d9a9c611045c8ea1f9d7c7d358

SHA256
e00ff4df3a0053daa766ff65fc02422bdc5be0cada3ad5e8e343821cd9b95e8e

SHA512
42bc597c5cf1dcd4a933496b088497ed9b32cb51cf1234685a41ce0a5647e866158cff41d764dbed8c7950d426c9d38b578500582d373e3114914918157a167a

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
92KB

MD5
3d7255f676a742bd61c9157c1c9c5bc3

SHA1
c4ab37dc1d4898bd6d944af3fcfc8c1bd8a6f992

SHA256
f58cd9caf543106db3204e177a736a5b6fe510c98366271399369dc701fe8b6c

SHA512
044d215d888390eb425d8b1fa3968cd54c898cb297fe581695717fc7f96f18a9f05f6b1c5f2920b6ab53a20a3f4447ed7a3c28e3afc533334f560ffc5cc83a13

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
92KB

MD5
3a42c9894035c901bc9f0a37a545bcb9

SHA1
653ef444397ef706e813b300e09e81b52289f27c

SHA256
676bb6ba54e16571331379139808c929b82509eeccb84f70128cfd980d8d7013

SHA512
386a8f4ad61b027f5fc62d443ea848ec3ce8d275fc99776f1b92637b5e8c170231daa0adeef12d84d3b259778b4b102f6319c4660068fe5568fcc3b801d8ae3b

Download Submit
C:\Windows\SysWOW64\Dlgldibq.exe

Filesize
92KB

MD5
f1f2c78494e500ccea430e3871719dbb

SHA1
fd2fefb8e10bcd71b1810a7a93ee0be3b1acb025

SHA256
97ad916362c0b90f3aefe94a506276e3d2b92ec2689c3110d5d3b50f76d00528

SHA512
e8231be237d0d34303682a9e25228fc032a304f9bf3fe2a638fdc90f688db1469204faebb55c237567e0cae0782831f05f2b7d60ded8708822f57c30e22d7aa8

Download Submit
C:\Windows\SysWOW64\Dogefd32.exe

Filesize
92KB

MD5
58b6126d9fb52d61ae82a7bac5c18b6b

SHA1
8abbada329f477a7aab1c3e468221947ed8908cf

SHA256
fb4aeafe5c6c09efdd3ee7798586423a60ed4094bb3549cd84f0449649b43d92

SHA512
e4cdca3831908d8541fe32adf88f8d9dbe3ff3880f041d7bb56051c7bec5965369a94813ae52b19e5fe51ce094b53e977ea518db66267333fa21a5c44647977f

Download Submit
C:\Windows\SysWOW64\Dojald32.exe

Filesize
92KB

MD5
6300405cf5960103651664f1c28d89ae

SHA1
262761d46ea12c3007bf923449e89504f4815a22

SHA256
0db98f2192ed75eb02651d1db1f9cdd323368625be29c397f555e55e6264fa86

SHA512
6d3b0135c2859ff2bf5302bc32ddbab02cac9a8998d28b3e726541d6152237c23aae7cbe5d1891b46a85f84cccaf2420e41d453210a0354af44f55e95f0f4954

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
92KB

MD5
0c88341a92a7ad7178e83fdd3927f0ab

SHA1
79cc269b861eb69fca5865c09456b61634d36147

SHA256
ddc1c718c882746ed918a3b1c0f93fe144de858f0e3ba8b9b1b915ef5f0d198b

SHA512
91cf94ea66e812fb24b0f3ce9e396f742bf67dc3bc536b95fd7418acd09a3dd0e5beb46b575747086a8b0a171ae88d5fabb203be29e732ada03f3410b14e942b

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
92KB

MD5
bcedddadc60e0eb88d756738b96e1c0f

SHA1
8516a3348d2a04ea0ccb2ef7cf38d02ab7cd7d1b

SHA256
601874a3a34c26fcfd12d6280dc9fb4765bb75688927603023e858692c210a47

SHA512
db8f2dd792f8a0ba121ae7ea1f0106bd2003349b051b6d47b054c01714783b5daf264e9e49f9a34c06917a495876d7061df9153e994316671861a30565402ae8

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
92KB

MD5
09f111a1337cf4bce748f8751de78944

SHA1
1eb4feee092d08762c7d28f6341e31862e29230a

SHA256
87601e6086de44b659f45b4d119266a77176a603858baeb9108d29672766d121

SHA512
c48d8ace181cbf983b2a4870e80994424c1f0045540e4ae894677053c41fefd5717adc2ac0d902ceef85dab95e73477802c19b735990c70ec706f2464caa453e

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
92KB

MD5
8cff11483879c1c53126fd1626019c60

SHA1
a8f25ba8308eb1d6e43db81d4479983afb97024f

SHA256
5c6651ea6177c872b165f52b1cd978e3820fa6b61562d9f47cc33ca425f4b5de

SHA512
3b6036cfb0fa91b9db5af420513824192ffb3bbda53eeb34f6a8246d595bfa28bca001805efb646591eff2ebb80d66f477e6889c04b39b8602768d2da72efc4e

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
92KB

MD5
8c70128c069bfda933c9cd7ff27c5ee7

SHA1
1588bb746457ae5a22a6e4b93d31aa06da05421e

SHA256
38766f585edc34d7eb8173019e0225226c479686b9c649a20169ea01186389fb

SHA512
652cf22f93a2af87ea150a19e93e27428a3feba77c10ea11e6a14d5c0029cc5cebf05740b2206bff225e7beb23759ac7e235c31d79bb2c96da04e3229acd8e30

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
92KB

MD5
3520c541ec6f0011528f8dbc3a2987a8

SHA1
a5e7e8a798895b469ad05d7d7ad97243025151f6

SHA256
0efe5e1f5d6b4bbc08d2369aff8b04306f942bbafd28f7f74260fb69a8d9f4c5

SHA512
25dc5713f9568e19eac756198c96402eaae5908e5a563c84c01bd1592eb80b8354bd529dd08650a8e49ba59787d442a1e1cb73ccda1be74f2170722efb9b78c0

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
92KB

MD5
8ae03b6b60734d6796a2180937683fd8

SHA1
49d9ac50e05fe8a531658c7b665f15fb2e6f68c0

SHA256
d647c9160711bcb29ec6d3224011e4d87733b80fb064375342045519b4994db5

SHA512
97693e7e24f7e3674425cc2aa8955669c413cd8aa0056d047272e2ffd5bccee726dab04b431ecb57b707fbff1215809f59d2e598f86a30ad2c50d4501b6d50d8

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
92KB

MD5
49a4be24e542151331f2a60c1214fca8

SHA1
ff4fca4f8e2561b08cdd86ce46f636b709f0c830

SHA256
22ef59114e4e2edbba308670c47e489adf8cd3634b3ecb8aadc0fd82babe66c1

SHA512
a1ac9916452694ca1f3ccafb7914667b8d30b70d2062d3eae0492829f88742182baf42a02c4685aec098b53cb2ec4ec108c31a40682ce19fedd2b1f189caf215

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
92KB

MD5
182d17fba405457e614cdec42dc98839

SHA1
ce90bfdbd734be602afe1ce210d4634ff4e5cb34

SHA256
d6c9e8bac78333695d927f2c480b7859ee2c415dfe7d3a1ad90115847bcde172

SHA512
1253680924886f478dc64b41c3eb7afae2abf61e44c4153b2dff6bd86bba73600e3a9f16ab79a33ada9682b66ea18add8cbb79c41f0bdbd02784ad009f962c0d

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
92KB

MD5
fef747a6d64d198716faa951384c3c56

SHA1
29685ec73d155f32e6d0f419c179673e027769fa

SHA256
0826e394c83e2d7420aaa2c9dd94033f4202150bf8346c04ca5f0d682976c572

SHA512
d69bf7d45d15eb5c0e9922a94d393a28de6d73488caed0e0fdff1a984d70654f9f296bae0c078eeb87f2496631fda26aa0571cadf7b9054fb655756cd657d31a

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
92KB

MD5
e047c4bf8a048c6e3b12362c51c5a3bf

SHA1
028e61df7e402ecbe253f7f5296121563a919176

SHA256
902cbdd02d14faecd8018dec2aca3da06886bd26d46158a99af30c7be9b32696

SHA512
659743a6e79126b948b7bcd50e2a189212a82b914c65e495af71ca5ebedc58c783061e6ac9656a0f18a38f03f37d00adb6f58937728bf73966cd10a3ac6ff954

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
92KB

MD5
e664e80716b8184f0be2ab027b3d7e16

SHA1
647659c90222004989ca2e81bd58b3a676530b19

SHA256
0b699a28731f58b71307e98b370d61e78f8bf80805357b62585b30a94d083094

SHA512
70dfe9b3d83dcb689eb0c8accdc6d4382c8432cde244bbacd861c6963994523c051770876e0bd478e6942d94a188b0f7d4513f60b9b7d5e1d278abc2106d5b4c

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
92KB

MD5
d2878d6b8d9516f3700ea9402098286f

SHA1
bc150a75f1b447fb3c75077e725f37627fca2e87

SHA256
5c58f49b6568132cb49f84bdce1b56ada54bb136d6640bb0a7e1c5aff12f1d90

SHA512
59a1c04c465a2ae5475e12e852ec8c7e01f41e70e961457cbd6af1a9fb02dd3df5aca5878b70e0e80abbc52d8d7ea45bad7125684240ecb7ab169f524adce572

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
92KB

MD5
8b52b6082baf05af946650671a2099ee

SHA1
499f5b62dd2f66caa0454cc33d44f63484f7edb2

SHA256
e7a9a50aa4dbb7f0cc7ad596e188912c86ce206fa1d0bdd1ff9dfb8a33b0274c

SHA512
3c07fa39583aa87f1446e16998f4761e42bc02f57a1572c6473fffdcba7c99727fb4d3095193ddde8262e13ea9ffc83663ba72d0149303c78f0849d23521893c

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
92KB

MD5
34636f2b590f9a121ddef4df51fb0ebd

SHA1
916fb9e0750d4ea03dd4fe172004670f75034ab6

SHA256
9a065796d8c9e0207571c899838059b7ef2bfa44bc0ee639c3bf10fef0703efb

SHA512
f00ca05df28a05e2d27ab20319db3ecf6b9ec6decb150c02292e5aec2950a69b678af3af631dc672559a2109628450a67f45e70e1d58e03b705fb60634bef5d4

Download Submit
C:\Windows\SysWOW64\Eqbddk32.exe

Filesize
92KB

MD5
a7e768c899787188d4cec71ba64c8b63

SHA1
6e0abf502fbecf0a09ad6a1d8617558d5c6380af

SHA256
a68bcdbbf19fa5ec1f51cba19a034243a227b339fe3c495c5c67cf09a95912bc

SHA512
579b650dc0fcb3433d9302008fc70bb28472763d6bf6ec90dbc4e6ecc981322ec9a3b485343fad2003077df2c3c4a3fc348493958a7f86dd75c8401953fbf638

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
92KB

MD5
3f246ffaaa11880bacadb07cbc34c293

SHA1
acabb9437d1ac49e6fa1d62e864796a497987bc8

SHA256
5607e97fbf7b5d76b4b9d0b8ddcc3c8616ccf59490ab02f7a44fae1d09015bad

SHA512
b9a25c89b57a8a3959d5d62786b37c283379d61509bba632e42212ca5f374eb92b67b145ebe3e8b8b6a7aaa48b3167125e535fbb7b4eee307c8f01c457ec79b2

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
92KB

MD5
0665bee55f9e0daebd6c87da61831502

SHA1
5e7bc0f49d010c12affa58ec24f6700424138b0f

SHA256
db2623494ae565898788b49dfc08ec625c3e9652ee89b95396d54d2b93e5b75c

SHA512
ec4c5a2be667eee7555e33f17b3ad51c57039d07e6316cd6bbf65fcf83c42a8b7576dc73d9ea5665b37d5dfd42ca01728c5cc4f05d6795f750f6019095bcd26f

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
92KB

MD5
a2aaaf57bfb9d70530cf7a9d8b031dfd

SHA1
4482021344b20fb44c5e72d619f571ea5025b621

SHA256
f9e082e1de8024d1a5ea641c4b63ccb1988925f77631a9c381bab800ef06ab39

SHA512
ee706e54e5dbf040015b6040edfdd4820c68d8ee7c37e9a74d71d3565d9edfeb94bf4fbac96151744078561490c32684eb1b1ebbdc9e09b14349c0d5e5cd91a9

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
92KB

MD5
a68c55fd208f17e4593bfca917dc9acd

SHA1
de3805a66ce80ffc16528c9abfb0c3c65798fac4

SHA256
f934566b339ea6b32b5a42a2f7728013201a1a0e685afa30260b475785225cc5

SHA512
8679122496e7612176b9f67c42487dcf1414b4c9c3e7b994dbd2b42aab3b0a97d8fcae42d45bba1e553cf4d6081b54313ba5bb7cbb94c4f74a9cdb9a2ca1fc70

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
92KB

MD5
0a00cebd73feae67b84cfd3b61c3da61

SHA1
badd65fa47126d0c041d735ad2874f9797ec3ed7

SHA256
feb0306a7d49eebdb3a7ac2d3f8b6f68734f0c180950292e2b251f08d57e5b87

SHA512
75702f256ac9c0114a451080ecc2db01839e51d6db4ef60cee0bb1777ce4e2d7634db7bea7e23897bb4932a06642384c9739cceb641dba4f62c90c091018b457

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
92KB

MD5
a60f7e34962b722ee68ca5f051ed57ac

SHA1
f1d7793a3451a92c0a9bf9eac83d6f12edc13de2

SHA256
dfb15f5a46dbfe41718766b02549774eb7bd8e16e918205d75580f6a8730ed82

SHA512
305cd5d750e5764b9696acbf75d6dce67b26f3f4991734e868f2325d15f2d997af0f1500251cd0239a118e214278689eba12357afc9f42f986448ae68523e3b5

Download Submit
\Windows\SysWOW64\Baakhm32.exe

Filesize
92KB

MD5
46b052877cf0028b13add7fb7012ce91

SHA1
ead885e35812367793e099792c7f02a5d687460c

SHA256
6362da0775640009a0f6f3cb6642549ff550fdff1bd9600da86fcf0961f06ac0

SHA512
ea87dea61deaeca6fafdf4b87d105f3e94085a06cd7db8c6c10692e45a638258b9468228b1be77bdb56095312b2d1a15b121c845f9ee3cf9080a5df2f22953ed

Download Submit
\Windows\SysWOW64\Bbhela32.exe

Filesize
92KB

MD5
522ead14401781e923b670ccada1b917

SHA1
e4fbb0bcfda09ccc187d2088b56aca43dc8ffd6b

SHA256
82e88dfd1510c07863d835ae6b9e4bf0fb855ec642906e902fd7b04fcc25cf55

SHA512
c72a324577afdfd5bc2bb48210917933e7a19e8a432e9dd96bd24d76ea630721a2635520ef4764bdb764706504edaefad8ba5e75c3eb216f0294d1f6ea4b38ed

Download Submit
\Windows\SysWOW64\Bifgdk32.exe

Filesize
92KB

MD5
224c1437777d3c7f346946482fd95221

SHA1
40797bb0b7dcd421138a1603bc91008e508a80de

SHA256
2e692efc5a152a591a180304e43a759ce36281fecb02110c72dd05508074e42d

SHA512
398b6358c2896775f093197d776f742dfb9fed36a76b3fde9f9258ef774bfe4f28e1876f9e84291b1ad15579a0936b8c55741b87543d3d53d0d448e498487617

Download Submit
\Windows\SysWOW64\Biicik32.exe

Filesize
92KB

MD5
bef85eae7463ef63521464cc513ff3ab

SHA1
878153cb44977507836ef6b91b2ae5eb29b95775

SHA256
4e152a5992afbd5a6771e3e1ec3a4787163ba226c2d99ad81229e91f857e17f7

SHA512
1a756cf8d76a751f0bc107bc444c70c86bae7706da7fcb1bf5258c170c2f69d4162bbe21bedce667137f5505d5a023e41a3c2837137dfc0ef61f0df62b0bcddf

Download Submit
\Windows\SysWOW64\Bjlqhoba.exe

Filesize
92KB

MD5
3098ddf5333a3b0185f0e44dcc1e0d52

SHA1
be2573e99aa1bdea2eb8f85cf24126357828b9dd

SHA256
3972d07babac40f96b74a20d98f78c5284871db1c118c531e8b00e0667d9f75b

SHA512
c0266ce51fdc0d7b17f555537105dde228f0e7700b5338bbea71fc38f8323147b936b795f571b1021488d6d3ce5b8d6f0f0208e09670627b0a00d5d843231aa3

Download Submit
\Windows\SysWOW64\Blbfjg32.exe

Filesize
92KB

MD5
a21403fb4598bba6e2729ab86315e95c

SHA1
ccef2d4dad2b378fca55ec1b1e47e773c2bd973a

SHA256
37401ed840a50cf43da57edc7fa22cca3427c590f6bd8b4d61f2c96a3e336a8d

SHA512
4d5e872f7d8f7d0fe39d770f0d1207314e40be21e35311355b3de8c03673d53ee512e1680ce1277d6dfa78b2bdda7f4a1a6e718198a952a9f1c6891790ff586a

Download Submit
\Windows\SysWOW64\Blgpef32.exe

Filesize
92KB

MD5
3321d7e50be57f66dfd8cb47363a9ddb

SHA1
48847fd6b46b72a3b7c39d0db3f501cca6246b4d

SHA256
789b2f67d3b30da921d25800b369988bfeb5f7b5db2a5eac6760ba1b3c1edc54

SHA512
dd42ac090fd7fa885176e51721cbf7b22f7dba7d833a91ff060a50a9a8ae6697fc179d35ade8ebeeb03b75a33fc68df74e3a89596849d53e736e99b6f511d4dd

Download Submit
\Windows\SysWOW64\Blpjegfm.exe

Filesize
92KB

MD5
cef54a40ab82af1cba557ab0e8a1c5d7

SHA1
917f2376a972b96efd78893fbe78571093c2ac72

SHA256
fccab6cc5dc13de83db053f71190fad2e90698f6e347b4c5bacae6a75993f42f

SHA512
6514c3f64e05062e0ec2f268b7b59705afe0f0e0eeed16e1ed45f0a0820b8c947b51d7a615b09016689ecfe97f923f56acf60e7410f0de15a75b23ad26fd0560

Download Submit
\Windows\SysWOW64\Bpiipf32.exe

Filesize
92KB

MD5
280d8926e2ab3a6141b94c8b8c8ef799

SHA1
47507f8d4359d8af154da991ba95335c6264bda5

SHA256
9ac02f971df9ce9a130b317a8bd10128816e31a2c6f47c66a8c3b7999410ca64

SHA512
bc66181a50d25ed2ee8fda3fe239747b6fcc2c5fd860e95738d987053e1e6d6aa16c0484bb7b92d015c61f6463ca339e98002f3b9bc28cfb277525ba3172c945

Download Submit
\Windows\SysWOW64\Bppoqeja.exe

Filesize
92KB

MD5
58a6fde480ee6a4afe65177c02be6530

SHA1
5be20d43b7c30260b92697f264f64c8dcd9fdd56

SHA256
a007d96ca974d046ee99cacec4c173f2ef362b99ec05e510bbef3cb45456c129

SHA512
880081ce92bd6f1eef04984993172c3179a03862586b300425d5eab6af39e2f76aff8b5746bcfd907fd7894310e1724466a867040e2777120639c737d45bd298

Download Submit
\Windows\SysWOW64\Ccahbp32.exe

Filesize
92KB

MD5
e12006b09641fc399c9e76ff821853c1

SHA1
6744b755accdafcf7f43cf7486e0efd192ea287c

SHA256
33c5d1dc91490ce4fd870fac10a669815a9ff2078b34ba777781bd746554a35c

SHA512
a981febdd5a8489ed3a04508783f4b3c7fb78c77264a454904dda394fd69b4a902a45f201c4ef44f20d39f45f0db1768051791e3c0b2f2226d4b46bd314571fb

Download Submit
\Windows\SysWOW64\Cddaphkn.exe

Filesize
92KB

MD5
5f6c81b199b1181cd4503d8fae55c032

SHA1
e6c7e71f9962f718b881b3e82b1f6b67ef7905c6

SHA256
a56d90c2665e66b19d32ccc58d456adef4deca00ecae7820075e5ae7d8474d9c

SHA512
3a024f272ada3e87e571d561675ac58f8e295f4496b23ecaaa89329b16da829eadf8a1dbc469ac5254a000a5dfc3c916cc5124f985c5f5c7b684cf2ad84126e7

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
92KB

MD5
e23efb3f2347cd83f8e475c8b5bd27a5

SHA1
b304dc05f35d8f41ee1d5418fbf7107fea961ce0

SHA256
489bd41198364194848d054e7b2d82291a71463d62e0b52e12d7ddc6040001a0

SHA512
66a6806003d7b2ba315baf8d852f7fd70d13e3478fb02f4b19dd850020c29610dd969e60601f0fd8c175f0d39a559ff4a3e84665600b40fc6ddf2800a3ee7606

Download Submit
\Windows\SysWOW64\Cohigamf.exe

Filesize
92KB

MD5
68454dc2f9886412773159680bd29908

SHA1
99aff04413d8bc653eb3fda10a6960986b8f86d9

SHA256
0bd567b28bae924eb9f4c8b24fe2e7c688199a1059f53a58eec72e16f5065d7e

SHA512
8aabbcb39e744db1fe5dc9d54d69724efff207aaa59cd60be4f942284dc897a628e425c1ff6c955277e1d0d655b4a00328c6877bcefc417e9b666a2df0485514

Download Submit
memory/108-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-232-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/300-392-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/300-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/300-391-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/376-367-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/376-712-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-366-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/376-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-241-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/852-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-486-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/856-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-498-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/856-503-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1056-269-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1056-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-288-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1588-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-181-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1648-301-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1648-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-423-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1724-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-445-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/1800-745-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-262-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1908-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-81-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1980-424-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2000-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-103-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2180-446-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2180-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-210-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2320-467-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2320-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-491-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2356-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-331-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2448-715-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-332-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2460-477-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2460-478-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2460-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-711-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-379-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2556-342-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2556-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-68-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2632-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-402-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2644-713-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-53-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2668-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-352-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2676-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-717-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-312-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2708-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-308-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2712-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-377-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2712-25-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2720-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-196-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2736-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-356-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-355-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2788-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-389-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2812-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-35-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2812-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-318-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2868-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-130-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2868-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-718-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads