berbew | bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
Size

101KB
MD5

fcf1e588755c4ec2a42b33f2f4cc2a90
SHA1

7ffe014ddf841ac4f4d4a19e7794b1df8db53095
SHA256

bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8
SHA512

397e4b1827fd0fe595b906b6ac260ad064cc57605cc0402b5dd6a14d6bed6401c5c072731527e4894502ea89dbf66c9582f8e3fa312b64065fc9894560f3139a
SSDEEP

3072:+RqzYTcKCBeS3wtduXqbyu0sY7q5AnrHY4vDX:+RqzYTB43wK853Anr44vDX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemgilhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjpacfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpiipf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
2800	Bioqclil.exe
2808	Bpiipf32.exe
2724	Bbhela32.exe
2588	Blpjegfm.exe
3052	Bbjbaa32.exe
1012	Blbfjg32.exe
2520	Bpnbkeld.exe
1624	Bbokmqie.exe
2544	Bemgilhh.exe
2920	Ckjpacfp.exe
1052	Cadhnmnm.exe
400	Cdbdjhmp.exe
1792	Cohigamf.exe
2908	Cddaphkn.exe
2320	Cgcmlcja.exe
2400	Cojema32.exe
1704	Cdgneh32.exe
1112	Cnobnmpl.exe
2288	Cpnojioo.exe
352	Cdikkg32.exe
1060	Ckccgane.exe
1928	Ccngld32.exe
2416	Dgjclbdi.exe
2316	Dndlim32.exe
1676	Dpbheh32.exe
2680	Dglpbbbg.exe
2896	Dhnmij32.exe
2208	Dbfabp32.exe
2824	Djmicm32.exe
2552	Dlkepi32.exe
320	Dcenlceh.exe
1064	Dfdjhndl.exe
2260	Dkqbaecc.exe
2076	Dfffnn32.exe
2336	Dhdcji32.exe
1932	Ebmgcohn.exe
3028	Eqpgol32.exe
2372	Endhhp32.exe
1696	Eqbddk32.exe
924	Enfenplo.exe
2280	Eqdajkkb.exe
2000	Eccmffjf.exe
624	Enhacojl.exe
2996	Eqgnokip.exe
1712	Egafleqm.exe
1920	Efcfga32.exe
2524	Emnndlod.exe
2504	Eplkpgnh.exe
2396	Ebjglbml.exe
2752	Fjaonpnn.exe
2700	Fmpkjkma.exe
2564	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
2800	Bioqclil.exe
2800	Bioqclil.exe
2808	Bpiipf32.exe
2808	Bpiipf32.exe
2724	Bbhela32.exe
2724	Bbhela32.exe
2588	Blpjegfm.exe
2588	Blpjegfm.exe
3052	Bbjbaa32.exe
3052	Bbjbaa32.exe
1012	Blbfjg32.exe
1012	Blbfjg32.exe
2520	Bpnbkeld.exe
2520	Bpnbkeld.exe
1624	Bbokmqie.exe
1624	Bbokmqie.exe
2544	Bemgilhh.exe
2544	Bemgilhh.exe
2920	Ckjpacfp.exe
2920	Ckjpacfp.exe
1052	Cadhnmnm.exe
1052	Cadhnmnm.exe
400	Cdbdjhmp.exe
400	Cdbdjhmp.exe
1792	Cohigamf.exe
1792	Cohigamf.exe
2908	Cddaphkn.exe
2908	Cddaphkn.exe
2320	Cgcmlcja.exe
2320	Cgcmlcja.exe
2400	Cojema32.exe
2400	Cojema32.exe
1704	Cdgneh32.exe
1704	Cdgneh32.exe
1112	Cnobnmpl.exe
1112	Cnobnmpl.exe
2288	Cpnojioo.exe
2288	Cpnojioo.exe
352	Cdikkg32.exe
352	Cdikkg32.exe
1060	Ckccgane.exe
1060	Ckccgane.exe
1928	Ccngld32.exe
1928	Ccngld32.exe
2416	Dgjclbdi.exe
2416	Dgjclbdi.exe
2316	Dndlim32.exe
2316	Dndlim32.exe
1676	Dpbheh32.exe
1676	Dpbheh32.exe
2680	Dglpbbbg.exe
2680	Dglpbbbg.exe
2896	Dhnmij32.exe
2896	Dhnmij32.exe
2208	Dbfabp32.exe
2208	Dbfabp32.exe
2824	Djmicm32.exe
2824	Djmicm32.exe
2552	Dlkepi32.exe
2552	Dlkepi32.exe
320	Dcenlceh.exe
320	Dcenlceh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpnojioo.exe	Cnobnmpl.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Ebjglbml.exe
File opened for modification	C:\Windows\SysWOW64\Cdbdjhmp.exe	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Cojema32.exe	Cgcmlcja.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Cadhnmnm.exe	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Cojema32.exe
File opened for modification	C:\Windows\SysWOW64\Cnobnmpl.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Pmbdhi32.dll	Blpjegfm.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmlcja.exe	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Bioqclil.exe	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Bpnbkeld.exe	Blbfjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckccgane.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Mbiaej32.dll	Bioqclil.exe
File opened for modification	C:\Windows\SysWOW64\Blbfjg32.exe	Bbjbaa32.exe
File created	C:\Windows\SysWOW64\Eccmffjf.exe	Eqdajkkb.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ebjglbml.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Bpiipf32.exe	Bioqclil.exe
File created	C:\Windows\SysWOW64\Eqbddk32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Ckccgane.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Eqbddk32.exe	Endhhp32.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ckjpacfp.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Ckjpacfp.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Ckccgane.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Obilnl32.dll	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Eccmffjf.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Cadhnmnm.exe	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Cdbdjhmp.exe	Cadhnmnm.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fmpkjkma.exe
File created	C:\Windows\SysWOW64\Apmmjh32.dll	Bbhela32.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Ccngld32.exe	Ckccgane.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Bemgilhh.exe	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Cohigamf.exe	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Dglpkenb.dll	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dndlim32.exe	Dgjclbdi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	2564	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjpacfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnojioo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfffnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpiipf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhela32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbjbaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohigamf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccmffjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadhnmnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blbfjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnobnmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmlcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnbkeld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbdjhmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpkjkma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bioqclil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blpjegfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbokmqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddaphkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqbaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemgilhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcenlceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckccgane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll"	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blbfjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll"	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpedi32.dll"	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll"	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2800	2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe	30
PID 2704 wrote to memory of 2800	2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe	30
PID 2704 wrote to memory of 2800	2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe	30
PID 2704 wrote to memory of 2800	2704	bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe	30
PID 2800 wrote to memory of 2808	2800	Bioqclil.exe	31
PID 2800 wrote to memory of 2808	2800	Bioqclil.exe	31
PID 2800 wrote to memory of 2808	2800	Bioqclil.exe	31
PID 2800 wrote to memory of 2808	2800	Bioqclil.exe	31
PID 2808 wrote to memory of 2724	2808	Bpiipf32.exe	32
PID 2808 wrote to memory of 2724	2808	Bpiipf32.exe	32
PID 2808 wrote to memory of 2724	2808	Bpiipf32.exe	32
PID 2808 wrote to memory of 2724	2808	Bpiipf32.exe	32
PID 2724 wrote to memory of 2588	2724	Bbhela32.exe	33
PID 2724 wrote to memory of 2588	2724	Bbhela32.exe	33
PID 2724 wrote to memory of 2588	2724	Bbhela32.exe	33
PID 2724 wrote to memory of 2588	2724	Bbhela32.exe	33
PID 2588 wrote to memory of 3052	2588	Blpjegfm.exe	34
PID 2588 wrote to memory of 3052	2588	Blpjegfm.exe	34
PID 2588 wrote to memory of 3052	2588	Blpjegfm.exe	34
PID 2588 wrote to memory of 3052	2588	Blpjegfm.exe	34
PID 3052 wrote to memory of 1012	3052	Bbjbaa32.exe	35
PID 3052 wrote to memory of 1012	3052	Bbjbaa32.exe	35
PID 3052 wrote to memory of 1012	3052	Bbjbaa32.exe	35
PID 3052 wrote to memory of 1012	3052	Bbjbaa32.exe	35
PID 1012 wrote to memory of 2520	1012	Blbfjg32.exe	36
PID 1012 wrote to memory of 2520	1012	Blbfjg32.exe	36
PID 1012 wrote to memory of 2520	1012	Blbfjg32.exe	36
PID 1012 wrote to memory of 2520	1012	Blbfjg32.exe	36
PID 2520 wrote to memory of 1624	2520	Bpnbkeld.exe	37
PID 2520 wrote to memory of 1624	2520	Bpnbkeld.exe	37
PID 2520 wrote to memory of 1624	2520	Bpnbkeld.exe	37
PID 2520 wrote to memory of 1624	2520	Bpnbkeld.exe	37
PID 1624 wrote to memory of 2544	1624	Bbokmqie.exe	38
PID 1624 wrote to memory of 2544	1624	Bbokmqie.exe	38
PID 1624 wrote to memory of 2544	1624	Bbokmqie.exe	38
PID 1624 wrote to memory of 2544	1624	Bbokmqie.exe	38
PID 2544 wrote to memory of 2920	2544	Bemgilhh.exe	39
PID 2544 wrote to memory of 2920	2544	Bemgilhh.exe	39
PID 2544 wrote to memory of 2920	2544	Bemgilhh.exe	39
PID 2544 wrote to memory of 2920	2544	Bemgilhh.exe	39
PID 2920 wrote to memory of 1052	2920	Ckjpacfp.exe	40
PID 2920 wrote to memory of 1052	2920	Ckjpacfp.exe	40
PID 2920 wrote to memory of 1052	2920	Ckjpacfp.exe	40
PID 2920 wrote to memory of 1052	2920	Ckjpacfp.exe	40
PID 1052 wrote to memory of 400	1052	Cadhnmnm.exe	41
PID 1052 wrote to memory of 400	1052	Cadhnmnm.exe	41
PID 1052 wrote to memory of 400	1052	Cadhnmnm.exe	41
PID 1052 wrote to memory of 400	1052	Cadhnmnm.exe	41
PID 400 wrote to memory of 1792	400	Cdbdjhmp.exe	42
PID 400 wrote to memory of 1792	400	Cdbdjhmp.exe	42
PID 400 wrote to memory of 1792	400	Cdbdjhmp.exe	42
PID 400 wrote to memory of 1792	400	Cdbdjhmp.exe	42
PID 1792 wrote to memory of 2908	1792	Cohigamf.exe	43
PID 1792 wrote to memory of 2908	1792	Cohigamf.exe	43
PID 1792 wrote to memory of 2908	1792	Cohigamf.exe	43
PID 1792 wrote to memory of 2908	1792	Cohigamf.exe	43
PID 2908 wrote to memory of 2320	2908	Cddaphkn.exe	44
PID 2908 wrote to memory of 2320	2908	Cddaphkn.exe	44
PID 2908 wrote to memory of 2320	2908	Cddaphkn.exe	44
PID 2908 wrote to memory of 2320	2908	Cddaphkn.exe	44
PID 2320 wrote to memory of 2400	2320	Cgcmlcja.exe	45
PID 2320 wrote to memory of 2400	2320	Cgcmlcja.exe	45
PID 2320 wrote to memory of 2400	2320	Cgcmlcja.exe	45
PID 2320 wrote to memory of 2400	2320	Cgcmlcja.exe	45

C:\Users\Admin\AppData\Local\Temp\bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe
"C:\Users\Admin\AppData\Local\Temp\bd6e815376395a6353abff469a9f0521e3d933441b9550994353ea9249b8fcf8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\Bioqclil.exe
  C:\Windows\system32\Bioqclil.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\Bpiipf32.exe
    C:\Windows\system32\Bpiipf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Bbhela32.exe
      C:\Windows\system32\Bbhela32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\Bbjbaa32.exe
        
        C:\Windows\system32\Bbjbaa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Blbfjg32.exe
        
        C:\Windows\system32\Blbfjg32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Bpnbkeld.exe
        
        C:\Windows\system32\Bpnbkeld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bemgilhh.exe
        
        C:\Windows\system32\Bemgilhh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ckjpacfp.exe
        
        C:\Windows\system32\Ckjpacfp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Cdbdjhmp.exe
        
        C:\Windows\system32\Cdbdjhmp.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Cohigamf.exe
        
        C:\Windows\system32\Cohigamf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Cojema32.exe
        
        C:\Windows\system32\Cojema32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Cpnojioo.exe
        
        C:\Windows\system32\Cpnojioo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\Ckccgane.exe
        
        C:\Windows\system32\Ckccgane.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dndlim32.exe
        
        C:\Windows\system32\Dndlim32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dglpbbbg.exe
        
        C:\Windows\system32\Dglpbbbg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 140
        54⤵
        Program crash
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbhela32.exe

Filesize
101KB

MD5
aae7320363716fd31ca7df3a389e8855

SHA1
6867e3e1ee5304d7d29440f85a28f611e18bef02

SHA256
cef29198207683d7f9e374d9261db823ec5f02c484e7d2d69b2f0ed749a0f272

SHA512
0dd21df1aeac3a1b022b3ca28e11bac0a810fcb3766378a0fedeb7d1c0423e98ce2ca6dde67cf7b3835bc0ad5d80523c3361d02ec902c52d8d639b06a79874ca

Download Submit
C:\Windows\SysWOW64\Bbjbaa32.exe

Filesize
101KB

MD5
0e4e71b1791ece71eef2b7aad8ae6303

SHA1
d4e4d7c3ba81dabb10bcf42b1e233da75413a3cd

SHA256
d0cbb118be68654a1d09500cbee174f032a078a46a0390d702ba42a46a536db5

SHA512
9eeb90a3dd836296cb06c115cda31fd9c2a468a5002a700a6a9159b5b2e6e1882ad7c88be32c6dcc7e852e8441a7758b277e02fadc7d7e434ecb48f8603ff65e

Download Submit
C:\Windows\SysWOW64\Bemgilhh.exe

Filesize
101KB

MD5
f3734ed3385ba4685dc6d5a4f7a93d9e

SHA1
0d211dc606e290f4e3241538b9420879fb1135a0

SHA256
74867f0b3568b0e987787cf3f560a4d2d3226712a23d10de54a10bbe0528e089

SHA512
9a207afd2c569993939742dd0d157bed15bd957290ae110685545e6fb9d6f32bf9f135a6854aa83e32774a02f9f2ba9171939cf7fb245373e039498d3b2056a7

Download Submit
C:\Windows\SysWOW64\Bpiipf32.exe

Filesize
101KB

MD5
00a380c913982bb63082aded1cb91a26

SHA1
2a241fd98ee35fb995cfffff5147ce1299882f65

SHA256
22ad615405ce211553e31e56d26b19d4b3338f10f6c43b7a7f47776505e8ce34

SHA512
76b65162c94baf72e456610b9058c363453fedc1cc7a312a21f1ae4b9a3902b9d27a9d0c83711e78ff923973f87c1517b6a7315ab07c774bbf10b50517177375

Download Submit
C:\Windows\SysWOW64\Ccngld32.exe

Filesize
101KB

MD5
cc602de8fb93c292074c4318d4eae9bd

SHA1
4a65f791dc0c2370fa1f67192e6b408d27038b2c

SHA256
d512ff99a847c92a934faf94f5d18ebc37c8db2eff2b85f2497acbfbbaff61c9

SHA512
9e0e38570cef4a4b33d9071ce7cbe06ad2f60526cc6445a361a29528b4383b55aac5f8e73240e6e07cde12413363eb77160929e0f7fac032a62f286950455466

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
101KB

MD5
4c985fae9f984bf42bc8ea99bddde5e4

SHA1
72f6fdbb06da33e1f980a66d3d14591f0a3d1feb

SHA256
8e833a401dcac676b67e49e8e2b9c656f1c1ff954d45022d9b13763e9a893d0b

SHA512
ff0b4ec743d8823d455934b1a3c1138cfdd06278b2ac7bd656154abbef6e04e96ab3815405d7d30e2307d0e5f6d25575a9293bc6ad0ff25813aeb35869e79c58

Download Submit
C:\Windows\SysWOW64\Cdikkg32.exe

Filesize
101KB

MD5
90ec9832a50bb97ba7b205e47b058ec0

SHA1
91d484a522b1f5aa782def278e4f4fa6e457825b

SHA256
c2d450336bcafffe3930b47b2d587369b9cbccc9e69bb27fa5af0628a7910f07

SHA512
606b3753d6bb137230e5555b3adb63d4c7397bff904e9166720bb3f6aeceb54d5e6d821fbbd60defc94507e9addae8ab3447e1ddcd8a1760c1531e1758109262

Download Submit
C:\Windows\SysWOW64\Cgcmlcja.exe

Filesize
101KB

MD5
e6f30789db03cde67d95eb3c25ea854b

SHA1
0f6c6f9adff02aada9cace3b015f19b64c87e039

SHA256
33cde56904af0b02bfcae9d1cd643d6f2f9918b92de604998f93b939e60d7ac1

SHA512
80e72b7f9c19047e399ba0631f9f46ab212115095604f1e3d3bf836d94318fba44c2ed022d4a90029a7e7e1c177d7c117f0767db0d0ff07d0d2340ed497af3d4

Download Submit
C:\Windows\SysWOW64\Ckccgane.exe

Filesize
101KB

MD5
9d9eeed7e49874538e3787eefec03d0c

SHA1
28cf6fbae2f4dfb442343f6b4f4dcca71984fc0b

SHA256
8074904dd8fe9b12e534afbcb1aa47bed1f59d1d3818c4c81f96adea622942d3

SHA512
69f49cae8620f8efd487718e49aeb0e561bd110ad575ade00da088f01b8f81400c04359877647ddb1fda2c0e7b08aabe3bffa6410e9c2e86d3d87287f98ad5f9

Download Submit
C:\Windows\SysWOW64\Cnobnmpl.exe

Filesize
101KB

MD5
e0bf1596816d32c8b80607e35da4d9c1

SHA1
bfb3d1eea595c935dcd8c26097cdd57e0ed6704c

SHA256
72aa347b05ef7a0235facb9a0489bfebf1f3590b50d30bc765f44ddf1f61c67d

SHA512
7b1aa428272ccea0e77533198541e20a9acfa7dbbff859b527083c42978d3a273ffab9fec352ec36b4c9f7596e5208222c7b4848cc1ff29c1bb1b7861de84de7

Download Submit
C:\Windows\SysWOW64\Cpnojioo.exe

Filesize
101KB

MD5
9d8e67c7ab407a38a3766ee2a22c3b3a

SHA1
f38042c1931e508fa441ba11b85f8c5eafd9d51e

SHA256
a8f9ce32d2e7363308923b276b167acf14fb9d1aeebbcabdee77d434b0100a7b

SHA512
accba55f36555adc7e8e94b9efe836923dc00a9ccee31609cfa09cf67cc7f8f0268941b5a677a95a4b1698342e9872c401c1f1fba159fc474f4d5dcbba838efb

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
101KB

MD5
7dcc56d10b23d2752b802d886304b3ce

SHA1
bdf905538a4f5e9351bc42c198a0cc5331239261

SHA256
103ec001d2ba16c6c4b10e7cbb661fd8247ac6190b7a111766533191ce489616

SHA512
bff228e0388172ba720a9c5f94a4bff3ede024c301c80fd5c245c58ba21d9165b35f3e77db8ae688a593da97c804876a66c9296b08831901088f2a59a1284676

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
101KB

MD5
a20a9d387de6767b3af4ce117609e9f8

SHA1
b63c43f031d0600c51b7e6155b78dce187df15d4

SHA256
a3cb6314407db097b1b90426279207c08e821406e038c8977bbb6a92d6636d02

SHA512
34c07435f6eed379fa43cd830886c97e9339e93601b934a80f40563fa47cd50aa26a22b5c48b824b113ff48e2b591eda0710bf4715739e6ab4bcdbcb87494ced

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
101KB

MD5
10d61c7bd7af8f6e21e66ccfcac6d051

SHA1
838484403db9eac152ad513e18b27802e97651da

SHA256
1657ca08e072d674fcc310253da6da3a64a48f447bf93de8281a57b3b1d6d059

SHA512
e1f838fbf68c276aa2efae0981db99f69209669ca049ec5dcf2c2a21ebe082309d34eed20206e6792513cb3cf7d118c9fac7ea3ae90c7829b01e797c865f05bf

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
101KB

MD5
df55f719e2334de8d9e62ec123757083

SHA1
516d5816f15824ed9acd68a199d0302995e14b3c

SHA256
7aa11fee6b71d234486ad46ed8d4c4c72470bb5981963d4a67c156c027f86e58

SHA512
1237629f2fa521c993e0fd27f5f33fbb051a1af17877c7300940aa292ce76e43d6410d205e15629184f477687f802fe91148b5448cf670d0ec0ce8314f7bddc9

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
101KB

MD5
fd68d1189da004fd1b2fabe54c3ebf07

SHA1
a5443768a899b517824fc999d65a01862f5fc82f

SHA256
1b53478614f15965e1af28aed1bb14cc116cbc5563d2b0f537966715d0abe105

SHA512
d8bcfb2a1909224b62d1e14873c637667ec50900c09a091671b237fc7f6e55938c981d36bc6d1adfe8061a838ac0992123683672196073213c47d12bf90ce980

Download Submit
C:\Windows\SysWOW64\Dglpbbbg.exe

Filesize
101KB

MD5
73a77b77f7656339b1ee56bd07020e1e

SHA1
c863f609b2f64d96d537dfbf5075891cfc75ec0a

SHA256
5c9ccf31bcc83169a7f8788f9e30786adf69d8b892fa9e4ca3778ae84702e0f6

SHA512
9f1dcb6bc81bedccb00846258a71135846c697b11ece27a8dff581282d97ced20e84e1d92301fbad724aff31e922df04e587d9e673013a2efc5e7114eed5e8f0

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
101KB

MD5
b04276819d905f2e50d30088f2467a5a

SHA1
d248486b6878c8eef2f4d4e68367c5cead4be527

SHA256
f8dc582183c82214fdb7840db0aed6e0b65a5d9d1f6035b29b573726768fdba8

SHA512
16e8ce32f866dce3d924c001fcc7ef7f1b09155aeeb70ff2cbb7bfad4e24fdf3e4371a0d74e90a88ff3ede9b043f779285851b9c952092fea912b859073a71cd

Download Submit
C:\Windows\SysWOW64\Dhnmij32.exe

Filesize
101KB

MD5
66f478397d8bd7165f9afa7b7c72f5a9

SHA1
09dcd7000cb968464599b7d82f36cf2f039e079e

SHA256
bd6580660949411e99c30f7aa251c43775252a6c3e5287c45288b4498b7c53d8

SHA512
1f616b2513080c8ac3326042a3d13f14ad55dcc72aed3d0631f677c55cce6e771b3918bccc678613cd7bf4beed37a3d118ce6a236d00e63ecb9503733a7155c0

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
101KB

MD5
64b59a9c18cc9aa5dc62ea23370d56c6

SHA1
1ad0ab785235cdd0520697acd9e6a8636a976c2c

SHA256
de11c34757d633dd581507e3856e048c126f8226de9c0f29bad41b7254decee1

SHA512
34db35fb196f6c486f7e1a04f86fb3450197610cca4aba683ca6222f03d723bd2910e842cab53189906e2a4620914c2d6b7035e8fe6e25525100ab70c94987fe

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
101KB

MD5
4dbd382e59efa9453855f6b2dcb41f90

SHA1
2fecd6ab3c79520aef1d3a08d5e2054b437a338f

SHA256
30060e089202105cc1ff564abc014177bf9c7c8eb23b67f712f567b1c4d86cbf

SHA512
b6d1580c26fef446d09083041225237ddf641f718ffcc22496373c8bb21e8a61b86c37e4e3489d1161ebd960a9d36246f1a5c0a87003cfccce26dacfa99f0b36

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
101KB

MD5
98d624c89e33cd51d9aee2ed3b3b5582

SHA1
2fa8c42249bb745b28ade03c25c1e6b947708d27

SHA256
920aee61619d1fed1a91fd9aafcf43ddcd40bcb34540a3f0532996c1d1bd214d

SHA512
ed60b96c086185e1a5dc380485139dd171998d0537f8896170c66cfe1310bd04f8b7d716b142748e1c875578101a65a844471df8682104da4d951760358dc416

Download Submit
C:\Windows\SysWOW64\Dndlim32.exe

Filesize
101KB

MD5
e16a966e9d43b61b8d4b7e0a58ad0f82

SHA1
285d21c7d82e29ee14d0af021eb3379255be2fbf

SHA256
991c262c0a8fa45621f5f025e5d31569d864f445114914fd8cee7630718b7a8e

SHA512
ed1ef98e7bd64e52b48ab87e445e03cb528f9c3529f3bae7b230121f92e0dddd2efc840e238008cb95a1adac0c604a1b1cc18f0e2b3cbf57cbbd03ec8efbcd00

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
101KB

MD5
dd827d4364da16c4bbb9870cec856383

SHA1
52a74a72a66f03fe9154a8306cae19337f03e9c8

SHA256
5a69cdc783e6ad9de687fd0c1ac25715558341251dae7c829db2e8a8f425b908

SHA512
9becbcced4baa963162a981f9e114faaf0581a981bce1dde6ebcc427c80b9e354849e3a89c5717b1f6c8f155e67d92a97fcf73c9c909a1f7c7f76f47dd519f2c

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
101KB

MD5
84b8f9c20d04694b987c4a25c4d815cd

SHA1
e36ed691c2c7e0e4a631d57f680c6540a0d7372e

SHA256
30a5d50f344006774ea1da793035459361e9bb5a90b86023d40d4ba2c95cdfa0

SHA512
66502f7329410e07bf4c2ac312dd516f7eaeced94c55dac6224b571dd1713985f39b046560df3076ee5d904fcbcd605275be9e3f5c1a0ec5fc40f7927773097d

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
101KB

MD5
3bfc6b0552bf501e72c9cef48b1d3787

SHA1
753c302e25e7e2814ba5c0eace49a4ff81c95843

SHA256
b8982e42858626a1eb326c7aa7d68a52396d7446065e8218495fb69389048c56

SHA512
519d3bccce57f74c35b58fcc3a756e5cf1cc099b9b6bb9c0171675e6085ab78d8ce9ea635323de9e081577c76bd997f7dab50e4806c0f2c180a4f86444306c80

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
101KB

MD5
009d712a97d8c670328fc86e84a3465e

SHA1
8769e4f2f15a6d6f3308ee1ab94c18e15a0bd1d9

SHA256
5451f83d322af716f35ed4d96bc5dd3daee9b241c7c5aff0b8429e109a915206

SHA512
c19026d2fa73ec0716befeeb3a84d0a2346a0d2b1ad09f47fffa6b01bab392aa88070e2b1614dfd071233da4293257843e99e9cf1f8b1fa77dae014504f4f70d

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
101KB

MD5
ebe8d57ca561c9155561d0bf5b3a2050

SHA1
40dcfb1dd5e57fcc602237cbfd92a13f6e92774f

SHA256
ef80fbe8a5cd792d280fdfdde66878a524963d8c3456b8025aa2209cf4596931

SHA512
c02ccf0ef95100ba2b6583d28f69b428ac80d586dede52af954c4959b30bf9a3f5739418551f3b0b7112fc568678ef7af0d2727e66d16746e0d22b763df5935f

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
101KB

MD5
92e15548fdda0e3b18ec6bc42d1241fa

SHA1
1a9a1384f15a57a984444bd36eb5d2b304b79a67

SHA256
9af75d349bbfb418190adf003df9af8cdbb32f5da938fdcda9aedd2addaa7534

SHA512
271996c028b89c727a7fe70dcf3883017b79f339447630bce68c19ae6eadbfefd501316a4c14e471331f8bda1f02cf3b95b174d07f22a705407b24b541b12063

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
101KB

MD5
0e3e35b58d4fdcb3ac73969a6637f332

SHA1
1b667b1290e047882d0287373af79c72e29773fb

SHA256
34ab32e4050fe9a57af994a1b7bc5ebf66de193d120e359052f32056e9943062

SHA512
54fb26a55fd113d57c635c30ed5acd96fcee68b47b1dd5391d53255f974eb67f4dcc281652cd12e7152ad6bc277f81bab4f2b62663c47bd8a891a4ed4f804e27

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
101KB

MD5
5ffb0e447edca9a9204461ca4474bb6b

SHA1
27da141e97d35ada2fe6adab828220bb45814ca6

SHA256
035d404a03afcb29cb56ff86337604bb5c51421746b8bb4f83b95002e78f8ff3

SHA512
cd362868000079856ab1cc43467b3d737bf3ee17c635a99cad4337f8321266a7eee17ab3e4766f6e6e6570ddf89594aedf2dc98ea77e8294bca8750e8e4c4f90

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
101KB

MD5
7014999604fbc4f78093c4ca33f38a00

SHA1
010aec2151c4d6725064319eac09ea2aee219ed0

SHA256
966da7b5713b20635492e526a28ef653b0b932b1cd731d9009cb3589a2ed376e

SHA512
b3d4487f7abf852f064302258cadaf6c84c5baac094ec982970fc47b5cc36219fb093dd3dc0c63d3b8a216ebcf3c5058d9d45e5e51373d3674d9c4f9a5199fe6

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
101KB

MD5
e3c072847303427ce742cef79b6ff388

SHA1
0f9314e866cf17a5cb1b03d0f772a7f501db487a

SHA256
89bac0ea8ff7817ef81b8035139b6fdaf07b8c84b5a59c00d9c008d5d1d78693

SHA512
3d6638c79d7548bb2a5084848ea35d4e97eb6a7e6464c1c2689b3a71fbfc34a3ad2d7139f623e17ce1c77f61e692fd235317f5b3c130682c46372192667fc23e

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
101KB

MD5
2d770bfe1a8d6f0ad9b7fab057deed24

SHA1
7fcb174310b18f9d0d5df27e41caa252319cdd55

SHA256
5c7d71bbc2818c16f31c975ca0595e7a1b6c1b57b1092eb44d97a30ded67a4b9

SHA512
8c1f4bd7d5e06e0c0990bccfd04f8f0566e95387eb144223688f69d6f496737e3f4d5cb34db458bc10bbda7e0a2b2034cf8472292d0a7a7cbb6ddf0ce530e192

Download Submit
C:\Windows\SysWOW64\Eqbddk32.exe

Filesize
101KB

MD5
a7432a754ecf300655f1764bef1ad863

SHA1
718463bc317b9c2a0e773a875ba5218b053f62eb

SHA256
a70b4f339db9f34ce9961d5650609a89bb98250c271314f26ad3a7eb9241e230

SHA512
8eff83784f7aba2a1210df24f6fd75807fd55c777cb553af35bb96c4a7053bdd4de41a942f2388473e36b5be9a5bfa94b7cdc7877fea5f29626cc8ad58c0577a

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
101KB

MD5
d6a65f876ad504ab2ff16d2fad0a1542

SHA1
30e0cfd5b5df61541649a19bebeb5b6ebf0f94e1

SHA256
8acb1e312f6c5ae734b77fe2fefba96063d36d73f1ad990897b2419be83f6b49

SHA512
e895089349c6d3bba60712b966b5cc93e69ad9703f103a9d673d118cbdb5d394f596d032405c64463ee486c045b9a963696f0e364e278ab229829bdfd3ae072e

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
101KB

MD5
f7555be71ccf4ce19c247bb28b89150d

SHA1
188b40b07e58deffde37622083f6612a345db0ce

SHA256
90ba0034837c58554c1b258c4a5686dc87508e2d8aee8f1e2ed1e3220e0b5239

SHA512
2f7fb7abc87b74fc379cd918c010617b1209c5c2b9a28db1ab0a9f589f1aa13aff9e3c551ab001a4ed8fcb673e46bb93fe686d9d4be7e983e697b3645105ef3f

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
101KB

MD5
c4cf958b8b873611fa664261a5538bf1

SHA1
338080e1e936687456710ccf878faeb7d371aece

SHA256
d921e993cfda50a704b9af23b7f0bd9cec9072b661710aa1730077875502fccd

SHA512
819d9ffbb132089148e6a533fb264308398ac3bfd4009b5342089e937cabdbc8096b74fa332c84145a1df549d23b2f94a57cf833bde4945e95cef192e0185c45

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
101KB

MD5
35c0aabeb0f646e1133964b0b74a4c35

SHA1
8b3ec4da9f7dbf019817aa8820e4eec0715da65a

SHA256
e42f5cb58fed5d90123f664b703904cd4d7fd61a8dd7578005618550816f620c

SHA512
0efb5fbce9ef0753a59b8517f9468c3360420ac1514e070fc5701cc2ac93bfd4a23f07707d7c186f13cf51a0d4e533050bb252d2a09ebb51228fbcb4ea0bba20

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
101KB

MD5
9687cf25dc8814963bc58d455478cbcd

SHA1
d6d9fe2feb6758c8f8f2b4772a6a2f22c37e7875

SHA256
19f66f5df4e2de9d71e27ca73b7c29dc4825e1493080e8094e66288196fa2900

SHA512
d47f3f3cdb9dd068d3f2a151d1f37705c885d35a71b8d3c66117889e177d3ce53c96dad8f10cbb78d57fb777716affebebd3b88efff49376c563b09d4254308e

Download Submit
C:\Windows\SysWOW64\Fmpkjkma.exe

Filesize
101KB

MD5
0a0a45616f5b028fc34b0233a4221aee

SHA1
2a45fb9e01d17f17ce4448e2d11a28a4aae0f05c

SHA256
1af87f8f7966dde8d7ac860e95bb6c1b349e9c909a1df1d2920a2f2c31a86731

SHA512
7e3ac3aa4c4313756bb70c247a173b7cb594e44891c7f2cb8b80bb1579a24c4929244fd52cd574ff18d61977924dd5d17d82a1b53bcd90c14f9fe4157b4e7b8a

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
101KB

MD5
9ccad5d35fe178df1368e5409be79a37

SHA1
2f0fb72591c51b9152afdca3052b2cf06504341f

SHA256
b0eae328fde714223951bcf23b9e5a1bea4b47d50543c034f58274c951394be7

SHA512
aaf476d574c6806f5c4cc06628c5321898a5e84b96f02ad126ae72506d85c5181ec75a076da15d02714f05af8eb7c2fea1479258f713efbd6127af35f230f797

Download Submit
\Windows\SysWOW64\Bioqclil.exe

Filesize
101KB

MD5
7e3009b7db8c81370427c7f5a5261db4

SHA1
408f2bad4f4082e051c010777770f368cc5d5b28

SHA256
25bc686091522730508865d2f8292f33fa53e7c5f0d5de601ad601ce61992803

SHA512
c861dc3626f419605d07546c37c1e489178d0280496907d05b211ece2318b744c0096b6fba782d2b9658c550baa9ad3b1bffdcae5fdf6fc57c3eb42619742fae

Download Submit
\Windows\SysWOW64\Blbfjg32.exe

Filesize
101KB

MD5
4fcd577d6d2c7ee0f60eafe3247f7ad5

SHA1
70dd30a51dac44b4b291e8aaf3e95d1feefbf9cb

SHA256
7ddff44baa8fbef6fdcccd7de3fc774b9d0c3f3486f4af3e44ae9bc871c61d7d

SHA512
7bc42e7afbe3d2e253354c3db98763c453b7a236f61036f26290e1b06f06bcf6919db2a9d77137467b80eb983bbe37b30b6be08bbffb03bdc9e92564bdac8da9

Download Submit
\Windows\SysWOW64\Blpjegfm.exe

Filesize
101KB

MD5
b53cfe58cce0e5dbaba5f7b3fcb9dee6

SHA1
7c08d45bf451c74b316020c2fb6461e9d8b3db04

SHA256
4454e9bf9eccc78d43dbc34cea733e441312278acdf0662f1c8f6b65d38b3fff

SHA512
61637b4ec41a8bba918c9b7e885756071e5b59008bd66607d8bbee9076239ea822425207e933c7db591b70dd430738617019a768f97b9408c9de934f169bc60c

Download Submit
\Windows\SysWOW64\Bpnbkeld.exe

Filesize
101KB

MD5
5e41db1089eecfd1af58b53a39020b33

SHA1
9a99894fbae759305ee00da94bb86b743adc9ce4

SHA256
64292cb1d4af7edd7c20e439e6e0b1269b712dcc7009c9cc9914cac4613c4f4b

SHA512
0997bef94bb1815d6fbe5caa25b0fadd91b8b8692ac05dfe15a4b5c83cb4aae9fbd31e901ec935a727bfc4142ff3379ad0fe8408c4d0f3e3b007663347336832

Download Submit
\Windows\SysWOW64\Cadhnmnm.exe

Filesize
101KB

MD5
4d989558446a19af5552acabe0814563

SHA1
a79f239cbe35a03e8d9148d64690d235a8a04a80

SHA256
49248e018ffde5663b0f21d7153a30dab2dc704c873670680104268475f42eff

SHA512
3b6c71a1a72b4752ffa89f9bb18e6db7556b8fc43cd14dcfd45a3c1b21b7cc45ec6a58a86808dc98262b9b1f709dd717ce71f725a14ef75fc4da42aaad850d7f

Download Submit
\Windows\SysWOW64\Cdbdjhmp.exe

Filesize
101KB

MD5
98ada17e7d9a05839ee60e8e6a01110a

SHA1
c524cc9cc1ee31c2ad0730c226c48892d87953d1

SHA256
64b53dcaa083b0cccda0596682a036546cc8960251e820ab74640277e3812677

SHA512
2fb65529ba414b2ae2c70c8e497b44b7bae7b0dd358c595abc88b7aee6789133e517c095ea9fc3c77fef125319487b91a507fccc12e5ae2808c0d6b37d2a11a4

Download Submit
\Windows\SysWOW64\Cddaphkn.exe

Filesize
101KB

MD5
1ff9a0de6eabc3f5fcd93628d88a10e0

SHA1
6d9cff28f28a117daa7bab73d962ca2e7c28d371

SHA256
fff6099b9325976218666b2f995a1971cdb507457bc9b277e8572b43a3edbf82

SHA512
bf6097918d65d22702e9d20fc92746eb4f5f8fb508b25bf3bb6cb99d4c83f6899962d88669a54796cc6a4b7dd5b74f64753801fa4b20823f2b476493ce23a418

Download Submit
\Windows\SysWOW64\Ckjpacfp.exe

Filesize
101KB

MD5
9da8f372d63911ea9dc16087de7404fb

SHA1
c452294aa4257b4b6bf63896f7f06b8e5625b9be

SHA256
247b545850ebafb532a84ef97cabf5720478e7bf93907055bbac84c4fb60562b

SHA512
065b87e2a1935f52b01d2c92ddafff0204d32b66d65ecbb1cb154ef653fdd3ccbcad1a5de597e6f00f2d292db9164bce5c0e289c1ec5bde3e9471b1f9143d235

Download Submit
\Windows\SysWOW64\Cohigamf.exe

Filesize
101KB

MD5
a171dda4ef9a22a919cbce0b8fe933fe

SHA1
45f6abe31c8eaa6b0c67acb23e596e9bb3a1e607

SHA256
4f59ec5a0714fb7f7b5bae774db1fe1c6fda1c15577422266ac691d487f0bb4d

SHA512
b13b4b74231a1a99aad573c28721395db32ce48d985b522911e194dd0b55fce0191530830246ddd2f90cddc8d84ea305240d80f45818d8eac774b31a994e17c4

Download Submit
\Windows\SysWOW64\Cojema32.exe

Filesize
101KB

MD5
52f040d116437dd38e1d5fab09570831

SHA1
6c00654ec0c5755f88a956a00099eb2707d77a85

SHA256
cb28da0da01c1c404eb19db28e64c47ef6e9b070a3b4c190a186fc5409963215

SHA512
93415d3f239acf6d1a82cf436a3249584547cb17c1656fbcd75d59d44b7b1d1804a579b50a828f5e1dbdfede5919a09f96f026871106a994374cc172463fd1e1

Download Submit
memory/320-370-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/320-374-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/320-653-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/352-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-475-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/924-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-156-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1052-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-266-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1060-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-384-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1064-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-643-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-306-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1676-651-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-307-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1696-464-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1696-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-230-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1712-526-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1712-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-525-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1792-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-280-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1928-276-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1928-634-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-432-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1932-625-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-627-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-408-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2208-341-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2208-635-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-342-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2260-391-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2260-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-660-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-298-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2316-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-213-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2336-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-418-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2336-420-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2336-621-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-661-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-650-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-129-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2544-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-363-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2552-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-68-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2588-438-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2588-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-640-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-320-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2680-319-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2680-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-398-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2704-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-396-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2704-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-12-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2724-430-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2724-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-53-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2724-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-54-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2800-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-31-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2808-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-652-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-352-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2824-353-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2896-330-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2896-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-658-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-331-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2908-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-444-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3028-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-82-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3052-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads