berbew | 34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
Size

64KB
MD5

eaa5029672e4910691c97c517c20e2a6
SHA1

303650eae02a6739374e6faae3f3d35cd9d99fa8
SHA256

34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1
SHA512

7c3b20f2e7887633a4084dd7b97ef677eebcdcb365623511fce581453f1891092890280ce741a3bc6cac53d355e6df865b81379de03bf47ea492af7796f72d36
SSDEEP

1536:RgZ1DRaQnNnXkPuY9wENWWyjrPFW2iwTbW:itRln1G9w8WXHFW2VTbW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnoomqbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeeqehb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpeekh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccahbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhigphio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkdeggl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cahail32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpeekh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2708	Bjlqhoba.exe
2844	Bdeeqehb.exe
1708	Biamilfj.exe
2620	Blpjegfm.exe
2848	Bbjbaa32.exe
1432	Bghjhp32.exe
300	Bhigphio.exe
2900	Bbokmqie.exe
2864	Bhkdeggl.exe
2880	Ccahbp32.exe
860	Cdbdjhmp.exe
1860	Cafecmlj.exe
2976	Chpmpg32.exe
2320	Cgcmlcja.exe
1952	Cahail32.exe
624	Cjdfmo32.exe
2288	Cdikkg32.exe
648	Cghggc32.exe
2328	Cnaocmmi.exe
2416	Djhphncm.exe
2532	Dndlim32.exe
2092	Dglpbbbg.exe
1540	Dfoqmo32.exe
2956	Dpeekh32.exe
2896	Dccagcgk.exe
2804	Dbfabp32.exe
1996	Dknekeef.exe
484	Dolnad32.exe
2128	Dnoomqbg.exe
2176	Dhdcji32.exe
2912	Dggcffhg.exe
2856	Ebmgcohn.exe
2044	Edkcojga.exe
1784	Endhhp32.exe
1800	Eqbddk32.exe
2968	Ecqqpgli.exe
2196	Egllae32.exe
2296	Ejkima32.exe
2192	Enfenplo.exe
848	Eqdajkkb.exe
1192	Edpmjj32.exe
960	Egoife32.exe
2300	Efaibbij.exe
2304	Ejmebq32.exe
908	Enhacojl.exe
1508	Eojnkg32.exe
2700	Ecejkf32.exe
2940	Efcfga32.exe
2572	Ejobhppq.exe
2828	Eibbcm32.exe
600	Eqijej32.exe
2436	Ebjglbml.exe
2380	Fjaonpnn.exe
2796	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
2708	Bjlqhoba.exe
2708	Bjlqhoba.exe
2844	Bdeeqehb.exe
2844	Bdeeqehb.exe
1708	Biamilfj.exe
1708	Biamilfj.exe
2620	Blpjegfm.exe
2620	Blpjegfm.exe
2848	Bbjbaa32.exe
2848	Bbjbaa32.exe
1432	Bghjhp32.exe
1432	Bghjhp32.exe
300	Bhigphio.exe
300	Bhigphio.exe
2900	Bbokmqie.exe
2900	Bbokmqie.exe
2864	Bhkdeggl.exe
2864	Bhkdeggl.exe
2880	Ccahbp32.exe
2880	Ccahbp32.exe
860	Cdbdjhmp.exe
860	Cdbdjhmp.exe
1860	Cafecmlj.exe
1860	Cafecmlj.exe
2976	Chpmpg32.exe
2976	Chpmpg32.exe
2320	Cgcmlcja.exe
2320	Cgcmlcja.exe
1952	Cahail32.exe
1952	Cahail32.exe
624	Cjdfmo32.exe
624	Cjdfmo32.exe
2288	Cdikkg32.exe
2288	Cdikkg32.exe
648	Cghggc32.exe
648	Cghggc32.exe
2328	Cnaocmmi.exe
2328	Cnaocmmi.exe
2416	Djhphncm.exe
2416	Djhphncm.exe
2532	Dndlim32.exe
2532	Dndlim32.exe
2092	Dglpbbbg.exe
2092	Dglpbbbg.exe
1540	Dfoqmo32.exe
1540	Dfoqmo32.exe
2956	Dpeekh32.exe
2956	Dpeekh32.exe
2896	Dccagcgk.exe
2896	Dccagcgk.exe
2804	Dbfabp32.exe
2804	Dbfabp32.exe
1996	Dknekeef.exe
1996	Dknekeef.exe
484	Dolnad32.exe
484	Dolnad32.exe
2128	Dnoomqbg.exe
2128	Dnoomqbg.exe
2176	Dhdcji32.exe
2176	Dhdcji32.exe
2912	Dggcffhg.exe
2912	Dggcffhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjpmgg32.dll	Djhphncm.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Mhofcjea.dll	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Bhkdeggl.exe	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmlcja.exe	Chpmpg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Mmnclh32.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Chpmpg32.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	Cahail32.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Biamilfj.exe	Bdeeqehb.exe
File created	C:\Windows\SysWOW64\Apmmjh32.dll	Biamilfj.exe
File created	C:\Windows\SysWOW64\Ccahbp32.exe	Bhkdeggl.exe
File created	C:\Windows\SysWOW64\Chpmpg32.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Efhhaddp.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dknekeef.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dnoomqbg.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Qffmipmp.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdeeqehb.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Dknekeef.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dknekeef.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Cfgnhbba.dll	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Eqdajkkb.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjlqhoba.exe	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
File created	C:\Windows\SysWOW64\Iecenlqh.dll	Bdeeqehb.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Bhkdeggl.exe	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Ccahbp32.exe	Bhkdeggl.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Egoife32.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Cnaocmmi.exe
File opened for modification	C:\Windows\SysWOW64\Dndlim32.exe	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Lfnjef32.dll	Endhhp32.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Bjlqhoba.exe	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
File created	C:\Windows\SysWOW64\Oegjkb32.dll	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
File created	C:\Windows\SysWOW64\Pmbdhi32.dll	Blpjegfm.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Ekjajfei.dll	Bhigphio.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Cahail32.exe	Cgcmlcja.exe
File created	C:\Windows\SysWOW64\Egqdeaqb.dll	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Dnoomqbg.exe	Dolnad32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	2796	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cafecmlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chpmpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blpjegfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bghjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaibbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeeqehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpeekh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknekeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcffhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbokmqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkdeggl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjlqhoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmlcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnoomqbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbdjhmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dccagcgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecqqpgli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbjbaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaocmmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhigphio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biamilfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccahbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egoife32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligkin32.dll"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpeekh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll"	Dpeekh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dndlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dnoomqbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccahbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll"	Bhkdeggl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll"	Bhigphio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cahail32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll"	Biamilfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdhi32.dll"	Blpjegfm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2708	2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe	30
PID 2756 wrote to memory of 2708	2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe	30
PID 2756 wrote to memory of 2708	2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe	30
PID 2756 wrote to memory of 2708	2756	34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe	30
PID 2708 wrote to memory of 2844	2708	Bjlqhoba.exe	31
PID 2708 wrote to memory of 2844	2708	Bjlqhoba.exe	31
PID 2708 wrote to memory of 2844	2708	Bjlqhoba.exe	31
PID 2708 wrote to memory of 2844	2708	Bjlqhoba.exe	31
PID 2844 wrote to memory of 1708	2844	Bdeeqehb.exe	32
PID 2844 wrote to memory of 1708	2844	Bdeeqehb.exe	32
PID 2844 wrote to memory of 1708	2844	Bdeeqehb.exe	32
PID 2844 wrote to memory of 1708	2844	Bdeeqehb.exe	32
PID 1708 wrote to memory of 2620	1708	Biamilfj.exe	33
PID 1708 wrote to memory of 2620	1708	Biamilfj.exe	33
PID 1708 wrote to memory of 2620	1708	Biamilfj.exe	33
PID 1708 wrote to memory of 2620	1708	Biamilfj.exe	33
PID 2620 wrote to memory of 2848	2620	Blpjegfm.exe	34
PID 2620 wrote to memory of 2848	2620	Blpjegfm.exe	34
PID 2620 wrote to memory of 2848	2620	Blpjegfm.exe	34
PID 2620 wrote to memory of 2848	2620	Blpjegfm.exe	34
PID 2848 wrote to memory of 1432	2848	Bbjbaa32.exe	35
PID 2848 wrote to memory of 1432	2848	Bbjbaa32.exe	35
PID 2848 wrote to memory of 1432	2848	Bbjbaa32.exe	35
PID 2848 wrote to memory of 1432	2848	Bbjbaa32.exe	35
PID 1432 wrote to memory of 300	1432	Bghjhp32.exe	36
PID 1432 wrote to memory of 300	1432	Bghjhp32.exe	36
PID 1432 wrote to memory of 300	1432	Bghjhp32.exe	36
PID 1432 wrote to memory of 300	1432	Bghjhp32.exe	36
PID 300 wrote to memory of 2900	300	Bhigphio.exe	37
PID 300 wrote to memory of 2900	300	Bhigphio.exe	37
PID 300 wrote to memory of 2900	300	Bhigphio.exe	37
PID 300 wrote to memory of 2900	300	Bhigphio.exe	37
PID 2900 wrote to memory of 2864	2900	Bbokmqie.exe	38
PID 2900 wrote to memory of 2864	2900	Bbokmqie.exe	38
PID 2900 wrote to memory of 2864	2900	Bbokmqie.exe	38
PID 2900 wrote to memory of 2864	2900	Bbokmqie.exe	38
PID 2864 wrote to memory of 2880	2864	Bhkdeggl.exe	39
PID 2864 wrote to memory of 2880	2864	Bhkdeggl.exe	39
PID 2864 wrote to memory of 2880	2864	Bhkdeggl.exe	39
PID 2864 wrote to memory of 2880	2864	Bhkdeggl.exe	39
PID 2880 wrote to memory of 860	2880	Ccahbp32.exe	40
PID 2880 wrote to memory of 860	2880	Ccahbp32.exe	40
PID 2880 wrote to memory of 860	2880	Ccahbp32.exe	40
PID 2880 wrote to memory of 860	2880	Ccahbp32.exe	40
PID 860 wrote to memory of 1860	860	Cdbdjhmp.exe	41
PID 860 wrote to memory of 1860	860	Cdbdjhmp.exe	41
PID 860 wrote to memory of 1860	860	Cdbdjhmp.exe	41
PID 860 wrote to memory of 1860	860	Cdbdjhmp.exe	41
PID 1860 wrote to memory of 2976	1860	Cafecmlj.exe	42
PID 1860 wrote to memory of 2976	1860	Cafecmlj.exe	42
PID 1860 wrote to memory of 2976	1860	Cafecmlj.exe	42
PID 1860 wrote to memory of 2976	1860	Cafecmlj.exe	42
PID 2976 wrote to memory of 2320	2976	Chpmpg32.exe	43
PID 2976 wrote to memory of 2320	2976	Chpmpg32.exe	43
PID 2976 wrote to memory of 2320	2976	Chpmpg32.exe	43
PID 2976 wrote to memory of 2320	2976	Chpmpg32.exe	43
PID 2320 wrote to memory of 1952	2320	Cgcmlcja.exe	44
PID 2320 wrote to memory of 1952	2320	Cgcmlcja.exe	44
PID 2320 wrote to memory of 1952	2320	Cgcmlcja.exe	44
PID 2320 wrote to memory of 1952	2320	Cgcmlcja.exe	44
PID 1952 wrote to memory of 624	1952	Cahail32.exe	45
PID 1952 wrote to memory of 624	1952	Cahail32.exe	45
PID 1952 wrote to memory of 624	1952	Cahail32.exe	45
PID 1952 wrote to memory of 624	1952	Cahail32.exe	45

C:\Users\Admin\AppData\Local\Temp\34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe
"C:\Users\Admin\AppData\Local\Temp\34bf3653041e7d502471091afd35673b554bc15785c3b647c51cbe884b5bd5d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Bjlqhoba.exe
  C:\Windows\system32\Bjlqhoba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Bdeeqehb.exe
    C:\Windows\system32\Bdeeqehb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Biamilfj.exe
      C:\Windows\system32\Biamilfj.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\Bbjbaa32.exe
        
        C:\Windows\system32\Bbjbaa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Bghjhp32.exe
        
        C:\Windows\system32\Bghjhp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Bhigphio.exe
        
        C:\Windows\system32\Bhigphio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Bhkdeggl.exe
        
        C:\Windows\system32\Bhkdeggl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ccahbp32.exe
        
        C:\Windows\system32\Ccahbp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cdbdjhmp.exe
        
        C:\Windows\system32\Cdbdjhmp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Cafecmlj.exe
        
        C:\Windows\system32\Cafecmlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Chpmpg32.exe
        
        C:\Windows\system32\Chpmpg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Cahail32.exe
        
        C:\Windows\system32\Cahail32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cjdfmo32.exe
        
        C:\Windows\system32\Cjdfmo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dndlim32.exe
        
        C:\Windows\system32\Dndlim32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Dglpbbbg.exe
        
        C:\Windows\system32\Dglpbbbg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dpeekh32.exe
        
        C:\Windows\system32\Dpeekh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Dccagcgk.exe
        
        C:\Windows\system32\Dccagcgk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Dknekeef.exe
        
        C:\Windows\system32\Dknekeef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Dnoomqbg.exe
        
        C:\Windows\system32\Dnoomqbg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Egoife32.exe
        
        C:\Windows\system32\Egoife32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 140
        56⤵
        Program crash
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbjbaa32.exe

Filesize
64KB

MD5
e9235b067413bdd0d8bc5a169dd78ea3

SHA1
c9d2e1b7439db471f062c4fe691f178875c7ca04

SHA256
52df060378beab273b282af9b9a86fd8b8e4cb36fd8837e227348c5e7d6d2559

SHA512
06fcb57eedcce21e43bf9fcda0744f9db9aed46d78a89bc4d2af8e59abfb862deb6dba9ed283bfa0e6c019d63b881e9c8bab20432ea5578b877f468dac8e45a9

Download Submit
C:\Windows\SysWOW64\Bjlqhoba.exe

Filesize
64KB

MD5
fb23f28899fc5e886a1bc37415b4af17

SHA1
dcb36c26a934116be558339f78cfcd18edf3c691

SHA256
e1d252e4505dbbfb036568f2417a7d931fc9ca0256437ed591a862ae879eb8d2

SHA512
808c185401076b5e1067adb03823d08b1d5d13bc75d239f4ad40d14504e13f64a52f65479f2e7b85246b245403a1992875caf43ab4181378c9936c36594255e5

Download Submit
C:\Windows\SysWOW64\Cdbdjhmp.exe

Filesize
64KB

MD5
1188286caaba83de225cb915c9212669

SHA1
7ee6d0f848140726bc33ba1a4328da42b805e2b1

SHA256
58419cef3c594ebd9431f7dc1e282af049a8e0db86d6e11dab0cbdb0ab6adaf2

SHA512
55404cc25ebe0942e044536d4895beebfb8c35fb591c7db2ad87f91af4995a98bf68f17fc2a56d8b2d42effff8acbbef2284b3dbef9974eca9c65d6ce6791c4d

Download Submit
C:\Windows\SysWOW64\Cdikkg32.exe

Filesize
64KB

MD5
1d9f9a64cbd54672c3aded206752f725

SHA1
e8f09ee36f56a01ecb2f351f1eff15e34ea1ebee

SHA256
98536f7c4edf3034c46131af817d289abbc8d3de34c880694103512a6e55d296

SHA512
bf28bfb9a3ec7cda603b2e7fe08e1e5d72da81c25f5049c2b9e339cf11c9bbeac8af68bfc87edcf1af8bc671ad466eb2bdeb2e4892f5c3e070c79f0aa35c2628

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
64KB

MD5
3689bf888fa88a6008fe44ade0bbba18

SHA1
9afefcc00c96a4a0351ce966f8cddcd507449821

SHA256
3b11f143edc7eb395377d5e381bdc1e328e414d99438e6c68dc3c2f287d3b3e8

SHA512
4f97f61de793927987549016d4196b666800ced8c651e86e2acd540c741a8060275bfa3bd43626a94ae930d3b3457df42b057e1402ca68d42551236446816751

Download Submit
C:\Windows\SysWOW64\Cnaocmmi.exe

Filesize
64KB

MD5
28f90ed4a6269c12a87c62abaca0cdfc

SHA1
004a03a609caedc5c3d637a02ce49e462d90b27d

SHA256
36e30726bad9ca9d1eb66d15ca29de2b3cdea9fa458f680b8eda3424a2a8ec04

SHA512
4ef7187f0ced961c884d87d04cb271f0e9ae185b1b0d2b1ef234b909eba8a7c74ed1586a597c4bad52125972bb0590ff25f86b9b9ef2ae8f8ae9ccff234ffff8

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
64KB

MD5
fca062fd63ac3079f5c0d80434b0bcaf

SHA1
4ed3cf692c3317f6bb6a5f8db64d054319651d40

SHA256
1a0c38d42319e7899782923ace0a469a377b5a611dd68581b91b50bb321c56b3

SHA512
f254ed20b16ef42e6cdb4dea6a089f2d97382df3931809f7a709147d92ce5e56d176586f287dbb1e87b85623338e50c38f32b18d10371f5d7310df72cd9a40b2

Download Submit
C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
64KB

MD5
fb3adea7aee582fe6b606bafc08ec253

SHA1
e06d02d3afc33d0f86f2edd155e5e0bebfda918f

SHA256
c4462e6c0a6947df1175f082fe7e4e9e2070e48ba72758643c06d110b8477f4a

SHA512
84fe1503023924969a1aa7d9e0fdd324a3044d16a895c7d133a7611897fc18ce6a2f0485aa0d84627e8f77e5c6c6a04f6c3e53dc1c9f9fb9fe0f40472148ca4b

Download Submit
C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
64KB

MD5
1ef72fb3db93b8d0b16915360bd7f09d

SHA1
33b0ce653f3e7958a78414d6ea61727859ecd9b9

SHA256
c78e0c59cfb2d15618c1cfdeb911f1e9bdf5aa77f490f43c3edbd21ceeb15d65

SHA512
8bb9b2c6674d4951e543a2a1f85a68a2da02e7153959b23006cf261fb0094d949cceffc7ec7575aa29412d56a32659daa02cb6d20e712bd569828761d22b596d

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
64KB

MD5
24f76d2de2cec454ea9999992729b341

SHA1
bcc588ef5bc18923ce6dd4a6dd9eb7a956f876ea

SHA256
ac427ae341e07ead372ccef5d7b7da576244c493fadf0e61e203e447534a1997

SHA512
19388c7957c5af83beee7bd95c166259130f81186ed3e94e5ed9471736a8358eb67d603dd663f1d4f5887f140f26420277003df6a8830c0e27a1f387d721f193

Download Submit
C:\Windows\SysWOW64\Dglpbbbg.exe

Filesize
64KB

MD5
f4e07fdafc6ead0cc98988da6628a5bf

SHA1
d22d450e0a9e53fb27ef3d32a2cbb6973b9c84f3

SHA256
aade8323a540e639f67634124cee6c4951b331fc26f7d33f740640d7659b3e5a

SHA512
1c6289fc44b39f566cca0651a91e54f1b66303def8c9b7f5b5eda6c8d65016abc483d2fe05257c6330f3b12c20b9ca885c1f032b2dabc4e308fcc667f3697a12

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
64KB

MD5
e8e9f2dc08c7a5890d94459a6210e2c3

SHA1
4cb7dcebc37f68f280cfbd30044a48f22b5b4f14

SHA256
b60c2d1375a5a83d693c7e96b0f22b4c15a1345857e76bee2af95564e5ebbb7e

SHA512
d59efd45208918a1abda7d8cbbc9fc52cf5437aa090795138b0d2fd6b438c9f2093a89249335f72d432dfc19feeab2e0a0701daea50146302242b0d52b5711ce

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
64KB

MD5
2c3f8e19e0972c30d6e55acb7ee6fa76

SHA1
af68b63e0d4a385b59cce99c9ff261486e565f8b

SHA256
b6df5fe5f2324114b9ba6267fedb6af9f129517f542a6b6d10755393d4706d31

SHA512
a6b1d3150e2edb14f51f911cc69635241081e0d143cfd4b9160996a48f4448b4324f31153b1d07653e2985bedd550035dc52e2e822a35b89d24ce2fdf7eaa3d3

Download Submit
C:\Windows\SysWOW64\Dknekeef.exe

Filesize
64KB

MD5
bbff8fd083ea40a70d13547d9e149013

SHA1
fcbc88ab7655f3229221b3aaa6bf388a23847a68

SHA256
d973ce97e80021e4009d1e0bacb118d13f2d1b4be8f6b4fe12cfe0bebdb6069c

SHA512
640f7c47fc4925a99881de8960188dae2217170ca27798e0f346c0d24b61bf393da253ec1541e5adf4c379582b85479b9b979b45bc5c3e860903dacfbc208df1

Download Submit
C:\Windows\SysWOW64\Dndlim32.exe

Filesize
64KB

MD5
f80c0af4ba31040a59f8f9507b451859

SHA1
8295e65f64e887507f945f6192e788a3083a9af2

SHA256
873e38ea8708bb4d7e2cad96eb56d81e514c15baae9e917db3d658c365b7c74c

SHA512
6e615d5fd7399eeef29f9f849492dd1e7cc220e8e4c68eb91905b1339de711e589bc30dc657c36444d8633285c69fd29c3040c33750c2d67cee465195b73ea85

Download Submit
C:\Windows\SysWOW64\Dnoomqbg.exe

Filesize
64KB

MD5
d4cb5738604cc7fe36af671e2c298281

SHA1
1539ba2121ef7ed24df4cbd1ac1cb5bb080b99a6

SHA256
e21891fc2c3b48c6f5e5f1fee91c2ab1386495d9ff162a03bbb5b3da9884c74a

SHA512
d40203d9de81bbc538067a80a7dea9971d420e895804f4766b908f64d338f606ba3f9c6e5079faa09baba1d804f9216c03ce1c0b82479ab41d8a3d48d82da6b3

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
64KB

MD5
956d311564aa52b87e84c65e5ab30d36

SHA1
7c2d48fc5470401cb6cf60b53f0905e8f0ca9847

SHA256
c090d5a763c99175a427b9b4aa280cbca5773485ce66671996b335fd2b9435b0

SHA512
b3dc4062f6170e2f9837f7470603e2e80129874b24f5c514f084f7a66446dee619f5307b616c867985cc0f8801fc12c78e2e66df9941bd7477b534d616251496

Download Submit
C:\Windows\SysWOW64\Dpeekh32.exe

Filesize
64KB

MD5
80212bde8c490802298dfb4544a4843e

SHA1
c3903b930eff2e8071887cbf181b6d8c143f3349

SHA256
6f3f720728f96459bc2ab769e8b07da64f880ecb30602d4f71bdb6aff27466da

SHA512
b768472d6c18ae94bafcc1b9e8be0f22cf3eb1e0e0421263c3de43541f0aaf41a854e018e36d2f4385d0142a74c98b24ba1ea51148d964193d6c5ff974ba0b93

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
64KB

MD5
b343f7f0041a2138073509df3e68d5ea

SHA1
30e75c629cb095bd84b9a96509ef727e67227316

SHA256
0b06c070233fc1a49ceebe07118af123828b3a59f4949ef3c8e2f09a9c568130

SHA512
c659dcade3c8247558bb3497570c4859959190f172c1ca50a19b58d2f8d9d5b0cdc50bb7091d287667ba75a2e1b4af0a3281827a09a18c3fb605a63b20e3a276

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
64KB

MD5
718e03efa905578ea87bc685ecaa9f74

SHA1
7f76913eb39e4e7a471dd163240e36e976d56de2

SHA256
b0f468f0c350804a74107414a3a8db5619af54b9a4482ccef98602f8999fc4c5

SHA512
27b0593d68e9a5473fc9bcca7dfae53b872c67d5f78ade255cbfc2678c082fb30eeddbb7c34af60bc355e57ed442989f2f7630ca7626b0b396c677f4184d5fc6

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
64KB

MD5
c20170b3a58556066d5575be276a7ab9

SHA1
358870640504d21bdd42f273080f4055fc798fe7

SHA256
ba0c3f852fdb6fb3dbdd6a60224f384ca84ef3643ce7e612b077de3d806b1d78

SHA512
4e19fc91633374fe218be9da37fafebd3c233522be1aa395c1e1af1c9461df1204cd605b63b6bcbc4581c0f6dc93003ceb4b61376210351aea983e9ea1f5414a

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
64KB

MD5
3e96ddd984ed5948ce96f9eeffcd90b2

SHA1
f8a04e6079f1d9b7f08bde51c05e88953492e2f3

SHA256
0c53b9d1b343f39643b2a22994450baff31ddccdf4c4c970dafeda8086ab6356

SHA512
d3a833475fbf82cebb12f176e8ba399a5e41844b0d821beb59460b7c6956f0ba5d9a858aa98efb13bcecd6d58d44e4ed491a81e3f8e1d486f1ca2cf4c2ce9a5b

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
64KB

MD5
c5c255a9bff72b158b89bbee12d93989

SHA1
3e5d0012d02dd856084f032f6775ae5a17f274f7

SHA256
4e4db23a91c410deae98a719f40ecd8b5dd1302fdc183219186265f02edf53f2

SHA512
2b6dc04cb70b9afc0d3b80132f69887f64f641da120ed2d2e2c1e530b0b1df20a0415795f0d93bc29e54ba0ccdc298db7cedc18134ec9dfbf748a6f447a2e903

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
64KB

MD5
95869341b299762a7ddc022cd48cf67e

SHA1
0ddfcf20fb8e4c7de3040b9e7286d823d1787348

SHA256
403c612de4853b9fb3d671170a6c3750bc738ef472cd80c501e8f6028038d682

SHA512
634a8e30c75569c3257ff39bb8565d102416f637c5bafe6e802d687de03e968b7905896a0024264b9bb8cdae783047f1000d5658234e56cc0e65f6bb6548ca23

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
64KB

MD5
6a1532c63b6eac1d58d905143877d62e

SHA1
438ab4b9a880cbc58043a83aace438c835147a52

SHA256
07ad3dfb2ad4a29854f893d3f5020a7a08631a2a53049988c8585c8a8e551b98

SHA512
c98de2c9f4cd99a14b0e59f0d8f8872e801699683959944e1912abe2ceb72e87d3ffa8ccf6cae7ce22ecdcb3b0f89e8de8cf88424f50247d7fd91861186d862f

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
64KB

MD5
c689cb86cf9ceaed4631eab6e81a7a79

SHA1
7e2c50a7c0dfac794770a3385537b674afa136d1

SHA256
b675ea825e10151635919f8aafd30199c8168d9439d38ed4b419371d0b0b3dfa

SHA512
a8ca54b3166daeabc79c8d15c837d18b94b144877fa4fcc233e98f603318493a847135194ad0f00d48244100f55fe837cf506fc5183037fafc1fc7f0312568bd

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
64KB

MD5
50950888720e3e59ff3fb257ccc74c7f

SHA1
f34ed45daf26998aecfb8fa73eede8fa8c4862fd

SHA256
3020d015af1fe0219bf7f3cdfb17c327a1360bff1c1a8eb6869f1d08e1ed270a

SHA512
101dee3eb2f7e8b41c8dbfe96af02f746dd28cc2ee2f728fc67339d2cf27289275fd1347b0b9a02200b83e5f754a7c29ead02741ca053a17bed26c0a37e7aa08

Download Submit
C:\Windows\SysWOW64\Egoife32.exe

Filesize
64KB

MD5
401db5e83077c70210b84e256ed72f55

SHA1
6f6a9196bce8b932901af3a0be026face3322083

SHA256
f4896f0f06d82d96bf682c1944290abf1fd2860b9d4dcd389c067cab5ec411bc

SHA512
f6a849622b0678ae8a28015ab268bf9fbcfbe088edd0449cb031dec80bf72963ee76c237a389e5165258388df91cfe3071f39710d9e8a5ed9139b329ee12fe9f

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
64KB

MD5
a9a9f64b6c2aacbe35b8c92579927504

SHA1
da073403a984fe52a910e99c5fd9406809afc19a

SHA256
57633aabf99e657056aa190e078a5cb48d33af208bd5c203d9d32d3feaa36c0b

SHA512
7163e50f7398224a24f428f74a0c075e9b5e427bd3ef0f315779e94edd2413cf3f3ecc0c0db789ee996633fb5c0615a0adda7d706ed7559e34286df7de41d9a8

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
64KB

MD5
3aab70a00f405953c0276c760787475b

SHA1
0e58d38212c87c38535d6f7490c938ca9c7df9a3

SHA256
4aee52248d8a2f4f073d07460540b9963f6b32da78d2517317b0d157f47e7858

SHA512
6cd28cf12e2cfaf7b7b885ef5ea495c95406a6add6616b1e2f91c5289a0f8675be5c501ff48c950fdfb8067237ae14833d5e8ef4d6026cd96b49d0dffb40db9f

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
64KB

MD5
1336cab3a9a6678dc7076e3b11bb7ebc

SHA1
d21b924f5aebb8d4c1482fbabc788462fa192b08

SHA256
6cd171fd478a073ee6f3758355cc960157d58d0c30bd64d72c1d9453f4f0ee89

SHA512
3d65b5f1ae8de3212023f3e7a8dfe0a1051d69e7c6a1a8b7656df92b641cc33fc78a4ec320ac69bc958fd55a32373f9301a1d73e7e016644c21808fad103f97d

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
64KB

MD5
0517891e6b3987e20623fd75dc9d5e89

SHA1
c95674b6c83499299603e4a1a4342b569a91fbac

SHA256
cc7ae641048d3672c4e3f986d1ffdccd75020d6a94b8003eb36eb238497c9241

SHA512
1ef645f8536e0b5a567eef37c6edaebf9172491f9d97603a119d184f8ab7b6cf311bc50041fbabb5a4437a763475519fbc94a059b99e456e834be6d6fffdc2c0

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
64KB

MD5
844623fea52ed8c66355864e0604ecbc

SHA1
97cde7102c04e5209b7c515171890122b9c189a6

SHA256
227ecc62643c8c2fec4d47102b99205aba03d73e3e700e7c8bb1e249eb5b46ad

SHA512
c3d38e2fb06d6a533ca740bf1983c61cf6f6480ae26ad2daf6efda6953b4235114f3fa9bfeec05f16016aae97f17bec596ea680836d8010462bfb7c383a0ceb2

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
64KB

MD5
6dec342fc24107ff1d6e70ab381144e4

SHA1
7e42ef9c274c63b61386a1f4605c2d9c60cd65af

SHA256
0b8aabb8f2240427c5a9a912e260298754f0a54641a9b5bc195d76dbfe38b171

SHA512
0709aa2e8faf273fa8967c4e2aad39dd0f7ed92a4c8d793eb34d4ecfb6032703ad97b80ea92b5a9b04ac1101db5b63c50d3aaabc39980a686469119a5509638d

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
64KB

MD5
f3d1bd2caaab0a0904ac56f4172b8ef0

SHA1
fea0e8b4979ca685feb9c17067eceb94de08dd1f

SHA256
7bffddfd4818874bb7e10f27625a163d1deee7cc24e1581bf0b5f62fcae9504e

SHA512
82413d8113821f26820c5bb4fbb73b75daf1b8f310a811a719f56ff35eb3c8ef98156bbae03341a15e4462b59303b00a76574df4fc1fb326643f8938fa1262aa

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
64KB

MD5
48696e1faec3e9345c1c37f959951794

SHA1
5b17091b41a750fb93f92314c901bc3b1375eed4

SHA256
b8c43cd00bce90e8a743126e0c632fcab25042a01450e754e51956059dbd5f5a

SHA512
fa7d3ba68d38d3b6b0c4b14a7a0ec6c72cd91577839ea39f8b13358f6f4db5523ad9651fec24e9706cd578a6ca6e7438e6d4541d40db45ad0b3f0274a0f42727

Download Submit
C:\Windows\SysWOW64\Eqbddk32.exe

Filesize
64KB

MD5
c9271244c7854821779ccefa31be1695

SHA1
6da66b6b17d99be031101678a63a25ca6153f28f

SHA256
8a576f843f69cfa7ff5abf278b0d30c6ed10d951cfdfcf3e0f4d3afc7f085aad

SHA512
3885396892f289b844a22171153f8606e6c34d89da6433f0158f2406dac9bc88f134592d2dbd8fc5e650817d9c97b0f0cc358e8e64dca2fb9f6d7403b78b2db3

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
64KB

MD5
e046516a3161aaf3d80c23d455873d91

SHA1
05fcb5b7c2d0b4fcfda55f0bce4f1a91fbd8921d

SHA256
3ede73f2b8f5560d9b6cb8395804880e0662b0b0d47869ccc8ceab05bd975f36

SHA512
85bf48b80fcb5ac6aee92e4c585b829f23c120e4746d9d6560e6bc15e94520b9529b921c5af8a5f7c0af8b25a546d3c2f577f1c04bc1f34cac4dae68fc1d565e

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
64KB

MD5
2949458422c51728268d3ea091fab52e

SHA1
c761be3e71a733a4c1f380923bd4dbf186cd3e44

SHA256
d3c7c9a983f988db2e8caeb686dd9eebb964bb87ece85ae4e36c88097630edd1

SHA512
1c6dbeeb4494733becdab6349208cdb28764b55f2ae333d88da912ad49dea739a1096534114654e4ab229100d0dcd1c8bcaa07e140bd03e4e1513760c87c8ef5

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
64KB

MD5
118cdb834398524a32e1b35899d1ddef

SHA1
09a79bbe17c4f6c99070383dc4e4ceb6580f08d3

SHA256
955336b130220f676cc03c0c70b86a88aabdc1779bb722572e2548ef2b761046

SHA512
e661364a5ac19913860f31559a812a6996c0d9a88786537a6000ae7f4a2a53923852104782aefcc81eda3becc094a01f58498f8b2dc673c7d8b75822ea7bc844

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
64KB

MD5
82eb6611a8da2dcec3c5021beaa00900

SHA1
a923f8d7164706684639b96313cc31a7d02c13a8

SHA256
e7cbbfa40bce10174aad9df0391e9f81ebce0192566a81dbf6c5a5e9c9bad155

SHA512
408485f979ef96ad797587fd6a22c37e8e078dd7b73feccc3837fecb6a06b0ea2ba478a16f976d5fe4bc9e8b589fe5a76114fe93c1beefff2314264261f5bd40

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
64KB

MD5
8e6e6099739555bebd575e2fe30f44d3

SHA1
b16d750ad9cb52c04aa6f06f9724574a41abbdca

SHA256
086fa317cfe4480de095ab8302aeb201f402b80b3eb5514d3cab3d91620b7fd7

SHA512
ed603cbd71697600084efcfc24c818bc9d0151b181dfa6ec8561861e8d3ef2e6c01dd9ecfa9215893a8c000d358d6d5214cc13d1a79e2f2c453c6ceddf62e218

Download Submit
\Windows\SysWOW64\Bdeeqehb.exe

Filesize
64KB

MD5
58c590ab547abdd77fefc247fb0d061d

SHA1
ef0ef25ad02d3ca1138a5b94899011a42d84fbe1

SHA256
fe257ace2f12dd94f2a287c8ffab264858fc2180c5d58b5cc35dce7e30c69929

SHA512
70c1dc2247f008f6c00539b003013e0b5780eef982aff4dfa9c5fc5a0e38fb1a230d7fdf4c155230dbb32b3c58d232c49d97e20d74e877c035e7363031ee82d0

Download Submit
\Windows\SysWOW64\Bghjhp32.exe

Filesize
64KB

MD5
18ab7ae145c365054fe1fc9e13547f88

SHA1
f33e534744827939b9169e27cb0ca6a5e4a78ff0

SHA256
086b45c565b0c9090b3b2dcc0ba23158d71ccf173d36fcb314c194633f970bf2

SHA512
dc8ed0cb2268752b45726e9e57fbbfa2118a1546ca2eb50c4ca806bbef29ee63a061899a7c5696614dd129b200ed22e73526ee0c63072f7e3ddbe92f485b32eb

Download Submit
\Windows\SysWOW64\Bhigphio.exe

Filesize
64KB

MD5
bb369afefe611adc614c32330df01948

SHA1
9d9db01a842c59a7fe4ae3ed45a341cc48975def

SHA256
d7bcee93ab6f68936d35ad94077fd2c008917d3fed61a9b1ce2ee27c830bd523

SHA512
45476acf251e5ccc6e62beeae0a90d262e4e83ef1fa8649f80db56f820136ce335c2bead61a70af90fefbfca4a7828cba7fbcf98741d7c2572585df5601f9ea0

Download Submit
\Windows\SysWOW64\Bhkdeggl.exe

Filesize
64KB

MD5
a531757003bef47093e7a7ac36d81cea

SHA1
b0469640b2b781a16d90177c3a82be8363f2c704

SHA256
81b2f376f157f1f84f07ce37816d24b7ee27d2dd813d9ae5e6a17cedbfdefb90

SHA512
110ac868c28d4e4de9a2266e25d09a97879875e9c09235b411ecb1193d4c9918c94ab7d495873a6411227344bf8d23c1cb3b8d6699eb5d866863c92e26d4bc56

Download Submit
\Windows\SysWOW64\Biamilfj.exe

Filesize
64KB

MD5
2f957e0e5bba5066f418aeeaa26fa91e

SHA1
431c0499fa5a7ba3b786b09bfd39284f7dbb4993

SHA256
1811a9ee7715c0a1c4a2ccf4b7681ec891ab3f910599888674f0131690ac6d7a

SHA512
0cf8e130067de01356a715b4e1a00a0c30e30b2383934b4ae20e840c9787c1be679f5ffde389547ada9b9b108114a12631484d022c19a56afd0260cdbcdd689a

Download Submit
\Windows\SysWOW64\Blpjegfm.exe

Filesize
64KB

MD5
62159c4c4064d4788d11d1f4b5f92d76

SHA1
e25fa4ce5527de626b0de4c53bbf9343bc81ea21

SHA256
8ac14ac913e67ac3b800aae87cba13ded574dd7f607b2bd3e181d18427d7d706

SHA512
e2becc9d1c0998ca09a9153dbdd3eae996b6a1f3c8674c6600e36879fb469d44c74b3240c768a140eeb68b7ab1cf2d2e74fe866a25193abfc659ec1c1bcf68a7

Download Submit
\Windows\SysWOW64\Cafecmlj.exe

Filesize
64KB

MD5
fe91064e0cd0397f814d1cfcb2f7dde7

SHA1
ba0bd257e5a5507f03becc7bc0b88b88d2ea808b

SHA256
154fbe0551ad90ae94b1a27e5c762c6a630cc0b9264c84a6c781c6a9770896f2

SHA512
daa59c210ae84bd79840cf7762fcbca785f9a1756be5618ac022a3d833473fa4b18b13c5cb9cce880ef55d082d1c34fbb462ba921abd5fef1e465bda5f01ccf7

Download Submit
\Windows\SysWOW64\Cahail32.exe

Filesize
64KB

MD5
0af17858afabc5b86e9e93f02ac3d676

SHA1
3ef819c13797cbb4552a047f13248b215ef3385a

SHA256
fb5ab7708caf29179791adfa166f66e8b26d755cee3ed9bd9ba7fe73e97116fc

SHA512
de57afe51c62da03233d998a3aebb44a874789be527a8b7621170357a5b4b45425c47ed594552ac48ad7a9c6fed833bdbe951b5644793c68cc18791f02a1af13

Download Submit
\Windows\SysWOW64\Ccahbp32.exe

Filesize
64KB

MD5
4260b8d1d20ac6c7bea149b8a8948111

SHA1
9e429c1fecfe6f903b41af8cb9937dc54c014e8a

SHA256
4c2fb06a020b12caaf3180343a929ee00150df0e539b15c10b8ebc7211307162

SHA512
ae560522999f01e046af1bc3982eb9daff98938ae9105d59959c1d111d2b48f42052f4a3921289770e95876e2d74856793c89951102777b4534725a273725bef

Download Submit
\Windows\SysWOW64\Cgcmlcja.exe

Filesize
64KB

MD5
4f30c90d723e65abdcc073f86c6b3216

SHA1
95c31759fe8dbba87f045f6b8bc6051671bce99e

SHA256
d3f1d85aef85d0e10927236d24901eaa89c3888ffbf51934968beb78cc598ffc

SHA512
0bfb21814eb105c4ea3d4e151624d74104eea1c3951ffb53799a3c4ab9066fe6d914a568c7a9f42e95138f1cd647d03cfc6e473f2564316a0ea87de37dada6c8

Download Submit
\Windows\SysWOW64\Chpmpg32.exe

Filesize
64KB

MD5
d79318be8504647af8147b2aca0d822b

SHA1
cd86c7ce4a073793de903cf9d88609da367b688c

SHA256
5c1173be8ceb480a894c97ad9855058dc017a23b929e94d0f03dbe42375e9299

SHA512
9bba67e2927690f0b1de655dcec0b0c6dc8585f4e926bc97a620c9847c0fe48327a2a2d921570ad5b4ad03b58a86a3b8c02aceef443f6e748a802bc3795d8697

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
64KB

MD5
8b94a2d4960205fba3accfbd72817b1a

SHA1
e686ccc8fbb7a323221056f3a9aeddcaa16480ce

SHA256
60eb65c99bffce7d7f31280ddbcab34ab99e067f11805c0bb5c7d8b572d19890

SHA512
d8870c7b9b49db55e486050fc2252cd00f9f07907813d7941e9b99443fba3b8351b1db37a7cda87141377782a616006a35ae822b48285d30f63fa300ae80e3da

Download Submit
memory/300-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/300-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/300-108-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/484-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/484-416-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/484-378-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/484-413-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-275-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-245-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/648-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/648-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/648-261-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/860-167-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/860-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/860-213-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1432-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1432-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1540-309-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1540-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1540-325-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1540-323-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1708-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1708-48-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/1708-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-233-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1860-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-230-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1952-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1996-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1996-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2044-421-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2044-427-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2092-357-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2092-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2092-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-379-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-388-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2128-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2176-431-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2176-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2288-287-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2288-289-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2320-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2320-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-272-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2416-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2416-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2416-341-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2416-283-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2416-288-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2532-355-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2532-352-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2532-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2532-300-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2620-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2620-121-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2620-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2620-70-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2708-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-26-0x0000000001F70000-0x0000000001FAB000-memory.dmp

Filesize
236KB

Download
memory/2708-25-0x0000000001F70000-0x0000000001FAB000-memory.dmp

Filesize
236KB

Download
memory/2708-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-12-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2756-56-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2804-354-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2804-356-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2804-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2804-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2844-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-80-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2848-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2856-414-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-144-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2864-137-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2864-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-195-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2880-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2880-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-337-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2896-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-330-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-124-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2900-172-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2912-399-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2956-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-202-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2976-201-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2976-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-254-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads