berbew | 85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Size

85KB
MD5

0f29e93df45b0f14753d5ff450b849eb
SHA1

c1d7ab064b7562ef074a11b4f6ead9f1fd118166
SHA256

85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c
SHA512

88f23112aa7a75e822130a15000be0fc9e2138b77043c512889c145aed300abf33a61bdb1a0c281099012581265330a77f7e8122fe1d7d9c6815643f7369f2ad
SSDEEP

1536:LxE/xmwZHRUrHfSnmeVPmZs7Rq1no2LH1SMQ262AjCsQ2PCZZrqOlNfVSLUKW:q/4a6HfSnus7Rq3HYMQH2qC7ZQOlzSLQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcekj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabcbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogbolep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiocbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijffhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmighemp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfdjpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcegdnna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnfdbig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnobi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcegdnna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamjghnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnqhddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifceemdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obamebfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiocbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhdlbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glpdbfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbibli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhdlbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadlgjjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadlgjjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npngng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igioiacg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifceemdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eonhpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhifmcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkiooocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njaoeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabcbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekoljgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njaoeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npngng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldndng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdcbjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njobpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogbolep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmighemp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
1244	Dogbolep.exe
2408	Deajlf32.exe
2908	Eiocbd32.exe
2696	Eonhpk32.exe
2728	Eijffhjd.exe
2708	Fimclh32.exe
2284	Fcegdnna.exe
516	Fhdlbd32.exe
2604	Fhifmcfa.exe
3044	Gkiooocb.exe
1252	Gpfggeai.exe
784	Glpdbfek.exe
2248	Gjcekj32.exe
2872	Hjhofj32.exe
2592	Hmighemp.exe
2216	Hbhmfk32.exe
1728	Iamjghnm.exe
1784	Igioiacg.exe
1704	Iabcbg32.exe
2464	Ilnqhddd.exe
2340	Ifceemdj.exe
2620	Jpnfdbig.exe
2348	Jekoljgo.exe
2832	Jocceo32.exe
2800	Jadlgjjq.exe
2840	Kbjbibli.exe
2956	Kidjfl32.exe
2224	Kadhen32.exe
2684	Lllihf32.exe
2744	Lpnobi32.exe
2780	Ldndng32.exe
1116	Mfdjpo32.exe
1680	Moloidjl.exe
980	Mhdcbjal.exe
1920	Mnakjaoc.exe
1832	Mhgpgjoj.exe
2508	Nbodpo32.exe
1748	Nkhhie32.exe
592	Nqdaal32.exe
2124	Nkjeod32.exe
676	Nmkbfmpf.exe
1548	Njobpa32.exe
456	Nqijmkfm.exe
2220	Njaoeq32.exe
2400	Npngng32.exe
2520	Oclpdf32.exe
1676	Omddmkhl.exe
2528	Obamebfc.exe
2836	Ohnemidj.exe

Loads dropped DLL 64 IoCs

pid	Process
2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
1244	Dogbolep.exe
1244	Dogbolep.exe
2408	Deajlf32.exe
2408	Deajlf32.exe
2908	Eiocbd32.exe
2908	Eiocbd32.exe
2696	Eonhpk32.exe
2696	Eonhpk32.exe
2728	Eijffhjd.exe
2728	Eijffhjd.exe
2708	Fimclh32.exe
2708	Fimclh32.exe
2284	Fcegdnna.exe
2284	Fcegdnna.exe
516	Fhdlbd32.exe
516	Fhdlbd32.exe
2604	Fhifmcfa.exe
2604	Fhifmcfa.exe
3044	Gkiooocb.exe
3044	Gkiooocb.exe
1252	Gpfggeai.exe
1252	Gpfggeai.exe
784	Glpdbfek.exe
784	Glpdbfek.exe
2248	Gjcekj32.exe
2248	Gjcekj32.exe
2872	Hjhofj32.exe
2872	Hjhofj32.exe
2592	Hmighemp.exe
2592	Hmighemp.exe
2216	Hbhmfk32.exe
2216	Hbhmfk32.exe
1728	Iamjghnm.exe
1728	Iamjghnm.exe
1784	Igioiacg.exe
1784	Igioiacg.exe
1704	Iabcbg32.exe
1704	Iabcbg32.exe
2464	Ilnqhddd.exe
2464	Ilnqhddd.exe
2340	Ifceemdj.exe
2340	Ifceemdj.exe
2620	Jpnfdbig.exe
2620	Jpnfdbig.exe
2348	Jekoljgo.exe
2348	Jekoljgo.exe
2832	Jocceo32.exe
2832	Jocceo32.exe
2800	Jadlgjjq.exe
2800	Jadlgjjq.exe
2840	Kbjbibli.exe
2840	Kbjbibli.exe
2956	Kidjfl32.exe
2956	Kidjfl32.exe
2224	Kadhen32.exe
2224	Kadhen32.exe
2684	Lllihf32.exe
2684	Lllihf32.exe
2744	Lpnobi32.exe
2744	Lpnobi32.exe
2780	Ldndng32.exe
2780	Ldndng32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eiocbd32.exe	Deajlf32.exe
File created	C:\Windows\SysWOW64\Opcboqhc.dll	Moloidjl.exe
File created	C:\Windows\SysWOW64\Njobpa32.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Omddmkhl.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Eiocbd32.exe	Deajlf32.exe
File created	C:\Windows\SysWOW64\Hbhmfk32.exe	Hmighemp.exe
File created	C:\Windows\SysWOW64\Jpnfdbig.exe	Ifceemdj.exe
File created	C:\Windows\SysWOW64\Mdjfie32.dll	Lpnobi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqdaal32.exe	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Hpamlo32.dll	Npngng32.exe
File opened for modification	C:\Windows\SysWOW64\Fimclh32.exe	Eijffhjd.exe
File created	C:\Windows\SysWOW64\Immbmp32.dll	Glpdbfek.exe
File created	C:\Windows\SysWOW64\Jocceo32.exe	Jekoljgo.exe
File created	C:\Windows\SysWOW64\Iofpmj32.dll	Nbodpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Bholhi32.dll	Njaoeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ilnqhddd.exe	Iabcbg32.exe
File created	C:\Windows\SysWOW64\Cpikne32.dll	Ldndng32.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	Mfdjpo32.exe
File created	C:\Windows\SysWOW64\Nbodpo32.exe	Mhgpgjoj.exe
File created	C:\Windows\SysWOW64\Oclpdf32.exe	Npngng32.exe
File created	C:\Windows\SysWOW64\Inhpjehm.dll	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Gbidbf32.dll	Eiocbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhofj32.exe	Gjcekj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldndng32.exe	Lpnobi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbodpo32.exe	Mhgpgjoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkhhie32.exe	Nbodpo32.exe
File created	C:\Windows\SysWOW64\Qncmki32.dll	Eonhpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhmfk32.exe	Hmighemp.exe
File opened for modification	C:\Windows\SysWOW64\Deajlf32.exe	Dogbolep.exe
File created	C:\Windows\SysWOW64\Panfco32.dll	Dogbolep.exe
File created	C:\Windows\SysWOW64\Lpnobi32.exe	Lllihf32.exe
File opened for modification	C:\Windows\SysWOW64\Oclpdf32.exe	Npngng32.exe
File opened for modification	C:\Windows\SysWOW64\Omddmkhl.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Gobhkhgi.dll	Oclpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Fhdlbd32.exe	Fcegdnna.exe
File created	C:\Windows\SysWOW64\Hjhofj32.exe	Gjcekj32.exe
File opened for modification	C:\Windows\SysWOW64\Moloidjl.exe	Mfdjpo32.exe
File created	C:\Windows\SysWOW64\Bllndljk.dll	Nkjeod32.exe
File created	C:\Windows\SysWOW64\Fcegdnna.exe	Fimclh32.exe
File created	C:\Windows\SysWOW64\Llloeb32.dll	Fhifmcfa.exe
File created	C:\Windows\SysWOW64\Gkkaem32.dll	Hjhofj32.exe
File created	C:\Windows\SysWOW64\Mhmplgki.dll	Hmighemp.exe
File opened for modification	C:\Windows\SysWOW64\Ifceemdj.exe	Ilnqhddd.exe
File created	C:\Windows\SysWOW64\Jadlgjjq.exe	Jocceo32.exe
File created	C:\Windows\SysWOW64\Mhdcbjal.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Iknkfi32.dll	Nqdaal32.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Obamebfc.exe
File created	C:\Windows\SysWOW64\Lckfbdjp.dll	Ifceemdj.exe
File created	C:\Windows\SysWOW64\Pfhofj32.dll	Jekoljgo.exe
File created	C:\Windows\SysWOW64\Hoakai32.dll	Jadlgjjq.exe
File opened for modification	C:\Windows\SysWOW64\Npngng32.exe	Njaoeq32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Obamebfc.exe
File opened for modification	C:\Windows\SysWOW64\Fhifmcfa.exe	Fhdlbd32.exe
File opened for modification	C:\Windows\SysWOW64\Gjcekj32.exe	Glpdbfek.exe
File created	C:\Windows\SysWOW64\Mfdjpo32.exe	Ldndng32.exe
File created	C:\Windows\SysWOW64\Nmkbfmpf.exe	Nkjeod32.exe
File created	C:\Windows\SysWOW64\Ipapioii.dll	Igioiacg.exe
File created	C:\Windows\SysWOW64\Ilnqhddd.exe	Iabcbg32.exe
File created	C:\Windows\SysWOW64\Kbjbibli.exe	Jadlgjjq.exe
File created	C:\Windows\SysWOW64\Mofeco32.dll	Kadhen32.exe
File created	C:\Windows\SysWOW64\Deajlf32.exe	Dogbolep.exe
File created	C:\Windows\SysWOW64\Fimclh32.exe	Eijffhjd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2952	2836	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfdjpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eijffhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhifmcfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glpdbfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifceemdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekoljgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbibli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnobi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njaoeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcegdnna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjhofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamjghnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igioiacg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnfdbig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnqhddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldndng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgpgjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiocbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabcbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadhen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllihf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbodpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eonhpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhdlbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpfggeai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmighemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbhmfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadlgjjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdcbjal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npngng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogbolep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcekj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqdaal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjeod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obamebfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deajlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkiooocb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhhie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omddmkhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immbmp32.dll"	Glpdbfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfdjpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcegdnna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhdlbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll"	Fhifmcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnakeah.dll"	Jpnfdbig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidjfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpmelm.dll"	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhifmcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkiooocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmighemp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdppcdq.dll"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhpjehm.dll"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaqhfpj.dll"	Gjcekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkaem32.dll"	Hjhofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllihf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpikne32.dll"	Ldndng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogbolep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjcekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekoljgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfhmqhk.dll"	Hbhmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldndng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoemjgn.dll"	Fhdlbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhdlbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjpjphf.dll"	Gkiooocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpfggeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfdjpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhdcbjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjdgm32.dll"	Nkhhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njaoeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igioiacg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjfpmp.dll"	Jocceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidjfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glpdbfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll"	Jadlgjjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deajlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchahi32.dll"	Gpfggeai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jadlgjjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiocbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eijffhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkiooocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll"	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiocbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfboi32.dll"	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll"	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnfdbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhack32.dll"	Lllihf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakqdpmg.dll"	Eijffhjd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1244	2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe	29
PID 2280 wrote to memory of 1244	2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe	29
PID 2280 wrote to memory of 1244	2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe	29
PID 2280 wrote to memory of 1244	2280	85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe	29
PID 1244 wrote to memory of 2408	1244	Dogbolep.exe	30
PID 1244 wrote to memory of 2408	1244	Dogbolep.exe	30
PID 1244 wrote to memory of 2408	1244	Dogbolep.exe	30
PID 1244 wrote to memory of 2408	1244	Dogbolep.exe	30
PID 2408 wrote to memory of 2908	2408	Deajlf32.exe	31
PID 2408 wrote to memory of 2908	2408	Deajlf32.exe	31
PID 2408 wrote to memory of 2908	2408	Deajlf32.exe	31
PID 2408 wrote to memory of 2908	2408	Deajlf32.exe	31
PID 2908 wrote to memory of 2696	2908	Eiocbd32.exe	32
PID 2908 wrote to memory of 2696	2908	Eiocbd32.exe	32
PID 2908 wrote to memory of 2696	2908	Eiocbd32.exe	32
PID 2908 wrote to memory of 2696	2908	Eiocbd32.exe	32
PID 2696 wrote to memory of 2728	2696	Eonhpk32.exe	33
PID 2696 wrote to memory of 2728	2696	Eonhpk32.exe	33
PID 2696 wrote to memory of 2728	2696	Eonhpk32.exe	33
PID 2696 wrote to memory of 2728	2696	Eonhpk32.exe	33
PID 2728 wrote to memory of 2708	2728	Eijffhjd.exe	34
PID 2728 wrote to memory of 2708	2728	Eijffhjd.exe	34
PID 2728 wrote to memory of 2708	2728	Eijffhjd.exe	34
PID 2728 wrote to memory of 2708	2728	Eijffhjd.exe	34
PID 2708 wrote to memory of 2284	2708	Fimclh32.exe	35
PID 2708 wrote to memory of 2284	2708	Fimclh32.exe	35
PID 2708 wrote to memory of 2284	2708	Fimclh32.exe	35
PID 2708 wrote to memory of 2284	2708	Fimclh32.exe	35
PID 2284 wrote to memory of 516	2284	Fcegdnna.exe	36
PID 2284 wrote to memory of 516	2284	Fcegdnna.exe	36
PID 2284 wrote to memory of 516	2284	Fcegdnna.exe	36
PID 2284 wrote to memory of 516	2284	Fcegdnna.exe	36
PID 516 wrote to memory of 2604	516	Fhdlbd32.exe	37
PID 516 wrote to memory of 2604	516	Fhdlbd32.exe	37
PID 516 wrote to memory of 2604	516	Fhdlbd32.exe	37
PID 516 wrote to memory of 2604	516	Fhdlbd32.exe	37
PID 2604 wrote to memory of 3044	2604	Fhifmcfa.exe	38
PID 2604 wrote to memory of 3044	2604	Fhifmcfa.exe	38
PID 2604 wrote to memory of 3044	2604	Fhifmcfa.exe	38
PID 2604 wrote to memory of 3044	2604	Fhifmcfa.exe	38
PID 3044 wrote to memory of 1252	3044	Gkiooocb.exe	39
PID 3044 wrote to memory of 1252	3044	Gkiooocb.exe	39
PID 3044 wrote to memory of 1252	3044	Gkiooocb.exe	39
PID 3044 wrote to memory of 1252	3044	Gkiooocb.exe	39
PID 1252 wrote to memory of 784	1252	Gpfggeai.exe	40
PID 1252 wrote to memory of 784	1252	Gpfggeai.exe	40
PID 1252 wrote to memory of 784	1252	Gpfggeai.exe	40
PID 1252 wrote to memory of 784	1252	Gpfggeai.exe	40
PID 784 wrote to memory of 2248	784	Glpdbfek.exe	41
PID 784 wrote to memory of 2248	784	Glpdbfek.exe	41
PID 784 wrote to memory of 2248	784	Glpdbfek.exe	41
PID 784 wrote to memory of 2248	784	Glpdbfek.exe	41
PID 2248 wrote to memory of 2872	2248	Gjcekj32.exe	42
PID 2248 wrote to memory of 2872	2248	Gjcekj32.exe	42
PID 2248 wrote to memory of 2872	2248	Gjcekj32.exe	42
PID 2248 wrote to memory of 2872	2248	Gjcekj32.exe	42
PID 2872 wrote to memory of 2592	2872	Hjhofj32.exe	43
PID 2872 wrote to memory of 2592	2872	Hjhofj32.exe	43
PID 2872 wrote to memory of 2592	2872	Hjhofj32.exe	43
PID 2872 wrote to memory of 2592	2872	Hjhofj32.exe	43
PID 2592 wrote to memory of 2216	2592	Hmighemp.exe	44
PID 2592 wrote to memory of 2216	2592	Hmighemp.exe	44
PID 2592 wrote to memory of 2216	2592	Hmighemp.exe	44
PID 2592 wrote to memory of 2216	2592	Hmighemp.exe	44

C:\Users\Admin\AppData\Local\Temp\85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe
"C:\Users\Admin\AppData\Local\Temp\85a6fddd70936f4499e1fb762b89e21c10e2af43bff4f0f51ccdfadead9b1f9c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Dogbolep.exe
  C:\Windows\system32\Dogbolep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\Deajlf32.exe
    C:\Windows\system32\Deajlf32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Eiocbd32.exe
      C:\Windows\system32\Eiocbd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Eonhpk32.exe
        
        C:\Windows\system32\Eonhpk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Eijffhjd.exe
        
        C:\Windows\system32\Eijffhjd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Fimclh32.exe
        
        C:\Windows\system32\Fimclh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Fcegdnna.exe
        
        C:\Windows\system32\Fcegdnna.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Fhdlbd32.exe
        
        C:\Windows\system32\Fhdlbd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Fhifmcfa.exe
        
        C:\Windows\system32\Fhifmcfa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Gkiooocb.exe
        
        C:\Windows\system32\Gkiooocb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Gpfggeai.exe
        
        C:\Windows\system32\Gpfggeai.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Glpdbfek.exe
        
        C:\Windows\system32\Glpdbfek.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Gjcekj32.exe
        
        C:\Windows\system32\Gjcekj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Hjhofj32.exe
        
        C:\Windows\system32\Hjhofj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Hmighemp.exe
        
        C:\Windows\system32\Hmighemp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Hbhmfk32.exe
        
        C:\Windows\system32\Hbhmfk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Iamjghnm.exe
        
        C:\Windows\system32\Iamjghnm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Igioiacg.exe
        
        C:\Windows\system32\Igioiacg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Iabcbg32.exe
        
        C:\Windows\system32\Iabcbg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Ilnqhddd.exe
        
        C:\Windows\system32\Ilnqhddd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Ifceemdj.exe
        
        C:\Windows\system32\Ifceemdj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Jpnfdbig.exe
        
        C:\Windows\system32\Jpnfdbig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Jekoljgo.exe
        
        C:\Windows\system32\Jekoljgo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Jocceo32.exe
        
        C:\Windows\system32\Jocceo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Jadlgjjq.exe
        
        C:\Windows\system32\Jadlgjjq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Kbjbibli.exe
        
        C:\Windows\system32\Kbjbibli.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Kidjfl32.exe
        
        C:\Windows\system32\Kidjfl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Kadhen32.exe
        
        C:\Windows\system32\Kadhen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Lllihf32.exe
        
        C:\Windows\system32\Lllihf32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Lpnobi32.exe
        
        C:\Windows\system32\Lpnobi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Ldndng32.exe
        
        C:\Windows\system32\Ldndng32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Mfdjpo32.exe
        
        C:\Windows\system32\Mfdjpo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Moloidjl.exe
        
        C:\Windows\system32\Moloidjl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Mhdcbjal.exe
        
        C:\Windows\system32\Mhdcbjal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Mnakjaoc.exe
        
        C:\Windows\system32\Mnakjaoc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Mhgpgjoj.exe
        
        C:\Windows\system32\Mhgpgjoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Nbodpo32.exe
        
        C:\Windows\system32\Nbodpo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Nkhhie32.exe
        
        C:\Windows\system32\Nkhhie32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Nqdaal32.exe
        
        C:\Windows\system32\Nqdaal32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Nkjeod32.exe
        
        C:\Windows\system32\Nkjeod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Njaoeq32.exe
        
        C:\Windows\system32\Njaoeq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Npngng32.exe
        
        C:\Windows\system32\Npngng32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Oclpdf32.exe
        
        C:\Windows\system32\Oclpdf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Omddmkhl.exe
        
        C:\Windows\system32\Omddmkhl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Obamebfc.exe
        
        C:\Windows\system32\Obamebfc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 140
        51⤵
        Program crash
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deajlf32.exe

Filesize
85KB

MD5
18d2272d24d7662131783006025122c5

SHA1
9ae03fc7fb7a6e03634223f1b1f628de4e371b27

SHA256
5b69ef71a2f43fb57febf4497b58dbd91475166442eff86055d0fc16a29f089b

SHA512
e94f966ecacd7630a466ce362ec413f9867ff3fcabbddbcde196805991b7225b382778a2dc014f8c3ac802e6705eba011c05b90e381361aa10292269aa5f7ec3

Download Submit
C:\Windows\SysWOW64\Eiocbd32.exe

Filesize
85KB

MD5
89e3c1c234c39be3fe54d9cfb10bf718

SHA1
8db023ede7a3801d4d07209f89378cc7eebe997f

SHA256
47bd1781e0b263cba1476dea2e4b7b4f704a8d8dea103f589e97dcc1e6a6a193

SHA512
49770864ade6f3b907655d674f33aa2df5c04b59decf61139624ed4cf6e62d61b6c1ce4ca7006382f3de06d5c6e7cbb5fed3bbed1b7ce5a3b975711f9647fa51

Download Submit
C:\Windows\SysWOW64\Fhdlbd32.exe

Filesize
85KB

MD5
e324aefdd6012d481307dc3930bf8812

SHA1
4f8372f97bfc9a17d5882947fddacae586cf60e5

SHA256
3a1d199dcc645295a5750e5b5f385295d41f7ddbb8d038d3604167647d5d2ae0

SHA512
28a1cab46a77802ce3916cc5e23f76b7a4662379d69c5c9c72f9c3eec96d078fe174069fc4e4f5ecce34a8a751cdcd50b9ea28f5182029467676316ffb6c033b

Download Submit
C:\Windows\SysWOW64\Iabcbg32.exe

Filesize
85KB

MD5
ecbcc1d9fa4827c3f3040851443e51bd

SHA1
3f78f1b3e206334f29afc11ee2f7141cea62569d

SHA256
ab3b00658467af0e9500a09755b5056b4caa16967805879d67d7d4b20d8296ae

SHA512
c91370fe12bce57c352946c2d80a3fa295bc1682f832af9e64e5f205aa0eba2a9bf17ea8bae06ae843a8d31921a0cb2c8d66867f14a1094b0464b1c615076b95

Download Submit
C:\Windows\SysWOW64\Iamjghnm.exe

Filesize
85KB

MD5
8610b9d7151ff3827d91b3950f7ea2e3

SHA1
826f2dad6d9dd78915931c5a22d6c7b30796042d

SHA256
d49cc8fa5670f2d0b760e1a8712d357428d9c37e7c28856b5a74993c6edd7a6c

SHA512
583241d5368f33d0e9b226ed84cec85967246a664b55a7ee0b26e48438374818ad794025224c4fffb8a190e27d3a75d400db3d117d8ce327fbcf86d0731b79f0

Download Submit
C:\Windows\SysWOW64\Ifceemdj.exe

Filesize
85KB

MD5
27cc081d7470a551e23db2258b8f3027

SHA1
6a5a711e38d2cb1f67b552c8fafea452078aa24a

SHA256
abade211f584f476976f867f80237803a876aee60abbbfcf43b23b00f7fec10f

SHA512
367d1862c0026b585a3a993c610db0dbb2188bce740d0653c87a6ed4e90b8700bbab262061f8f51093ddcd87c63a41832d86d35e8984fd184e24e0dfeae4c244

Download Submit
C:\Windows\SysWOW64\Igioiacg.exe

Filesize
85KB

MD5
59d17ec7d1529a393033efbd4bd6256b

SHA1
5f7dd7016758eb4fd0c2e64927965ce10ccc8508

SHA256
86b31495fe66843391d08ebf6d4adb1e26549801b6c5372088644d3ad0260130

SHA512
890545f657e8b056de65ecd24773a64782be864bca119668d2314ac3aeb53fbeef68328b324847a99568f33930860e825da813a20a15190904c85734437c80e3

Download Submit
C:\Windows\SysWOW64\Ilnqhddd.exe

Filesize
85KB

MD5
44f360d1fe8e0a2d71b77b4ed47a5fe5

SHA1
d0085e247f1b82bf7f65a01e3c508e0b7f0e03c6

SHA256
173856e9701aaeea7f5416cd6d797695ff216277a44a2eb8083593f31b4b41c4

SHA512
76281e4057d0bf11e37f2552f5c7465014ed7113a4f65213750903ef5bec7451145170ac8874dce3979b1d3ad4588d3b0f9aff163ef7b6830ff1897d8b6133f5

Download Submit
C:\Windows\SysWOW64\Jadlgjjq.exe

Filesize
85KB

MD5
34d385dc2ad87e2d2ef73106d6a56be5

SHA1
e046fbff2503238b294bb41fc0bf5ee5910ca039

SHA256
5fb2242b95980fe3ef84978109814803f73fff653659f41caa8638b7d237cf44

SHA512
b4607c7994b8cbd3ad5e52ce66bed4124195590d88181d9480b569f0634d2fd741883c4d4b9f7a005d216bd13844a312d372f23e50e761cf3f466767ca03d853

Download Submit
C:\Windows\SysWOW64\Jekoljgo.exe

Filesize
85KB

MD5
6decc85d7723f34221b07f9b0b7bce6c

SHA1
a4cd795f30b2b430ba3836de80dcfca43e157f3a

SHA256
f7bd25d681ca499dc64e1dad59ac98c14d2675f88a6f9a2e90cf8267ce1f5c26

SHA512
744640dabbaa8ed5c34ca7da17fc2f3d06ce0d0a6b783bab284bc5df8579d6f75754079a7e87fd7194d92d79914ce9d2534b0fda32bbf6f2e4811b1cd27809e5

Download Submit
C:\Windows\SysWOW64\Jocceo32.exe

Filesize
85KB

MD5
ac717563bbbde7f96a3ce93bd967d210

SHA1
cb7d62bb8d92b83e6a61f70bc280f4ebe689053b

SHA256
1f148e64ce4944fe445eb91e02c02a8c5a536a5e01a930a24d85c069a4e1b295

SHA512
318a9eb28e7ec67d100361630779af6061e5bb1bde37efbe0e38c092bd139ccdcbec9268a1e3c9a79f7194fc769837b6897e44ecd4dd637f93a526bba9765981

Download Submit
C:\Windows\SysWOW64\Jpnfdbig.exe

Filesize
85KB

MD5
a8bdcf75edc45977c36e2765c718e3dc

SHA1
6d2c2e48ddc09cd4ac0418d0f39cc3cc3318f22a

SHA256
4cadefa47716e7a360b0bc7283056dfa3b738209b3f8feb278dd18d6fba3b6c2

SHA512
2d546f2e7fa3e177fa9ca1e49f5d0e11a6208475ef43d2bdd8431d79cf14c2283a6c330870d6fa50e7ea4e4c0bacaf07fc78cf5266620acdb9892bfcc1abea68

Download Submit
C:\Windows\SysWOW64\Kadhen32.exe

Filesize
85KB

MD5
28adbeb658db82ce1545f9ed82811b38

SHA1
917f16e3a4e1df15c38498cd4744e5d811097b68

SHA256
29e476f2b35636cf97ee8028315ae53e3ef9064c4a105c838a6555e4de2a17f0

SHA512
2f66051781564ffe328536224cd22fd79311c8923b6870a2b27b56940b16bd3d7ba10f0f24cd11150c82225d9c2b7903066860359d8d48fcef0a732f79caf5e0

Download Submit
C:\Windows\SysWOW64\Kbjbibli.exe

Filesize
85KB

MD5
c99b1a2f09cf9289a4a891047369e214

SHA1
96b7dad51dc076d4bcdb4586979966f43c2c0747

SHA256
5ac6877ffd3a16352ec6388ee114c03d3f2f5007765b6058a25b824b9ee6816b

SHA512
73cd234b0581ec39780180c2f38e94042243ee811381086e8293aef924e8ed4d2c409efc647bfdfc6aec03b9a374eb4640126eb7c65ba0ff190c98486ebffa72

Download Submit
C:\Windows\SysWOW64\Kidjfl32.exe

Filesize
85KB

MD5
d680405512ac415b12707d7e6394f738

SHA1
713bfd33ef256c3f22aebe71cb8bd52327a40579

SHA256
137184f16e32cb6e7cf074d313555fee247ce0938a6fd5b256983cb259d51244

SHA512
66d4b188e9b0e9a4fe58d5fed32b5d33ac79528a733b8109692880b9db551842d0476797c58a05821abc23d816e0e0a342be5114478119f96a235a73f116f08b

Download Submit
C:\Windows\SysWOW64\Ldndng32.exe

Filesize
85KB

MD5
c885f04fc8d38a3b60701719f8705ca2

SHA1
2320c4dda48155ea944128223dbd8e24d4f38bad

SHA256
07cb9188c63460f9ccba0b1484406fd1f35cfb7e74075110a2a80a70fc7556f6

SHA512
76db0cd48033f93d77771b4f3ecb4842ae988913af2dbb41b0ecefd3c30e4601f5c7980f62908d823b685748acdd688d1bc51dee6c848b5c9cb1083b183527e5

Download Submit
C:\Windows\SysWOW64\Lllihf32.exe

Filesize
85KB

MD5
c96caa0a917341e4cdb08305c5162462

SHA1
031deebab0326c7294990f4c1a8a174e505b4016

SHA256
a93bb3f72ae57683e1895f2c7f8de2ea69316c8b23889638ef7d755f192b6f63

SHA512
8f15d9dc7bb433d5f2d8cc732cb12f523d48816b09b368eb6adca5540c49e480152b3593c7052c4cdb9d24988b24e5aa0af2b75ebc289c04954071babf2752f0

Download Submit
C:\Windows\SysWOW64\Lpnobi32.exe

Filesize
85KB

MD5
dce434c12dd82dbc68a4c9ff681cd6c1

SHA1
feff32909255a20e514be8700f52c0d3ca907c77

SHA256
a5ca4dadf6d5382ec047282597f48af3662d5db7db1514692001e4bc67515b41

SHA512
34ff319f5c305980f0f3c1015dbca9f08b5d8c1a4d78840a02a343072a717cd4fdee02e6d749c8f0f4543edbbcd9f1b37686aa4a97386a3d4926d5487df86fcd

Download Submit
C:\Windows\SysWOW64\Mfdjpo32.exe

Filesize
85KB

MD5
54bad5890df07e061d7e7b4984e93170

SHA1
0872db049a69319dc27f2161a377c2f9e54e9368

SHA256
0f9941583bf91d63af935700e472ea6f1dec5f89139331430e225eb20ca07cd8

SHA512
465a3781677eebbdd1077255266c185fcb4720604dcd72d74125f6a3d8e00ba4207532d4be68ee8b599a296315b10a5a23ed0cf1983bd913395de99b3406ead1

Download Submit
C:\Windows\SysWOW64\Mhdcbjal.exe

Filesize
85KB

MD5
474cb1a22b926f0d3ac8d0b38bcb452a

SHA1
0fd7b0a23d34bfbf52e20c75b85bee9df87f855d

SHA256
668bc9b8b212184ec3900c40aa1c982278c6eae86adce27d8524a9cf17c0e54d

SHA512
7da3580f9d1247f4d37d147ca6399cce70dade144a1aee7be749068e2c1c4878523a15c2f7c333b57498c7334d95d23f9149241a4c0f8d21fb8ebd8ff2683108

Download Submit
C:\Windows\SysWOW64\Mhgpgjoj.exe

Filesize
85KB

MD5
781c85df320024e44e0fd06c6b4b5e6a

SHA1
de81a5bffb400a4aa40e824877a5fdf8960e1bf1

SHA256
23ef7b1b216b12ca55143dff994376c42804d36e2efc4d6ca20569429ba2fae2

SHA512
ac8cf53cc387b68c425a0773a8d86927a2af4240373cbb4d52519fd5f2d7dbde121f869c65b983a05afb8e839022a3a35173a47391d722e699426847a088554a

Download Submit
C:\Windows\SysWOW64\Mnakjaoc.exe

Filesize
85KB

MD5
801a783fb09a8fa78766359e2eb0e840

SHA1
18d055ff51cf311c43d5ee8d2ceb05e447a62e46

SHA256
64e3e9cf5656fffcb139ad9f18d9afb50d3d97c9b6cfe96b8a710aa703635244

SHA512
7c51ac3b94c669b3093c992ad8bf4fe3be2f2b90c9fb62a10cfdde1931bad96af364e274cce8fb3bf87068bda9258b1f835918573d1674bb9c70c01b342bcbeb

Download Submit
C:\Windows\SysWOW64\Moloidjl.exe

Filesize
85KB

MD5
321a28a65c7e1d6b72d0058a58835e79

SHA1
909e007c047a71bd2febaca008ba87b38f1e4e6a

SHA256
f940feb4fb3e89262cce04bc76e69f31df34d7e6dbdd49ece17bcb70ed193e00

SHA512
0a180f01762d91ead22c5fea28deddf4ba135a6c9b6077d8f3da793872d4037ad1ed6eedfbe8bc17c72beba5ff9aeef284a3a22ea3f950108e35ce593f518d04

Download Submit
C:\Windows\SysWOW64\Nbodpo32.exe

Filesize
85KB

MD5
29a45aedfc8c16444664cc173a9277c4

SHA1
d90239d9fb037730522c2534c1fe332d17f98f63

SHA256
12d8cd79b2f660c7547a4d236f88133cf5c4320c7473bb49c46703615074d5bb

SHA512
eee438d27adad9c116f4f4c7a9f8b2a8810676cdafcbc31ad06875016076862eb54ac8523338904ed7688eb00f244e013c0a5648fc0865ce564c9d1ccda074b6

Download Submit
C:\Windows\SysWOW64\Njaoeq32.exe

Filesize
85KB

MD5
f51eda6ac7535bbdcfb176f105f1fa73

SHA1
cdaa58fe90f3da6f4f763ef597067d5712f453f2

SHA256
bee1062a73c74b2f884b0ad52f168f161fbeef5ac9211d0c22e50babc683e79b

SHA512
55fc36440a4950f6ec1af698621d7a79cc3bf95d7a3b05ccd1b1a2867689e832760ee1e76bc88cc7aa1b81e30eff22cc6a436025683f529d175c5412ad2dce85

Download Submit
C:\Windows\SysWOW64\Njobpa32.exe

Filesize
85KB

MD5
88eb33108909153b32ff51bfa902dad9

SHA1
f7130c0a8844a38fa47f62027640bca8bc944921

SHA256
50aa83cc554c94ed6c14511bea88e27d42619346e702fa20d7be4027f58d4004

SHA512
2f322b2fbe843cf9d7e10c84ffb7162ca35b6c7f66e65ed4bc812c8639c44bc8b484472e94c1ecabfa536264aa10f99e0eaa41f34ea7aeefe41ef1ca676c1f80

Download Submit
C:\Windows\SysWOW64\Nkhhie32.exe

Filesize
85KB

MD5
454ab3890aa9243f6e26d21faef1982d

SHA1
9f6b61c6655fa50beb482016fdb99590980371c3

SHA256
7cde6a2c6b20f784b74265298fc5b696603da2052f42ef4c6854906260cec74d

SHA512
05d5468879b32580bd2e0d07de96a9d5eb0f1bc2c89cea5bff59276ec7ee146c6e4a62a1a7fff97185bb43fda7fc1dcef3adb0c54566c8249fc91ca512cf390f

Download Submit
C:\Windows\SysWOW64\Nkjeod32.exe

Filesize
85KB

MD5
fdfbe168baa864ff512108db2af06a8a

SHA1
4cd68ac7fa1dd392c7e3968cf432629c81fb5c55

SHA256
035207837bf8fe7bdedd7197b83e39eaaad152e8540efa9b4195da2a7d26037c

SHA512
e70e73991231174de40e87b2d467f8f7da2aa3227aeb2bc4054805588f595612ecc96f8c28cb798c166ae1c96458e622af77fcea20104d246ccdd0a30e17cb16

Download Submit
C:\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
85KB

MD5
69c52dc0fbba0a7ca435626aab4fbd60

SHA1
23773cc4bdd012a6b1a18a34817370e2e3428ffe

SHA256
3104bb72ae5e8f719fadea496873af5ce21b98a73a4d37c7eb3cfb7b9581547b

SHA512
9d88f2d50ca5f5f89b8bdcf84c1bb9556fa6b4ab39d41f0768513d1f249aedc3f15887fa56febe7a4641ed30c3e68cf4bba0f61707a06ac07732e77be876b4dd

Download Submit
C:\Windows\SysWOW64\Npngng32.exe

Filesize
85KB

MD5
90b1be89bf454f2b2744f1ec9367dc6e

SHA1
9084b9462f7a51979a88637beffdea592b028448

SHA256
4e5f300ab8d9096719946b53ab20df8de959ed0d24fbb35184183950c4056e06

SHA512
155a6e06106c61000175a69157ef3f4ab94131375400fb4e725b877086144f7bbd42942629daae0a28230f22331a2f04fd210b619397492ffa302acfb02550e7

Download Submit
C:\Windows\SysWOW64\Nqdaal32.exe

Filesize
85KB

MD5
e462fb620315bab6e2f00bb35dd5ed86

SHA1
a38d0a4b0e99c049c3f955183e6cdc210c827e12

SHA256
b9d63347006dafe16e6c2ae22be339c6c5641065362a82106b6fdc982c223627

SHA512
50da243701ce928858ad078aff30ea0eff0c32b284d6b115f1b21e430a46838b856ef2a36f681c4439de3f35dcb79b9150378b52723664feae9bf037585a4d42

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
85KB

MD5
8ab7c5fef19e23ffb2807fb6f9d0b898

SHA1
6913d998b8bace9e35487aaaa02256e888e6d698

SHA256
2f53b399418081799409fb6cc825d7d683dee7cfb5e08fa4fbe50b9de138f822

SHA512
d788416f8348b0236f74fbde66c15875bd001393dea60c9281755d5c004fe1666e294d0e7ee2a036f7549f2c7bce011076593c5f565b46ca22b58122333bcbf6

Download Submit
C:\Windows\SysWOW64\Obamebfc.exe

Filesize
85KB

MD5
11377bc7b7ddcd84a384cde270dbaa1d

SHA1
cfcf230f93b0265b401ccd383fcc2911ff18b9ec

SHA256
45a9941dc50a25c34b90398f3418e67d08fc623714a7cf72020b228f2fa66480

SHA512
5c93a37ed2308d0462f4970f3ed73126ca15b175ae1bb230d92faabe6dc2d222479325bd87f9728131191c8dbfbcfd25b589d6ece6fd8b91dcfdb96a2e834f01

Download Submit
C:\Windows\SysWOW64\Oclpdf32.exe

Filesize
85KB

MD5
b7b7849afd16b5141d4b14b77f9dc9c0

SHA1
c6127bde88dc144115310e8d9c2d973c9fb077ce

SHA256
5a67b3f3862cb38b3b09f8ad7e86964f09edb8256f67f26d1f3e3e8b0891f4fa

SHA512
5849dd2d5cadd489a641cbaf34f2b515590a4d79c8ac226e2baa21a69b042995b14b3da91bfa8e8923dfe1ee936bb70d7aa73cd3c1aac56bf35a9d7c9b5276c5

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
85KB

MD5
4af9cefd48a70df57c63d41fb5b15181

SHA1
3b63be88ee8ad2591d603a27579308f8d77a0f85

SHA256
ceaddf2072ff204e2c05bf4f7d41e5e1f21e859cc82437e27590255524680d4f

SHA512
6a02cb5b081acb143eb9ffdc13d292c39b56b87bf6113429777bd830a8eb2bba55d582778dd4ad291a1d6aa9b2a847977105548cca1c0ee664f330398126cb51

Download Submit
C:\Windows\SysWOW64\Omddmkhl.exe

Filesize
85KB

MD5
b26434f9563e13769c6f0edc935163bf

SHA1
cd511a93af2eae99aed62aaf9f0fb914e3b76cc6

SHA256
ac6a29bff766be2656b666c9a8837a5d40720e3238478710e551bc030ffe822a

SHA512
d92620913d53123022529278d3a05d5700ff257b9b6ac753de667aba7eaa5436ea6a3124f91ec02bf7a8b9b2d3c7133c062374f2620779bd7286200280443a61

Download Submit
\Windows\SysWOW64\Dogbolep.exe

Filesize
85KB

MD5
76b40b77890c1a17eb7677edc93cc7f3

SHA1
a20c7fbabbd72153f9834ef99d3f17e1a28f0bd0

SHA256
554ceb4d4ca7af3e7c5699096e1a1a6c180701e7c49e3284bc1dd243f6af6180

SHA512
d9f42f1b4bbb5d6f11f69dcb37c255a379fbaf9519cdcc3a02b13ff8327bc14ee433515e1f06a76aa1f5b99dde678493ebfc9edc86ec6c649570794ac6a1fb33

Download Submit
\Windows\SysWOW64\Eijffhjd.exe

Filesize
85KB

MD5
ed232d905b93f0e2c9596d83675e8ad7

SHA1
c614073e5d0a58b1afc596d84d3a5b65124e4f9a

SHA256
5e4688dfb3f7c7ce428fd15cee2595a7b3e884ea51f7c4ae8bc833b9f4456275

SHA512
bfa448b26fd19e82fa3439e5bc8780c0910b36cdf8480fcc87cd003603e7e9c96f19b81e549493ebc8ca8678579e628c2c959797800ce06b578310ea513cfb30

Download Submit
\Windows\SysWOW64\Eonhpk32.exe

Filesize
85KB

MD5
14247b58ae9ff3e4a93c6b20de9ba566

SHA1
f2f75c86fe0e77cdb5af146db7257f6b355123de

SHA256
bf32534a3705804347dc9056eea739545f44e1df8acd00f2f50a82c514271958

SHA512
4ef8f31b99f96cdec98eee36b0aa64409fdd500ed79372f0a0a3490e4be89bc8b318edeab3ec9815823f6e09d8a26dd7de18535ed2ccaa5428edf9a42fb4e7f2

Download Submit
\Windows\SysWOW64\Fcegdnna.exe

Filesize
85KB

MD5
f55f1285f7dae2654ff03eb998685a5b

SHA1
ae7f11020de29d54859f8e72a24e59bf7214ef0d

SHA256
86214b2c3bec09333c9e81d3a6e09091eb205b1666b5004b786e44bd6fb90b93

SHA512
710f011c83b5d6e7c9e31459e12dd75f69dd9c1d247317e724b7fe8fc5f8e757687611a78985a6adeb28eb72ac025503c790c6e885ef4e66d7156e56b75ca021

Download Submit
\Windows\SysWOW64\Fhifmcfa.exe

Filesize
85KB

MD5
b1a502e7f72cf93f03e6e0e765839139

SHA1
151d7e558dc885251aa34a9cb4387bf8a754896d

SHA256
a44b15b9386db9f6eb99a7f6597ed8e6ab1be1d7dc16bb433618dbf2f177798a

SHA512
918213d234b214547159f02c474ec0417c0dd94f539d8e35fa2d5915f6f6f766d7df5368090a095d5402edc1c5170d6f48dcd5f9a0bdf07a5f75c137b9b50f62

Download Submit
\Windows\SysWOW64\Fimclh32.exe

Filesize
85KB

MD5
4f9af75df61063abd47807e85980a911

SHA1
49f2d0264f3bfb050458c8e1981f359970ee8b48

SHA256
47bfb89156ab1052792c9e16e5fcd25084d8bbf6bde39bf571624f76a53fdad3

SHA512
45837de482862ae5819241ae6493ca23c6e5f7c9449a763f5342711686b1f49c6eafba19dcaa2107ec3346f1ba71f5723621e9d1b332dda049beec13d2a1d0f7

Download Submit
\Windows\SysWOW64\Gjcekj32.exe

Filesize
85KB

MD5
9151a357ecb2a1a0be8688115a0acc2f

SHA1
041c0bf99fe3e66e96ccb4282252d095f2e1ac40

SHA256
478b560ddd6ec181de1eeb6cd73cc64154bcaa66b904ddae742e4ab64371f6dc

SHA512
c4ef570e6357d29c3bb2f82b11c184cf4cb0c73a7618af245952961eda529f3d7e95c6773efc866cdffa8cf137dbe622db9c56982ef4e841e0eb5c43871da84c

Download Submit
\Windows\SysWOW64\Gkiooocb.exe

Filesize
85KB

MD5
469fdbbbd98143058ac02ddc107d2067

SHA1
078cf901b070b893bfa987a018bf40729c7abde6

SHA256
0ecb9ec114d9919f12c6cd991a5143468e0b8c33a7918c78168e44c5b0c81c1b

SHA512
764fc283bc98f3e201b684dc6f98be2547aac76c66bd139fd70a65e34f5285d45944d6850ff08e1b460d13065fcc46317ca6fbeb26cb80addb80897f883216f0

Download Submit
\Windows\SysWOW64\Glpdbfek.exe

Filesize
85KB

MD5
788da23256d387ac7aa69af9508597f5

SHA1
543458a2eedbdda238145e6922891e737230750b

SHA256
10cb42e21b9bee8f44a34f353c183e73a0986658083b06286d0d026d7e846d4a

SHA512
6ae8dd31998c6e7e9301c9169a3ebda64c1446dfc051d4923a1a432fc16cc289bb0e3b90404e573eb60c65afc704825f458197012d6962d7a16b69466d118740

Download Submit
\Windows\SysWOW64\Gpfggeai.exe

Filesize
85KB

MD5
3e306c7e8611b518a087b46957029f7d

SHA1
fd7790f8ecab60f874c9fdd70efdaeac5e776a70

SHA256
2b88c3d049a45396c4841c761b260e8a9d4bd20d7ba13b7c6523303a2944059b

SHA512
2047ffcb9ff0ef9686a1a88c252bc0a393889bdaca088ed4dcb21a051a527f1e6dcce743ca1dd0199852fc4026f8b9c91875bfe78e55327c5ef26315f5490cd9

Download Submit
\Windows\SysWOW64\Hbhmfk32.exe

Filesize
85KB

MD5
7c455051212e615ba132c5655aa51fc1

SHA1
9ebbe973b03ab783e21508b78329e6b5929aae88

SHA256
b8c001646b5072af4939ce8b3b9b0a064dc137a606ff62a781b275cd2df29eaa

SHA512
5366359259ae7f275c9543517b8ff31028e553219c18d3e3cfdf75fd286f30ed671db56fb14871e36f5a182de946e4055b21411a7b21f0c48d126ff78ad5182a

Download Submit
\Windows\SysWOW64\Hjhofj32.exe

Filesize
85KB

MD5
7239b7120ba9880acd16cbacd3659ff8

SHA1
e89f360b131890151063de2e905007e7b03cd3c2

SHA256
ecb973de08acf0843ef16b1804093fe433a0b3303eac41dc98f41462c104dec9

SHA512
8e431a4e3d7a1213c685f7f4aaa2198cde36179ab7795a14519d35aa183a73e3b4770a2ddfac756c19fdf7634b5fc144e86f13229a53b30f196c17c06f207632

Download Submit
\Windows\SysWOW64\Hmighemp.exe

Filesize
85KB

MD5
5a5c5eac1caa8408984a23cb97382220

SHA1
854bf0488a8484310dffdfa276806eb9765d0c9e

SHA256
eb098dead3a32d489c6b15fb46bc239ee49316f633e7675b21dc8265736ec067

SHA512
cdc9812d8319fd26b55f1a5bc85bd130795be9f0a920c3a5171d20b52c8bba5f3c2c86114bdebbcbbf245decfc2d4c6bde0560da34120b1c344d720fc76b11c0

Download Submit
memory/516-132-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/516-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/784-187-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/784-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/784-238-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1244-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-27-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1252-173-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1252-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-322-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/1704-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-263-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1728-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-315-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1784-275-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1784-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-271-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1784-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-252-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2216-248-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2216-288-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2216-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-287-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2224-387-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2248-253-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2248-208-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2248-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-203-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2248-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-58-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2280-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-11-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2280-12-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2280-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-113-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2284-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-305-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2348-369-0x0000000001B70000-0x0000000001BB1000-memory.dmp

Filesize
260KB

Download
memory/2348-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-41-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2408-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-296-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2592-239-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2592-233-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2592-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-277-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2604-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-148-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2604-147-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2604-194-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2604-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-318-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2620-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-71-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2696-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-155-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2708-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-97-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2708-102-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2728-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-86-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2728-133-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2728-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-352-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/2832-386-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2832-377-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2832-339-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2832-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-364-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2840-360-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2840-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-224-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2872-222-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2872-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-50-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2956-371-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2956-376-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/3044-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads