berbew | 3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7

Analysis

max time kernel
37s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Size

451KB
MD5

ad59eaeec9ec8151c785ff92f3bfdc70
SHA1

9059b494cccf4f82c0e58bfd94786a617311c26a
SHA256

3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7
SHA512

a31bfc4e8f79f2b434d7931afe044485b46127057ebf38db3c0c1f7c5c6f1bd4191c95940195d658744140bce787bc3c73c82c3eb71afd811b931e8b9029f466
SSDEEP

6144:CgV/GvSwPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:C7I/NcZ7/NC64tm6Y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceaadk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmicohqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjadmnic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadloj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflomnkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmicohqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahikqd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahail32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadloj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefeijle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahikqd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgeefbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpiipf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
2808	Pjadmnic.exe
2596	Pbhmnkjf.exe
2844	Pgeefbhm.exe
1700	Pflomnkb.exe
3044	Qmicohqm.exe
2928	Qedhdjnh.exe
2628	Aefeijle.exe
1664	Aplifb32.exe
112	Abmbhn32.exe
1712	Ahikqd32.exe
1484	Aadloj32.exe
2244	Bioqclil.exe
1912	Bpiipf32.exe
1884	Blpjegfm.exe
1136	Bidjnkdg.exe
2444	Bbokmqie.exe
328	Cadhnmnm.exe
1784	Cdbdjhmp.exe
2376	Cklmgb32.exe
1100	Ceaadk32.exe
3008	Cojema32.exe
1252	Cahail32.exe
1752	Ckafbbph.exe
2732	Caknol32.exe
2964	Cjfccn32.exe
2828	Cldooj32.exe
2780	Djhphncm.exe
2608	Dlgldibq.exe
1552	Dcadac32.exe
2920	Dliijipn.exe
3020	Djmicm32.exe
568	Dlkepi32.exe
1432	Dfdjhndl.exe
2836	Dlnbeh32.exe
1268	Dfffnn32.exe
2916	Dggcffhg.exe
1288	Dookgcij.exe
2412	Edkcojga.exe
796	Ekelld32.exe
1152	Ednpej32.exe
1132	Ekhhadmk.exe
1924	Enfenplo.exe
1304	Eccmffjf.exe
1628	Efaibbij.exe
1336	Enhacojl.exe
2540	Ecejkf32.exe
2956	Ejobhppq.exe
2720	Emnndlod.exe
2804	Eplkpgnh.exe
2612	Ebjglbml.exe
2660	Fidoim32.exe
2148	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
2808	Pjadmnic.exe
2808	Pjadmnic.exe
2596	Pbhmnkjf.exe
2596	Pbhmnkjf.exe
2844	Pgeefbhm.exe
2844	Pgeefbhm.exe
1700	Pflomnkb.exe
1700	Pflomnkb.exe
3044	Qmicohqm.exe
3044	Qmicohqm.exe
2928	Qedhdjnh.exe
2928	Qedhdjnh.exe
2628	Aefeijle.exe
2628	Aefeijle.exe
1664	Aplifb32.exe
1664	Aplifb32.exe
112	Abmbhn32.exe
112	Abmbhn32.exe
1712	Ahikqd32.exe
1712	Ahikqd32.exe
1484	Aadloj32.exe
1484	Aadloj32.exe
2244	Bioqclil.exe
2244	Bioqclil.exe
1912	Bpiipf32.exe
1912	Bpiipf32.exe
1884	Blpjegfm.exe
1884	Blpjegfm.exe
1136	Bidjnkdg.exe
1136	Bidjnkdg.exe
2444	Bbokmqie.exe
2444	Bbokmqie.exe
328	Cadhnmnm.exe
328	Cadhnmnm.exe
1784	Cdbdjhmp.exe
1784	Cdbdjhmp.exe
2376	Cklmgb32.exe
2376	Cklmgb32.exe
1100	Ceaadk32.exe
1100	Ceaadk32.exe
3008	Cojema32.exe
3008	Cojema32.exe
1252	Cahail32.exe
1252	Cahail32.exe
1752	Ckafbbph.exe
1752	Ckafbbph.exe
2732	Caknol32.exe
2732	Caknol32.exe
2964	Cjfccn32.exe
2964	Cjfccn32.exe
2828	Cldooj32.exe
2828	Cldooj32.exe
2780	Djhphncm.exe
2780	Djhphncm.exe
2608	Dlgldibq.exe
2608	Dlgldibq.exe
1552	Dcadac32.exe
1552	Dcadac32.exe
2920	Dliijipn.exe
2920	Dliijipn.exe
3020	Djmicm32.exe
3020	Djmicm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gojbjm32.dll	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Dlgldibq.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Mfacfkje.dll	Djhphncm.exe
File created	C:\Windows\SysWOW64\Lhnffb32.dll	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
File created	C:\Windows\SysWOW64\Pbhmnkjf.exe	Pjadmnic.exe
File created	C:\Windows\SysWOW64\Pjadmnic.exe	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Olkbjhpi.dll	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Aplifb32.exe	Aefeijle.exe
File opened for modification	C:\Windows\SysWOW64\Ahikqd32.exe	Abmbhn32.exe
File created	C:\Windows\SysWOW64\Bpbbfi32.dll	Ekelld32.exe
File created	C:\Windows\SysWOW64\Eccmffjf.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Iimfgo32.dll	Aadloj32.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File created	C:\Windows\SysWOW64\Abmbhn32.exe	Aplifb32.exe
File created	C:\Windows\SysWOW64\Ncdbcl32.dll	Ahikqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bioqclil.exe	Aadloj32.exe
File created	C:\Windows\SysWOW64\Agjiphda.dll	Blpjegfm.exe
File created	C:\Windows\SysWOW64\Ceaadk32.exe	Cklmgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceaadk32.exe	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Jejinjob.dll	Pjadmnic.exe
File created	C:\Windows\SysWOW64\Ecfhengk.dll	Pgeefbhm.exe
File created	C:\Windows\SysWOW64\Opfdll32.dll	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Cahail32.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Focnmm32.dll	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Qedhdjnh.exe	Qmicohqm.exe
File created	C:\Windows\SysWOW64\Bioqclil.exe	Aadloj32.exe
File created	C:\Windows\SysWOW64\Gjhfbach.dll	Cahail32.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Hojgbclk.dll	Aefeijle.exe
File created	C:\Windows\SysWOW64\Cdbdjhmp.exe	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Gellaqbd.dll	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Ekjajfei.dll	Bidjnkdg.exe
File created	C:\Windows\SysWOW64\Cadhnmnm.exe	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Eccmffjf.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Befkmkob.dll	Qedhdjnh.exe
File created	C:\Windows\SysWOW64\Djhphncm.exe	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Blpjegfm.exe	Bpiipf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Qmicohqm.exe	Pflomnkb.exe
File opened for modification	C:\Windows\SysWOW64\Dggcffhg.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Cojema32.exe	Ceaadk32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Aplifb32.exe	Aefeijle.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	2148	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbokmqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caknol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qedhdjnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklmgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfffnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjadmnic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplifb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhhadmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmbhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadloj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceaadk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaibbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhmnkjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bioqclil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckafbbph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dookgcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflomnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmicohqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpiipf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blpjegfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadhnmnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcffhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccmffjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgeefbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbdjhmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bidjnkdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefeijle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahikqd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll"	Pjadmnic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbhmnkjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cahail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflomnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnnibig.dll"	Aplifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aefeijle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahikqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll"	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjadmnic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadloj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll"	Qmicohqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahikqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll"	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll"	Pgeefbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgeefbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll"	Pflomnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qedhdjnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll"	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgeefbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aefeijle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2808	1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	30
PID 1228 wrote to memory of 2808	1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	30
PID 1228 wrote to memory of 2808	1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	30
PID 1228 wrote to memory of 2808	1228	3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe	30
PID 2808 wrote to memory of 2596	2808	Pjadmnic.exe	31
PID 2808 wrote to memory of 2596	2808	Pjadmnic.exe	31
PID 2808 wrote to memory of 2596	2808	Pjadmnic.exe	31
PID 2808 wrote to memory of 2596	2808	Pjadmnic.exe	31
PID 2596 wrote to memory of 2844	2596	Pbhmnkjf.exe	32
PID 2596 wrote to memory of 2844	2596	Pbhmnkjf.exe	32
PID 2596 wrote to memory of 2844	2596	Pbhmnkjf.exe	32
PID 2596 wrote to memory of 2844	2596	Pbhmnkjf.exe	32
PID 2844 wrote to memory of 1700	2844	Pgeefbhm.exe	33
PID 2844 wrote to memory of 1700	2844	Pgeefbhm.exe	33
PID 2844 wrote to memory of 1700	2844	Pgeefbhm.exe	33
PID 2844 wrote to memory of 1700	2844	Pgeefbhm.exe	33
PID 1700 wrote to memory of 3044	1700	Pflomnkb.exe	34
PID 1700 wrote to memory of 3044	1700	Pflomnkb.exe	34
PID 1700 wrote to memory of 3044	1700	Pflomnkb.exe	34
PID 1700 wrote to memory of 3044	1700	Pflomnkb.exe	34
PID 3044 wrote to memory of 2928	3044	Qmicohqm.exe	35
PID 3044 wrote to memory of 2928	3044	Qmicohqm.exe	35
PID 3044 wrote to memory of 2928	3044	Qmicohqm.exe	35
PID 3044 wrote to memory of 2928	3044	Qmicohqm.exe	35
PID 2928 wrote to memory of 2628	2928	Qedhdjnh.exe	36
PID 2928 wrote to memory of 2628	2928	Qedhdjnh.exe	36
PID 2928 wrote to memory of 2628	2928	Qedhdjnh.exe	36
PID 2928 wrote to memory of 2628	2928	Qedhdjnh.exe	36
PID 2628 wrote to memory of 1664	2628	Aefeijle.exe	37
PID 2628 wrote to memory of 1664	2628	Aefeijle.exe	37
PID 2628 wrote to memory of 1664	2628	Aefeijle.exe	37
PID 2628 wrote to memory of 1664	2628	Aefeijle.exe	37
PID 1664 wrote to memory of 112	1664	Aplifb32.exe	38
PID 1664 wrote to memory of 112	1664	Aplifb32.exe	38
PID 1664 wrote to memory of 112	1664	Aplifb32.exe	38
PID 1664 wrote to memory of 112	1664	Aplifb32.exe	38
PID 112 wrote to memory of 1712	112	Abmbhn32.exe	39
PID 112 wrote to memory of 1712	112	Abmbhn32.exe	39
PID 112 wrote to memory of 1712	112	Abmbhn32.exe	39
PID 112 wrote to memory of 1712	112	Abmbhn32.exe	39
PID 1712 wrote to memory of 1484	1712	Ahikqd32.exe	40
PID 1712 wrote to memory of 1484	1712	Ahikqd32.exe	40
PID 1712 wrote to memory of 1484	1712	Ahikqd32.exe	40
PID 1712 wrote to memory of 1484	1712	Ahikqd32.exe	40
PID 1484 wrote to memory of 2244	1484	Aadloj32.exe	41
PID 1484 wrote to memory of 2244	1484	Aadloj32.exe	41
PID 1484 wrote to memory of 2244	1484	Aadloj32.exe	41
PID 1484 wrote to memory of 2244	1484	Aadloj32.exe	41
PID 2244 wrote to memory of 1912	2244	Bioqclil.exe	42
PID 2244 wrote to memory of 1912	2244	Bioqclil.exe	42
PID 2244 wrote to memory of 1912	2244	Bioqclil.exe	42
PID 2244 wrote to memory of 1912	2244	Bioqclil.exe	42
PID 1912 wrote to memory of 1884	1912	Bpiipf32.exe	43
PID 1912 wrote to memory of 1884	1912	Bpiipf32.exe	43
PID 1912 wrote to memory of 1884	1912	Bpiipf32.exe	43
PID 1912 wrote to memory of 1884	1912	Bpiipf32.exe	43
PID 1884 wrote to memory of 1136	1884	Blpjegfm.exe	44
PID 1884 wrote to memory of 1136	1884	Blpjegfm.exe	44
PID 1884 wrote to memory of 1136	1884	Blpjegfm.exe	44
PID 1884 wrote to memory of 1136	1884	Blpjegfm.exe	44
PID 1136 wrote to memory of 2444	1136	Bidjnkdg.exe	45
PID 1136 wrote to memory of 2444	1136	Bidjnkdg.exe	45
PID 1136 wrote to memory of 2444	1136	Bidjnkdg.exe	45
PID 1136 wrote to memory of 2444	1136	Bidjnkdg.exe	45

C:\Users\Admin\AppData\Local\Temp\3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe
"C:\Users\Admin\AppData\Local\Temp\3bc00905af79eab91acaa3251e2335d97b8e36e138e64628bba2d4e2eff95de7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\Pjadmnic.exe
  C:\Windows\system32\Pjadmnic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\Pbhmnkjf.exe
    C:\Windows\system32\Pbhmnkjf.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Pgeefbhm.exe
      C:\Windows\system32\Pgeefbhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Pflomnkb.exe
        
        C:\Windows\system32\Pflomnkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\Qmicohqm.exe
        
        C:\Windows\system32\Qmicohqm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Qedhdjnh.exe
        
        C:\Windows\system32\Qedhdjnh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Aefeijle.exe
        
        C:\Windows\system32\Aefeijle.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Aplifb32.exe
        
        C:\Windows\system32\Aplifb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Abmbhn32.exe
        
        C:\Windows\system32\Abmbhn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Ahikqd32.exe
        
        C:\Windows\system32\Ahikqd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Aadloj32.exe
        
        C:\Windows\system32\Aadloj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Bioqclil.exe
        
        C:\Windows\system32\Bioqclil.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Bpiipf32.exe
        
        C:\Windows\system32\Bpiipf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Bidjnkdg.exe
        
        C:\Windows\system32\Bidjnkdg.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Cdbdjhmp.exe
        
        C:\Windows\system32\Cdbdjhmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Cklmgb32.exe
        
        C:\Windows\system32\Cklmgb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ceaadk32.exe
        
        C:\Windows\system32\Ceaadk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Cojema32.exe
        
        C:\Windows\system32\Cojema32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Cahail32.exe
        
        C:\Windows\system32\Cahail32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Ckafbbph.exe
        
        C:\Windows\system32\Ckafbbph.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Caknol32.exe
        
        C:\Windows\system32\Caknol32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cjfccn32.exe
        
        C:\Windows\system32\Cjfccn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Cldooj32.exe
        
        C:\Windows\system32\Cldooj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 140
        54⤵
        Program crash
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahikqd32.exe

Filesize
451KB

MD5
6c1a36d5d5aa7384f999c8ce47f3f364

SHA1
5c1bf6281a5e75d877ad800eefc4e4a93f3f7341

SHA256
4d9299ddd925153d434f99bd2bb0c4df7a194336090475b315c9ab988ef02f30

SHA512
69fa436563cfcae5420ab5e5895d1c40c9f54aa25ddaea2ad41415b0f09e1ddddfd31264364d7b8b53776f69eede70691fb658a39ee4665773bd71071b4cbb64

Download Submit
C:\Windows\SysWOW64\Bioqclil.exe

Filesize
451KB

MD5
85cbe9588fecd54cdcea3b5e5778dcd1

SHA1
1ecd01b1812121fcaa135754fe986c4d7b707b4d

SHA256
078665b52bc319fa4762b2f7749d576734abe6c3e73b61b60f407332af2cf4c0

SHA512
fd6e01580d7da78c241937e87022a6ac1a4eab40e4f0f8656e3a147e3ce29f24a991c44b17e1158d52de75b20edcf4a49c522604f2c44b1c999deeff44cfb730

Download Submit
C:\Windows\SysWOW64\Blpjegfm.exe

Filesize
451KB

MD5
fe64dfe235ba4ed6da9c0f0338449193

SHA1
a3db054012a66fa0e84316df4262a280779c183e

SHA256
6cd6576065be5eb2acb306a0fe0f2a298ecb27911f94e4e5122c0cb841bc792c

SHA512
bf1207e0a5e6b164f68c860694d1da33d9aafdeb5b94248f0aefee3b0343325f9f3b0ddd1feca97e2144065701f011a083fa9462c2137fc5abf48ca34b4924ba

Download Submit
C:\Windows\SysWOW64\Cadhnmnm.exe

Filesize
451KB

MD5
91aeedc321317c5290698f1bfab09569

SHA1
65bcfec8885cd34507181eda1d519fda1e10d220

SHA256
dacfa3b99a320e0bd3aff8a72436e851b4d714dda36b34817d6b514ff5bc5702

SHA512
4aa32b3b6b234470093352aa6d908277cbd712b6cc29d133655127d56ea83e5129b3ccb449d069df7150ee1aff097b396757c9bc11dd3d24a8c06ddfbc9ebaa9

Download Submit
C:\Windows\SysWOW64\Cahail32.exe

Filesize
451KB

MD5
1ec282456bb1a8f3dfcda032ce1d82b4

SHA1
1b515fa882d3275c1a047228c37ca19d2fd3edca

SHA256
40f5e1eb511a8091b0745782db855a32902886fc4f0c310c015970af3b69e8a2

SHA512
5523bca3600dc12c7ef3844aff8241f03a7769a85a36cb2ed1458de2198d263bd6912303d313c08091e99488abb5638a481306c269897007d6e7091d052a7556

Download Submit
C:\Windows\SysWOW64\Caknol32.exe

Filesize
451KB

MD5
ff08226763087c5c2b231a65b0c744ea

SHA1
a899599d750b8c4e96b9e283f9d04c8573aee507

SHA256
1ec19e00d2bffa5fea4df15a16e539f8515db008588c670e6ab2878735997d64

SHA512
f368a2ee4f8923dab56455ecd6c21b225da6a5ce21ec33313e5ea84aebbaf87ea1c87b55953761d86985228039072f23e365cb0c2c065646263c3bb84461c91f

Download Submit
C:\Windows\SysWOW64\Cdbdjhmp.exe

Filesize
451KB

MD5
2d43f17b4168f204e568c0e9b3302d2a

SHA1
70fd0d7847f76a8e2377759163092b9780d0d23d

SHA256
510c98188413ac95ec0d529694816e6377fcb9fca081635061476b20df94035e

SHA512
842fecf1363ca4c04424c37399655607b9bd2d40d11dd110299ed244383eb27c113f25b23936ee45c9250d3ac409c12c30b7f3ce5738f4be1a7469c2d8186f7a

Download Submit
C:\Windows\SysWOW64\Ceaadk32.exe

Filesize
451KB

MD5
e719a68d407a40e502a98c837a48a120

SHA1
7379630d56b59688573c2fb23f1b8b97bb2c953f

SHA256
a3dd328108ae4bca0c76cee023f0d0a831638da59115793e1a6fbabae10c5988

SHA512
c5fdb4c29d57a56016ed9b7eb3c54a1773ceac2b863ccb5299c180ae735b481e257e3ed6620929f6ecb8e63a3fadc3c5ef3206ac2e080db85278afb8eb412cf8

Download Submit
C:\Windows\SysWOW64\Cjfccn32.exe

Filesize
451KB

MD5
8353b5bb15814353d926ddc06e7f33f4

SHA1
681ba8f9c5b5e40f96034fc0ec9d98eb2a23069a

SHA256
0cb9b3381d9b8c8ee7a25283feb8013ce40eda63fccb9a43b3e1f556bae3f95f

SHA512
19233bfb36124ce57e10748a3061df88423f6cc0950f2c7a1ebbc2051aba1ef3c92a440e451358d43ac9f6fed72cc8feebe48a5d95505e568c51f0b90d557398

Download Submit
C:\Windows\SysWOW64\Ckafbbph.exe

Filesize
451KB

MD5
7d0da7556e4fb15a9d0ba040266ff0df

SHA1
4ee3efbc47d7832d8628df802a66b99d2a26e961

SHA256
e3818dabdb18f967a853c7155fa71dd4cb84a432d9e46064f0768e31b8fb3601

SHA512
d6fa47f0e86288e173d543880ef1ec0b90fae08d02ac78ffd581a5173cf3effdcf5072f6241ecfcfdbb27098701471757679b59a53265cce6fc67bcf6f06dbeb

Download Submit
C:\Windows\SysWOW64\Cklmgb32.exe

Filesize
451KB

MD5
79f8faa07f918a3063f3763287c34ec2

SHA1
ed75dc22384edf38932f485018fb572a6c81e4dc

SHA256
cd3ef7fe07c64204116f38f23c61b00de92ea721999c4568d2053bac6ca963b0

SHA512
50cd933e16bed76fc81945edcf19fc3ccc0704ac8144e5c244c59b6f221881ed09a3a9a937fdcb63322785e9e4bc66b5d43c4e8b110e851abdf4053d46fb4263

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
451KB

MD5
503c99bc44ccc6d4155d6ca5f1774571

SHA1
b25f5ae3dd68413413a1d3fa22ce97286b7a6eb3

SHA256
2a83ab6da7e57cab93c33d12d39447f8669c164677baced2eca788edc807edc7

SHA512
ddbb93a356a98d3de145360b466e093693a2387c6175a06454fd66b1ce9d84df32cc0c85a5cf2f5049ba7158a34ef3839ae630200f24a46f550b140ee34a6b30

Download Submit
C:\Windows\SysWOW64\Cojema32.exe

Filesize
451KB

MD5
ac49f6da716acb9a9d1e1c045c6d61b7

SHA1
019076ecf5652db903804abd2590c03aa9e19efb

SHA256
0fe4c0fedaec6ec4621b0bba1b15cc28002b83a563aa5610c84a18b11051b4ae

SHA512
1fa6ba5da93bd2e37e9a5060952da9bba0b5ff3ddff2c1f90ae8ba0138b3bdcb5812ef7648b82067a73abada3a0c2aad52993d9a26df1cd731055f1297b3a9b6

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
451KB

MD5
a32b49e8686b8f12682d19051f5c7226

SHA1
025942c12113ca2759651284501f6726bb7261ad

SHA256
a49f74ba2345beccca3473329acc191d05959c71c325a3e6bbbe8a2d36b25b7a

SHA512
f420f447c9f7d6cfdf6120e12556f90f750ae24d69247797feeef0651a4668ef1c94e0422cbc2c023e5e899f9fedfa9a8f432f90497d5fad35027844e981a361

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
451KB

MD5
632607da58e48e5e0b8a8c3be49d6cf0

SHA1
fa529bd01d2b9749622a1b1eef048527b6bf46f0

SHA256
e09a87b2fbcab91957914617c1dd8ca1ff4257cea4ff0a96bc084a47958d8b49

SHA512
9520568c3efa0a5ef7e92dbb44d8c44d4366fab7b7444c6c1fe207c3292897603cdca79cceb5909dc70ae3b59a9432eeaa11af879f281b4f1ca833eae9c9e777

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
451KB

MD5
49e6bcfea034cbf12b687d786ff72c3d

SHA1
155268d8f7856b0944c2e6dfbf5cfd426316c206

SHA256
7a2cd76bd6ecdab6f110c4dea82311eae819829158cf4dea4470e22f19f4f517

SHA512
f82b57ebe9cdb638116e0af9d758aa0b44946d0c413d3421f4543bce3d0a474327128e796c2d556371f5a2299129657fc81fdcb192bea077de554b63c3ab07ad

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
451KB

MD5
034765b80dcc821bd43dd71d5eb935c7

SHA1
3f8192b599a0d82df7b6cbeb2bf7e3d8edb60ac7

SHA256
4a99e3f4dfeef115f87298754b8e5be8bb304b99bb9a62690550a6d3442168ca

SHA512
671a6ed68c9e22d2fbedd84e0b9956839e2f1cf1325656fded55695405fa034762f832a48193baf6c937c0d1edc04ae2ebdef7a9bbb51b7163cc23ee83da8510

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
451KB

MD5
622355833143f3b39fec2e136036632b

SHA1
6cec9d7e12ae206ab5db079eb5a0695aeef51d62

SHA256
53be158b425fcff9b2ded291fa55a475c574e630b2d5aafae44187d3a4d55bbf

SHA512
3a8de9afe58117b068d9fdd43229e9e19b07fd585790d5dbc2f14dbc8028bad46b0b76526981721ecf1fe4c6266b6531a4206ef207a582d9d4f8de0422c929da

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
451KB

MD5
2be934761b50b257f822d14f42c6c894

SHA1
e13b8550ee49dddf5ba41562f101a8b79aa4ed01

SHA256
e1903697f41b8c077c887b88cd0c1dd8b5e2dbbd092fe10d6be8afcefc6ef63a

SHA512
d68447011c47242e3c3d4d29157f7ddc2b3b8346c22b192efd329bc03bfdf10218e3340231834df9781e2dd6cc42bb025a40e35e2380bc3e8ea8b36d53bd147d

Download Submit
C:\Windows\SysWOW64\Dlgldibq.exe

Filesize
451KB

MD5
c42e2c816dcd8c668ae181f27dea5541

SHA1
c5c1e66fa6d8086336686badb44b21509eb259a8

SHA256
37d1ade273a0efbdabbc88159e8cafa970798ae91529a97fb881cd99c39bc853

SHA512
93baa3ed0259d95070461d28bbd006d4e3495038766d9e6b15c20788cf11109f5ca628a0ae866ea8cf3a682b21c3551e9223e69014badfa2a4b206c9800cbb7e

Download Submit
C:\Windows\SysWOW64\Dliijipn.exe

Filesize
451KB

MD5
c61b13a42c643ea85f3b71cda505ab6a

SHA1
7d2a57bcaf3cc859acc7179f2315cab45eb6efc7

SHA256
613e9393f369645270eeaed100f36af1dddc9374fab3fb1e5cebff440da35328

SHA512
086c6167f5daaf03a583974e427217b39c5a760ce2dd01103db8cd616962158ceb737b3c45017c003e59e6050a422731277da0ffa88a3aaf9541e75f36956c81

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
451KB

MD5
4cf88fc63b547911cd7388da9a7527fb

SHA1
c761d179da0c0a7386bebccc3a5a9d04373c8952

SHA256
5d9e85b534182a04d9b390209d4adce47c256b5189b597101cfa6e40084ec2ff

SHA512
3b45e4e6ff922fd8f22707b0b8d66dff3a7b13721667b27c1b700b4d1b1a8dbcc8134cc7de645f835319ae04bcbdb76b98b6e0cd6e42987b67782f171593a923

Download Submit
C:\Windows\SysWOW64\Dlnbeh32.exe

Filesize
451KB

MD5
6bd8a2f00d9848bd49a59aeae084eb8b

SHA1
f1a710afa842ff757ee8c058396999e1d174b86a

SHA256
9428b31c500e8c7d566d1b526f1610690fcfe15830fd3f58d651a4f5f1bddf8e

SHA512
ebdb5b1e71af4a2c035c1232799a1a48693aba37769d1e1a9a2e403dc30bd42cf774261f5a34c91864c4247b8069ee981a45cdcf7dca99522a9dcc784c2edacb

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
451KB

MD5
2a982b1a24ea3dac0049a162b379dc13

SHA1
d383a5091346e450975a143eef8015c608f08b22

SHA256
3bbb0c60d470f46e62a3c35c186ad7249c7a8ac3495370676bb358592764b579

SHA512
8655e86e0f493434162d57ddbdf17a72f872e0ee29584dc3c6d26db8bd982e043349914ed103f1fc6977da8a48c72816d9074f1431e62a512def8145d379f41a

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
451KB

MD5
876f513115d44358b315016fc95a2044

SHA1
9709b42f980bc9146ad3601712de900b3c562fb1

SHA256
e6589318eab26a0b4ad938bf49e8b412cdfd92238bf2fa2ed75747966f759e07

SHA512
48b9ae1f5f0c48139396dd25e384ece79e0986ec0d80187601c439f2f13eef38af13cf53bf80b40f11e12422536678b43d932b12eab7a7eb2aa8702277283998

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
451KB

MD5
b051a9b1eca652d35707aaf412c189c2

SHA1
11bc106a54245d87588af2252b265913aeb9e7a6

SHA256
f2659ea3df2b6e054e93c7c4082b3edb9a42d8b95e91280f8aa5c84b81546cd7

SHA512
75ade5505aea7cb40c59103189bbcb35f6839eeac12ea99cd7e40f71a2bb52ff5c2e96004f1fabfddedd059c35a48562cf8be8621fa850aff273e3426d34bbe9

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
451KB

MD5
17a8fbbe89cb10e3afe642924a3465e1

SHA1
f4dac6e92528b367954ab3d7cc6ced40e16b0efc

SHA256
90e3b2bf5747a53201d9374b1b1ddb37055ca65a3525742a394f0dc26c57d69c

SHA512
14bbc2aa1076ee7a07eda518b224708cf034cab34f821176416e3d63bcaf9e45cf9d5181ec63bff50fecb1d9581866493f9ca0e71058f71f10a98c98a2bf4878

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
451KB

MD5
340a5d595b13fee974d9abfb009fb4d9

SHA1
e11aebf9bcb1dd47e8d17e5c9c4869d86d99ede0

SHA256
760111d3e84e4585188c21f0c68ce16a5eb91114eb18bad261fbc5b46785e0b9

SHA512
a0ae8a5ee1ea675071f5206c5ebfc5aefa9bcab45040ed5f1ede50b0729a05cdaae6e671432960fa96327d9e1054e566701cdde671a1b755e239a82ca46d4117

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
451KB

MD5
35df5d677e2d85a68c7af30735accebd

SHA1
35d669807884cfe90913379ed1fbb40f851d9131

SHA256
c224dd832b43f6f0ab9382b0679b9534f75d57ee7a952986f1d2f82563d07c3d

SHA512
25ecc9d55b10afca598e20216ad9bbb5dc33320b626b1afcaefda4bc7aaa1be6d12caaf0015b7ab9dd94f232568fad6bb803a482c1585802c7d4eacb4f6c410b

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
451KB

MD5
004de2958b1f362b811264fa00ec0b91

SHA1
0d15056e8673d90f09335a8b805066a904d94df7

SHA256
a292c44135d598e045c8251b3a490613d95e1a987c36bdef3b0aff8d9a526900

SHA512
f23fe3eecf4b5287db6e820b2cc09abcba40c05d1bfcd140ac059fbee750922869b97b674834f1020c6769b3de561e50614260282daab2744bca5405af456536

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
451KB

MD5
8daa759503f91995914dafc7f674fe55

SHA1
46494f675b6644718fa693d81474f281a58cb8f9

SHA256
0e4655dad5bb170abaa125e296d5c35bf538c52f121de7310a375d85eee884d9

SHA512
70d86728ebc22b9fe61fdddcfbcbf2cb5eae4c4757aa493310302605248f8997bced9cef58e9106cc9cd7b4a4bbb342a30621792a1366c16f829e0c0556b0082

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
451KB

MD5
e0b6074f32bf699ecc857a81a43a09bf

SHA1
e9e4076eb0df0ac072c2e08b10433462e5237de9

SHA256
9948b707065e7050cdf06f3893efaa62d4a50366fcdfb1b9007c9701678ea163

SHA512
df18cc18cc5b8d1f1444ceca346aec5bc664b96e35ec342fcf03b63e9fad554b9ecdb036dfe84b0a541ae699bdb1782c598b31ae2efa50a220b47d91bc030a49

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
451KB

MD5
5acffc9b44980473f8209a4399c4a5dd

SHA1
72ad490e0bf157c5161ba906a77056df1ffaeb59

SHA256
7fdde58dc786e38f089b9c2bb42b1eb8ce41c53ef19507a183e163c62ff76cb1

SHA512
4190ed16239fa3502e4d2980958d225d37f210b754a397f3a86ff109aca53e6c0eb9b5e093cabb9a235ce57e5079cd682c49db24a22acbf1e61ef6c1033e7597

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
451KB

MD5
688167edebe470f91ab02013fbf44293

SHA1
ee88aaf2f76683138ce7731cb4c81765affb38ee

SHA256
27f7d576a29d86a08312fbbd7e15704815d83f00c2bf4faf927332067f06ec65

SHA512
8044bb7f99911419c1e07129c721d4417e74e8356dced38051c5429dabdca0916552d23160beaf342664e02c092890165bf0dc050a2f47dac35bfd1e871ee8a6

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
451KB

MD5
940433a5ed46831cd20929a4cdc7d6bc

SHA1
e654db7fa9b52a1e83c4d97692fe75a465159c51

SHA256
3d277229a8c47daa9bf5bca2ed1081b74d72e7726ca4e94f6df2ca286f6c84b7

SHA512
d936cec114983a47f5bea7866cdbdcd0840938055b04fe718efbd789736cef801f76d0c9f3dadbc6dc2c985d10c26e281347a451b27f067593e3db01bfdbc3ad

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
451KB

MD5
5085b0c49d3cc083fb9bf12c1f97cdd5

SHA1
2702438b123c87a824c3094fc39df140a01f4c01

SHA256
1d07ed4d5b84beef3bca53a7f6328afbd3e3ae81eff2591712006977a3aa2e07

SHA512
34d14ec052cecc91416e7dad8acb59aaacd23eb9d1bc8e11dec30ad340ece53d9a69865554d6bfd1955c70cee33950f826bda311c79b412d97c8902a7ac64527

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
451KB

MD5
3389909e9227e4ae8dafdeaa3abc9bca

SHA1
c6114ab3bf90204833db385f0c4702a36b983d4e

SHA256
1c2d27a895117246affa8eb262dcb3e92f130257676eee08d407c63d6b57626d

SHA512
7256780fd4795ade0c926dfe684fcdcbcd3c8d75ab8da4c8c146c6da7c761468b0088c8815256ac09ff5ea8c3775cb2d7ce8dbb57082e10f5abb3a50f88c17c6

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
451KB

MD5
55e648fd4541fc4d7a30cf50b95fd40c

SHA1
24ea4d5168d7d580e2ef8a50708ec96ff97d38d0

SHA256
8a9b49f9f0dfd66c769f86a7494a7d495f554fab093b833dfe1c9f3adfb9f417

SHA512
745a49c5840153d07d37f2adeb0098d6f423f7c2f9f860b35c32750e4df1c100f2dd1b1efe1399631c77739d03243cc1afd395271fb5cd736acd2d7e15e965f5

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
451KB

MD5
cadce2beaf5611b6fcd489c94aa0007c

SHA1
c4dc297da7790be7abf549bdab66146b81080d96

SHA256
7ada6455550d6a03e47d04fcc665bdc44cde0cefb753bfe3104055ac1526d087

SHA512
242c1408d89bb769f71a72833eaad0de66fb2469f4728f271f43ac611e80adebdb805e5e5b0acc1defffdd9b12739735a330dfe8a95decf7e87ebed636fb7460

Download Submit
C:\Windows\SysWOW64\Pbhmnkjf.exe

Filesize
451KB

MD5
5af006f810dd90d6869b5e3178f7318c

SHA1
1fbcab43887aa74bb325d46ab4a74caf8389199b

SHA256
1d8491ab34be09be552d24b0b1625fd885e142a89d8f8dc5f53f3a0d423a2e6f

SHA512
3750783f2cd01eaa22ff008f0a64db890dc8f54545d2765cfccb9fd33f43e00a0ef1a9c541ce8d32141c97ebaf9216a560714a090c0d2be49532c40f299f8e90

Download Submit
C:\Windows\SysWOW64\Pflomnkb.exe

Filesize
451KB

MD5
532ae1ea40d62d3d5bfecc197567adb2

SHA1
813898887061897b762010800423d657c81bfd59

SHA256
596367aab8b0943609b4eda4496907d843748b955e115617f042234ad724d67b

SHA512
862e341e6ef72658832cbc84c00c8d86887c4d796ab41f4da0506b0205b4216f344b26da569d24469c0b7a6bf2bcf62bc11dcb369b4310543da9ad4ae5c17383

Download Submit
\Windows\SysWOW64\Aadloj32.exe

Filesize
451KB

MD5
5a8d837f8efa6b84e2ab8926529d193d

SHA1
6fe54cd2fefffddd52e19ae3065c9eb370ba1d45

SHA256
237bb29ab3bd0d8beb1da93a05ba104cb9340171a40db1b994566ff601904939

SHA512
c7d310c49d0f5a24c0f7ee84952389d0cbae1bc54d89f42a372350f18629f21b1045e345e26b7f74c08fa5739a5d4141e9e85f0f697e56d93c4b04e5a5346979

Download Submit
\Windows\SysWOW64\Abmbhn32.exe

Filesize
451KB

MD5
6caf1ad4fb0ccd7c6581d1086a50e7aa

SHA1
0d37ea9bd5115903e91b62358f01dd8602b2ca32

SHA256
e1a158756fc1d31bec9c8e7916345f2601046ccfa80a102df2435105bd4b4542

SHA512
00879f30dcfe10eec9f80f493be61b1a6b87d7a32c882379af2294072ece80c741e711f7621e71a0f446eb31d45d8681d47a43fcdf355701471b882fbc1c502f

Download Submit
\Windows\SysWOW64\Aefeijle.exe

Filesize
451KB

MD5
a8a98a5701e22c5f8a15db7e29198b4a

SHA1
82517a5cf5d1f145fdec648f9ed79b2bbdc89381

SHA256
215e59c51f2027206e11735969302e19cd5b5516660bf44305b013fe004eec66

SHA512
b0ba10df9aad3bdace89c8f54ddb5751eed5ef88fbd3d0a7683dc1f53d3d68dbc849886daf88161ddcce726532cab8eda512173c1eec1e8e2e0163647602d2c3

Download Submit
\Windows\SysWOW64\Aplifb32.exe

Filesize
451KB

MD5
d5b2c7cec3acb272f880715ec9158468

SHA1
06426fc1a985c6328c27ce15732c55c4955a2269

SHA256
b54d1277d2e71bff4abc1d547c1e24b21dd8d2df4dcbca2d653b38cfde056844

SHA512
6fa10ce674d12795ff6111a05026fd0605c7941f4dea4ee2bfb8f15454c146c5f5eeb26c0becf940da685eb05a073c1dfb22226c1d2303a11195d0173146b842

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
451KB

MD5
7eea438b7cb4884b6466482718cca1de

SHA1
c4a757230d8d812d8ddb3ffd992ff1f473637586

SHA256
08d67507aa8f8446d6c5abea1166ace0e42881da83f152b84e4034124c2eb974

SHA512
b4c79bf4156d9f35d20002e1b1dbc5a1c975efe602e797cfe1114d82f599af20ae68b629b5f0078c056b4ea0b1daa817e4ecace7b66a69aa6de0c0ade21a4dd4

Download Submit
\Windows\SysWOW64\Bidjnkdg.exe

Filesize
451KB

MD5
83fb80dffe412c028421a99a872b090f

SHA1
4de3ce5581c61293a106d2ee77a93d0ec8bc619c

SHA256
0579154a767b56a4b7dd750930920b4d0144ee2b4f5b5c76648221b12ab758da

SHA512
783426d0be18ed05d49a1c14e5d108ef4880134808eaeecd98a1b6014959bae1b771d25579ac509968a213cfc9f2106c8c65fe414076ff5c0f3e87b89841a711

Download Submit
\Windows\SysWOW64\Bpiipf32.exe

Filesize
451KB

MD5
af2d55890d1a56c153efb23d2e758850

SHA1
aa74a918a844e6f508a00c63b747bff02b5c61d7

SHA256
bd62602e52e360833b36c904471f0e3c0b2057861438b8407be59de9819d9041

SHA512
edd1c28fca9fc1f96586af1a86c33b2a124c6e22f9e0a9f1f48ce438e6c1fafad6fcf733ce7cb74258a814a62f1590c3609bc13031a025a0e61426a4fe6d316b

Download Submit
\Windows\SysWOW64\Pgeefbhm.exe

Filesize
451KB

MD5
6f5880063fff9374c6787a3d625be569

SHA1
f5809effb66d75c6013a307235738569eede5008

SHA256
4382ed9f2b6ad1ebf6ff40b213f1d04822ee73a21cd8b44f2b4bdde51af69ce6

SHA512
2b2f8637abf2ca4eb99196664aa07d31127fdc1c2f2eb2c5fd9c6c14a948af017fee543dfb7dcf5affa3b2bb18fc48b3c7f69340a61cdc56ce0a4f9ccffa352e

Download Submit
\Windows\SysWOW64\Pjadmnic.exe

Filesize
451KB

MD5
0332f2d562a6166cfc3e32a39eab6c67

SHA1
8ba9e81dabe6acd800a20acdbef30a9f41b14587

SHA256
1682ee4670b63030ed53cf2766d2dd3786eb87959ae96092ca5f81020c9235b4

SHA512
770c1dffa186922b648a911ed39afcb711362ae45a5a698a5ff97b3eb6b24d99c3ea6f19bf19aa9c531c12d184cb7fadb175d526268b7603bebaa69d79c152f7

Download Submit
\Windows\SysWOW64\Qedhdjnh.exe

Filesize
451KB

MD5
1c62bfc3c2ccef62cb0d3beac64e67c2

SHA1
a3b5948a5b70c951d773fea9baf9e95faa37b229

SHA256
bf3c0ccf74a949e89327b0c98ba1e187dc0894f15b67ae7c2b209154afe15834

SHA512
45a2c915c2f6d3ab2e90825c4c9dee163e4089aea3f0643845501ce6c02eae11677329df603dd7ba03d2dbcb406168ae35555e6c24c4455c21b290b275eebef6

Download Submit
\Windows\SysWOW64\Qmicohqm.exe

Filesize
451KB

MD5
a3299f13778bc190b651e1f91d7a6e1b

SHA1
1e2cb069498c69a95566edd7018a330dbb2b6ec1

SHA256
5f7423c948856965fae3b870d2b9ea29f518150e0a93fe96d6c40af6eea10d7a

SHA512
a2a8e7f8d1a5af476930cacca07c8248c92215f5e95deae934ed31ec0b100cb242609023354a35cb89673763d658d963e3e4586ef7907c1a9ddf433cb370f2a1

Download Submit
memory/112-138-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/112-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/112-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/112-459-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/328-244-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/328-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-401-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/568-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-271-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1100-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-223-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1228-12-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1228-352-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1228-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-11-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1252-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-292-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1252-296-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1268-436-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1288-458-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1432-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-166-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1552-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-119-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/1664-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-64-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1700-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-147-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1712-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-471-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1752-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-307-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1752-306-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1784-254-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1784-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-209-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1884-204-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1884-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-194-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2244-180-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2244-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-179-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2376-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-264-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2412-467-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2412-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-36-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2596-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-359-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2608-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-106-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2628-437-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2628-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-318-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2732-314-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2780-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-351-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2808-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-27-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2808-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-26-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2828-336-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2828-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-340-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-423-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2844-54-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2844-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-385-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2916-445-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2916-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-380-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2920-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-92-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2928-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-329-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2964-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-325-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/3008-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-284-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3008-285-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3044-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-83-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3044-416-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads