berbew | b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
Size

96KB
MD5

8be5162ab95bd2545dd7c9df2a3e931f
SHA1

3bc0b3f03b7e9dcd07df7bd2615d7e6026b3be58
SHA256

b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74
SHA512

dde9e99f05c57d3b62f6a8478c51d5b5e52f7aa6bc545719575d3950e4eb8afd3b8b16e9c1cffd2b8863db221b2bd25f0927ab421e0d25a7da1aff9cb938aad4
SSDEEP

1536:qEV7rOGVuqp+Krg+i2awzhSv2LP7RZObZUUWaegPYAi:qEVOGcqdrg+FztPClUUWae3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpdomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikimeff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffjagko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eikimeff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Donojm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglpdomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpgecq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdhhdqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkeoongd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 51 IoCs

pid	Process
2752	Cpgecq32.exe
2968	Cgqmpkfg.exe
888	Chbihc32.exe
2536	Coladm32.exe
3060	Cffjagko.exe
1332	Dhdfmbjc.exe
2936	Donojm32.exe
2980	Dcjjkkji.exe
2136	Dfhgggim.exe
2924	Dhgccbhp.exe
2880	Dkeoongd.exe
2056	Dnckki32.exe
376	Ddmchcnd.exe
2096	Dglpdomh.exe
2484	Dkgldm32.exe
1080	Dbadagln.exe
2404	Dqddmd32.exe
896	Dhklna32.exe
2876	Dkjhjm32.exe
2228	Dnhefh32.exe
1672	Dqfabdaf.exe
1652	Ddbmcb32.exe
1988	Dcemnopj.exe
372	Dnjalhpp.exe
2052	Dmmbge32.exe
2360	Dqinhcoc.exe
2832	Eddjhb32.exe
2544	Enmnahnm.exe
528	Eqkjmcmq.exe
2560	Epnkip32.exe
2192	Egebjmdn.exe
2320	Embkbdce.exe
2892	Eqngcc32.exe
2204	Epqgopbi.exe
2376	Ebockkal.exe
484	Efjpkj32.exe
1152	Emdhhdqb.exe
2176	Epcddopf.exe
3020	Ebappk32.exe
1924	Eikimeff.exe
3036	Emgdmc32.exe
1760	Elieipej.exe
676	Enhaeldn.exe
1592	Eebibf32.exe
2312	Egpena32.exe
2412	Fllaopcg.exe
2416	Fbfjkj32.exe
2656	Fedfgejh.exe
2728	Fipbhd32.exe
2316	Fhbbcail.exe
2784	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
2752	Cpgecq32.exe
2752	Cpgecq32.exe
2968	Cgqmpkfg.exe
2968	Cgqmpkfg.exe
888	Chbihc32.exe
888	Chbihc32.exe
2536	Coladm32.exe
2536	Coladm32.exe
3060	Cffjagko.exe
3060	Cffjagko.exe
1332	Dhdfmbjc.exe
1332	Dhdfmbjc.exe
2936	Donojm32.exe
2936	Donojm32.exe
2980	Dcjjkkji.exe
2980	Dcjjkkji.exe
2136	Dfhgggim.exe
2136	Dfhgggim.exe
2924	Dhgccbhp.exe
2924	Dhgccbhp.exe
2880	Dkeoongd.exe
2880	Dkeoongd.exe
2056	Dnckki32.exe
2056	Dnckki32.exe
376	Ddmchcnd.exe
376	Ddmchcnd.exe
2096	Dglpdomh.exe
2096	Dglpdomh.exe
2484	Dkgldm32.exe
2484	Dkgldm32.exe
1080	Dbadagln.exe
1080	Dbadagln.exe
2404	Dqddmd32.exe
2404	Dqddmd32.exe
896	Dhklna32.exe
896	Dhklna32.exe
2876	Dkjhjm32.exe
2876	Dkjhjm32.exe
2228	Dnhefh32.exe
2228	Dnhefh32.exe
1672	Dqfabdaf.exe
1672	Dqfabdaf.exe
1652	Ddbmcb32.exe
1652	Ddbmcb32.exe
1988	Dcemnopj.exe
1988	Dcemnopj.exe
372	Dnjalhpp.exe
372	Dnjalhpp.exe
2052	Dmmbge32.exe
2052	Dmmbge32.exe
2360	Dqinhcoc.exe
2360	Dqinhcoc.exe
2832	Eddjhb32.exe
2832	Eddjhb32.exe
2544	Enmnahnm.exe
2544	Enmnahnm.exe
528	Eqkjmcmq.exe
528	Eqkjmcmq.exe
2560	Epnkip32.exe
2560	Epnkip32.exe
2192	Egebjmdn.exe
2192	Egebjmdn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chbihc32.exe	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Ikggmnae.dll	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Emgdmc32.exe	Eikimeff.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Cffjagko.exe	Coladm32.exe
File created	C:\Windows\SysWOW64\Dglpdomh.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Qhalbm32.dll	Ddmchcnd.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dhklna32.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Emgdmc32.exe	Eikimeff.exe
File opened for modification	C:\Windows\SysWOW64\Egpena32.exe	Eebibf32.exe
File created	C:\Windows\SysWOW64\Hhejoigh.dll	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Eikimeff.exe	Ebappk32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Booqgija.dll	Cffjagko.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Dkeoongd.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dbadagln.exe
File opened for modification	C:\Windows\SysWOW64\Emdhhdqb.exe	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Gbmiha32.dll	Epcddopf.exe
File opened for modification	C:\Windows\SysWOW64\Fbfjkj32.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Embkbdce.exe
File created	C:\Windows\SysWOW64\Fdbnboph.dll	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Nceqcnpi.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Dqfabdaf.exe	Dnhefh32.exe
File created	C:\Windows\SysWOW64\Akomon32.dll	Eikimeff.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Kglenb32.dll	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
File opened for modification	C:\Windows\SysWOW64\Dfhgggim.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Okobem32.dll	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dqinhcoc.exe
File created	C:\Windows\SysWOW64\Bnfoepmg.dll	Ebockkal.exe
File created	C:\Windows\SysWOW64\Aeackjhh.dll	Ebappk32.exe
File created	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Dkjhjm32.exe	Dhklna32.exe
File created	C:\Windows\SysWOW64\Ojdlmb32.dll	Dcemnopj.exe
File opened for modification	C:\Windows\SysWOW64\Dmmbge32.exe	Dnjalhpp.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Donojm32.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Dbadagln.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Hclemh32.dll	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Hmdkip32.dll	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dqinhcoc.exe
File opened for modification	C:\Windows\SysWOW64\Fedfgejh.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Cpgecq32.exe	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
File opened for modification	C:\Windows\SysWOW64\Dkgldm32.exe	Dglpdomh.exe
File created	C:\Windows\SysWOW64\Khqplf32.dll	Dhklna32.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Fllaopcg.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Enoinika.dll	Dnhefh32.exe
File opened for modification	C:\Windows\SysWOW64\Dnjalhpp.exe	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Imbige32.dll	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Fedfgejh.exe	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdfmbjc.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File opened for modification	C:\Windows\SysWOW64\Dqfabdaf.exe	Dnhefh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	2784	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpdomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbbcail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgecq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhklna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcemnopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fhbbcail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll"	Cffjagko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpchmhl.dll"	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eikimeff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikggmnae.dll"	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhalbm32.dll"	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbige32.dll"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpgecq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnphfdp.dll"	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhbbcail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll"	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll"	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkeoongd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmcojmg.dll"	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoinika.dll"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll"	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdlmb32.dll"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll"	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfjkj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2752	2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe	30
PID 2172 wrote to memory of 2752	2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe	30
PID 2172 wrote to memory of 2752	2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe	30
PID 2172 wrote to memory of 2752	2172	b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe	30
PID 2752 wrote to memory of 2968	2752	Cpgecq32.exe	31
PID 2752 wrote to memory of 2968	2752	Cpgecq32.exe	31
PID 2752 wrote to memory of 2968	2752	Cpgecq32.exe	31
PID 2752 wrote to memory of 2968	2752	Cpgecq32.exe	31
PID 2968 wrote to memory of 888	2968	Cgqmpkfg.exe	32
PID 2968 wrote to memory of 888	2968	Cgqmpkfg.exe	32
PID 2968 wrote to memory of 888	2968	Cgqmpkfg.exe	32
PID 2968 wrote to memory of 888	2968	Cgqmpkfg.exe	32
PID 888 wrote to memory of 2536	888	Chbihc32.exe	33
PID 888 wrote to memory of 2536	888	Chbihc32.exe	33
PID 888 wrote to memory of 2536	888	Chbihc32.exe	33
PID 888 wrote to memory of 2536	888	Chbihc32.exe	33
PID 2536 wrote to memory of 3060	2536	Coladm32.exe	34
PID 2536 wrote to memory of 3060	2536	Coladm32.exe	34
PID 2536 wrote to memory of 3060	2536	Coladm32.exe	34
PID 2536 wrote to memory of 3060	2536	Coladm32.exe	34
PID 3060 wrote to memory of 1332	3060	Cffjagko.exe	35
PID 3060 wrote to memory of 1332	3060	Cffjagko.exe	35
PID 3060 wrote to memory of 1332	3060	Cffjagko.exe	35
PID 3060 wrote to memory of 1332	3060	Cffjagko.exe	35
PID 1332 wrote to memory of 2936	1332	Dhdfmbjc.exe	36
PID 1332 wrote to memory of 2936	1332	Dhdfmbjc.exe	36
PID 1332 wrote to memory of 2936	1332	Dhdfmbjc.exe	36
PID 1332 wrote to memory of 2936	1332	Dhdfmbjc.exe	36
PID 2936 wrote to memory of 2980	2936	Donojm32.exe	37
PID 2936 wrote to memory of 2980	2936	Donojm32.exe	37
PID 2936 wrote to memory of 2980	2936	Donojm32.exe	37
PID 2936 wrote to memory of 2980	2936	Donojm32.exe	37
PID 2980 wrote to memory of 2136	2980	Dcjjkkji.exe	38
PID 2980 wrote to memory of 2136	2980	Dcjjkkji.exe	38
PID 2980 wrote to memory of 2136	2980	Dcjjkkji.exe	38
PID 2980 wrote to memory of 2136	2980	Dcjjkkji.exe	38
PID 2136 wrote to memory of 2924	2136	Dfhgggim.exe	39
PID 2136 wrote to memory of 2924	2136	Dfhgggim.exe	39
PID 2136 wrote to memory of 2924	2136	Dfhgggim.exe	39
PID 2136 wrote to memory of 2924	2136	Dfhgggim.exe	39
PID 2924 wrote to memory of 2880	2924	Dhgccbhp.exe	40
PID 2924 wrote to memory of 2880	2924	Dhgccbhp.exe	40
PID 2924 wrote to memory of 2880	2924	Dhgccbhp.exe	40
PID 2924 wrote to memory of 2880	2924	Dhgccbhp.exe	40
PID 2880 wrote to memory of 2056	2880	Dkeoongd.exe	41
PID 2880 wrote to memory of 2056	2880	Dkeoongd.exe	41
PID 2880 wrote to memory of 2056	2880	Dkeoongd.exe	41
PID 2880 wrote to memory of 2056	2880	Dkeoongd.exe	41
PID 2056 wrote to memory of 376	2056	Dnckki32.exe	42
PID 2056 wrote to memory of 376	2056	Dnckki32.exe	42
PID 2056 wrote to memory of 376	2056	Dnckki32.exe	42
PID 2056 wrote to memory of 376	2056	Dnckki32.exe	42
PID 376 wrote to memory of 2096	376	Ddmchcnd.exe	43
PID 376 wrote to memory of 2096	376	Ddmchcnd.exe	43
PID 376 wrote to memory of 2096	376	Ddmchcnd.exe	43
PID 376 wrote to memory of 2096	376	Ddmchcnd.exe	43
PID 2096 wrote to memory of 2484	2096	Dglpdomh.exe	44
PID 2096 wrote to memory of 2484	2096	Dglpdomh.exe	44
PID 2096 wrote to memory of 2484	2096	Dglpdomh.exe	44
PID 2096 wrote to memory of 2484	2096	Dglpdomh.exe	44
PID 2484 wrote to memory of 1080	2484	Dkgldm32.exe	45
PID 2484 wrote to memory of 1080	2484	Dkgldm32.exe	45
PID 2484 wrote to memory of 1080	2484	Dkgldm32.exe	45
PID 2484 wrote to memory of 1080	2484	Dkgldm32.exe	45

C:\Users\Admin\AppData\Local\Temp\b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe
"C:\Users\Admin\AppData\Local\Temp\b1e1186ec8aa1454e286031ab3a73dbb60399a75f99c16d6c37ab6a7c1113f74.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\Cpgecq32.exe
  C:\Windows\system32\Cpgecq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Cgqmpkfg.exe
    C:\Windows\system32\Cgqmpkfg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Chbihc32.exe
      C:\Windows\system32\Chbihc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Dglpdomh.exe
        
        C:\Windows\system32\Dglpdomh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Dcemnopj.exe
        
        C:\Windows\system32\Dcemnopj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Fedfgejh.exe
        
        C:\Windows\system32\Fedfgejh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Fhbbcail.exe
        
        C:\Windows\system32\Fhbbcail.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 140
        53⤵
        Program crash
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chbihc32.exe

Filesize
96KB

MD5
1f8819de2cf3afecedb6c7a290421905

SHA1
7971ae585851690c92b94de66f7322950f3a129d

SHA256
6044a26244943573a3f3777bd0402d9b7cb03a2e1d79dd039fc8a525495a6b85

SHA512
93ade8768cb7749c85ef9557e0cf8e42fe674e77de1745e71b1aefc54b4bf457356ee894547b2baeda2b30172ca2c0e15267a7f244e520cc8effdf8c521dc474

Download Submit
C:\Windows\SysWOW64\Coladm32.exe

Filesize
96KB

MD5
c94487deda43b436da38eb60fdfae0eb

SHA1
93e63fd727f2989fce696f353cb8188707ee1ba4

SHA256
f492a07d485be048985cb64e3a39b9e1a4423347400c8ac641d3a58a9fffecd2

SHA512
873d01b47ff8d49e3e63a29542787aa3e6d003276d2b34fef0b708e56c434c1074fe766dbf28d0018db3c4e4aee7db0ab189217e0982ef3a4b62a4d72cd346e0

Download Submit
C:\Windows\SysWOW64\Cpgecq32.exe

Filesize
96KB

MD5
cf6a7bbb7db0fe61e60a5654f48cdf9a

SHA1
0ffe2626ae7e003fc76b30ab040528d337ea313a

SHA256
56b98673e778ace3b249901db5a71db49a4ac53a2eb3b599814f8bf64f21b32c

SHA512
e7f096b10cbe0eea0db9d4f1bf2914f7ee4a37c20d9c558f0f721bfa75f375c2bde6bb3b9e366870e2e3951343c32588c65647eafc0d8bd993177938fb8928cd

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
96KB

MD5
e5af436f0ac542503e8a201438b3bf5b

SHA1
5c8847125065f01c3848e3fca6f90bc519374e6e

SHA256
7e2ef952eb5b29e185fbc347882e869dd684b264bdd4882b6130a1ffcc6fc1dd

SHA512
3e7c07e8cec9512b91c0f7b3d4f8abdab1946dcd5e5ca87a0c611d7a82bec4a3d96cdd6dadb0b32fe8b4868602bbb5597560f7650cc0a417804890d9984acb33

Download Submit
C:\Windows\SysWOW64\Dcemnopj.exe

Filesize
96KB

MD5
a80f0fcf3951d67da8c34a18d4fb646e

SHA1
15d512313fbd0a1e1737e7b5adb3e99f9c70dd1b

SHA256
c08ada1faca11cff22f8dcc4dbccc505e6d6aff42fb5461d8ff0481ce3a5db5d

SHA512
d66f08624fc1dab36898a7e24c7ff625c555ae4e09796282a51f44f129e35f149252898dfb22de8374b65d2627ea66ed820a2a9b3d7bd7e37bdfcf0a50b018d8

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
96KB

MD5
60b575964880d5bf631518747f646b29

SHA1
b17aefdc9df7229591be42d398e73f164d4149d2

SHA256
987b6094c67dccf428baba6d945cd3cea8fe76b0988f91aa8f77db29fdf650d0

SHA512
548afb397fd24f3ad3f879f9773e8a4dab62cf786072ebf9056b2ad1dd0c618cde57017de1773855fffda7c727c590582f3e12ef1690fced10bc6ec67fe00ab4

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
96KB

MD5
e497533717ae68996ce0f2cf94ceecde

SHA1
4c745ce820ebaaffc020fd29db63c98d39686452

SHA256
e2ab8eb39314e76477b57074344dd2c818cde4fb2909bd6f7be483b9308ea0a7

SHA512
ffe0b39224ff5f08897f6d70d09251225b30813417c138eb1cd05287c0bf927b16f281fc33f4dbaec5d9e4773ecd09bfbb7f2424b489fb9e76ca0c84ffe307af

Download Submit
C:\Windows\SysWOW64\Dglpdomh.exe

Filesize
96KB

MD5
2b2619536c66a424e82a7d7de7b3d100

SHA1
fac21bb0444cd7ac0a4ab1e99753fc3258cec75f

SHA256
773b9aea76ddb66524fe1d4cc7289a1c18080ba28a4e52569607af48bd47c9f0

SHA512
5dacf3772239ad7302187c5b677887eccb454639836b98a0d8106a367d410b0981d6e7cc22b06754160f85a16b1f7bbe0ec36fedc0384f403a2e5c3cc99a79c4

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
96KB

MD5
333e888d1184411ddd66cc1573d32d1c

SHA1
15761639b056c454b60d23a51adba984a4704df6

SHA256
f5689d74d1ec2f94c89d505f3b232af8b098a67c6060ff604b95429c44cf2ce9

SHA512
dbd456bafff986b3be922358ac3bc46530cc2fdc1fe7942cde9f4d27eb2f61b48fc7a716170b7e54a8773a261d712da6f0a9c8086e9903404ac598a5aa25a18f

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
96KB

MD5
f86caa432086112667a7fb873229c56c

SHA1
f448bfebef15c8474e7a1b7ab2f89e70a90572ad

SHA256
11c1f42b574ad0cf107dc0f3670c4e9d36f2244ef67415b53b222f816e16b68a

SHA512
d6605d4ffe423673b5edb062f665fcdf7266a0bd4f3fd58c3bf15c1b339187fa150658e2372464aa5d01721ce20b9d0f8b6293e1e677be27973c473e2281b3c5

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
96KB

MD5
baea5cf09365f62ce68a92f5543fc2db

SHA1
5412543d5abc9aaf022a816c843a910b59e0d770

SHA256
494ce95644a1ab7f52b5f3eda0cbfd79e7e8747d9f6364803c01c9481b15ccc5

SHA512
3f0a76a5b21d7cf9760e3322b1b347a72ad5875ac8dc6242f617223e1ffaed82d11f04bff70a808ba86b655dc5a0bee86134b41729c7c6e90ea526e1dead620d

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
96KB

MD5
ec240642a27d46466d806f2e7ffd44b6

SHA1
e74a25b6dd0b5b089899f332d5865bdfa87b1db4

SHA256
b75bb0ff9d3c7a18eb54c74eee47577d6fe74f82a3cf841a3f9eeea590028d89

SHA512
6d7216a3b0500f267cc874c1dcd36970f9ee164e4accce6f9941978d47f9c1000fbd2714a2c211a32777835ff65ad7fd9d02a063ff2c8b8b8ebe5d93b5169ad9

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
96KB

MD5
3f60b387f23cb6511ce9f97eaaea3d14

SHA1
beb8e122320a9743265d5cb5e0d83ddb767df9ff

SHA256
111447d7e0241fd2c6057333a1f980c3b866bd2337d42e2bbc8f62352bab523b

SHA512
50f7673a0472d67612402983a0b0447613a84e1c2ec704c92791602a089e847d9f1b90bfdbab58427b7092dc7efa371f8bb1d53118e8b708bf3756667f39c216

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
96KB

MD5
e91f41477327ec06be3e6ecdff0fe70d

SHA1
ff03e92d71b14dd4757c8d34287a6a513a407c61

SHA256
d71f59903569cd96e19b51ad72177c082b29ef707b98b4011200bf2fd20021e9

SHA512
a976fad579554cc30844b305254ce2b7dac77992c21c2119b93f52d66b2ea9f5d16f3d2700b6625f33b764adc9a101261a39fc5950c0bca5aeb8a7cd4a2158f0

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
96KB

MD5
467790d9f8af15a8dc6afd14834a0452

SHA1
1f01b71c071938ce2dcc087f5bda1ae9ccefebdb

SHA256
292cce92b36d82e1984a90a10154b279ee5d2f234ca9815065deb555f3706b9d

SHA512
2edca055a40ade321b8a05acafc9c6b59d0ea184fa506e82fda14373ab981f7e0811a4136b1f589d47689c987ae08e1fa80229a987f737c0788c9c2045fdb1b8

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
96KB

MD5
9d3585f55e24882906c5deeded59b45d

SHA1
dc5f3d476b7a37d734f97584de804e9302e52ad7

SHA256
4cd7d70ae048b5883797e50b0d3e70e8c9d006761c049ac651a77c90618818bc

SHA512
e8df84145cc86669d2569ae6c6d3d13eeb7bbbf405d4bb2b2539b73f08b0b96f407944bde0900b1a0ea1614efb6e1d75a7157f9f12534b1211e77f8f7ca4614c

Download Submit
C:\Windows\SysWOW64\Donojm32.exe

Filesize
96KB

MD5
b56a66db072d04045cf6949ea1a66e14

SHA1
a086916a48a1d61fac3e3256c99c332a69a5f2d4

SHA256
3d0c8d0215713a974770aa02e9baf8c8dc59b8fd471181eee6db08ec93ddc8df

SHA512
ea50c2c927606b88794eefa2e1fd13c526f78b87c1d6ba2b4ca66c5470f6df2652556efb6c98d28e859cc5b5e34f0611c5dddac53f25e9e3653b5c23bb8a092d

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
96KB

MD5
82afe47f4b0fc3eed566454395d74094

SHA1
4f00b76de97caf00a949df39fce84228ac27749b

SHA256
d2a28dc1eabe1e99768e8f043c996355d1e9133b8b78d8ed300c8737493e92e2

SHA512
03f3b416fdaa5a3395784aae4061e82ce905b3467fc97addc4cbecf9d408a82df12a9ecc9032e0ef381effa7dca45c3b6df6846c4a705002dfcf911fea79a6e6

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
96KB

MD5
be669b6009f6c0ab0eab82c801f00f0c

SHA1
5239eebee970bb67c8d922d0acade8616ab9d918

SHA256
647e815e362c0f2a22bf537d21b3ff41716a001a0a817495fa8c17064b31ce82

SHA512
09238010a88131642e86b758b32c9801b1dc3268bda2653d411398e62c92cc7d026b512a7678bc7cb527abf169a21d80d5cd556d5afd1d94f45084e2219ac671

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
96KB

MD5
c23e2dd6b5bc613616f9797645e5fdbb

SHA1
1bd06bd5fb2c8bb8d577f44c02eda2e4b437e551

SHA256
39f17e43e6f93bdc4c7954e24be049807dc5e359ca3d4bab6e6144a1db0d659a

SHA512
80c69ce0a6c61766197f64a4d099995ee8239637ccd1da55858acdd64a6c432e793897b1be45fa83bdc200722f78c267c917029985c150889975df58e42cd0fd

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
96KB

MD5
cbae0203f22436011178b63b64dbce17

SHA1
782bffc390c146f06a88a7295f450c207ebdf067

SHA256
bae0c992a9c221d9acf74d14796d9fbeb3f2c41762e18f87a530512d2d6b3ef0

SHA512
b91d8a2f3f5ea2b7434d74893adf27454d3a0941145d69f6ff57e4473611b4ed1f1eac1ce60e7a0a3a700df6a08c90b2529f0ba5ab71207ac53d66c230c7bf68

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
96KB

MD5
8457a62954e9e58d182249cb890cd5e3

SHA1
1d9c9fa4fc5f8f71492cdf3ea359abde4620b326

SHA256
11ebec897811a3138bd024dfca94b5be2d501b524614df4926510dc3f52ac4af

SHA512
94b8c34d6bf2c8e7803c3d9fb6e371efac76e02fe43e2c33e2b0e194e02c3e81737aac5deb3bb466951262700e30a4dd7300fd7c4b997f18f51f4776c89a2357

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
96KB

MD5
87b68ad656ff9f425414ed9194c6511b

SHA1
327bbe94e7133920d8fddf433265a998842f2277

SHA256
288ff12e2b420e7124ce6043a7b43897e83d075506fb5e7fd427586dcb96e05c

SHA512
06f1639f3256cc17f642a825189bbfb2e6e5384f2e9c1c7aaff784ff01a407c06becdcbfacabcec0aba21cb7f0fa33af82a6febf344ed2854e61fada51866143

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
96KB

MD5
146970d285d99fa620574b47eb4348ae

SHA1
70cf0a92371f2987404f6f0dc72579aea0c5f7cf

SHA256
578b7c2ef2aa51f8dda319e5506c9c9cfcbc8a2052820f28a0f240220ec1208f

SHA512
11bcfb142f183594aee7ed2882725caf30741b2352732ff5e0bc24657b8657cfe05a3835e7b9858743f057d681fce6d9b2390a0b529f3f274e33e734d0e4492f

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
96KB

MD5
25159fdcbe96632c62deac7ca1c28b02

SHA1
6b78ce90918a22c06ef6bb5cc1ef7d6c79ecb765

SHA256
2f116bf20248a66325de682966ad4ad5a4be12bdb2686e2259313d76b72b0c5b

SHA512
a5f0ce53ff5a9903a066ecd771e4ceb57b53c36f0c9a25a78be2ca58c42af46d8a1185eaf6ef70550cd9fa7b1bfbd0324d21da39a700895f5f03a8985c6c0e5c

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
96KB

MD5
15dc6847a3f39888568c5c2d1e86ba9e

SHA1
c6d11a2c3536ae019ae6e43aed2406b062f602e1

SHA256
20ed43122231413af342555548c9c8ac14c54ebe73938dabd99749965cbe6a56

SHA512
8dd7e9461b5befa6a4df8c4bcb08f3cdacb0d14a63943da8d702fc47eb959bbf6364c63f82016e8b7b5a4195cd03ea96c350a09091b40dacd096d32109452dd5

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
96KB

MD5
f92bad1ee11591e53e97dbde2af1a334

SHA1
72b7ecb40e6eee9d0f0c91d280928bfabb5341b7

SHA256
bfd01d7c5f3c036d6a0bbeb4f541c59060145fb35f8fec20a87e43960ad757f3

SHA512
e208af3c4f94c93978977300a6c2fdde88370e27573ca8960964011bbd6d3f0f9dcadc640ed5e14859269b234999e3636ed09247780f51d083f24a4f0a09c07c

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
96KB

MD5
1867d58af427eecc5e7c4e95d1f7757a

SHA1
82894d2954869b301c612837ddad107fb5725a2f

SHA256
34a71428c8fd48fbd44a15d73313fac4aad1a20378c4f5aebf91f2db2ac5c71d

SHA512
0a1eb7a7fbad135c553ac53891ca74913896278e55732f97db2d65d812bfd0d8e8e251a19f19a365a6bab1bdb3eb8a668193eeba53dda4b9259fef88da9d94bd

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
96KB

MD5
a6fda05fba735c588a5a121acf84a14f

SHA1
2080fe4b322d0c55f1b59b543d69c49e762445e0

SHA256
f3ed4d842d85b13b5ded5df6923510588e3250eae8fb008d3471267688129aa5

SHA512
d4fafd78a1ca46fc977271b9318b9f0cb40cd33bdfec3c361d3fa226692be3782bccd611be9370a1a17bf0f4aa60b324ff879d901b7a1a039361b9ac092e6f8c

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
96KB

MD5
8dbf116dcbc4dd6c214abdc7a75f8b8b

SHA1
62ff65aa0a32cc7c330e681b57a6c2a48a8d3987

SHA256
a3d297cdd107345d95402d05d9451a71e0ebc4cf2e885a308fb549c7eb56730f

SHA512
f87b7e5c7acc409f21e9115c30e6367777420b202b9e7cc4e6d9a287820e7e94909c6c5e268b5cb7ea7120cfc5300d4b51362fc666936314d67c387e94db26a8

Download Submit
C:\Windows\SysWOW64\Emdhhdqb.exe

Filesize
96KB

MD5
6cc69de99f37d44c41e4acdea00fca28

SHA1
09290cbea143ce2d4d9e333d9f9bd7d529344e63

SHA256
3bb211dfb7352d74d9d791bd050bd756ee82851809c3fc7b1db2d77e7ee08a84

SHA512
bc9213c2f3f82fcf63a9a1a3670d0341722fe9aa89e3f02c322536db5c367a8cf040195bcac5e974456f79041be12eb4eb1b0f0e461a05b56d503e6820b81e37

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
96KB

MD5
7e2b43d0530587f06eebe8b0c7879ca8

SHA1
8bc41491009dee10db69dc8511eb303fa585b2d4

SHA256
a930af578dbee8ea7906c1fd3eb0e9275ac17affff00f009b0e2fd6b5da539dc

SHA512
708d842165890d58641b7602489d27504f44436e8fba732fba64cd72f0b0e91c29888abc417dce11607d277876fd55b9376b35a73d788efbef9eeda59b7339d6

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
96KB

MD5
299dd587daec841b388b2a4d6f66fb17

SHA1
dde5d5ec376ed7e2c5ddf4184fb1e3533c224e79

SHA256
28edb73f954d3c8c10daa64e0770733fb06b61b17e34b77caf732e39f5fd183b

SHA512
b1571cf900e6e24ac761c5783cdd7e5143bd05a1f3819e71327b3190431a2cc04302fdb5d6ce67c3958556a6577d62b9ca7e8838a1d2bf208422dd9f7cd53101

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
96KB

MD5
ffd56b4c2e439c9c09a6fea983d51bfc

SHA1
4c8d14b39fea62c881bee4043ea1fa3482006c54

SHA256
ec896cd182f39ed06bce72ec2b6484f17f7b7a79ac4fd70e1248a8f18d2a56f9

SHA512
6e697c0d7ad49dd44aea131a6a6f0074df083e45dc70af4103098b8e8f1f835c4bee7b559eb0f0abf439ed48925eb17f6df25212c7a817c6055d76b1bca32fe3

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
96KB

MD5
b8e41a8bc7ee85178ca3990aa73b4c25

SHA1
d534dd45f5b73a19129196d33f2ac3b72270f155

SHA256
a9eead6874b5606af342fe4bc0bf5a320f270a6b4fd4345b78cade4cd493412a

SHA512
c7345dd3cd80427253b1fe2c88e16f3df7e3b4648ed3381e0b5e7f4b93425654838e57314f99e9ae9f6ad4079caa19282778b892d26414cf90f294e1277179e0

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
96KB

MD5
17c4e91b00f22f1675901f6e9315be5b

SHA1
7e9a5ec04ad3a19792aa125858714930bbd7eb72

SHA256
65648227c2e97d6798cc765c96bd0aa13ce7dacc782e8ba8f4c3f126600fe645

SHA512
4a94779732f1cd9544b5c545e06560a878bfcf7a9ca3b2805ab5e020451694a5f312dc4f7c7067c4c98cd10683fa74fd0a16283b1e6869c6a3045ce30de3f7d3

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
96KB

MD5
6dd98ab000c196ee845c3a7ffe8e8286

SHA1
70d98ab725a5033c5281054b4c8f1249bcbc47cc

SHA256
a2d052a5b7972ec134c7ad6c3de70b6cb796c83e1c2ad77cde0acee4eca3fe53

SHA512
8a1d5eeaef23d4c17db1fc49d4fb5a370e626f19c18046f9fcd6335be5adbea3664d162646f77516bb8d9dc315540203069f5c998bfd36a5bdc8b8d345f534cc

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
96KB

MD5
8bb7bba3d049e986fbc96d1d1651009c

SHA1
c3a28c56a48fa31f191137db98f6f22cfca18bec

SHA256
2cc20eb550f39e6ae7394f720ac11079bad9dfd998f4f0184c78e22a3d41f471

SHA512
5696fe2a3f21d157a87c146897dbff46e63f75635e6e8d737267cbff2d113b02e1d6444671d0e2d9692aa2df70605f66592aa20d66b64bbb2d27569a55560c7a

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
96KB

MD5
3889d7b2778d391aa872069eec601ecf

SHA1
cfd7f62d7c3b4ff054dafca6511bfc51cc28dd35

SHA256
cc056d716f1124a0328e3b5f47afc9102c9aeb61ef2c5199f246d7ad2a5629ba

SHA512
861dbd99f694591342abfd6610c450ce047d5ea65531d06c21d6a23165264e609e821d8544b7e3899324f6dc164b909b51cdf35e40ba6caafad9284b2ce0652f

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
96KB

MD5
42b309a1d3065ad923f19dd1629422b2

SHA1
1fa648e456b21c5a44a1cf7ccfb0691c697c3d50

SHA256
2d55391cfbc54eb3397af727911becb5e93c4b28701589d44bc270b2ac353b6b

SHA512
fcc0fd8962b19fcc565f5d20af9ef853a55b81241ee4d8845ac9dc234274ad9f38cc715cf0248e867cd09085eca055e6e1293f5149a2691f104830dd9fc9aff7

Download Submit
C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
96KB

MD5
e866eb10bcd17869164d42004a99509b

SHA1
f04b6ebe9a0c79e128d375340ee09fe8759d98ee

SHA256
c382c61553bdf19183dbc18be6e6abc2587ad7205e0c4b8d4fcdfaed12acdc06

SHA512
c6513a1612c00a7bf7f7ea9593c06c07b7b35204102902f0bbe5a4dd78ac89dc8866fe50221e720c004ba0a7cd90222db7edd46b6d3e77587f16aaa6d27c9eb5

Download Submit
C:\Windows\SysWOW64\Fhbbcail.exe

Filesize
96KB

MD5
9d2771c985010f8ce56f71460a5ea4f0

SHA1
bca18f8812e4bcda2acf34c837abc498d2e30bcb

SHA256
ac2831f82c84df475a7d323a29e9c8e23dd61bfe8054df9520923c4ef3926078

SHA512
df8a43b5ae8675313ee25db52757dc0f591cc9dd864230ff1dee9b8498edbb55185845d40d767d15228218f1790de0f0966b0acc11338450d9899388e6332bd7

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
96KB

MD5
c8fa1f3450a8663c824f30b9d3ae3b0a

SHA1
2ac15b0d16e9313bbc9274de1c2d9c45da114dd3

SHA256
895ce69b3d4e53c47afd9b8d158cca0a1dbbedf2b0cda8f83a3af8918fa3f04e

SHA512
bd3ca9ee970ac4ba4ea68655d4921f3fc85bb0e31705d7ead7c3a239fd302a744c09f7dfb35697a89bb44a43a00f27b4bfb41b1c322c563d21529a38bad82256

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
96KB

MD5
3038d9f47f63c4cc13569f3e29b2a254

SHA1
3ab9cbe1da43c112e32c4efc3776e805420a6f13

SHA256
7a207f5c8a64dc05160d53f78716447e7bf8a66b64e7aaf2b49764cce4aa4444

SHA512
0021af14a3ce5740ede3fe7dbb16fd4bf6e1677806d9bf4f19a991a221b7b587ab626d7412677abb5f138e2f85fe0d688f5b11990e483b90bb0aa54e40745612

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
96KB

MD5
872db55b98dd880acc467ae52bfc0532

SHA1
1e1280438d58024a43505823aebec03c1b00c322

SHA256
5293ee6fbe795bae7fbfc1fc74135f20313821b509e4cdafb42d756eaed77dfa

SHA512
ca523bdf6aea65488a2f95cc3cde019ebe15d0ee1f43bff61578e423b8b597dd425bae6d4d1bbffef88e1763b8414383a853a9825539f6f05ee486c786e8081b

Download Submit
\Windows\SysWOW64\Cffjagko.exe

Filesize
96KB

MD5
40d4ef7deaa4da27f6216d61c132b3d1

SHA1
b337db41c4bc789677754f87b4313a482b361214

SHA256
6165655cfdb34a8ed125a5e6a3a69e430cef4d5aeff55e29496003b91961d1b5

SHA512
a6d1e8351dc5d9c5a485ca707e28cf4997b383b674df52006e071ff72b9895b609fc072f6eec76b773aa8222465807798ed58b29dca7e54180e92cc0d75b07fc

Download Submit
\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
96KB

MD5
7b384fed9f617f4cdfe01e3e952fde72

SHA1
8a86f82dd302bb29f6d34fb61721ed3f259cd7a7

SHA256
cff51f414d214713b50c21019b40ebae293a2ec5adfd582dce3c3f3fe79c9a85

SHA512
1d0d347d69f2f688aa3f61b20c5c5ac7a1c7bf758d341d33a0acf2e472c749843ad028cd9b78ddd35762ada3ef440cd5578791946e15dfad48561e095ad77e17

Download Submit
\Windows\SysWOW64\Dcjjkkji.exe

Filesize
96KB

MD5
880fc22824bfc9eeeeb7f9528975ee74

SHA1
69326c6639ce9f0c0a63dcd48206388538590957

SHA256
0a83b4e7f2deb2c90cdc9a99b9448ddf11834b256124fb3da6616bf134e34e1e

SHA512
c89a209d34f617f26d3b8a5f594b8a74e41e62692fc363a516c0fddfc872dd89fe0cb86c70572a928c2741cbd67eece6f5cef72150b75e4a272ac862afb815ef

Download Submit
\Windows\SysWOW64\Ddmchcnd.exe

Filesize
96KB

MD5
ea73c3e15241beaa328fdb12852bdf27

SHA1
f21330dc8146ac8207cccc936d6da05f76ecc32b

SHA256
80f48a3e596c565f4718d7bd308c59f13ac6add5743a27668bc199418947905d

SHA512
997d553ef31c37ccdbb89464f5e268a6be2ff8fc55d6fd5dadacf05c23bd516bc280945448d79b2933f3b5e8f2357b0f0398b670c91e33b7e2838b75741b0af7

Download Submit
\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
96KB

MD5
57f0eb33bd78edae8c6c8766b56266a7

SHA1
7b65a47579818ae568dbb6db530fed0ec08fd404

SHA256
4378543eaadb9278b0cb073ebae7916fe0ecb32f9dcfa4992e8272412dee6508

SHA512
4943dfbe59e21e1ebae8199657d682282df14853fda5c87442e0771a24fbea40b6e962a4dde726fdfad5de4905da143ec3d767ba35d3c9b22d774005c3b301ae

Download Submit
\Windows\SysWOW64\Dkeoongd.exe

Filesize
96KB

MD5
daeaafdfb0e9d23979f88115f341fac9

SHA1
e5bb51a4b3fe4c54412a173d37eda342bffa390c

SHA256
2d4f4e4ee592e3a069af579901db6619865b3d178cf1cd2868dd94ce62acabc1

SHA512
9dba9df62972c358e637fee46289693e82235e2938820486337dc18d83388aef0b6f2abdc19dcf11ddaa7b09faeae329a8095688df0c8cb47d2f645d1f64f65e

Download Submit
memory/372-295-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/376-177-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/376-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-354-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/528-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/528-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-509-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/676-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-46-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/888-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-235-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/896-239-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1080-217-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1152-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-90-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1592-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-279-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1652-275-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1672-264-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1672-268-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1760-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-497-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1924-478-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1924-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-476-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1988-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1988-285-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2052-639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-309-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2052-308-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2052-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-196-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2096-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-125-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2136-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-11-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2172-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-455-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2176-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-381-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2192-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-412-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2204-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-411-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2228-258-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2320-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-389-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2320-390-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2360-319-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2360-320-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2360-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-423-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2376-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-422-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-226-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2484-205-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2484-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-341-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2544-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2544-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-366-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2560-365-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2560-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-20-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2752-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-330-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2832-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-327-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2876-249-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2876-245-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2880-151-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2880-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-399-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2892-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-138-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2936-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-99-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2968-39-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2968-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-117-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3020-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-462-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3036-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-72-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3060-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads