berbew | 62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1c

Analysis

max time kernel
101s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe
Size

896KB
MD5

307fcff9ad5c6cef841022d49223c490
SHA1

45786184324dc9058231417fcb4561c5bde5b37e
SHA256

62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1c
SHA512

96759ee1c9298bf1805e47da004b992747d0296dac9f659c82f7d148247a9452627d56016e83e4bc3e6e8f9d209da4b7060cba4d6c1ed75a1dbf9b1872a0f13a
SSDEEP

24576:MOWaTRTGryZ5d9TRTGryaITRTGryZ5d9TRTGryeLTRTGryZ5d9TRTGryaITRTGrC:n9bD99wI9bD99e9bD99wI9bD99

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebfign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1924	Palklf32.exe
644	Pdjgha32.exe
1728	Qmeigg32.exe
4440	Qodeajbg.exe
8	Qpeahb32.exe
3012	Akkffkhk.exe
440	Adfgdpmi.exe
1528	Agdcpkll.exe
756	Aokkahlo.exe
1224	Ahdpjn32.exe
3356	Aaldccip.exe
1412	Aopemh32.exe
3128	Aaoaic32.exe
5096	Bdmmeo32.exe
32	Bgkiaj32.exe
1284	Baannc32.exe
2484	Bnlhncgi.exe
4044	Bdfpkm32.exe
3148	Bkphhgfc.exe
1900	Bajqda32.exe
1688	Cnfkdb32.exe
3468	Chkobkod.exe
1788	Dafppp32.exe
5008	Dhphmj32.exe
392	Dkndie32.exe
4480	Dahmfpap.exe
5020	Dggbcf32.exe
3936	Dqbcbkab.exe
4484	Dkhgod32.exe
3572	Ebaplnie.exe
2392	Eohmkb32.exe
3312	Ebfign32.exe
1092	Enmjlojd.exe
3756	Eomffaag.exe
3616	Ebkbbmqj.exe
3428	Eiekog32.exe
4632	Fbmohmoh.exe
740	Foapaa32.exe
3596	Fbplml32.exe
3844	Fdnhih32.exe
640	Fijdjfdb.exe
4652	Foclgq32.exe
4720	Fbbicl32.exe
3272	Filapfbo.exe
3120	Fbdehlip.exe
1640	Fecadghc.exe
2960	Finnef32.exe
4584	Fohfbpgi.exe
4424	Fajbjh32.exe
4568	Fiqjke32.exe
5032	Fkofga32.exe
5028	Galoohke.exe
3484	Ggfglb32.exe
1804	Gnpphljo.exe
4168	Giecfejd.exe
224	Gpolbo32.exe
1700	Geldkfpi.exe
3972	Ggkqgaol.exe
1636	Gbpedjnb.exe
920	Gijmad32.exe
1124	Gpdennml.exe
4412	Gaebef32.exe
3092	Hnibokbd.exe
5024	Hlmchoan.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Klndfj32.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Foclgq32.exe	Fijdjfdb.exe
File opened for modification	C:\Windows\SysWOW64\Gaebef32.exe	Gpdennml.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Mhbacd32.dll	Likhem32.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Mjlalkmd.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Jhgiim32.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Hpmhdmea.exe	Hicpgc32.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Ichelm32.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Dqbcbkab.exe	Dggbcf32.exe
File created	C:\Windows\SysWOW64\Jpehef32.dll	Gaebef32.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Jlikkkhn.exe	Jbagbebm.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Oncelonn.dll	Ebaplnie.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Foapaa32.exe
File opened for modification	C:\Windows\SysWOW64\Hnlodjpa.exe	Hlmchoan.exe
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Nfldgk32.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Qbkofn32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Fkofga32.exe	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Jibclo32.dll	Fijdjfdb.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Mledmg32.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Obgohklm.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Hicpgc32.exe	Halhfe32.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kapfiqoj.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Lafmjp32.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe
File opened for modification	C:\Windows\SysWOW64\Ebaplnie.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Ehfomc32.dll	Klndfj32.exe
File created	C:\Windows\SysWOW64\Mcoljagj.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Finnef32.exe	Fecadghc.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Gpdennml.exe	Gijmad32.exe
File created	C:\Windows\SysWOW64\Mohidbkl.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Epoaed32.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Okjpkd32.dll	Finnef32.exe
File created	C:\Windows\SysWOW64\Hodlgn32.dll	Fkofga32.exe
File opened for modification	C:\Windows\SysWOW64\Galoohke.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Ceknlgnl.dll	Gpdennml.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Eohmkb32.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Coffgmig.dll	Ggkqgaol.exe
File opened for modification	C:\Windows\SysWOW64\Iijfhbhl.exe	Iacngdgj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7152	7096	WerFault.exe	285

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fecadghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnpphljo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgiim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmjlojd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebkbbmqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkofga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhenai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohidbkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofegni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnhih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpdennml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgkan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhdcmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocgbend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckboblp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebfign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnlodjpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojmcdgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nciopppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiekog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnibokbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hajkqfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hicpgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galoohke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbgeqmjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iahgad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkdek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbbicl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdehlip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geldkfpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaebef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebjihf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdndloi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koonge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giecfejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll"	Khlklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Halhfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoaed32.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbldphde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkiongah.dll"	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll"	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedlip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Fkofga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Galoohke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1924	1072	62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe	84
PID 1072 wrote to memory of 1924	1072	62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe	84
PID 1072 wrote to memory of 1924	1072	62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe	84
PID 1924 wrote to memory of 644	1924	Palklf32.exe	85
PID 1924 wrote to memory of 644	1924	Palklf32.exe	85
PID 1924 wrote to memory of 644	1924	Palklf32.exe	85
PID 644 wrote to memory of 1728	644	Pdjgha32.exe	86
PID 644 wrote to memory of 1728	644	Pdjgha32.exe	86
PID 644 wrote to memory of 1728	644	Pdjgha32.exe	86
PID 1728 wrote to memory of 4440	1728	Qmeigg32.exe	88
PID 1728 wrote to memory of 4440	1728	Qmeigg32.exe	88
PID 1728 wrote to memory of 4440	1728	Qmeigg32.exe	88
PID 4440 wrote to memory of 8	4440	Qodeajbg.exe	89
PID 4440 wrote to memory of 8	4440	Qodeajbg.exe	89
PID 4440 wrote to memory of 8	4440	Qodeajbg.exe	89
PID 8 wrote to memory of 3012	8	Qpeahb32.exe	91
PID 8 wrote to memory of 3012	8	Qpeahb32.exe	91
PID 8 wrote to memory of 3012	8	Qpeahb32.exe	91
PID 3012 wrote to memory of 440	3012	Akkffkhk.exe	92
PID 3012 wrote to memory of 440	3012	Akkffkhk.exe	92
PID 3012 wrote to memory of 440	3012	Akkffkhk.exe	92
PID 440 wrote to memory of 1528	440	Adfgdpmi.exe	93
PID 440 wrote to memory of 1528	440	Adfgdpmi.exe	93
PID 440 wrote to memory of 1528	440	Adfgdpmi.exe	93
PID 1528 wrote to memory of 756	1528	Agdcpkll.exe	94
PID 1528 wrote to memory of 756	1528	Agdcpkll.exe	94
PID 1528 wrote to memory of 756	1528	Agdcpkll.exe	94
PID 756 wrote to memory of 1224	756	Aokkahlo.exe	95
PID 756 wrote to memory of 1224	756	Aokkahlo.exe	95
PID 756 wrote to memory of 1224	756	Aokkahlo.exe	95
PID 1224 wrote to memory of 3356	1224	Ahdpjn32.exe	96
PID 1224 wrote to memory of 3356	1224	Ahdpjn32.exe	96
PID 1224 wrote to memory of 3356	1224	Ahdpjn32.exe	96
PID 3356 wrote to memory of 1412	3356	Aaldccip.exe	97
PID 3356 wrote to memory of 1412	3356	Aaldccip.exe	97
PID 3356 wrote to memory of 1412	3356	Aaldccip.exe	97
PID 1412 wrote to memory of 3128	1412	Aopemh32.exe	98
PID 1412 wrote to memory of 3128	1412	Aopemh32.exe	98
PID 1412 wrote to memory of 3128	1412	Aopemh32.exe	98
PID 3128 wrote to memory of 5096	3128	Aaoaic32.exe	99
PID 3128 wrote to memory of 5096	3128	Aaoaic32.exe	99
PID 3128 wrote to memory of 5096	3128	Aaoaic32.exe	99
PID 5096 wrote to memory of 32	5096	Bdmmeo32.exe	100
PID 5096 wrote to memory of 32	5096	Bdmmeo32.exe	100
PID 5096 wrote to memory of 32	5096	Bdmmeo32.exe	100
PID 32 wrote to memory of 1284	32	Bgkiaj32.exe	101
PID 32 wrote to memory of 1284	32	Bgkiaj32.exe	101
PID 32 wrote to memory of 1284	32	Bgkiaj32.exe	101
PID 1284 wrote to memory of 2484	1284	Baannc32.exe	102
PID 1284 wrote to memory of 2484	1284	Baannc32.exe	102
PID 1284 wrote to memory of 2484	1284	Baannc32.exe	102
PID 2484 wrote to memory of 4044	2484	Bnlhncgi.exe	103
PID 2484 wrote to memory of 4044	2484	Bnlhncgi.exe	103
PID 2484 wrote to memory of 4044	2484	Bnlhncgi.exe	103
PID 4044 wrote to memory of 3148	4044	Bdfpkm32.exe	104
PID 4044 wrote to memory of 3148	4044	Bdfpkm32.exe	104
PID 4044 wrote to memory of 3148	4044	Bdfpkm32.exe	104
PID 3148 wrote to memory of 1900	3148	Bkphhgfc.exe	105
PID 3148 wrote to memory of 1900	3148	Bkphhgfc.exe	105
PID 3148 wrote to memory of 1900	3148	Bkphhgfc.exe	105
PID 1900 wrote to memory of 1688	1900	Bajqda32.exe	106
PID 1900 wrote to memory of 1688	1900	Bajqda32.exe	106
PID 1900 wrote to memory of 1688	1900	Bajqda32.exe	106
PID 1688 wrote to memory of 3468	1688	Cnfkdb32.exe	107

C:\Users\Admin\AppData\Local\Temp\62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe
"C:\Users\Admin\AppData\Local\Temp\62d1c7ab0d4e35d594dd7d8d7b4e4bea90d9a19f61391b769235447ce08b1a1cN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\Palklf32.exe
  C:\Windows\system32\Palklf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\Pdjgha32.exe
    C:\Windows\system32\Pdjgha32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\Qmeigg32.exe
      C:\Windows\system32\Qmeigg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        25⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        29⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        32⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        35⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        38⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        40⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        43⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        45⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        50⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        54⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        69⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        73⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        75⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        77⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        78⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        80⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        86⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        87⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        88⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        96⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        97⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        100⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        101⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        104⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        106⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        108⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        109⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        110⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        114⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        116⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        119⤵
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        120⤵
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        122⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        123⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4024
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        129⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        133⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        137⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        139⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        142⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        144⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        147⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        149⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        155⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        157⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        158⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        159⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        164⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        168⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        169⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        171⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        173⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        177⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        178⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        179⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        180⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        181⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        182⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        186⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        190⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        192⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 220
        193⤵
        Program crash
        
        PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7096 -ip 7096
1⤵
PID:7060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
896KB

MD5
d81c7cc0d431d9df2249f5c55d2e12b5

SHA1
e1a240163b7b0869f23a42896a97e72cae95d049

SHA256
b487fd6683ba753ab3d113209b1162fcd57ab7c4da755a45757ce38e16f41a89

SHA512
ce3cc59b9ab9858ffa20f0634c77139b329bb75c2e85f2ccede4543b0a250692890078d09901f6b7271e095b4946d25b62d374e7db112987e53425f8be81eb44

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
896KB

MD5
d544edbf3d33572e7f0ab589f3347cdb

SHA1
31730e577cfb3d20fed7a73fc3cc8382d22dfc1b

SHA256
8cdbdf43c86cf98e88d8b7958fd0ec866aa620ed5d26134c777c16e38d1d657a

SHA512
df58be94b07bdb4da957d31d5258c45d2ba2801351ea2bed922bdbe2a3449d9f80d505e6aeae6b8bcf00f7170cb385c91b660831a12d98b1b4605a5479412de6

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
896KB

MD5
0f08795e90ca7a1cf4baf1523ed9e031

SHA1
68cf8adf3ae6ecea482ae86e7d874e14c32649fb

SHA256
e8c1ea12abeeff68c93e6148f5796468db721fe687f826b987b646221c05e1ac

SHA512
e25ca3c017429202640bd1cb4848ea5c1569f4d7dfcda3ff6c2fd24fff4482c24004ce643a807ed2ab525f048f39df792874b9ad6d5f9c31ad737faddee380cc

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
896KB

MD5
1ebee5be0b5fff864a5ccc88e797deb2

SHA1
99367e54756ab4bbfaf2bad3cb51b03c10f5db0b

SHA256
a4f497f1260145986f76c48e209f02605f07ea8008a2229b239b737ef070da0b

SHA512
08b6baa0b998fe004311c569a5b129a478e2a97c0cdcc64e069193ad5e9a7a2fd581f9a12f8af7c8a4a0c91a489007c324c90dfb20dc552ecfdcb0ed757a578b

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
896KB

MD5
c9f76f2864d3e585620fd29836de7d22

SHA1
b7c849c8edf41969b5bbdb68287c9054ab9dcedd

SHA256
f0993b410620f6323ac26f2cb8448ee6b0adfacd15b0e26d89096cd9fd4a9e5c

SHA512
1a25ea353a5aa77d67d401bb4a3d3f12093d4cda68fd0549f8b175e2014bcf7fe5c72edc852ba981fe91ca19218aed63acd33a8883593ee8c01b2628b96a4328

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
896KB

MD5
7dc3a1837ba2a1ca3de552147328a328

SHA1
d5687198283225bd9d6b9e9f6451e7c9243e1f96

SHA256
f31ebe41cfd6d3517a55d244ec4c8004201098226e28f572edfd02cec6e8568c

SHA512
bcd92b7ab3f1c2a38788d238e3711ada2b557868f6f0a1bb9d9fa888892259397b063328c1fad7b80639bd298451e634afd6d06337e394d38ecac119b7867d92

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
896KB

MD5
82f41250f652468618e6c665b03e569a

SHA1
120763ae2cd63b8b67b3099a1e4eaa0deb0aed49

SHA256
ca7224bc4d5ad5531934363435a394143b13f075f5a1d2cafa1be3ef1f491f4b

SHA512
a5edfb29e7ef1842de870a3921e591afd8f42a7b8a3ee53475b50a1b562528410d1d7dfe00ec6eae42217ee4b8f3e4d03e6bfdba79a0287163ae55a2fa68152c

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
896KB

MD5
f9330a1470e82c4eb512eada0f91765d

SHA1
a9cfaa6ce736932e6d959ee994958e5b8be87a95

SHA256
0435473f73cffbea890b23e8d71e6d5c1dfa50ae6fa905aeef57ae8e5c8aa62d

SHA512
4ae58c5ade15845789d2ce0bd99f598c77d8c747bc841ba34a42792773f03af4aadd674a10a1337124e6cf38127de66d6497112307c9fb0ca2613df238d8e287

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
896KB

MD5
029d7f5dd646e810d620775760fee324

SHA1
140eb4ba0f237998c0631ba7cdd82e5a8ec2dde3

SHA256
0f7783c1373c3f3a95401b09c44f21761f8c782b4569462bc5d68d50da04fd0b

SHA512
1f8a2d8b7c32ab9c5f0e5313e745db7151ae9c15facd29788529080ccb9334ec45a697b01d03a99fd4298cbc6a98783c823984a13ab9b1e30396aa954c47fa42

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
896KB

MD5
ddd50ce2e2fc152d30b202136962a5e1

SHA1
1c3e90ac6f456be1eca0097d09b44135d5a2c430

SHA256
b3ab6c17fae4fe4a2ee226fff990923042877746cf4b44fcc76f3648c8ddfe5a

SHA512
0b2ee53a7907d9328a073edadbb5be02fe862e3de23a61dafb9ccaeed4d2a1c76700647d6e2fb9e16defd869875fb4e2af9c12a62dd929a343776a9afd0d3320

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
896KB

MD5
5df24ef069129a643acea7253237a1ec

SHA1
cc67692eec3002addb9ee74d34fdf44236d92891

SHA256
c25f993356b0178673e41f80b8d2daa6cb73f769c02dc2de096797bfea9dff9b

SHA512
4b7f73197f06292d8fef2a67adfa0c61294377a3d81248d17a5798255fa839fc73e691d34afcbfcf243bd9b6f21303d744d435ffabb144309ccce8da01dee7ed

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
896KB

MD5
82949f57318e4fd34f1282e468a9599c

SHA1
6cce41716d84d3996eb83f3f3493386bd70a79f1

SHA256
ecc94d1582f59f5a60dd3ef9fc69fd9da6f79c80b64294d6f820929294c4d0dc

SHA512
93d8dfef5cb94ec800a25107e9854288fdaeff2829fada037ed79457b9efc77c8ce5786976490c09cbf5a7ce5946773e9eab9d6ece91384a5f6d1ed4e33567eb

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
896KB

MD5
e9232c95888261905cdd8006634e4880

SHA1
b9c22aa752f3506ec47f3de06861d867d257c5d8

SHA256
29bca05f4f84eb362110cfff6b46a200cf90b3f3450b59583e5b0278ee2f1190

SHA512
8420b95fc9881dc2c14d09ceb796066983df24f81beaf4565c5152b24e17743dd67d6b205d505614ae7edbdcb6e906021e190bb4a45a235e8e4ec4c3f695615c

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
896KB

MD5
e029c8ff9ef61567f37ec4b1544d655e

SHA1
bb261e6d5cf47aa566f6b74d724feff72d4c41f1

SHA256
cb0116d41e9c0593a8b0a6990ce8e5d0e5df0ed736bbbc242b03ad1d9f778517

SHA512
3a75ec18651063387b56c1e14f2208a4825657d1291705e1b09688e3e738fbd51c9a625195f0b5efd1ce434ebcd7772ca3e6e4abe07dc63c5f3bcb184857905c

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
896KB

MD5
caf88a329851c4bbfbac6802b51971cb

SHA1
63ee7a11c247ce3255e883a411cf609878ee9c45

SHA256
01fb8f5994dbce3955c65171fb12121f7ba6f965ee52f984141c9fbb5e5b8a6e

SHA512
5ba57ab36185b69c98fa3053e5d0d6185614b806aae723c881711e9bca0188d5225bf7477250f3652ff8a5ef353c48fcc4dfa47f0fe81748745d649954e1e723

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
896KB

MD5
7efd3cc4ae1933c6389d008bd11eda96

SHA1
68f1aa4e34bbf6c8f209e273ab99be65de05eaa4

SHA256
e4878bb10ebc772561bf93b1cee35142284c2ca00edcdece1d860b30ac693022

SHA512
6d2bb022dd19883124c29a5c3e2f93ac51ea378a2f8069b6c6bfeac0b5faec66a5a7033d1e25b4f5fe0aae790b0b0e1b1f1d3ebf2da0e162ef512af041a8d10b

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
896KB

MD5
0fa506e81f41384023e90068e0ef0ee1

SHA1
53324f043870567712b2249f236c7da01fd13912

SHA256
42abbe473b545e5499841cb52878b2be980ad42cdb7546814bb5432b583ac360

SHA512
a093a44e6cd29b6ef46d326bb3ae9bebadbc4aadf7e76b2aec0375418719fb0ecf4f09466440f699ebd8cd0814e4da5e9aa0d39725892cd0829d3f9aac941a16

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
896KB

MD5
39c10449c051c8f8d9486f03bcba0310

SHA1
90f73c20a850171efef21188f15c08dee34470a1

SHA256
06b0f61066c563a83ff3aafd98e1284d5b940bb3b4654a8b69aee5f5d7a92964

SHA512
76bde50255dee7e30996897e01ca4a8b07530a5a8d67e1d5936c80d2949a50fe4de8a96795cae0d55816659d394a1d24a20b3d1a86e1d040f2dc3e57124e23a4

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
896KB

MD5
2f1979bcc71c1704b527f3fe381f17e1

SHA1
7c770d8fe57cc3d015284ddafe80cde07262ca8f

SHA256
6e19cbecc0fa26cefdd8c213e37a61de8fa16021b7dafd0b89cb69602d966755

SHA512
ee139947e8f32d6d9e639b37626e1bace0b2d40e36c906b722bc3d9403857d8b1444a620f746b416800b3068869de10d0a6b1980ead64e524b16b35ee23d844a

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
896KB

MD5
78c52307523dcf07aefc04a307691827

SHA1
23f621d25eb582f5d1c5b3f65b52b911d23fa2b5

SHA256
1b7b422676768a230ae69fb11d6ecdf99b89df5588690a64facc68df7fa02938

SHA512
1c75c559b83953931404ac54947f8fe9f9820a0bb2b7e8b8f0502b101ad1602e999d077d022a4501c6aae5831af2d0f34c846d2162e9ed7cb4d7d68c51b3240e

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
896KB

MD5
13e2d5a21da599a690016b7c8178462b

SHA1
ec8db6b520b4cc55efb1f7d464561a924cf22e5e

SHA256
0ef84a54a07f4614e1302538b9e97f23725af05b18c9d2a419bf992f9b94e19e

SHA512
64ef04c856df4c99e861033901aedce1c993f31761fe35fdbabf5530596bdf1da78d21cd74e9134c0857689ac992dd41a00fd767b349750fd851d42f0a616306

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
896KB

MD5
bf15c75cfc19359e826bd4a6f8bb7816

SHA1
07efe1ea8ee755422f6161bab2d24d1da1d75f43

SHA256
4cac5c74090c0404d7d51d34ef6dccd764c1908099bf829fb8f2d69fde052b20

SHA512
42920bc66ee5a1734d2d19b9c5e256a454a1143b8013b3554301b7d45df5d0ee58dcecba95061fa8e47a3d23c6a0766a765b7e8d0dc935ff7d87724c8ca6238d

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
896KB

MD5
2dcb9e39f60dc8c18a0235ff07977656

SHA1
f4cef213aeb72fe256d4a9f79ec5a724fbcd8f53

SHA256
80defba327247dcace7f7b56739a7594159403a7a9a47e1fa5def6f8b0c28064

SHA512
74297ce8cbac099832503cca5572f90880dbd782ae41908e80cb591dd5791c6bf260e130a92acc8df06a54dc390286709473a9d134a2ad703cf6c985997d90e6

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
896KB

MD5
f59bc83f152b5dd35c0f7e0cbc99c7cc

SHA1
c9e307c64259569ff50e0cba1719f292b27d5ce2

SHA256
3797123c70fa3e31a95113636e9276549af0b5f60ece55ac6511952b49786292

SHA512
48023b3661541e001db7ae5453abba9002e58fd4cc45bc6a4a1c7d10cb127f452934874e9dfd8669ac8ef6767a1b9a323e1d285931914ba25abd449679dd671a

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
896KB

MD5
1c55e15cdd9272aafe206dddfd9ccf5f

SHA1
ad42deba0099e3c38895690e2897252b1f194be2

SHA256
496abec70efbe34ceea51231f6950ff004e27acc7054198c65c1cb3bfe6b62ac

SHA512
283ac3d66d47085fe7a09745043be76a8a3d8078f2cfb1f28a591d1d05324bccdb362f085ab379bfef6c6bfdb965f65ba48fdb3efffcf0d30fd9b01fcf1d2692

Download Submit
C:\Windows\SysWOW64\Ebfign32.exe

Filesize
896KB

MD5
6bc11c9c0a8f974a4a8bdd4451645752

SHA1
10596df530f8796ec6990468867d317255c43190

SHA256
5802339b8f1df7bfbcf4ad0ec88deb32e65ed9fa77c1d5eba7817699236e41c2

SHA512
54043364ebfbeed6513b2db00fa5b4fc46625ddc4442bddd71e20981f8b9f7b8231a257d548c96c0fb2c31f8c0718a0a9b48724be805822a43ccebe2769ef09c

Download Submit
C:\Windows\SysWOW64\Eohmkb32.exe

Filesize
896KB

MD5
480dda20b4639203c76d80b0c53e294f

SHA1
17ba0090ee4e6b4c58583fd19846d81e695d92fb

SHA256
a57b568522c8bae3b9a17b2a982e91605ed2d630295f26557785417b95c08a1d

SHA512
14884f9ebd0eda12c7c899eeb10b4855e900e55ee17492cce6584d5657b6a150e843fce8f30ca6ea24bcbda5bae878915ae647bee5dbb66de98560b9828a04a6

Download Submit
C:\Windows\SysWOW64\Eomffaag.exe

Filesize
896KB

MD5
c9750b1eb8437427e9dc7e1aa4c8c322

SHA1
390cf995095034bac82de6458d6cf05bae1e622f

SHA256
76706a0ff6e224b6b89c7473ac3cda8154d46a18c709954698124e56f08bcbd6

SHA512
f2317c264679354d4017d9b7f6906851c02573ddd6a27738ed0ede76c5b55c8e1a6d399fb1e363b6e651474d9ff00b69272fe092d1c7db9ee52e2d14d7235c9b

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
896KB

MD5
8c41cc4527b74c91e5ad4f13c7c74497

SHA1
663ef392b201a861c0d054f7f0c62d9f8802516e

SHA256
3f5251f7dfda8fe6f0a0050cf2903b39cb865e4e4b4bc737ec05197279a7e7b6

SHA512
57b7715770bed2a4f74ce27fe5af294d26896ae25869108dd5cc66a1f0e0b33a23b59d916ffbd45965d71e67cfa2e1ada28ab825ab8a6f6b7f95d55041e2b35d

Download Submit
C:\Windows\SysWOW64\Fecadghc.exe

Filesize
896KB

MD5
520d0f8b324988e901ba02964bee4b51

SHA1
dbd8a1f9b00e4193ab673a62a2d62486d9137c54

SHA256
310f57f0b591a0a6e274d88bfe8d5d70206faa77825505d2bf6f3553ee090344

SHA512
53f421ecbc375ae06af2a78a107160ef500748b6e0e54e21d177d21e108242d0cab4398c4a85a3a5eb9088dac42fe227f131b79d2245ab556d524bbc2fd5b249

Download Submit
C:\Windows\SysWOW64\Fijdjfdb.exe

Filesize
896KB

MD5
995ba93dfb68f2fc03ce04e6cd7d34fc

SHA1
7f34d22137dbd1b800a6a52588b6db0dfe29ff40

SHA256
33df89b497d5003fdfffc0b521cf81415d6473ddc7f57e34abb43695b46283d6

SHA512
2815bd444c877d86add66d06afd1d2c93130d3a3a40025e11cab872a0c1f0bbf016a335aea7a2b3d4d37e8d28873ecc7944e56fa4cf84558cdeeb9058786af3e

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
896KB

MD5
9c0f118c959fcf4fe6c9341a8da3440a

SHA1
0f67486330c760e7aa47f2b370742165b5cd0118

SHA256
25faede62fe4f761ac131e7e9604cf2926206488b9911a83a74a891a390ac546

SHA512
6e2f64d2918de0600b8a1963aad258a5336392fea72ebc517bc0a3e6352e80167a87c2a2760e91722166ba181075b91acaaea7f4586e1b07eca519cdf7be84eb

Download Submit
C:\Windows\SysWOW64\Ggfglb32.exe

Filesize
896KB

MD5
4bdaf6f0e9e8f0e955f7ec1a60073bd8

SHA1
4754a2fd0fd80b2a2e28336e0be143417eb4ac8e

SHA256
7b7df8e44959cc919f778c17c0a23e9e695a6afba58e7c4a7b381ee25cf7af13

SHA512
9829f29a51b31f44c0e8cf3378e91cafea4d8d69342d3e58db879a25e675d934dc3eceaac89d3620a916a114c2bb6fa0cd4033be05fef07bac4986ef5d1e43db

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
896KB

MD5
f572349077fff5320a7babe6e92d89db

SHA1
2e3e77b25f99f5d98f19c9200d7b42920b09a3f7

SHA256
231437794602defcf16d5879fddc15dcd26b8c059926f72989aa4460f124497c

SHA512
98c56b44882fd95ab3a418833ac02eb0f5e486fcf3b0bbecf11cb7139d550045cbc85467e21393ace8af60fa6d181cac1294b3982ea60d1f57c4fe4563636b06

Download Submit
C:\Windows\SysWOW64\Hnibokbd.exe

Filesize
896KB

MD5
59fe722b3bb6af1af885c242210a9e59

SHA1
9c6889fff8b38773e62756e1c50c97df485b7170

SHA256
0bddf6cf5fe4a443c260503709bf8afcb628c3b1dcf01288a95acbdbc7c27f7b

SHA512
0e9341daee87f5fcaa3ffa9538cd175ee0dd5bec5e9a923c6c74a2794192f53d18e3706086abd596a09bb7901b0275a3d33273b74822df1ff0d8720e570ed973

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
896KB

MD5
0442257e17f2c0c5972e55714990bed3

SHA1
4a0509979426a6686e94d3c992dcd530653ce6bc

SHA256
ee59979814b4d7fd8b3092a0a37c093832641de904089160f419d9179d713bd5

SHA512
bcb554e3bb337b7d90cbc1b73caa16eb282d181e71e68bdaddb929b7f40abffed3090e8f74c948c1078d44a09dab31e8c62e0c2fbcc88122a2e6554fe5bb6f19

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
896KB

MD5
220ca5ebf0e63660c2cfd3fc30be1274

SHA1
93675c695ee075a4592188ea505336296c9bf530

SHA256
0903d8dcadc402723db6396e02f6a3da39e241da35353a7117f7183e7e698c81

SHA512
18b520c859987b6640a21a07878be77c3eaefe233e007eaef31f5001ae7b6adf6c22c0d09a81a31d2ded2dad884ee34ebe6c986ee98f9202038eb31a9356ddc6

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
896KB

MD5
2204f5bc28e0d55ba856bc66f18dab0b

SHA1
670e3fe7c351b8bb35ed54b4189465498375da26

SHA256
c3843da621caf24d0fa9e5f2c59c2f4193eafce8625153d43e893ac971630790

SHA512
872a40903258868667807db73f89485a73300ffa6bc95b4f3dfa950b7ed0c89aa8e419feaa713b201ef2e42fbc6d5c93f0ca78c42a9646f5254007992535058a

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
896KB

MD5
6eb27f7e91f918d717f24914c400b55b

SHA1
c8a965ccd9c75515557b84a8061b14cf1aa389cb

SHA256
991bf0dc22b2f4d53ae8a2b864eec7bd8cddee898fdec6d7349efa69ba509fc9

SHA512
5a8204ee92a60c4d84c374d086a1056d5d8b4b08da760608f84d1eec108f54ad755bd187d31be3d06e70675307e57ae9ee7a93a0302c794acbae840975985041

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
896KB

MD5
3813b614d2a7c7bdea5ee84f26550fdf

SHA1
84c3b97246f9bf1b1f04b4a4e8e3980cf28b3158

SHA256
0fa9c201a4a707ebd842a3bcde97701c8e087e48c88c20ff65fe23b621772635

SHA512
21adcb986dad313465c247eeb965a58a69e6e27cf46ace4b5ba1ed02215454c58f666184db062db15679a835bb3fe4929ff8d1ac4a37dfc9b3fc6cce01fdab69

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
896KB

MD5
a62a0a8b25cb72c31826b67e33baf9cb

SHA1
0fac910a7f8280f7866b2abcc8458b8863f0a2a8

SHA256
66c22c8734d355c7e05f3286db74163756be898d465fcd8c48757e964ba9f9cd

SHA512
3d772b821f9b7b5062346a0d1158f29c7d441f212e5e75d89582531cbf79a59db19d80fd29db5470657c0521bb622e5044f3a773c7c3c1801b8f33b391a7be2a

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
896KB

MD5
0eab908e91ffa655310a8cba74cbab6d

SHA1
7fe99e686452addcbdd175c20a4f4f3335f83612

SHA256
ea853688ebeb18bec715e3818681a4cb0bc831d50ee58237430eb1c712beef8f

SHA512
beb5d0a3d8a203ddcce88210bb12924f4e86bcb8ad22aba94fafd6b4bafdd1e10df7950577857e025c8ec35973bd51bbe5e8197bfb7a4f0f45176b10ad9dcb04

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
896KB

MD5
5f2b9d9c07d9002b848d719a0f8508ce

SHA1
2a3c0aaf4a82bcfc268a2d31520fd2d6473bf28f

SHA256
212c1b7be2b594736040f7fa04efc8998997186526fa2117c949c8139031e4da

SHA512
b4c636b93535707183d599f942b9fbecd969c05a3aa712cfb34d63ca16f2eea5d205e732fabf68a21cc87487a07d338991e74bf26e4cdff423e02467c2186efd

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
896KB

MD5
8e5b1da4c4e7985c6d0e5bbbf7c5c9d3

SHA1
0a5f2d242205a89d84259e50e1e2db09d27b66b1

SHA256
c231b8e9670968197fe42efe5dc9f39abf58d5c38710adfd3425d331fcaaa5fc

SHA512
a816d309aca7da54e32ae2c50b301ce134cfdd1d7549fc3399816a1c0a37b5c94099a08b4697aa39f2e901df8db3bb376def630930a17960582860228b4c9121

Download Submit
C:\Windows\SysWOW64\Nqmojd32.exe

Filesize
896KB

MD5
dd37c92915dd76c4fbb680b32363246e

SHA1
6a465d2a2b92fdb397ecc9b2b0fcdcfcf94ea0eb

SHA256
dac926ae4749337e1b2244b6054c7410a06b5967216a4c2205b3c370bb0c2105

SHA512
66e151ea6f7edebb065dbbeb0d57f4a81a8e7c4aa589b1c53c2bb797555fd43cb3cc00e6b301c2874446e623965d421641a6d5473d6273cf8451ccb43099e940

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
896KB

MD5
165cf0777e301f41a472f917331c55e5

SHA1
170f063da0b869638b694df5e842dcb63488c95e

SHA256
8cc9818e5e474e5e9e2e383e2d140796c90ccf95682391ca276f6fcb5bb09e1d

SHA512
c7f7c7f11fee23644ee337b96c41a752fab4eece157589e3740dcdb27fdc877bbbcc3500802a95bb3c37fe3a61d91b446a5064b004d93153c94b9c3bedf5bc30

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
896KB

MD5
904e7bbb5caf5dae4b84a803b8f15eb0

SHA1
e8afbd1e35760e99dffa7b09f89c7bab4a631970

SHA256
bc229c7fea1f525244769f5bca27f09e049fb2366d252ba413a8a3901dc6635a

SHA512
3ffe94bc93659f77c02d723dc3b2f3becb7e086fe3445a456936fa93fdbdc694cf1c50fff624a77d01a14a7b98ccca128b8ddb6d4126de07a934738ae84c29df

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
896KB

MD5
5030352142efc6508f1725389c65e308

SHA1
6dc823413427162cdce779f21c45e35d907acd4a

SHA256
709d6fdff440f8c53114c4ec48b1acd57680c2af1ab379f98e3017542ae2b484

SHA512
9159e38efeb2abd1feb17ef8b17dc265d505045252aa8393ce4a12e091620b7f3781707e020d6a248c323314a301eda2821426a84f16f2c2a20b470da65af0ea

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
896KB

MD5
884372883d50f8525962aa73d74fffa4

SHA1
367f0e67683f23864feb3b35a097666074444c15

SHA256
1a3fd6b192340b79182567c7a01ab2d34f6b9c4aa80a04983752e95c0993d201

SHA512
d3bc07d2f3d373bac8197e77e320c73361801f2d123efd19431fa386481c7960edc10e182f195b62d5d74588be46b12bd1077aff45302856b2fd00e38e52a73e

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
896KB

MD5
c2499ade3a4951c26eeb3b7f698fd719

SHA1
c5dd8a944a41e40f3c358c7c1c6525532467d181

SHA256
6fbdb176df818b4b81867a35504d3566452e6cc0e252fac2316325fd0b1ebbb7

SHA512
803fa9acfeabf4dcd789daee97bb5236899ea381e8d7da19781a3209e0d519073e00bd5dcc6e68d96befdf2773f9e9e371d4eba3d05cba2e148c8ae161c6eeb9

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
896KB

MD5
86fbb64b58c333ff56cffa4c35cb7370

SHA1
c8c2116cd89ba1e4d9e67eed3304840fbbcde9e8

SHA256
0cd8657b040d5dddee8e9fc4c28c213b0cb1be70c74758f03428c47ce2624216

SHA512
9be385f98ee912025f4e7a41b74825921f26e2c7387b63985610939d262906e94f6df29fe8610919e480cf40d2d537e3f837c444e8e13700fc17272c94b3f6d1

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
896KB

MD5
4e5e2f22b29c89ab232737b5ec21cc8b

SHA1
cf45dcd7a9a52b249313d9fe6ca4d1e77243a97b

SHA256
f97491bbe29db5cf2013241e1ae67025e36320b6c04ce20d96b7fddd924070e3

SHA512
6e297b23f6327dde05f99242e14daa219c6ca7185019b4c4c97930f6c721afa296eabc9ae89501261d053b07ca1b2f94e90deaee71b0f63e10f75f9f2d5dc9c8

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
896KB

MD5
8e93748170c85c64c8c2e53e52533b2d

SHA1
2fad3d793169c8da0407ea364d92c340b0a02611

SHA256
8244bc41daef4af5112f9ce4d47a0973603ff042a0f48f5e6df6922494ab3e8b

SHA512
2652112b7648921ca2d7857cdf659357a6aa820edb722f97fa1c265309a6b00c1a9f66088198dd009b74db3396116e0875b5c88e2ac5d7a943c1813308e80032

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
896KB

MD5
7b9971fece360d554f7a9ebc788b2bf5

SHA1
3fed0cd3fbbb92c9d24bc32ca67120f8cd8d717d

SHA256
0814107cdcd5ebdaa753e309d5e9f4c16698cdcb3f8285910e40770dd8ecaec9

SHA512
53e779471d67882b4309b6c7ebe473999aab260a1d7ac3a9f0de0177fb0178ea56fa95850a3ad115e2a5a90b8d11847fb66ace57b69fc8c3276269dfcdb4b2ac

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
896KB

MD5
652ff1fb66ef686864beb32f3f80477d

SHA1
e1c9b2bb6ff2f91b4596302e581f1da1ed37b522

SHA256
1f64a978726e9ca1a5fb87a7c5074273c1dd2f066ec725415800154377d9db4e

SHA512
2390b3b93ff3d917c259af4f1b8de1f0147d0749546d06517dda62d9d82bbf51f304757c9ac32a3e45d368d0dfdcbd118c4df8ead72a503fb2643c08e7787973

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
896KB

MD5
81bfb3302e20c8c867cd23500c142e03

SHA1
6812aa2ab49c0dc66b93440b01c8457a71b1f1b5

SHA256
2c331007f0731d4d9213a6b0b842bfe8483414b13782bd0d0cc7e62f59d154d6

SHA512
1c89184dbbad26cf2aa981b703e31ad3d82d9aec97428e42a3103e153c2b1c33ef4f0d6c913639e8e13c541e5387ccd88087d3f7f712b3ce36ea98a7432fa4d0

Download Submit
memory/8-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1076-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5468-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5512-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5556-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5600-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5672-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5720-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-1336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7076-1341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7096-1322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads