berbew | 0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Size

576KB
MD5

328955849b16e0c627f4f251ac7246b0
SHA1

23853e16ad935bf188a92f77feec87539b220ad8
SHA256

0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5
SHA512

a9e1316e602be3f2659122ab74857451f0f283c6490418a6820c8c7464a9f80f42909a198e70a03cfbe54e857e7469360045b14cbfdd4f3e014d0069732344ca
SSDEEP

12288:0oRAS6YGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:zRA7YGyXsGG1ws5ipX6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eemnnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epbbkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gojhafnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elkofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fahhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fefqdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdnfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeojcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmdbnnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gehiioaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhgifgnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefqdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fahhnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gojhafnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdnfjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epbbkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooembgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goqnae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goqnae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlkgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkcekfad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eeojcmfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmdbnnlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglfgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcekfad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafkhn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feachqgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehiioaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flnlkgjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgifgnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eemnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elibpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emaijk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elkofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fooembgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fglfgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feachqgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elibpg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
2696	Emaijk32.exe
2684	Eemnnn32.exe
2580	Epbbkf32.exe
2552	Eeojcmfi.exe
3012	Elibpg32.exe
2836	Eafkhn32.exe
2204	Elkofg32.exe
292	Fahhnn32.exe
1260	Flnlkgjq.exe
2844	Fefqdl32.exe
1504	Fooembgb.exe
320	Fhgifgnb.exe
2348	Fmdbnnlj.exe
1128	Fglfgd32.exe
2996	Feachqgb.exe
1980	Gojhafnb.exe
1848	Giolnomh.exe
1092	Gcgqgd32.exe
2164	Gkcekfad.exe
2112	Gehiioaj.exe
1984	Goqnae32.exe
2500	Gdnfjl32.exe
1820	Gaagcpdl.exe
1836	Jnofgg32.exe
2776	Kambcbhb.exe
2708	Kbmome32.exe
2800	Kmfpmc32.exe
2612	Kdphjm32.exe
1928	Kdbepm32.exe
2728	Kkmmlgik.exe
2432	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
2696	Emaijk32.exe
2696	Emaijk32.exe
2684	Eemnnn32.exe
2684	Eemnnn32.exe
2580	Epbbkf32.exe
2580	Epbbkf32.exe
2552	Eeojcmfi.exe
2552	Eeojcmfi.exe
3012	Elibpg32.exe
3012	Elibpg32.exe
2836	Eafkhn32.exe
2836	Eafkhn32.exe
2204	Elkofg32.exe
2204	Elkofg32.exe
292	Fahhnn32.exe
292	Fahhnn32.exe
1260	Flnlkgjq.exe
1260	Flnlkgjq.exe
2844	Fefqdl32.exe
2844	Fefqdl32.exe
1504	Fooembgb.exe
1504	Fooembgb.exe
320	Fhgifgnb.exe
320	Fhgifgnb.exe
2348	Fmdbnnlj.exe
2348	Fmdbnnlj.exe
1128	Fglfgd32.exe
1128	Fglfgd32.exe
2996	Feachqgb.exe
2996	Feachqgb.exe
1980	Gojhafnb.exe
1980	Gojhafnb.exe
1848	Giolnomh.exe
1848	Giolnomh.exe
1092	Gcgqgd32.exe
1092	Gcgqgd32.exe
2164	Gkcekfad.exe
2164	Gkcekfad.exe
2112	Gehiioaj.exe
2112	Gehiioaj.exe
1984	Goqnae32.exe
1984	Goqnae32.exe
2500	Gdnfjl32.exe
2500	Gdnfjl32.exe
1820	Gaagcpdl.exe
1820	Gaagcpdl.exe
1836	Jnofgg32.exe
1836	Jnofgg32.exe
2776	Kambcbhb.exe
2776	Kambcbhb.exe
2708	Kbmome32.exe
2708	Kbmome32.exe
2800	Kmfpmc32.exe
2800	Kmfpmc32.exe
2612	Kdphjm32.exe
2612	Kdphjm32.exe
1928	Kdbepm32.exe
1928	Kdbepm32.exe
2728	Kkmmlgik.exe
2728	Kkmmlgik.exe
1924	WerFault.exe
1924	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Fmcjcekp.dll	Fahhnn32.exe
File created	C:\Windows\SysWOW64\Gkcekfad.exe	Gcgqgd32.exe
File created	C:\Windows\SysWOW64\Jjbpqjma.dll	Gcgqgd32.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Mpbclcja.dll	Fefqdl32.exe
File created	C:\Windows\SysWOW64\Fmdbnnlj.exe	Fhgifgnb.exe
File created	C:\Windows\SysWOW64\Goqnae32.exe	Gehiioaj.exe
File created	C:\Windows\SysWOW64\Gdnfjl32.exe	Goqnae32.exe
File created	C:\Windows\SysWOW64\Ojmklbll.dll	Emaijk32.exe
File created	C:\Windows\SysWOW64\Bdmnkd32.dll	Eemnnn32.exe
File created	C:\Windows\SysWOW64\Fahhnn32.exe	Elkofg32.exe
File created	C:\Windows\SysWOW64\Fooembgb.exe	Fefqdl32.exe
File created	C:\Windows\SysWOW64\Iecbnqcj.dll	Elkofg32.exe
File created	C:\Windows\SysWOW64\Gojhafnb.exe	Feachqgb.exe
File opened for modification	C:\Windows\SysWOW64\Gojhafnb.exe	Feachqgb.exe
File created	C:\Windows\SysWOW64\Qbceme32.dll	Feachqgb.exe
File created	C:\Windows\SysWOW64\Ojacgdmh.dll	Giolnomh.exe
File created	C:\Windows\SysWOW64\Fkpeem32.dll	Gehiioaj.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Cocajj32.dll	Elibpg32.exe
File created	C:\Windows\SysWOW64\Fglfgd32.exe	Fmdbnnlj.exe
File opened for modification	C:\Windows\SysWOW64\Fglfgd32.exe	Fmdbnnlj.exe
File created	C:\Windows\SysWOW64\Feachqgb.exe	Fglfgd32.exe
File created	C:\Windows\SysWOW64\Ielqinkm.dll	Eafkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Gkcekfad.exe	Gcgqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Flnlkgjq.exe	Fahhnn32.exe
File opened for modification	C:\Windows\SysWOW64\Fooembgb.exe	Fefqdl32.exe
File created	C:\Windows\SysWOW64\Gacdld32.dll	Fmdbnnlj.exe
File opened for modification	C:\Windows\SysWOW64\Gaagcpdl.exe	Gdnfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Epbbkf32.exe	Eemnnn32.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Gdnfjl32.exe	Goqnae32.exe
File created	C:\Windows\SysWOW64\Gaagcpdl.exe	Gdnfjl32.exe
File created	C:\Windows\SysWOW64\Kambcbhb.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Emaijk32.exe	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
File opened for modification	C:\Windows\SysWOW64\Fahhnn32.exe	Elkofg32.exe
File created	C:\Windows\SysWOW64\Nhmbnqfg.dll	Fooembgb.exe
File created	C:\Windows\SysWOW64\Moibemdg.dll	Gojhafnb.exe
File created	C:\Windows\SysWOW64\Mdmckc32.dll	Gdnfjl32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Gaagcpdl.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Eeojcmfi.exe	Epbbkf32.exe
File created	C:\Windows\SysWOW64\Elibpg32.exe	Eeojcmfi.exe
File created	C:\Windows\SysWOW64\Giolnomh.exe	Gojhafnb.exe
File created	C:\Windows\SysWOW64\Gehiioaj.exe	Gkcekfad.exe
File created	C:\Windows\SysWOW64\Epbbkf32.exe	Eemnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Elkofg32.exe	Eafkhn32.exe
File created	C:\Windows\SysWOW64\Hcjdjiqp.dll	Flnlkgjq.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Eickphoo.dll	Gkcekfad.exe
File created	C:\Windows\SysWOW64\Nncgkioi.dll	Goqnae32.exe
File opened for modification	C:\Windows\SysWOW64\Kambcbhb.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Eemnnn32.exe	Emaijk32.exe
File opened for modification	C:\Windows\SysWOW64\Eemnnn32.exe	Emaijk32.exe
File opened for modification	C:\Windows\SysWOW64\Fmdbnnlj.exe	Fhgifgnb.exe
File opened for modification	C:\Windows\SysWOW64\Goqnae32.exe	Gehiioaj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	2432	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gojhafnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fahhnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefqdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feachqgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcekfad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gehiioaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaagcpdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emaijk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhgifgnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elibpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeojcmfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcgqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglfgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eemnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmdbnnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnlkgjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giolnomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooembgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goqnae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdnfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epbbkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elkofg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll"	Gcgqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glcgij32.dll"	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eeojcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emaijk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fefqdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fglfgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gehiioaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fahhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjdjiqp.dll"	Flnlkgjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feachqgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moibemdg.dll"	Gojhafnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eemnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdnfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmnkd32.dll"	Eemnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll"	Epbbkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elibpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhgifgnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gojhafnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll"	Elibpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ielqinkm.dll"	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll"	Fahhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fahhnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdld32.dll"	Fmdbnnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmdbnnlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkcekfad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkcekfad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epbbkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flnlkgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbclcja.dll"	Fefqdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fooembgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmdbnnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncgkioi.dll"	Goqnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmbnqfg.dll"	Fooembgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elibpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecbnqcj.dll"	Elkofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fefqdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll"	Gkcekfad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epbbkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdngobg.dll"	Fhgifgnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fglfgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goqnae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2696	2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe	30
PID 2648 wrote to memory of 2696	2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe	30
PID 2648 wrote to memory of 2696	2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe	30
PID 2648 wrote to memory of 2696	2648	0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe	30
PID 2696 wrote to memory of 2684	2696	Emaijk32.exe	31
PID 2696 wrote to memory of 2684	2696	Emaijk32.exe	31
PID 2696 wrote to memory of 2684	2696	Emaijk32.exe	31
PID 2696 wrote to memory of 2684	2696	Emaijk32.exe	31
PID 2684 wrote to memory of 2580	2684	Eemnnn32.exe	32
PID 2684 wrote to memory of 2580	2684	Eemnnn32.exe	32
PID 2684 wrote to memory of 2580	2684	Eemnnn32.exe	32
PID 2684 wrote to memory of 2580	2684	Eemnnn32.exe	32
PID 2580 wrote to memory of 2552	2580	Epbbkf32.exe	33
PID 2580 wrote to memory of 2552	2580	Epbbkf32.exe	33
PID 2580 wrote to memory of 2552	2580	Epbbkf32.exe	33
PID 2580 wrote to memory of 2552	2580	Epbbkf32.exe	33
PID 2552 wrote to memory of 3012	2552	Eeojcmfi.exe	34
PID 2552 wrote to memory of 3012	2552	Eeojcmfi.exe	34
PID 2552 wrote to memory of 3012	2552	Eeojcmfi.exe	34
PID 2552 wrote to memory of 3012	2552	Eeojcmfi.exe	34
PID 3012 wrote to memory of 2836	3012	Elibpg32.exe	35
PID 3012 wrote to memory of 2836	3012	Elibpg32.exe	35
PID 3012 wrote to memory of 2836	3012	Elibpg32.exe	35
PID 3012 wrote to memory of 2836	3012	Elibpg32.exe	35
PID 2836 wrote to memory of 2204	2836	Eafkhn32.exe	36
PID 2836 wrote to memory of 2204	2836	Eafkhn32.exe	36
PID 2836 wrote to memory of 2204	2836	Eafkhn32.exe	36
PID 2836 wrote to memory of 2204	2836	Eafkhn32.exe	36
PID 2204 wrote to memory of 292	2204	Elkofg32.exe	37
PID 2204 wrote to memory of 292	2204	Elkofg32.exe	37
PID 2204 wrote to memory of 292	2204	Elkofg32.exe	37
PID 2204 wrote to memory of 292	2204	Elkofg32.exe	37
PID 292 wrote to memory of 1260	292	Fahhnn32.exe	38
PID 292 wrote to memory of 1260	292	Fahhnn32.exe	38
PID 292 wrote to memory of 1260	292	Fahhnn32.exe	38
PID 292 wrote to memory of 1260	292	Fahhnn32.exe	38
PID 1260 wrote to memory of 2844	1260	Flnlkgjq.exe	39
PID 1260 wrote to memory of 2844	1260	Flnlkgjq.exe	39
PID 1260 wrote to memory of 2844	1260	Flnlkgjq.exe	39
PID 1260 wrote to memory of 2844	1260	Flnlkgjq.exe	39
PID 2844 wrote to memory of 1504	2844	Fefqdl32.exe	40
PID 2844 wrote to memory of 1504	2844	Fefqdl32.exe	40
PID 2844 wrote to memory of 1504	2844	Fefqdl32.exe	40
PID 2844 wrote to memory of 1504	2844	Fefqdl32.exe	40
PID 1504 wrote to memory of 320	1504	Fooembgb.exe	41
PID 1504 wrote to memory of 320	1504	Fooembgb.exe	41
PID 1504 wrote to memory of 320	1504	Fooembgb.exe	41
PID 1504 wrote to memory of 320	1504	Fooembgb.exe	41
PID 320 wrote to memory of 2348	320	Fhgifgnb.exe	42
PID 320 wrote to memory of 2348	320	Fhgifgnb.exe	42
PID 320 wrote to memory of 2348	320	Fhgifgnb.exe	42
PID 320 wrote to memory of 2348	320	Fhgifgnb.exe	42
PID 2348 wrote to memory of 1128	2348	Fmdbnnlj.exe	43
PID 2348 wrote to memory of 1128	2348	Fmdbnnlj.exe	43
PID 2348 wrote to memory of 1128	2348	Fmdbnnlj.exe	43
PID 2348 wrote to memory of 1128	2348	Fmdbnnlj.exe	43
PID 1128 wrote to memory of 2996	1128	Fglfgd32.exe	44
PID 1128 wrote to memory of 2996	1128	Fglfgd32.exe	44
PID 1128 wrote to memory of 2996	1128	Fglfgd32.exe	44
PID 1128 wrote to memory of 2996	1128	Fglfgd32.exe	44
PID 2996 wrote to memory of 1980	2996	Feachqgb.exe	45
PID 2996 wrote to memory of 1980	2996	Feachqgb.exe	45
PID 2996 wrote to memory of 1980	2996	Feachqgb.exe	45
PID 2996 wrote to memory of 1980	2996	Feachqgb.exe	45

C:\Users\Admin\AppData\Local\Temp\0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe
"C:\Users\Admin\AppData\Local\Temp\0d78ee04231b4e46a46e3a2eca88df7b31a83debd311a44f6feb1f5e5eac05f5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Emaijk32.exe
  C:\Windows\system32\Emaijk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Eemnnn32.exe
    C:\Windows\system32\Eemnnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Epbbkf32.exe
      C:\Windows\system32\Epbbkf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\Eeojcmfi.exe
        
        C:\Windows\system32\Eeojcmfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\Elibpg32.exe
        
        C:\Windows\system32\Elibpg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Eafkhn32.exe
        
        C:\Windows\system32\Eafkhn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Elkofg32.exe
        
        C:\Windows\system32\Elkofg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Fahhnn32.exe
        
        C:\Windows\system32\Fahhnn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\Flnlkgjq.exe
        
        C:\Windows\system32\Flnlkgjq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Fefqdl32.exe
        
        C:\Windows\system32\Fefqdl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Fooembgb.exe
        
        C:\Windows\system32\Fooembgb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Fhgifgnb.exe
        
        C:\Windows\system32\Fhgifgnb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Fmdbnnlj.exe
        
        C:\Windows\system32\Fmdbnnlj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Fglfgd32.exe
        
        C:\Windows\system32\Fglfgd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Feachqgb.exe
        
        C:\Windows\system32\Feachqgb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Gojhafnb.exe
        
        C:\Windows\system32\Gojhafnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Giolnomh.exe
        
        C:\Windows\system32\Giolnomh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Gcgqgd32.exe
        
        C:\Windows\system32\Gcgqgd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Gkcekfad.exe
        
        C:\Windows\system32\Gkcekfad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Gehiioaj.exe
        
        C:\Windows\system32\Gehiioaj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Goqnae32.exe
        
        C:\Windows\system32\Goqnae32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Gdnfjl32.exe
        
        C:\Windows\system32\Gdnfjl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Gaagcpdl.exe
        
        C:\Windows\system32\Gaagcpdl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajokhp32.dll

Filesize
7KB

MD5
676d53ad6a7da6986494608642d15124

SHA1
d99f98b0d3deafc22f111fc24cbf692e16a066e3

SHA256
cfdf92bb40b14f2a4b08de374febfba4e78b65def15cf23dbfe263539b3515c3

SHA512
d7e190977c3acc792f0451c70a99ac976c0119f61923d9a410a562b587055c49e96a35f66866377ee04628f40fda041c5044fe0b436fbb65465b4b308d2614f8

Download Submit
C:\Windows\SysWOW64\Eafkhn32.exe

Filesize
576KB

MD5
c21464884bbfd2ddbfe6c40f0ceb7873

SHA1
850c375e5ac697b378472bc5d63aa2affddd66a3

SHA256
2228b5c8e1508f2b6c4a108e3bada7d21da3614a9785b61b864a75cd2f3e1144

SHA512
b5e023aa39f8a8eabf701f44e8b1bf3e2046fbd9a4be24f2937d2df5cea6e11b972ca33136907996e05e27aa517dd9f412bc3b374b57cc82e0d2d5d58a586214

Download Submit
C:\Windows\SysWOW64\Eemnnn32.exe

Filesize
576KB

MD5
388f291a379eb4257e2da627969c9047

SHA1
c35ee3704e1268a362c6e53945e29dcf089d6e4e

SHA256
52eadd1fc552ec743b47dfd736d284bcc6e5279178c1544fe4f1d19d9be2a16a

SHA512
d467e7a92ffb7fa172737e3dd370116b65fbe186f34f41a53fa2934bcb6962d5c94f4bc4c20cfc41738aa8b3df7895d3a8655e1f0b0e7fb1c73b67120b636504

Download Submit
C:\Windows\SysWOW64\Eeojcmfi.exe

Filesize
576KB

MD5
062de0374fd56eb7e187d8e110383776

SHA1
d25ba3ecd7a1cc1f8e216dc6be6f2dcf136974e6

SHA256
acf4220ba82f6ff708d60b0c59ab49eb16f350acf6cb9df2c84c3616a46ad120

SHA512
8e30fda30306b75d9a9a264590be6b48122fc4054357a4bc5260da7464a21574f16ba2cf19c11d9f8a59a6bb12d6c71d0fe6a7e8ed8b84222a9e340c8925caaf

Download Submit
C:\Windows\SysWOW64\Elkofg32.exe

Filesize
576KB

MD5
7a22cdc3e36d7ae00e813da838b71ff7

SHA1
68d5d0d8c75868dd0eb7d3b2a2bebc4b73e49e00

SHA256
959993c442a28adc6487e1572d1c46e9971de5bdc8fc885cdaa2b9f04ef1159a

SHA512
38c8b409f9ed6ba0c54779428c20fdb9f524e7e1e88ad3c887212506aca795a5cc0924f1dcdfb77d93bde88bec76b5987a7b36cb3dac78ac0c3e158e796e6b12

Download Submit
C:\Windows\SysWOW64\Emaijk32.exe

Filesize
576KB

MD5
e9199f82f103bd6b4dc893d87c41cc87

SHA1
51977a2e405effaf5d94f819ce883fcef7f2fd70

SHA256
a22675aaf98626684ef49d35109905f406f801af082ecc622179f1beb34cdca1

SHA512
5efe7c6c183dfa274eafd8b57813fd1306b8c96c7d3e05b24400f2554da837d74b4177bb2a7848636813eebc1d00bfbcc81325747ecfbbd8dcc985f456e6e8e1

Download Submit
C:\Windows\SysWOW64\Fahhnn32.exe

Filesize
576KB

MD5
7f7c57394c90865bd4a4b13eee4af43c

SHA1
eec69dc78348741daa42f93e5631d26829509328

SHA256
7697ea9e45ff5debbc382d972537337e52b1d780cdb6e8d1b85e439bb0210107

SHA512
f28ad2ed6e05309850243e6b10919bfa6b8460c317feaf611a2de01152dd24c3bd2279627274267be3d07f062e554c45fa090cdc53c40583ff5a6edde45aa4f9

Download Submit
C:\Windows\SysWOW64\Feachqgb.exe

Filesize
576KB

MD5
8d19a6ab26804ffb5319244ebae7bbbd

SHA1
d5157988e99f8319872127e4093bbf507b1aee13

SHA256
bf1e94ef505444c9a5e36349bb38094558804b61d74ad6f0d658b02c817de8c3

SHA512
6d4bdc28e821633035ac2011b2690732635065e827feec40f732c1eb048b637a69a107b4e89a297baeacb21384a59b314c24c6c69129b881baff79ad2ee7768d

Download Submit
C:\Windows\SysWOW64\Fefqdl32.exe

Filesize
576KB

MD5
1fc7ceac011791c308e99216ec0676b4

SHA1
ed7f3babe6bce205d0416771cb9f9bfdc2fb1aaf

SHA256
75df48b8cfdf66042bbb42220f29b90b29ff64f44204600b1be1ca1ec72c3c5f

SHA512
22c705f608bb85b0d5d3baff4b21ed0f900a2657550c235169e72701249965bd616f922fddc3d127d78e3ea0f9e470cce6116d3021530b7dee877505737386ea

Download Submit
C:\Windows\SysWOW64\Fglfgd32.exe

Filesize
576KB

MD5
7f953cf931ffc94a08521a23e8029188

SHA1
16818d5740c36b79b1e1156e614179091bb71a45

SHA256
dbcb5add862931d3f7bdf35f33887b5af0f197e77196a472b10eff09b12050e8

SHA512
a283234f79108a9ef894750fa2dea29b653f78a0697cfcc2065cecaef52393da79862121267d8c9a46237b595c7457dc9e59c0cbc57a7544ead6947840966dc9

Download Submit
C:\Windows\SysWOW64\Fhgifgnb.exe

Filesize
576KB

MD5
4436258edae8751cd4b7a6b3365236b4

SHA1
0cda3cc0aa7d5d334048ce7c98fdb1f8af2e742e

SHA256
b16c0b1c5bf7caae692d2934bde76b3ad6d590513a57079ee43416b94ed50ee1

SHA512
93a1b7a46d9df7c62a894e239bf4e58ac37c0586099739fbf4a466a7a5062cdc6bf0552217ff2060604a69585b26bb70b6914ee368e665090d1662d9306f1061

Download Submit
C:\Windows\SysWOW64\Flnlkgjq.exe

Filesize
576KB

MD5
1303dee4dff0c8b60fdec119542d9de0

SHA1
f71f03f0494bd9d4ffed5c738d4d3b5a8f09f33a

SHA256
f12871c015af24f927e304172e8ad93ba05e823b382d37544380a1d30ef7b18d

SHA512
c9ac27b0685bcf2b7f4bdbc3fc010931497c13dec089330ced010467c1e8146f57483f6135621729659b8eeda0a80491c43c8affa525ed69bb4a6182515f54c6

Download Submit
C:\Windows\SysWOW64\Fmdbnnlj.exe

Filesize
576KB

MD5
adc6acd8271428da2eb135fcd99280c7

SHA1
b387be922ceae481eece38f8a40f21671db17236

SHA256
2de3d4c98f610c5a7514ff923e20e09ca1c75942a4f845fc7c68c50df3c4b812

SHA512
0c2bf335b1a976719f4c1a41c67c726123ca112bc715df61ac00c8a14e07a0a6f608a5e2308005c6faf5ef5a09204bb1b13407c7c2c128f6825022fbb16e452f

Download Submit
C:\Windows\SysWOW64\Fooembgb.exe

Filesize
576KB

MD5
302ebfe3bbfc355d7258883915821044

SHA1
bbcfaf95a2beb8b51d258fdbd002f7f7d985a46e

SHA256
2e2fb431b2b5f297d0aa848d6809de9f0aea7f6b2b62b5fb87b42c06f43adfa6

SHA512
be9e890a3f8f4143a122450487d6da6c05d3055f9a75ddbe26e4af5caf289c37dbb44aa5f07d5628c77736e59e59589fefd3de12e0917c5bc52297dd636aa480

Download Submit
C:\Windows\SysWOW64\Gaagcpdl.exe

Filesize
576KB

MD5
f543c9564ccc986e4fec1c7809694430

SHA1
d2eb3f879bc1fe0f1d4a56e0456df1f985c8a812

SHA256
3f6cf58e0f22b875a1893ccc91ea3e267bf71cf1af4c2934d7a863752d8c3ac2

SHA512
ec3b0d56ed38424fb613a8f569e8921b4e8b0a4f2b5b99b52d216f4ccb25911c2bb84d3d5cf8ea39aa988b0a93254fb15eaf7720d4eb53742d9caf06f36e9be7

Download Submit
C:\Windows\SysWOW64\Gcgqgd32.exe

Filesize
576KB

MD5
405ce1528b1de96965e9c2ec9612864a

SHA1
be9e7556db6381d2a9373d1fe0b2bf5da16163b9

SHA256
d9d12f571bb0a24f5fdf161fbdc9b0b09b1a039a11d59c2a64b763ee1ce49c3e

SHA512
d53aab9f391799aaa44106f643718fdee8e9463d84e8fd0adc996b0f9122e78bacab03e25b378f40e1d1a1417c4ea19c2207639d5b71442679fa7057c764b8f7

Download Submit
C:\Windows\SysWOW64\Gdnfjl32.exe

Filesize
576KB

MD5
91b7336dcc79a513a8705c691dc2b6dd

SHA1
f333cfaaf8a42b0bfd24ea659aafd993d84685ef

SHA256
ad563ab14f25922e6ea6c7c96693db10dd4d52b62d83be2c314e7746826bda7a

SHA512
5efb14db49465d9d0dcc3ef2cf1fb220b095db8fea46eca40b316a7304ca4da51d8e32855171304c5415c72e0134ce6c1599024d32a1d5172d9f9e334aaf3652

Download Submit
C:\Windows\SysWOW64\Gehiioaj.exe

Filesize
576KB

MD5
6605ac4533c99521131b51d7f2cf9421

SHA1
9765e9133c835c7911303edde9022d2868560b26

SHA256
b7d2e10e0b5a5a74101679689d2fa42ea65b034053dd4b872eee5a52d866d361

SHA512
ea51cf743c049d85a5e981c52d32fddbf142b16396354fe99ef9d70859fe1772675fea7c2fc9bf720a39ce2163a483514fd2e543b9cbafa902c83f098c8d1498

Download Submit
C:\Windows\SysWOW64\Giolnomh.exe

Filesize
576KB

MD5
e41912c039d235987774deb3a79dd335

SHA1
0a151696201a20251bfb1238ba2f726e64237cd9

SHA256
c02b875b031834d08b2ad30f0fb0d4b7786b38b0add81e12bd69d4b7899228c4

SHA512
e09573f3e15b0b7fd9a861faad338609217600d58d00842a25aaa0c6b9981bd7ac46598b4e81b9b4070d2ba4bfbbc20956231c19add39f8d76e4ae550f0abfa0

Download Submit
C:\Windows\SysWOW64\Gkcekfad.exe

Filesize
576KB

MD5
9f273ddad58f8c3da2bc8fad36e86467

SHA1
6169eacdf673e2a305387c0318cd8f4de097db3e

SHA256
edb7f9972a44b60d5f69dd47425443101680c3f4ea4b1775f7e1a733aa277d06

SHA512
04a198a7ea99cf3f235e1d9a7d6b080934f9fa694211354c6469515d3d4c05e72f41448a23076d6fc00145f533112a36d20adb603c897f165709e989e69f19af

Download Submit
C:\Windows\SysWOW64\Gojhafnb.exe

Filesize
576KB

MD5
dd91e90dbeafcd0f4712087493452c25

SHA1
d34bb9f42f32491de6215a1e61838d3dda5fc8cc

SHA256
a1ca64708460b666b8d7f7021cbe3bef19a11c20c1f90b226cd8a702b4363e65

SHA512
8cae60952714c58d10f3e2de396cfd19d25fdf659cde1fae53b9d022a12f1749cba89069fcfbf78596675975aeb5158844ac2d7750e45a65e3640da2796a61ee

Download Submit
C:\Windows\SysWOW64\Goqnae32.exe

Filesize
576KB

MD5
5efed08b7a4b06484b2d5c33b8983570

SHA1
0b70fd41e10e80b457733dc8ed4c2eb6379a9f84

SHA256
04a0d7c1c35557557fbf6ae0c0c66a4373ff9973b267dbf90bf30e5c36a84fe8

SHA512
faf587231d16cc550825aebe40db62ea3d89151ec5862491727b941bab1d1706e484f98de964ba9a90d2fbd7cb511847e984baf24beb5f75e56e087a4fdf71e4

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
576KB

MD5
fa996c043c963dac69d3d7137f80edf5

SHA1
036799e539d89c9189267872c4697400f6fdf0cb

SHA256
601eac5ec975e171f574ac89e7fdf2ccbcc998d938de4e02c9f99eb5af2ef090

SHA512
28526382da03294fc66c4c264bd8995b242740008e79026f6737a0d7c6e369383d303e2222c57143063783332eeeb8c6d32f52758cac1d40642e87e78bedb590

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
576KB

MD5
1e24787870556e65990304833390c710

SHA1
55a2bcfc8d9ee2116a39a526351f076fb335743c

SHA256
eed7d5e59fb6709dd42ccb120adeae3f8d3417fa7fbc39e6adff519acea30375

SHA512
6d2da4d0028418e3f33a117193ee3e5201345586eeb91e6df5582550b56d3a22c3852e409fd84446f8c5464a9f5a3626a2e1ab53826ec451f8926ab407e6caaa

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
576KB

MD5
277dc28894bfbba600d50a5cc7ae1064

SHA1
ca33418ecc1e8e43ce5b3e38ad7a1e709ca24471

SHA256
359b258de484060dca654632c91bd12ae4c442b3d227ff2bccbdca3c970a8d07

SHA512
0f0b5667b0fc22e17237bbfb7237e8f3f138f9b61c858e5f85662fb7807329c0e9993591752e8db72e42056605953a19011510d9d607e471e5f18b6d04406c66

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
576KB

MD5
ffd5a25452ff2e9c09a454e698451a1d

SHA1
9956631f8d12e91be860c02c0b219af44cbdc0c0

SHA256
30b0ee4c3637e87f9112b29d2d84cccf716c56cba9024842c98d0f15e0d9c2f8

SHA512
21149eae7e7c73b427085f62a8061cbe4d7dad913000756a7098fcc4e53eec6a79f2a86fe37e2389e48289cd051e7bac5a5b16c5c337a9aff9676e305fab7470

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
576KB

MD5
6df471afdd5c46a06be67a2bb29b331f

SHA1
40f4b39d07ee8a05bd5da49c007246a30b16f2a1

SHA256
7d9a0760ae494467648ddad9aed238c01211ff2e6efd079adc18c2cef55cfb49

SHA512
b79943c467cd01c8508cd344a0142664aa2479714420208e0dae45d808a8829b9a3a333afe485d71400c8e3345814ab4c748c298592a7371640018183898b9e6

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
576KB

MD5
3fd6824fbcb55eb69fb36531f66d200f

SHA1
e3ce53a250eea6196bfb324b6f8b25d486d8b240

SHA256
7ef8053d3a6ebdd6b2bb2f626f35c3598b214acfe9898915888bd1edbc20839a

SHA512
ddaf3296a45144b55d60378acc39521e38e228490a3d1f52ef1e6b2f1e8e908b291224bc44bb76838219b9b954f44cd2b03f97b0f919198a14a2d86724477a69

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
576KB

MD5
63a76508517c9e8e9b4597d5e5063a03

SHA1
3910e78a239468ba39b5af3ed6f4d7946348a77b

SHA256
2bd0f2691887803c7dcc2c29c5c1e66408c9c7359bd18a42d01b61184f42bce3

SHA512
7f47524ba794e44cc52744273ff647af9a0893ddf58c769dfe3177a2d5ef1d221aa86668ef0c5d5bb11818d371c894a38775f500895bc546a085735f6f30abc7

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
576KB

MD5
18972d3e03430779a85fed0026b0cc55

SHA1
ddab39f6ea9f8b44f376bc19d832e9e334d0710f

SHA256
a7c7b109eede36904917513da775be4c3157b384c8a6cf391fbb4422ae2d888e

SHA512
9a7e5336ee55dc36c51687b54001cb9bf43e030eeebe3b172c9dd745bd0a0c9862ecd5d20dfdba2b21a98336e3406ae4d916d3feaa02e9d9fb9fe322347fc7d9

Download Submit
\Windows\SysWOW64\Elibpg32.exe

Filesize
576KB

MD5
30c9706cbc87c4f68fe140c475aae094

SHA1
9a4692b59a09284372794cf73351e95852f24c5e

SHA256
19d946dfd1f0b3802c1228fa042cc713d1df57c6c4c5004f6199a05b2663f5b2

SHA512
6efa48b6706d0ddace2026ee170e1d402d2ccf894072e581bfdf4967ccdf87850c10efbdc0b6f7e1e155e057f5e7cfb6e5a7acee290c480fd6380c1a68726446

Download Submit
\Windows\SysWOW64\Epbbkf32.exe

Filesize
576KB

MD5
965a4691fdfb66af59352fc3549db090

SHA1
15920c9b1f0676259a01ee9856bc1a6f019f581d

SHA256
42845c548626632711efc5c23ec09ece91c44d918f3de001eabc8de5c4458874

SHA512
d93661e68fbc64f5d0e28a3e27fbb9f8e9068fe3a753cb30f25f65941fe072c94d9bffcb6a44c1234acb6f633f76bf1fe263932b279e644447fab5ec2b0939e5

Download Submit
memory/292-120-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/292-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-176-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/320-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-255-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/1092-259-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/1092-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-209-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1128-204-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1260-138-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1260-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-166-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1820-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-317-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1836-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-321-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1848-248-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1848-247-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1848-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-378-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1980-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-233-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1980-237-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1984-290-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/1984-291-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/1984-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-280-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2112-276-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2112-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-269-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2164-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-106-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2348-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-194-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2432-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-306-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2500-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-395-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/2552-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-65-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/2552-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-55-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2580-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-391-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2612-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-365-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-366-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2648-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-7-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2684-379-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2684-41-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2684-36-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2684-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-25-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-367-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-343-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2708-342-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2728-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-390-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2728-392-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2776-332-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-331-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-354-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-92-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2844-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-148-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2996-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-223-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2996-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-224-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads