berbew | 1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
Size

91KB
MD5

f6b953d3dfa688402a3b8f1696ca4430
SHA1

78e6eb1c7043bbd8b5944900a17031723283ad1a
SHA256

1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241
SHA512

386ee1e41cc9a896e02293350d83065ca7aa2a7dd17a7743df967f884c3cee229c5607c38ef1a311ff3456d46e859e3925f235dc3b95822b997231a53540278a
SSDEEP

1536:DlMpbQi9VECrdmvlLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaadhXd45J:Kpbr9VECrdIlLBsLnVUUHyNwtN4/nEB9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahoodqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iggdmkmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlgmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifajif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcijmhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldpfnij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkjbml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfanjcke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbandfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlncdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kclmbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhnnpolk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igeggkoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbandfkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mikooghn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inffdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iggdmkmn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjjdjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidkep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdilalko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlgmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnpkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkjbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mikooghn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikembicd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inffdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnchg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkihli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdgjpkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhhcdjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfanjcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igeggkoq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhclfphg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjjdjb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
2644	Dcijmhdj.exe
3016	Dopkai32.exe
2540	Dcnchg32.exe
2932	Dkihli32.exe
2860	Enjand32.exe
2972	Enlncdio.exe
2664	Eheblj32.exe
2716	Emdgjpkd.exe
1372	Ejhhcdjm.exe
2984	Fpgmak32.exe
2968	Fdefgimi.exe
2096	Fidkep32.exe
1680	Faopib32.exe
2232	Gledgkfn.exe
2424	Gkjahg32.exe
2636	Gmkjjbhg.exe
2388	Ggcnbh32.exe
1752	Gnocdb32.exe
2032	Hdilalko.exe
1716	Hldpfnij.exe
2536	Hlgmkn32.exe
1520	Hhnnpolk.exe
1792	Hfanjcke.exe
1124	Hahoodqi.exe
696	Igeggkoq.exe
804	Iggdmkmn.exe
1592	Ibmhjc32.exe
3020	Ikembicd.exe
2504	Inffdd32.exe
2884	Ifajif32.exe
2808	Jmnpkp32.exe
2696	Jbkhcg32.exe
2668	Jfhqiegh.exe
2720	Jgljfmkd.exe
2256	Jbandfkj.exe
2412	Jkjbml32.exe
2384	Kgqcam32.exe
1704	Kakdpb32.exe
1300	Kfhmhi32.exe
2360	Kclmbm32.exe
3052	Kpcngnob.exe
460	Lebcdd32.exe
2356	Lhclfphg.exe
2484	Lmpdoffo.exe
2228	Lanmde32.exe
1404	Mapjjdjb.exe
2468	Mikooghn.exe
1580	Mgoohk32.exe
1964	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
2644	Dcijmhdj.exe
2644	Dcijmhdj.exe
3016	Dopkai32.exe
3016	Dopkai32.exe
2540	Dcnchg32.exe
2540	Dcnchg32.exe
2932	Dkihli32.exe
2932	Dkihli32.exe
2860	Enjand32.exe
2860	Enjand32.exe
2972	Enlncdio.exe
2972	Enlncdio.exe
2664	Eheblj32.exe
2664	Eheblj32.exe
2716	Emdgjpkd.exe
2716	Emdgjpkd.exe
1372	Ejhhcdjm.exe
1372	Ejhhcdjm.exe
2984	Fpgmak32.exe
2984	Fpgmak32.exe
2968	Fdefgimi.exe
2968	Fdefgimi.exe
2096	Fidkep32.exe
2096	Fidkep32.exe
1680	Faopib32.exe
1680	Faopib32.exe
2232	Gledgkfn.exe
2232	Gledgkfn.exe
2424	Gkjahg32.exe
2424	Gkjahg32.exe
2636	Gmkjjbhg.exe
2636	Gmkjjbhg.exe
2388	Ggcnbh32.exe
2388	Ggcnbh32.exe
1752	Gnocdb32.exe
1752	Gnocdb32.exe
2032	Hdilalko.exe
2032	Hdilalko.exe
1716	Hldpfnij.exe
1716	Hldpfnij.exe
2536	Hlgmkn32.exe
2536	Hlgmkn32.exe
1520	Hhnnpolk.exe
1520	Hhnnpolk.exe
1792	Hfanjcke.exe
1792	Hfanjcke.exe
1124	Hahoodqi.exe
1124	Hahoodqi.exe
696	Igeggkoq.exe
696	Igeggkoq.exe
804	Iggdmkmn.exe
804	Iggdmkmn.exe
1592	Ibmhjc32.exe
1592	Ibmhjc32.exe
3020	Ikembicd.exe
3020	Ikembicd.exe
2504	Inffdd32.exe
2504	Inffdd32.exe
2884	Ifajif32.exe
2884	Ifajif32.exe
2808	Jmnpkp32.exe
2808	Jmnpkp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gledgkfn.exe	Faopib32.exe
File created	C:\Windows\SysWOW64\Ikgmcnba.dll	Kfhmhi32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgmak32.exe	Ejhhcdjm.exe
File created	C:\Windows\SysWOW64\Faopib32.exe	Fidkep32.exe
File created	C:\Windows\SysWOW64\Jbandfkj.exe	Jgljfmkd.exe
File created	C:\Windows\SysWOW64\Dopkai32.exe	Dcijmhdj.exe
File opened for modification	C:\Windows\SysWOW64\Gnocdb32.exe	Ggcnbh32.exe
File created	C:\Windows\SysWOW64\Kclmbm32.exe	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Oqmfaebe.dll	Dcijmhdj.exe
File opened for modification	C:\Windows\SysWOW64\Fidkep32.exe	Fdefgimi.exe
File opened for modification	C:\Windows\SysWOW64\Ikembicd.exe	Ibmhjc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbandfkj.exe	Jgljfmkd.exe
File opened for modification	C:\Windows\SysWOW64\Lmpdoffo.exe	Lhclfphg.exe
File created	C:\Windows\SysWOW64\Lanmde32.exe	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Komhoebi.dll	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Emdgjpkd.exe	Eheblj32.exe
File opened for modification	C:\Windows\SysWOW64\Faopib32.exe	Fidkep32.exe
File created	C:\Windows\SysWOW64\Dlgind32.dll	Gledgkfn.exe
File opened for modification	C:\Windows\SysWOW64\Iggdmkmn.exe	Igeggkoq.exe
File created	C:\Windows\SysWOW64\Pohpepmf.dll	Ikembicd.exe
File opened for modification	C:\Windows\SysWOW64\Dopkai32.exe	Dcijmhdj.exe
File created	C:\Windows\SysWOW64\Lgaahp32.dll	Gmkjjbhg.exe
File opened for modification	C:\Windows\SysWOW64\Mgoohk32.exe	Mikooghn.exe
File opened for modification	C:\Windows\SysWOW64\Dcijmhdj.exe	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
File created	C:\Windows\SysWOW64\Logaao32.dll	Emdgjpkd.exe
File created	C:\Windows\SysWOW64\Ppmlkl32.dll	Ejhhcdjm.exe
File created	C:\Windows\SysWOW64\Gmkjjbhg.exe	Gkjahg32.exe
File created	C:\Windows\SysWOW64\Pifmaooo.dll	Ggcnbh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnpkp32.exe	Ifajif32.exe
File created	C:\Windows\SysWOW64\Eamqahed.dll	Jfhqiegh.exe
File created	C:\Windows\SysWOW64\Ifdlmglb.dll	Jbandfkj.exe
File opened for modification	C:\Windows\SysWOW64\Ejhhcdjm.exe	Emdgjpkd.exe
File created	C:\Windows\SysWOW64\Ifhgoghp.dll	Hldpfnij.exe
File opened for modification	C:\Windows\SysWOW64\Jgljfmkd.exe	Jfhqiegh.exe
File created	C:\Windows\SysWOW64\Modieece.dll	Kakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Lanmde32.exe	Lmpdoffo.exe
File opened for modification	C:\Windows\SysWOW64\Gkjahg32.exe	Gledgkfn.exe
File created	C:\Windows\SysWOW64\Igeggkoq.exe	Hahoodqi.exe
File opened for modification	C:\Windows\SysWOW64\Igeggkoq.exe	Hahoodqi.exe
File opened for modification	C:\Windows\SysWOW64\Kakdpb32.exe	Kgqcam32.exe
File opened for modification	C:\Windows\SysWOW64\Lhclfphg.exe	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Lelnjj32.dll	Dkihli32.exe
File created	C:\Windows\SysWOW64\Enjand32.exe	Dkihli32.exe
File created	C:\Windows\SysWOW64\Hahoodqi.exe	Hfanjcke.exe
File created	C:\Windows\SysWOW64\Kfhmhi32.exe	Kakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Kclmbm32.exe	Kfhmhi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpcngnob.exe	Kclmbm32.exe
File created	C:\Windows\SysWOW64\Dkihli32.exe	Dcnchg32.exe
File created	C:\Windows\SysWOW64\Hfanjcke.exe	Hhnnpolk.exe
File opened for modification	C:\Windows\SysWOW64\Hfanjcke.exe	Hhnnpolk.exe
File created	C:\Windows\SysWOW64\Gphflo32.dll	Hahoodqi.exe
File created	C:\Windows\SysWOW64\Iggdmkmn.exe	Igeggkoq.exe
File created	C:\Windows\SysWOW64\Inffdd32.exe	Ikembicd.exe
File opened for modification	C:\Windows\SysWOW64\Jfhqiegh.exe	Jbkhcg32.exe
File created	C:\Windows\SysWOW64\Jcgjno32.dll	Kpcngnob.exe
File opened for modification	C:\Windows\SysWOW64\Ggcnbh32.exe	Gmkjjbhg.exe
File opened for modification	C:\Windows\SysWOW64\Mikooghn.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Eheblj32.exe	Enlncdio.exe
File created	C:\Windows\SysWOW64\Fidkep32.exe	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Ibmhjc32.exe	Iggdmkmn.exe
File created	C:\Windows\SysWOW64\Lebcdd32.exe	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Jkjigh32.dll	Enjand32.exe
File created	C:\Windows\SysWOW64\Ifajif32.exe	Inffdd32.exe
File created	C:\Windows\SysWOW64\Ohhmhk32.dll	Hfanjcke.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	1964	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eheblj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidkep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iggdmkmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikembicd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjand32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhhcdjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgmak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlgmkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inffdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhclfphg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcijmhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdefgimi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faopib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmkjjbhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdilalko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hldpfnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhqiegh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgljfmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkjbml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcngnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjjdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdgjpkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnocdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfanjcke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibmhjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmnpkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbkhcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnchg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkjahg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggcnbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhnnpolk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifajif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kclmbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikooghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahoodqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfhmhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpdoffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkihli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlncdio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gledgkfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igeggkoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbandfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgqcam32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll"	Enjand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neicdg32.dll"	Gnocdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamqahed.dll"	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idafbjna.dll"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iggdmkmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcnchg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eheblj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logaao32.dll"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgind32.dll"	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfanjcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hchhlj32.dll"	Inffdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqmfaebe.dll"	Dcijmhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcijmhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifmaooo.dll"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikghe32.dll"	Hdilalko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijgo32.dll"	Hlgmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcchl32.dll"	Ibmhjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbandfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkhcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kclmbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkihli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iociomhg.dll"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hldpfnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhmhk32.dll"	Hfanjcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbqfe32.dll"	Jmnpkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnao32.dll"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpdoffo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcnchg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkihli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgfed32.dll"	Eheblj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inffdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enjand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhhcdjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkjbml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kclmbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahibj32.dll"	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emdgjpkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhhcdjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnocdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikembicd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll"	Ifajif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modieece.dll"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcijmhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emdgjpkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll"	Kgqcam32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2644	2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe	29
PID 2344 wrote to memory of 2644	2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe	29
PID 2344 wrote to memory of 2644	2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe	29
PID 2344 wrote to memory of 2644	2344	1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe	29
PID 2644 wrote to memory of 3016	2644	Dcijmhdj.exe	30
PID 2644 wrote to memory of 3016	2644	Dcijmhdj.exe	30
PID 2644 wrote to memory of 3016	2644	Dcijmhdj.exe	30
PID 2644 wrote to memory of 3016	2644	Dcijmhdj.exe	30
PID 3016 wrote to memory of 2540	3016	Dopkai32.exe	31
PID 3016 wrote to memory of 2540	3016	Dopkai32.exe	31
PID 3016 wrote to memory of 2540	3016	Dopkai32.exe	31
PID 3016 wrote to memory of 2540	3016	Dopkai32.exe	31
PID 2540 wrote to memory of 2932	2540	Dcnchg32.exe	32
PID 2540 wrote to memory of 2932	2540	Dcnchg32.exe	32
PID 2540 wrote to memory of 2932	2540	Dcnchg32.exe	32
PID 2540 wrote to memory of 2932	2540	Dcnchg32.exe	32
PID 2932 wrote to memory of 2860	2932	Dkihli32.exe	33
PID 2932 wrote to memory of 2860	2932	Dkihli32.exe	33
PID 2932 wrote to memory of 2860	2932	Dkihli32.exe	33
PID 2932 wrote to memory of 2860	2932	Dkihli32.exe	33
PID 2860 wrote to memory of 2972	2860	Enjand32.exe	34
PID 2860 wrote to memory of 2972	2860	Enjand32.exe	34
PID 2860 wrote to memory of 2972	2860	Enjand32.exe	34
PID 2860 wrote to memory of 2972	2860	Enjand32.exe	34
PID 2972 wrote to memory of 2664	2972	Enlncdio.exe	35
PID 2972 wrote to memory of 2664	2972	Enlncdio.exe	35
PID 2972 wrote to memory of 2664	2972	Enlncdio.exe	35
PID 2972 wrote to memory of 2664	2972	Enlncdio.exe	35
PID 2664 wrote to memory of 2716	2664	Eheblj32.exe	36
PID 2664 wrote to memory of 2716	2664	Eheblj32.exe	36
PID 2664 wrote to memory of 2716	2664	Eheblj32.exe	36
PID 2664 wrote to memory of 2716	2664	Eheblj32.exe	36
PID 2716 wrote to memory of 1372	2716	Emdgjpkd.exe	37
PID 2716 wrote to memory of 1372	2716	Emdgjpkd.exe	37
PID 2716 wrote to memory of 1372	2716	Emdgjpkd.exe	37
PID 2716 wrote to memory of 1372	2716	Emdgjpkd.exe	37
PID 1372 wrote to memory of 2984	1372	Ejhhcdjm.exe	38
PID 1372 wrote to memory of 2984	1372	Ejhhcdjm.exe	38
PID 1372 wrote to memory of 2984	1372	Ejhhcdjm.exe	38
PID 1372 wrote to memory of 2984	1372	Ejhhcdjm.exe	38
PID 2984 wrote to memory of 2968	2984	Fpgmak32.exe	39
PID 2984 wrote to memory of 2968	2984	Fpgmak32.exe	39
PID 2984 wrote to memory of 2968	2984	Fpgmak32.exe	39
PID 2984 wrote to memory of 2968	2984	Fpgmak32.exe	39
PID 2968 wrote to memory of 2096	2968	Fdefgimi.exe	40
PID 2968 wrote to memory of 2096	2968	Fdefgimi.exe	40
PID 2968 wrote to memory of 2096	2968	Fdefgimi.exe	40
PID 2968 wrote to memory of 2096	2968	Fdefgimi.exe	40
PID 2096 wrote to memory of 1680	2096	Fidkep32.exe	41
PID 2096 wrote to memory of 1680	2096	Fidkep32.exe	41
PID 2096 wrote to memory of 1680	2096	Fidkep32.exe	41
PID 2096 wrote to memory of 1680	2096	Fidkep32.exe	41
PID 1680 wrote to memory of 2232	1680	Faopib32.exe	42
PID 1680 wrote to memory of 2232	1680	Faopib32.exe	42
PID 1680 wrote to memory of 2232	1680	Faopib32.exe	42
PID 1680 wrote to memory of 2232	1680	Faopib32.exe	42
PID 2232 wrote to memory of 2424	2232	Gledgkfn.exe	43
PID 2232 wrote to memory of 2424	2232	Gledgkfn.exe	43
PID 2232 wrote to memory of 2424	2232	Gledgkfn.exe	43
PID 2232 wrote to memory of 2424	2232	Gledgkfn.exe	43
PID 2424 wrote to memory of 2636	2424	Gkjahg32.exe	44
PID 2424 wrote to memory of 2636	2424	Gkjahg32.exe	44
PID 2424 wrote to memory of 2636	2424	Gkjahg32.exe	44
PID 2424 wrote to memory of 2636	2424	Gkjahg32.exe	44

C:\Users\Admin\AppData\Local\Temp\1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe
"C:\Users\Admin\AppData\Local\Temp\1bd16840b19488506af807618bc7b8ee6ab0f4d439861dc125e13a6b0df99241N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\Dcijmhdj.exe
  C:\Windows\system32\Dcijmhdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\Dopkai32.exe
    C:\Windows\system32\Dopkai32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\Dcnchg32.exe
      C:\Windows\system32\Dcnchg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Dkihli32.exe
        
        C:\Windows\system32\Dkihli32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Enjand32.exe
        
        C:\Windows\system32\Enjand32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Enlncdio.exe
        
        C:\Windows\system32\Enlncdio.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Eheblj32.exe
        
        C:\Windows\system32\Eheblj32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Emdgjpkd.exe
        
        C:\Windows\system32\Emdgjpkd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Ejhhcdjm.exe
        
        C:\Windows\system32\Ejhhcdjm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Fpgmak32.exe
        
        C:\Windows\system32\Fpgmak32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Fdefgimi.exe
        
        C:\Windows\system32\Fdefgimi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Fidkep32.exe
        
        C:\Windows\system32\Fidkep32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Faopib32.exe
        
        C:\Windows\system32\Faopib32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Gledgkfn.exe
        
        C:\Windows\system32\Gledgkfn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Gkjahg32.exe
        
        C:\Windows\system32\Gkjahg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Gmkjjbhg.exe
        
        C:\Windows\system32\Gmkjjbhg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ggcnbh32.exe
        
        C:\Windows\system32\Ggcnbh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Gnocdb32.exe
        
        C:\Windows\system32\Gnocdb32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Hdilalko.exe
        
        C:\Windows\system32\Hdilalko.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hldpfnij.exe
        
        C:\Windows\system32\Hldpfnij.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Hlgmkn32.exe
        
        C:\Windows\system32\Hlgmkn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Hhnnpolk.exe
        
        C:\Windows\system32\Hhnnpolk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Hfanjcke.exe
        
        C:\Windows\system32\Hfanjcke.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Hahoodqi.exe
        
        C:\Windows\system32\Hahoodqi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Igeggkoq.exe
        
        C:\Windows\system32\Igeggkoq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Iggdmkmn.exe
        
        C:\Windows\system32\Iggdmkmn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ibmhjc32.exe
        
        C:\Windows\system32\Ibmhjc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ikembicd.exe
        
        C:\Windows\system32\Ikembicd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Inffdd32.exe
        
        C:\Windows\system32\Inffdd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ifajif32.exe
        
        C:\Windows\system32\Ifajif32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jmnpkp32.exe
        
        C:\Windows\system32\Jmnpkp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Jbkhcg32.exe
        
        C:\Windows\system32\Jbkhcg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Jfhqiegh.exe
        
        C:\Windows\system32\Jfhqiegh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jgljfmkd.exe
        
        C:\Windows\system32\Jgljfmkd.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Jbandfkj.exe
        
        C:\Windows\system32\Jbandfkj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Jkjbml32.exe
        
        C:\Windows\system32\Jkjbml32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Kgqcam32.exe
        
        C:\Windows\system32\Kgqcam32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Kfhmhi32.exe
        
        C:\Windows\system32\Kfhmhi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Kclmbm32.exe
        
        C:\Windows\system32\Kclmbm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Kpcngnob.exe
        
        C:\Windows\system32\Kpcngnob.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Lebcdd32.exe
        
        C:\Windows\system32\Lebcdd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Lhclfphg.exe
        
        C:\Windows\system32\Lhclfphg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Lmpdoffo.exe
        
        C:\Windows\system32\Lmpdoffo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Lanmde32.exe
        
        C:\Windows\system32\Lanmde32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Mapjjdjb.exe
        
        C:\Windows\system32\Mapjjdjb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Mikooghn.exe
        
        C:\Windows\system32\Mikooghn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Mgoohk32.exe
        
        C:\Windows\system32\Mgoohk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 140
        51⤵
        Program crash
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcijmhdj.exe

Filesize
91KB

MD5
d455459a2d01602e20347096f00c3f7f

SHA1
e4e29bf796473575f78c4d90018f6ac5f86c1646

SHA256
6390a8a9c958503f2a83ff19fa7ffc9c768487ea6f3ae283beb4f015ae81cf7e

SHA512
307c8aec45f92b623f1a557f02170558594bd22ca38ed3674be356dfa5065b74dc7974807910ed44c3d1697cebac37bc36c5f4a01186476cfa90a0d781dda61f

Download Submit
C:\Windows\SysWOW64\Ggcnbh32.exe

Filesize
91KB

MD5
34b2ffb6ff5295a9c3eca7b4b03ba66b

SHA1
29bb5767609a8b22d473fd98c39664a0ba0b80e2

SHA256
a1c32e0f42d596286af36e81ce5611c7ddf612f54f9ab9bcfb8e2a3cdf9c3a20

SHA512
257c32529c1d2b65b37a39766e7453ffe76cb8a46a09c939af0fc2147b5c84e0aab0c983856dd7ceb2b9e06130301f8cd62b6218c33535b78485a078ed0f6d6f

Download Submit
C:\Windows\SysWOW64\Gnocdb32.exe

Filesize
91KB

MD5
2b1bdfaf8cf24d7c335658ad9b495fc0

SHA1
cf9231fa082361a67f315da04a4f0c67fd3491a3

SHA256
2e386d558a569098e2d065d259a95736ab2b2a3c6083e589412ed1f895629c39

SHA512
6ae7416d00e89488216709c47047acb305682718f5424435fa245d7ed9354ba04ed56979ec75f5f335b54dfc07ae768435d17f757fb1f6975637a759c8a578c2

Download Submit
C:\Windows\SysWOW64\Hahoodqi.exe

Filesize
91KB

MD5
6c34945a3eea9f215505edd165786b3c

SHA1
527733ac92a2c84772a953a7961e99be12a61389

SHA256
af835d3e510775d39f6874e4489c98f44551c9a9aaca02dbfd255e1e81dc0c44

SHA512
fac044d2b896ed1f2590aba5f7e47348284a599d7fc8ec0caf7c9e71eaa87734edd318611b3a839283e759e66110ea572df0d9c085cb5983942f5ebc012a80ad

Download Submit
C:\Windows\SysWOW64\Hdilalko.exe

Filesize
91KB

MD5
ee0dbaf0906ead7f09965724f3f9334d

SHA1
6e981b47a2697d0554b0f82f9b84f1275cae2d74

SHA256
c6c4da4883ab493b3188ef784455689d07c8d93718e1bc65059a3f5da6791979

SHA512
5cfb54a9b95966a6ea77be3d5cda57264b50338be4d0d845f3c098cbc88cdd6c4971d109f060d082dfc9b1e890feec5d5b078e625f65887f5b99cabf584676a0

Download Submit
C:\Windows\SysWOW64\Hfanjcke.exe

Filesize
91KB

MD5
55b2bbaa6b9f2d0511933030d245759e

SHA1
d5654db2d21c8b181044c9bc6d32e2d92e68660c

SHA256
055b70828fe445288253eb62b4a1f09279a3e03f66a2d63b3cf2dfa8cefaed40

SHA512
3cdbdc829fa325dda9f468fb901e6b692a246a560c547a2e0450c17ea1a9b17154f2b9c0e0ee1966f25630f813a67df8efea7dda27f3828d524def169bf97ec8

Download Submit
C:\Windows\SysWOW64\Hhnnpolk.exe

Filesize
91KB

MD5
6aa0960d088331dc30cc6a10d54b25f0

SHA1
61398207e5c3d4226c3a7ab8814c0db8b9774ffb

SHA256
aef2cde1c41d50ebaf8b4aa41895b15e856b7cc16c3f419524a38b34b0528bba

SHA512
ef1e270b389768660853d3df4389f38146d566a37a3621ccf566ec8dd626ddc20c858e82d7644fca881094706954618f44e18b7f6e15437236b978f0c33673f2

Download Submit
C:\Windows\SysWOW64\Hldpfnij.exe

Filesize
91KB

MD5
3b4032d1bafa9189c2623703aebc6a41

SHA1
12293bc4532758a9599e195665f1f1dbed6c3844

SHA256
7dcb9631939f7688e6f53228da87ddfb345eda64a500e5ab6fae9bd504ad4e1d

SHA512
d4ca2a9e63b64a7b92febce5d3c876de3cd615cbff302f74a339adf49761a572dced14b099f93dd0b4a8e70269e7ae103882007a6addb2831d421dba1bd84147

Download Submit
C:\Windows\SysWOW64\Hlgmkn32.exe

Filesize
91KB

MD5
ad16941e99ea7e81b10971f9289335ac

SHA1
468e2ad03332d4aacde5d648a0992e5251a05c92

SHA256
9272954beed8a3b1052c0b4bdf89cf3f7108da6587e7084c27e2d740239d710e

SHA512
e7a0ce0d2a322780911cea9e7a1b5da564f70b151aefaa2032455aa2349f7c78e7c209d66d6ada9505c1c947a2d98af4047556952f5ef7c39da94389cdc8be2b

Download Submit
C:\Windows\SysWOW64\Ibmhjc32.exe

Filesize
91KB

MD5
0fd4fcce6c0d325bc37cfd4059e6af1a

SHA1
8533be4fbd842c8705550d79d0168f546efac5df

SHA256
871f96187eebf0db9086b519898708e3933f73223243a191fa8febfb99e953eb

SHA512
51464d26151a994bfd6821523b9143932e9dbf494b04e899eb90ce5205857a17b2c78eb636f743be1837fbf0e9832d5a703c7ef3a902f6a087f44225707b33f3

Download Submit
C:\Windows\SysWOW64\Ifajif32.exe

Filesize
91KB

MD5
615e2a5e1db81661dd6fd4416bd98016

SHA1
6e0421039c6116f59c895d5878dd935ed9dde31b

SHA256
7165a4dee73155203f195160f8505716fcce9215dc752b436084b664132fdae1

SHA512
dfa7cabdf24aa103e4c6d31eafcd6eea0f42db277306de603e6da0d475ec9f1e058d53faeecfa96c2fc0da1b62a3617e35c5f9ae0bf733d4f684e7897326da69

Download Submit
C:\Windows\SysWOW64\Igeggkoq.exe

Filesize
91KB

MD5
ff2a087bd6911c2c6be0a415f4cd4bda

SHA1
bb8c2c620e666610ea7cc6aa2ff7a5f08062d613

SHA256
723f349733e6cb7851b1b2b847186aaa365e6fd3c15ab11022655ad8167e288c

SHA512
2bc445f1ab32db4f3b1b4dc0915e7922482bde829fbcc7a17c0e9451c077bd2bfbb4aec799e7cf6bcec0925767b1f853aefe6686e21937caf6ba00821df5bb04

Download Submit
C:\Windows\SysWOW64\Iggdmkmn.exe

Filesize
91KB

MD5
615acdc778890624436c339e494429b1

SHA1
d3a65dfa265520433cac223e81bb37388111e823

SHA256
efda4acfee01396f0fdc1c318277f52c551121cfd613e990aeae52c82af81157

SHA512
2d7eb5bb2ed926b008e1b28d751975e610d91cc485e0590cc7d26d3145552126ab59d2b8096ec8bd639ebede831293d27d7fa859759e02441b8e2cbf90d586ff

Download Submit
C:\Windows\SysWOW64\Ikembicd.exe

Filesize
91KB

MD5
425166996b7036a383a7e901f2ce12dd

SHA1
e6fa8f6c707fc43ecbc6ae1655991a20e2f8db8e

SHA256
a6740ad814bf2177e113b4a531b5626eaaaf2fb0477908d87af32e4e43b57e38

SHA512
fb888cb2f1ab543ae09d7ef7d4b0dad02b91bd1867bbcb401b4d4a800f05eb771dad853559d2e0a686ea312525c9b8cbe0f1dc95b09fb1d492f50de43ccba65d

Download Submit
C:\Windows\SysWOW64\Inffdd32.exe

Filesize
91KB

MD5
ffc9ba69d41f26b7aca5ce5763e6b565

SHA1
0f1c168139854a73f1a2072c0911b675fe20719b

SHA256
8e447657cc2187e5a59c01ca7073efc5434c1f9ef07a74937e6ee5acfe3b88d5

SHA512
bfedfe995cdfbd4abde60769668b2e644ea3b0dc984981f6646ce1d30ba645233735f3668c1f5240649038b46f21889cde03daee9ac9c9bd9fa761417c11f9ad

Download Submit
C:\Windows\SysWOW64\Jbandfkj.exe

Filesize
91KB

MD5
f66bc39687ad93c1b83b29f642d8bc8a

SHA1
ed3e0cd60a81280db462088c1543415ffa513bc0

SHA256
b5981f9a61719d7bd239eaed2da522838f96a3a60ba19a4063c6d5dcd23d8c85

SHA512
fe3b6a082600fb2a641af561247cf98cff654821ade7f04adc22de76e4435a3def19716a7871ca4d398a87cf59786536f5392e1616742392a957ee357c4dad71

Download Submit
C:\Windows\SysWOW64\Jbkhcg32.exe

Filesize
91KB

MD5
dc85909d965735fd40a2ee73c7bbc0b8

SHA1
d60474d827c15f720e3cfa88aaf26273617e722f

SHA256
3f31810ed501d0af195a26acf05261b8dd3df0c53115547452490b744ea00385

SHA512
ea5ea7d13cda5cb5194091e54a19c6081eabb3b7dc5f9048635f0fc9c5eb57565e447dac7c8b25dc129c019a7252a0d32e8288a2901a82f9078a2dafbf720662

Download Submit
C:\Windows\SysWOW64\Jfhqiegh.exe

Filesize
91KB

MD5
4a0a4c9c31ef1a4ca623687cffe3dfee

SHA1
cfb2da57f8f933fa0abff1b5a6c48b7a8385c5e8

SHA256
b0fffc5f06229b6b4d332314ae65881884a68c83bb77abf1998f0315f5b9a493

SHA512
96a329a378a8788ffcc8fcc17a83fea206560ef5d266d1cd75026661ed817e6bd97f430de6d8b821855f0268da9cadeec97e8f01ba341582e8cef3bee5432683

Download Submit
C:\Windows\SysWOW64\Jgljfmkd.exe

Filesize
91KB

MD5
17aabb97f4e92183b94b91d7a64ff104

SHA1
555fd0f7b09f48481d9cf2166dcdfc987891585c

SHA256
9e6c397827696ab09b7db1e42247ba1b6b973aa67bdf54571591bef6130d0a9a

SHA512
6fc08fb59b2b5d3c4a2a28453f0c0a441d2a54b5b452d30c48bcad31c5b48703e4675892ec0dcfe707455b9a29ccdb0a1822ce71418108e90c06b02aec4aab52

Download Submit
C:\Windows\SysWOW64\Jkjbml32.exe

Filesize
91KB

MD5
3bcd84084a3e520a2d378f7042233081

SHA1
8e1cb9e689f2087effd74b3092ba6621c5d0fbb8

SHA256
b635031558b810671beb391488153045616df2c403979d5c3735a819aa854cd4

SHA512
4304c332cce8175820c2f5b15ea5c5034f16ac83434959b3405fe6bdf3a991d4f69ea80706f44aa955668d7c04d86db2dae175ea2df2aa9a7605b2e455b698f4

Download Submit
C:\Windows\SysWOW64\Jmnpkp32.exe

Filesize
91KB

MD5
760829b7b002391d19b5eb6514084909

SHA1
8c0dfa83b181bbbca8c284a87e99865d8650872c

SHA256
954e99e1481e0de35d9ec8ed4ea7f9dfef0948584e6b9b7cd16bdbd421518a5e

SHA512
aea16ce92de8e04bb5b6e446d0cc0c59e8d2d5f859c6ea55d87d53710025f9b42c96168d1ecd0e82d8c143c8658099be4d87e2be02c3471a92132f14d7262959

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
91KB

MD5
bf2bf24a39c3cc7dfbf5293338111209

SHA1
ce7a10bce1f404c6df7f35947fd0eed2023f4757

SHA256
2dfca48283f643136bd9fc218a969d4dcbd55def9562c0e0b92d69fbd1f2e1fd

SHA512
312b994cf122decdffcaf9611eb8aa00793188d5e15727d45886fe39eac2d95f8f0736788245e4342eb129c1c35e914fc86345a89dda3c30ef56cfd077284811

Download Submit
C:\Windows\SysWOW64\Kclmbm32.exe

Filesize
91KB

MD5
7059d18aceda6509ec44506bcb245c9a

SHA1
fe8453442fd536c4d1eda1b0f1042ebc35558e29

SHA256
e7e793505ec964aa806da5b47c2a9622f72a5e28e8fecb266079d84fcc463891

SHA512
1b63a51c4591bebd155665dbd7f795ca34bd9d7b30ec99a0537ebc204bc44f9902c2cc6967fed2be462842bbd3db658dcf7d2a5184524a3165b24eca49c304cf

Download Submit
C:\Windows\SysWOW64\Kfhmhi32.exe

Filesize
91KB

MD5
91d681fe5734b7bafce90160dc892425

SHA1
4fc320b5c51c4575770a5c23a737452befdd4391

SHA256
ebede19443eb3e5e3c9014dbdaecedfb65674f2df9234adccc8a97a86705f23a

SHA512
25b233269e41a0c46986c26048ba0b8d104a534b137fbab1114f2cc2992c61fff256e344a3e8f6a2ed86c98374cf8defc33ed4f62138c936e572324742e11414

Download Submit
C:\Windows\SysWOW64\Kgqcam32.exe

Filesize
91KB

MD5
f728bb9fddc0874fb8422440fe29131a

SHA1
8120e3e15ddf908fb4abc1aec2bfebb1bac5609a

SHA256
fa2f24dfdc49ad56035e68a617ff064d95ee0326955570a46a80e2322d0bf654

SHA512
294d6ed5043f40ab9f807fac6f30b755ce702a60c7bf64c22d629237464579d60a707673bf59c8b9e56202ce38e8b0b67d7cd11571763fa58d543f76d57588e5

Download Submit
C:\Windows\SysWOW64\Kpcngnob.exe

Filesize
91KB

MD5
920f5e01688ba0de1d75af355a033d34

SHA1
bd790bb6134cec30a06850c31be595886cde2bc0

SHA256
2c41ce48429ec5d03dd4934ee4bdf3d67e6872b8ffbbbd906711aec8a612efc9

SHA512
16878e3e096c845227d5ff8b1c7ed17216a2575cb88e7c7b9c31b3063bb75d04ef94bf2f5a4f3ee236195bebe25e98ab8c131dbcfb20eeee674655143122074a

Download Submit
C:\Windows\SysWOW64\Lanmde32.exe

Filesize
91KB

MD5
50ff0da9e047b0e752c0facbbeef23c7

SHA1
9cd3a959f1314c1e91e991ffe97b224c745b3983

SHA256
bdc522e9ce5c83501dc624238d57540242bf09cfb18fef950f3938c2627ec631

SHA512
ae28627d033c2dc461918ee7a62b7c5b0b3540e246abc75adf1802d2470a49a723fc2adbd3ce5551786c8cfae394f2c8e0b3d2b1e70d3cd5e7f21d9d72487cdb

Download Submit
C:\Windows\SysWOW64\Lebcdd32.exe

Filesize
91KB

MD5
e0826e911d7e3244814d18b3cfc860d1

SHA1
d034351778c8f31086d63ed39aff1f216e2f7712

SHA256
86f601cb6d0351dfa32065a2ad1c37354b07cb23c6c2c956212a9351d592bd37

SHA512
839c078026221c5846c73ece4cb4ec1bc762343ac6f8d904a06106fa97e12a5eb5224779a054372b62ce21833e039214098f4496f6394cbfa7097eda5310f665

Download Submit
C:\Windows\SysWOW64\Lhclfphg.exe

Filesize
91KB

MD5
e7c73886e3ec0304b7103f80cf1d84b6

SHA1
9e2de26e98f3ced2133b83e717012d4f4db67270

SHA256
f900ed4bae24049743a71ecb07507b7527673d1a2a2c5e9ec1edb20070cd912e

SHA512
d20c1a68cfd0e9db3f9d2f985b04d4d5eec7e912314e7e0518f9fe2791966ecf7b720137ec980dc6af25a82d84ae19a9784186a760042cae1646d77eaca8543e

Download Submit
C:\Windows\SysWOW64\Lmpdoffo.exe

Filesize
91KB

MD5
da460049527a3b65cbaf6673169ed6e1

SHA1
9b349fa44641d016a7654d82a1a732eb1b8da13e

SHA256
a701fbb2cddf6de72085d977389977ebd4f0604a6a7a52267d1e2d412d04a394

SHA512
2dbd0b5367ec293bb9af03e441e9cbb7cbc69dd495ec3e79bbe3d73a0f52116055e9bb928a44fb68615ee4ddc98067bc3290f5cbfafc71210429e799cf4a2aa7

Download Submit
C:\Windows\SysWOW64\Mapjjdjb.exe

Filesize
91KB

MD5
c843be8867dce6b87c78fade30cc11d0

SHA1
86094bf9b5fdda09afe2d42bd94e1cdd0df360d9

SHA256
80eb264c54bf2bf91f9f731f5cae9c3b389328b9d99dd16281a683d09c09d5f3

SHA512
4c92cc60b7c5cf7322b7540ff5aa777b90368840009cf751f25520079e36aeb40374321d2deffd55582102b1ff46cb35d5be574afd668c7606350a884a46c1b2

Download Submit
C:\Windows\SysWOW64\Mgoohk32.exe

Filesize
91KB

MD5
df1f0f8e7736c09c4036d272e683d8a7

SHA1
b9e90cc97591cbbfe089ba6b2cb29d919a420592

SHA256
82420243a368704a60f53d06c6f44482c6dde8d881c47e55cc85e96d720e07ac

SHA512
d6d356bd6bcfeadbe327f2cb32704753675c4e2b62ec285971b70176901b7f326d6399c6bbcbd2d43c02bd5e1fccb7d608f69bf672fddf57b2d3a0effc759faa

Download Submit
C:\Windows\SysWOW64\Mikooghn.exe

Filesize
91KB

MD5
7b3da72619156024d556691cc3fba31b

SHA1
7db625b1cd87cd63613b336684aa7afdf187907e

SHA256
d921d48a266485a8a94693b61d4e608b94ce00f20af37276edfe112d76b517e4

SHA512
48a3573cf11a05c8d76dd0fe11900a0e732c11f6a4a29aa488aadcae7ea2e4d8f624e517aa13e0daf160aa326bbe61af60ec6dbd75a752a46108a485d8d63ab9

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
91KB

MD5
087a9d3c63451f3d03d3e1fa3a01e4cb

SHA1
239baa8120422ecb094d13e35deb505a0d5e89e5

SHA256
dd55d83d3715e1d50ee95eb0bec4f509fbfa9bf74559df0535b5fc2bdcc4fa87

SHA512
3047e4432d67d4827286ec3e19bb0ca6c1ac3e676725781375dfe6da768be121d149af70a894b6a54bb6e8c4c723fdbff76f35bd3b859526a892174e5bfdfa98

Download Submit
\Windows\SysWOW64\Dcnchg32.exe

Filesize
91KB

MD5
6a28b0d2601a4e014e1f0b67fe53d094

SHA1
84fb4fd0674240bbdd7828527c45c9c9d95a125f

SHA256
d1783508867acade2aae4d8910e79cf6c27d7e85326b2974c67a2c983b6e8a5e

SHA512
9de735d6c0dd4f207b0353b05f0884cb8d8c02248b900f6a74cf192b372a31dfac6ee657aa64b2867a72c9ace95862d35ee72394180879cc796982a8b09b4feb

Download Submit
\Windows\SysWOW64\Dkihli32.exe

Filesize
91KB

MD5
36d06eddba265eeb227d11a007af2aa3

SHA1
66ad5a6481e9165907a035175fe7870429202d07

SHA256
92766888d2db669864e84ebf5c3a6d65a9acf3917d7fd70aa367fc0aa042ecb4

SHA512
4cb31fc67e6b718872e8563ff2312e072e8c99c753c7074bd596d185a7b4b0cd42a68ddc98a00d00346b855f85ddb66847403ef542ca1cf7accaddab9f4a9a00

Download Submit
\Windows\SysWOW64\Dopkai32.exe

Filesize
91KB

MD5
2b3458dcde83e03869da832d9ccc5334

SHA1
8e9b332f40dd236644a070b4f43be09c034ac95e

SHA256
71ae97c3472cda0215ecd5c09b166e3be050122599ce9caf89d29560a9c496d1

SHA512
e6d13b31e0ca7c149580b0f0b8cf65c3c6efde591214404faab93d72c1b07cf5602e6f0a84bdce7c0f2cd70189af4676b7d8da06b6874852e06f4f5128849b0b

Download Submit
\Windows\SysWOW64\Eheblj32.exe

Filesize
91KB

MD5
8d3f739e14c4c5b3f5333db3a6e55fe2

SHA1
f1beff5b6389ffa425ab901991de9554febb0fde

SHA256
60b3e691e165070be0e7612aa8953e57997262486825b0d0c169efa16937c9d5

SHA512
91e70a8da7c5bba7699bd816a7113d0cebcdd5013db3a07004d24f0bd0093042e57ab10840bf577435d1df46e0497fa3c386631742f843e43cbbe15845de3593

Download Submit
\Windows\SysWOW64\Ejhhcdjm.exe

Filesize
91KB

MD5
e4ce4894f08784529c27c60d9b2d19f5

SHA1
2d770b33296d0f2880fd4af36f5ab68a5084b0b4

SHA256
976c411e095d8f941858d1c365177dfdba08543de2a56bbfcd897f57a983fa87

SHA512
386606cb0361e817983669bdbcfdd0d93253e5a85cffeab2050901ad01f4213ce2f6bffe6ca79caccb0e143394a540cc88b027a10918d863415a6fbd9ac9bbf5

Download Submit
\Windows\SysWOW64\Emdgjpkd.exe

Filesize
91KB

MD5
53a432c6022fbad29b98b637f7931bc3

SHA1
729d53c5d0a1afceea419e21d5fbfe2dab6b4ea6

SHA256
4d9a89f743a97ac1771f44592db10db7e9f522deb6431ca582bd8d169447da6d

SHA512
58423e8ca4a0dc67a7150d18d451d671c7f7832a2632efab8d52cc68260a1384ab396271f296d95540a558daa99ef7b8c1556d7fddda332e4d68d245e9ad74d4

Download Submit
\Windows\SysWOW64\Enjand32.exe

Filesize
91KB

MD5
ebdd195a15325391d75d575edb53c7d1

SHA1
c8f33c03b915a7d3dc82daf58d17bde5ac2cb3ad

SHA256
b377bb4c279044bf87dc55ccf4e9dc447e5189e2eb9a6314e6bb0bd630de7f27

SHA512
8f3ce4bf151a81838afb4c0e16059cec537b990be11a028e705e29e6eda18d0c183172bd5e943a2581e6870a9bb82b441a0b52e58823203a00c810735b305b36

Download Submit
\Windows\SysWOW64\Enlncdio.exe

Filesize
91KB

MD5
dca985d16d5742b1fc0db29e2f21bfe1

SHA1
94e525308b7b82c2c130c7cd53c181bc80c2bf7f

SHA256
5e3726e12c32131967797631f33cee4b6d293ccbd04e3d31b898f1ae8acef099

SHA512
ea9cf735c20b3967f33fe73d3f5f0482c7e43997879c99026867666b4785245ad702f7e90b38830ed33e95f056650fc9d556d849b494678622c64718b6a8c883

Download Submit
\Windows\SysWOW64\Faopib32.exe

Filesize
91KB

MD5
dc4b645accc764dada47c5a4755b5a13

SHA1
9b98f343acb6c84754742f4ac637a02f629e81ea

SHA256
564d4541588c67a3bf3dd562bd26b551c77e02db505652f395c611ceb8b31fc6

SHA512
f3ffd8e34d8564c67efb7bf05a23c3ee18cee0deacca8e3e291bda55d4f2156509bdda637444e26d7be6dd7e5cd56dd18de127b0045e8f52ca2c17bc8a00b669

Download Submit
\Windows\SysWOW64\Fdefgimi.exe

Filesize
91KB

MD5
de0afbfd6a21b95b4065bd4dcb8c3aad

SHA1
69a0d2e0e4d083919217c629e3f46865d29bf2bd

SHA256
2d85b1c5c813179fc1382324d1729e192999a99175e201902b6f47c9a689f83b

SHA512
75215ae4ef0206e9545110c0b87533e2b2ea332f002054ae72d7f5003154fb0fbc8007feec2e91041bbdc93987f7777e53108191f13daaf7a2edc282aaea0710

Download Submit
\Windows\SysWOW64\Fidkep32.exe

Filesize
91KB

MD5
eda49d23eab99f650bf880dd6318190c

SHA1
52471f414387ad32e756652e2ebcf229307a9908

SHA256
a8c4977265a1705501a89d981005e4e0f69e681514559b4b8816987e7bb0b813

SHA512
3576d4f31138e9d06f854ff15ce509db71ed022ef0f7b7a81359a6cdfc860e071dc30538fc7419cde9f9c3f8b12f5625665d98c390e5706bc6ce533d4b566de7

Download Submit
\Windows\SysWOW64\Fpgmak32.exe

Filesize
91KB

MD5
4b784211227884c21e5c4aef9be7a8b6

SHA1
816f4f15f4a3170010b0da6a51e602f256cc7e2c

SHA256
8483708d66cc0d34f8005362eb812ca336a7cfacfe666fb5bd2d8928d0bcd24d

SHA512
d89c55d9021ba589294cd6331776103d376aea9565786b885367f1c6e88bca089e4e412793e6c978b9a89364b6e658dabcdbae24208330ce73663a839fe68e32

Download Submit
\Windows\SysWOW64\Gkjahg32.exe

Filesize
91KB

MD5
d116dbfda0d6c2da6c6e97a0cf2ef472

SHA1
b3d35fed6847616ad8a96f242a18e9cfca25eadb

SHA256
ee7b5e8d50a5a5325f487c91a1fba6165d0d727d77f0fd95e2e0db2d17166fb8

SHA512
e2754e0c906b5da75b9429daf3ec842fff733d891b036fb07ee792f5edf767d2ef2d73e7959800fce5a8eed0134c30bcec9fb3fd795be8e43831b2a3aa7e81a6

Download Submit
\Windows\SysWOW64\Gledgkfn.exe

Filesize
91KB

MD5
ec9fe7da061866ca63694d0d799533ec

SHA1
1889b892de463ae3599751ea0d306ede2139013a

SHA256
eb767441e39229657358c4170ae89b2f11857f888fcfcf4833ef138d36bb6c9e

SHA512
7d3bdcba6f78795bfab0d1b9d9af227cdfab1ef63bec2bd41fc2df8b301bc9d4f748a766a55b18aea55a944fa398dc681ffc04f65261bdcda0af317140b74a77

Download Submit
\Windows\SysWOW64\Gmkjjbhg.exe

Filesize
91KB

MD5
3bd53ab15e65237773b1509ad07ed492

SHA1
7b0f7f7eecee790b782804fb41122133714e4bcf

SHA256
68c61b2f9302044c28fa24b3c92b3b132767457525d5191940ca5e53f84bef46

SHA512
406dca49cdcb9e9360f6d4940f36ca87b3e9bc77dcec5d13132530299f274ec9ea8f2b1f9dea006ad2c0728ffb53e9e829dd1fb0ac4174413711af27d8ae492a

Download Submit
memory/460-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/460-494-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/460-493-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/696-307-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/696-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-308-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/804-318-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/804-321-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/804-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-297-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1124-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-296-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1300-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-457-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1372-126-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1372-470-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1372-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-326-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1592-330-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1680-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-179-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1680-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-239-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1792-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-248-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2096-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-527-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2228-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-198-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2256-423-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2256-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-421-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2344-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-349-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2344-11-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2344-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2356-506-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2356-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-471-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2360-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-429-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2424-212-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2424-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-513-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2504-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-353-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2536-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-266-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2540-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-48-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2636-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-22-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2644-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-101-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/2664-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-395-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2696-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-381-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2716-114-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2716-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-405-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2720-411-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2808-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-74-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2884-364-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2884-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-61-0x00000000002A0000-0x00000000002CF000-memory.dmp

Filesize
188KB

Download
memory/2968-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-144-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2984-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-340-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3020-341-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3052-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-482-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads