berbew | c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Size

96KB
MD5

7816d62aaaf9f6fcb635c7405b8044bb
SHA1

c76e7409d9d2105a47accdfe72797e40ec210029
SHA256

c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e
SHA512

a45dac0ee6e163a98cd34e26bf9a70216f044dc630aaae9f4a16a3ce43a1e0287a39163a158b1b130465e9e69acbec585654632f950977ab14cfe258806d46a0
SSDEEP

1536:do0UJAouAvHtjyUShj5g282Li7RZObZUUWaegPYAS:dotK3AvHRGhj5gCiClUUWaef

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpmljan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmjpoci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhpjfoji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikcpmieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeameodq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enokidgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpkckneh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhpjfoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inopce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eedijo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifdjcif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enokidgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efllcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goemhfco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kffpcilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcehkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmknko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkngbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdgkkppm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inopce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikcpmieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcngnob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkngbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jccjln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpkckneh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggcnbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcekbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpmljan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgjdcghp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqdbqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iqdbqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efllcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmjpoci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidkep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggcnbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdilalko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdilalko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkqpfmje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 47 IoCs

pid	Process
2396	Eeameodq.exe
828	Enjand32.exe
2948	Eedijo32.exe
2716	Enokidgl.exe
2780	Enagnc32.exe
2696	Efllcf32.exe
2184	Fdpmljan.exe
2452	Fpgmak32.exe
2748	Fmknko32.exe
972	Fmmjpoci.exe
2096	Fidkep32.exe
2128	Feklja32.exe
1324	Goemhfco.exe
3028	Gdbeqmag.exe
2220	Ggcnbh32.exe
2504	Gpkckneh.exe
2564	Hdilalko.exe
2276	Hifdjcif.exe
1988	Hgjdcghp.exe
1744	Hhkakonn.exe
1616	Hadece32.exe
2124	Hhpjfoji.exe
1972	Hkngbj32.exe
1572	Hdgkkppm.exe
2008	Inopce32.exe
876	Ikcpmieg.exe
324	Ijhmnf32.exe
2344	Idnako32.exe
2052	Iqdbqp32.exe
2888	Ifajif32.exe
2940	Jcekbk32.exe
2856	Jkqpfmje.exe
2724	Jidppaio.exe
2804	Jncenh32.exe
2064	Jkgfgl32.exe
1692	Jccjln32.exe
2560	Knhoig32.exe
1888	Kffpcilf.exe
2952	Kfhmhi32.exe
1652	Kleeqp32.exe
1064	Kpcngnob.exe
2632	Lhnckp32.exe
2492	Lebcdd32.exe
2520	Lhclfphg.exe
1576	Lkcehkeh.exe
2252	Mmgkoe32.exe
776	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
2396	Eeameodq.exe
2396	Eeameodq.exe
828	Enjand32.exe
828	Enjand32.exe
2948	Eedijo32.exe
2948	Eedijo32.exe
2716	Enokidgl.exe
2716	Enokidgl.exe
2780	Enagnc32.exe
2780	Enagnc32.exe
2696	Efllcf32.exe
2696	Efllcf32.exe
2184	Fdpmljan.exe
2184	Fdpmljan.exe
2452	Fpgmak32.exe
2452	Fpgmak32.exe
2748	Fmknko32.exe
2748	Fmknko32.exe
972	Fmmjpoci.exe
972	Fmmjpoci.exe
2096	Fidkep32.exe
2096	Fidkep32.exe
2128	Feklja32.exe
2128	Feklja32.exe
1324	Goemhfco.exe
1324	Goemhfco.exe
3028	Gdbeqmag.exe
3028	Gdbeqmag.exe
2220	Ggcnbh32.exe
2220	Ggcnbh32.exe
2504	Gpkckneh.exe
2504	Gpkckneh.exe
2564	Hdilalko.exe
2564	Hdilalko.exe
2276	Hifdjcif.exe
2276	Hifdjcif.exe
1988	Hgjdcghp.exe
1988	Hgjdcghp.exe
1744	Hhkakonn.exe
1744	Hhkakonn.exe
1616	Hadece32.exe
1616	Hadece32.exe
2124	Hhpjfoji.exe
2124	Hhpjfoji.exe
1972	Hkngbj32.exe
1972	Hkngbj32.exe
1572	Hdgkkppm.exe
1572	Hdgkkppm.exe
2008	Inopce32.exe
2008	Inopce32.exe
876	Ikcpmieg.exe
876	Ikcpmieg.exe
324	Ijhmnf32.exe
324	Ijhmnf32.exe
2344	Idnako32.exe
2344	Idnako32.exe
2052	Iqdbqp32.exe
2052	Iqdbqp32.exe
2888	Ifajif32.exe
2888	Ifajif32.exe
2940	Jcekbk32.exe
2940	Jcekbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fdpmljan.exe	Efllcf32.exe
File created	C:\Windows\SysWOW64\Hlhleh32.dll	Hkngbj32.exe
File created	C:\Windows\SysWOW64\Ifajif32.exe	Iqdbqp32.exe
File created	C:\Windows\SysWOW64\Aceapdem.dll	Kleeqp32.exe
File opened for modification	C:\Windows\SysWOW64\Lhclfphg.exe	Lebcdd32.exe
File opened for modification	C:\Windows\SysWOW64\Eeameodq.exe	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
File opened for modification	C:\Windows\SysWOW64\Goemhfco.exe	Feklja32.exe
File created	C:\Windows\SysWOW64\Jkgfgl32.exe	Jncenh32.exe
File opened for modification	C:\Windows\SysWOW64\Knhoig32.exe	Jccjln32.exe
File opened for modification	C:\Windows\SysWOW64\Kpcngnob.exe	Kleeqp32.exe
File opened for modification	C:\Windows\SysWOW64\Enjand32.exe	Eeameodq.exe
File opened for modification	C:\Windows\SysWOW64\Lhnckp32.exe	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Mhcdfiom.dll	Ifajif32.exe
File opened for modification	C:\Windows\SysWOW64\Feklja32.exe	Fidkep32.exe
File opened for modification	C:\Windows\SysWOW64\Ggcnbh32.exe	Gdbeqmag.exe
File opened for modification	C:\Windows\SysWOW64\Hifdjcif.exe	Hdilalko.exe
File opened for modification	C:\Windows\SysWOW64\Hkngbj32.exe	Hhpjfoji.exe
File created	C:\Windows\SysWOW64\Iqdbqp32.exe	Idnako32.exe
File created	C:\Windows\SysWOW64\Lceodl32.dll	Knhoig32.exe
File created	C:\Windows\SysWOW64\Dmhocf32.dll	Eedijo32.exe
File created	C:\Windows\SysWOW64\Goemhfco.exe	Feklja32.exe
File opened for modification	C:\Windows\SysWOW64\Gdbeqmag.exe	Goemhfco.exe
File created	C:\Windows\SysWOW64\Ggcnbh32.exe	Gdbeqmag.exe
File created	C:\Windows\SysWOW64\Hdilalko.exe	Gpkckneh.exe
File created	C:\Windows\SysWOW64\Mddclbkb.dll	Ijhmnf32.exe
File created	C:\Windows\SysWOW64\Dbfbofjn.dll	Idnako32.exe
File created	C:\Windows\SysWOW64\Jcekbk32.exe	Ifajif32.exe
File opened for modification	C:\Windows\SysWOW64\Kfhmhi32.exe	Kffpcilf.exe
File created	C:\Windows\SysWOW64\Lkcehkeh.exe	Lhclfphg.exe
File created	C:\Windows\SysWOW64\Knhoig32.exe	Jccjln32.exe
File created	C:\Windows\SysWOW64\Gdljncel.dll	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Lebcdd32.exe	Lhnckp32.exe
File created	C:\Windows\SysWOW64\Eedijo32.exe	Enjand32.exe
File created	C:\Windows\SysWOW64\Fpgmak32.exe	Fdpmljan.exe
File created	C:\Windows\SysWOW64\Lkjcqj32.dll	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Gpkckneh.exe	Ggcnbh32.exe
File opened for modification	C:\Windows\SysWOW64\Ikcpmieg.exe	Inopce32.exe
File created	C:\Windows\SysWOW64\Fmmjpoci.exe	Fmknko32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmjpoci.exe	Fmknko32.exe
File created	C:\Windows\SysWOW64\Hifdjcif.exe	Hdilalko.exe
File created	C:\Windows\SysWOW64\Ojbachjd.dll	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Hadece32.exe	Hhkakonn.exe
File opened for modification	C:\Windows\SysWOW64\Jidppaio.exe	Jkqpfmje.exe
File created	C:\Windows\SysWOW64\Kkaick32.dll	Jncenh32.exe
File created	C:\Windows\SysWOW64\Lhclfphg.exe	Lebcdd32.exe
File opened for modification	C:\Windows\SysWOW64\Eedijo32.exe	Enjand32.exe
File created	C:\Windows\SysWOW64\Ppmlkl32.dll	Fdpmljan.exe
File created	C:\Windows\SysWOW64\Fidkep32.exe	Fmmjpoci.exe
File created	C:\Windows\SysWOW64\Fdpmljan.exe	Efllcf32.exe
File opened for modification	C:\Windows\SysWOW64\Gpkckneh.exe	Ggcnbh32.exe
File created	C:\Windows\SysWOW64\Ghliap32.dll	Jidppaio.exe
File created	C:\Windows\SysWOW64\Pcnlbohb.dll	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Epjlaj32.dll	Enjand32.exe
File opened for modification	C:\Windows\SysWOW64\Enagnc32.exe	Enokidgl.exe
File created	C:\Windows\SysWOW64\Hdgkkppm.exe	Hkngbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hdgkkppm.exe	Hkngbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkcehkeh.exe	Lhclfphg.exe
File created	C:\Windows\SysWOW64\Idnako32.exe	Ijhmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Jccjln32.exe	Jkgfgl32.exe
File created	C:\Windows\SysWOW64\Enokidgl.exe	Eedijo32.exe
File created	C:\Windows\SysWOW64\Enagnc32.exe	Enokidgl.exe
File created	C:\Windows\SysWOW64\Lpdabcij.dll	Fidkep32.exe
File created	C:\Windows\SysWOW64\Hhkakonn.exe	Hgjdcghp.exe
File created	C:\Windows\SysWOW64\Ijhmnf32.exe	Ikcpmieg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	776	WerFault.exe	75

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikcpmieg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jncenh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgfgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfhmhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kleeqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhclfphg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmknko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdgkkppm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enagnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgmak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpkckneh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifdjcif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhpjfoji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkngbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijhmnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enokidgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqdbqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpmljan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmmjpoci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhkakonn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inopce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffpcilf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eedijo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjand32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidkep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idnako32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcngnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeameodq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdbeqmag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgjdcghp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadece32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efllcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feklja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goemhfco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkqpfmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidppaio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jccjln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcehkeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmgkoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdilalko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifajif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcekbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggcnbh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigmoadp.dll"	Enokidgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjhlh32.dll"	Hdilalko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hifdjcif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeehobf.dll"	Jcekbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmknko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phooqo32.dll"	Ikcpmieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfbofjn.dll"	Idnako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enokidgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidkep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idnako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hchhlj32.dll"	Iqdbqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll"	Lhnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqdbqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkaick32.dll"	Jncenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneffc32.dll"	Hdgkkppm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcekbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifajif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enjand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enagnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feklja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidppaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jncenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modieece.dll"	Kffpcilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjlaj32.dll"	Enjand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgaahp32.dll"	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgjdcghp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdgkkppm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inopce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enokidgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhkakonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhleh32.dll"	Hkngbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghliap32.dll"	Jidppaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifdjcif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkegf32.dll"	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhclfphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahlejlon.dll"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neicdg32.dll"	Gpkckneh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfdlmpf.dll"	Hifdjcif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidppaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eedijo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhocf32.dll"	Eedijo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggjlfl32.dll"	Efllcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcqj32.dll"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhclfphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmjpoci.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2396	2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe	29
PID 2600 wrote to memory of 2396	2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe	29
PID 2600 wrote to memory of 2396	2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe	29
PID 2600 wrote to memory of 2396	2600	c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe	29
PID 2396 wrote to memory of 828	2396	Eeameodq.exe	30
PID 2396 wrote to memory of 828	2396	Eeameodq.exe	30
PID 2396 wrote to memory of 828	2396	Eeameodq.exe	30
PID 2396 wrote to memory of 828	2396	Eeameodq.exe	30
PID 828 wrote to memory of 2948	828	Enjand32.exe	31
PID 828 wrote to memory of 2948	828	Enjand32.exe	31
PID 828 wrote to memory of 2948	828	Enjand32.exe	31
PID 828 wrote to memory of 2948	828	Enjand32.exe	31
PID 2948 wrote to memory of 2716	2948	Eedijo32.exe	32
PID 2948 wrote to memory of 2716	2948	Eedijo32.exe	32
PID 2948 wrote to memory of 2716	2948	Eedijo32.exe	32
PID 2948 wrote to memory of 2716	2948	Eedijo32.exe	32
PID 2716 wrote to memory of 2780	2716	Enokidgl.exe	33
PID 2716 wrote to memory of 2780	2716	Enokidgl.exe	33
PID 2716 wrote to memory of 2780	2716	Enokidgl.exe	33
PID 2716 wrote to memory of 2780	2716	Enokidgl.exe	33
PID 2780 wrote to memory of 2696	2780	Enagnc32.exe	34
PID 2780 wrote to memory of 2696	2780	Enagnc32.exe	34
PID 2780 wrote to memory of 2696	2780	Enagnc32.exe	34
PID 2780 wrote to memory of 2696	2780	Enagnc32.exe	34
PID 2696 wrote to memory of 2184	2696	Efllcf32.exe	35
PID 2696 wrote to memory of 2184	2696	Efllcf32.exe	35
PID 2696 wrote to memory of 2184	2696	Efllcf32.exe	35
PID 2696 wrote to memory of 2184	2696	Efllcf32.exe	35
PID 2184 wrote to memory of 2452	2184	Fdpmljan.exe	36
PID 2184 wrote to memory of 2452	2184	Fdpmljan.exe	36
PID 2184 wrote to memory of 2452	2184	Fdpmljan.exe	36
PID 2184 wrote to memory of 2452	2184	Fdpmljan.exe	36
PID 2452 wrote to memory of 2748	2452	Fpgmak32.exe	37
PID 2452 wrote to memory of 2748	2452	Fpgmak32.exe	37
PID 2452 wrote to memory of 2748	2452	Fpgmak32.exe	37
PID 2452 wrote to memory of 2748	2452	Fpgmak32.exe	37
PID 2748 wrote to memory of 972	2748	Fmknko32.exe	38
PID 2748 wrote to memory of 972	2748	Fmknko32.exe	38
PID 2748 wrote to memory of 972	2748	Fmknko32.exe	38
PID 2748 wrote to memory of 972	2748	Fmknko32.exe	38
PID 972 wrote to memory of 2096	972	Fmmjpoci.exe	39
PID 972 wrote to memory of 2096	972	Fmmjpoci.exe	39
PID 972 wrote to memory of 2096	972	Fmmjpoci.exe	39
PID 972 wrote to memory of 2096	972	Fmmjpoci.exe	39
PID 2096 wrote to memory of 2128	2096	Fidkep32.exe	40
PID 2096 wrote to memory of 2128	2096	Fidkep32.exe	40
PID 2096 wrote to memory of 2128	2096	Fidkep32.exe	40
PID 2096 wrote to memory of 2128	2096	Fidkep32.exe	40
PID 2128 wrote to memory of 1324	2128	Feklja32.exe	41
PID 2128 wrote to memory of 1324	2128	Feklja32.exe	41
PID 2128 wrote to memory of 1324	2128	Feklja32.exe	41
PID 2128 wrote to memory of 1324	2128	Feklja32.exe	41
PID 1324 wrote to memory of 3028	1324	Goemhfco.exe	42
PID 1324 wrote to memory of 3028	1324	Goemhfco.exe	42
PID 1324 wrote to memory of 3028	1324	Goemhfco.exe	42
PID 1324 wrote to memory of 3028	1324	Goemhfco.exe	42
PID 3028 wrote to memory of 2220	3028	Gdbeqmag.exe	43
PID 3028 wrote to memory of 2220	3028	Gdbeqmag.exe	43
PID 3028 wrote to memory of 2220	3028	Gdbeqmag.exe	43
PID 3028 wrote to memory of 2220	3028	Gdbeqmag.exe	43
PID 2220 wrote to memory of 2504	2220	Ggcnbh32.exe	44
PID 2220 wrote to memory of 2504	2220	Ggcnbh32.exe	44
PID 2220 wrote to memory of 2504	2220	Ggcnbh32.exe	44
PID 2220 wrote to memory of 2504	2220	Ggcnbh32.exe	44

C:\Users\Admin\AppData\Local\Temp\c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe
"C:\Users\Admin\AppData\Local\Temp\c30c0390d11815a8cf9d54cdfcd5c87452ccd0ffea8abe2cc48ecc5ef26c501e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\Eeameodq.exe
  C:\Windows\system32\Eeameodq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\Enjand32.exe
    C:\Windows\system32\Enjand32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\Eedijo32.exe
      C:\Windows\system32\Eedijo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\Enokidgl.exe
        
        C:\Windows\system32\Enokidgl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Enagnc32.exe
        
        C:\Windows\system32\Enagnc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Efllcf32.exe
        
        C:\Windows\system32\Efllcf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Fdpmljan.exe
        
        C:\Windows\system32\Fdpmljan.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Fpgmak32.exe
        
        C:\Windows\system32\Fpgmak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Fmknko32.exe
        
        C:\Windows\system32\Fmknko32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Fmmjpoci.exe
        
        C:\Windows\system32\Fmmjpoci.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Fidkep32.exe
        
        C:\Windows\system32\Fidkep32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Feklja32.exe
        
        C:\Windows\system32\Feklja32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Goemhfco.exe
        
        C:\Windows\system32\Goemhfco.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Gdbeqmag.exe
        
        C:\Windows\system32\Gdbeqmag.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ggcnbh32.exe
        
        C:\Windows\system32\Ggcnbh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Gpkckneh.exe
        
        C:\Windows\system32\Gpkckneh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Hdilalko.exe
        
        C:\Windows\system32\Hdilalko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Hifdjcif.exe
        
        C:\Windows\system32\Hifdjcif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Hgjdcghp.exe
        
        C:\Windows\system32\Hgjdcghp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hhkakonn.exe
        
        C:\Windows\system32\Hhkakonn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Hadece32.exe
        
        C:\Windows\system32\Hadece32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Hhpjfoji.exe
        
        C:\Windows\system32\Hhpjfoji.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Hkngbj32.exe
        
        C:\Windows\system32\Hkngbj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Hdgkkppm.exe
        
        C:\Windows\system32\Hdgkkppm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Inopce32.exe
        
        C:\Windows\system32\Inopce32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ikcpmieg.exe
        
        C:\Windows\system32\Ikcpmieg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ijhmnf32.exe
        
        C:\Windows\system32\Ijhmnf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Idnako32.exe
        
        C:\Windows\system32\Idnako32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Iqdbqp32.exe
        
        C:\Windows\system32\Iqdbqp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ifajif32.exe
        
        C:\Windows\system32\Ifajif32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Jcekbk32.exe
        
        C:\Windows\system32\Jcekbk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Jkqpfmje.exe
        
        C:\Windows\system32\Jkqpfmje.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Jidppaio.exe
        
        C:\Windows\system32\Jidppaio.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Jncenh32.exe
        
        C:\Windows\system32\Jncenh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jkgfgl32.exe
        
        C:\Windows\system32\Jkgfgl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Jccjln32.exe
        
        C:\Windows\system32\Jccjln32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Knhoig32.exe
        
        C:\Windows\system32\Knhoig32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Kffpcilf.exe
        
        C:\Windows\system32\Kffpcilf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Kfhmhi32.exe
        
        C:\Windows\system32\Kfhmhi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Kleeqp32.exe
        
        C:\Windows\system32\Kleeqp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kpcngnob.exe
        
        C:\Windows\system32\Kpcngnob.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Lhnckp32.exe
        
        C:\Windows\system32\Lhnckp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Lebcdd32.exe
        
        C:\Windows\system32\Lebcdd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Lhclfphg.exe
        
        C:\Windows\system32\Lhclfphg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lkcehkeh.exe
        
        C:\Windows\system32\Lkcehkeh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Mmgkoe32.exe
        
        C:\Windows\system32\Mmgkoe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 140
        49⤵
        Program crash
        
        PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eedijo32.exe

Filesize
96KB

MD5
5365f4310a41ce4c561fbc245672443c

SHA1
c55cbe78f99451692f1e5879c32d13d88b7c3410

SHA256
00e6e01a6e2f83402e10b60e70d9f5c33aba9a0e5c3e37de69436c0fb389582a

SHA512
325771bf3e759407fc99d6659fb1e75cfe144903c0c29d5600201170b6a15a720f7b260de82e0a3135f8818ef3643bc5588f634d598476d320aded36f629b69d

Download Submit
C:\Windows\SysWOW64\Hadece32.exe

Filesize
96KB

MD5
118642556d9aa9d82db392b1b9954c8a

SHA1
e748a5f7eb27733bb287f144e2c8d2794bc4282a

SHA256
89bf2ce85230147dee93dce76b2af02c1db0c8ef44d14459b50c18c01fde04a8

SHA512
f17a2dc82a242b8ebb8293d864d7915d76e670dd1bdf6f79d9099370acee785ff2902b7c1fe3514c3687310ca53f6aadaf549059c607b3e0ffbff7da4e1db5a0

Download Submit
C:\Windows\SysWOW64\Hdgkkppm.exe

Filesize
96KB

MD5
b320270db6be91e648b6896b2f377ec6

SHA1
2c977bbb117807635eb70b381e34a2dead5216c0

SHA256
f8b5d7a4f06e654cdc75a0426bccc153bfe3fd871096460d166dfccb8d3c23df

SHA512
be3d8154a75c87f8b763d210f7d58ff62c73c930612fe3b3a189845b81a6ac24a78bc647da66f15fe9c3fa116e160a5df49ddf8754e36f5a2ed135d207d60f22

Download Submit
C:\Windows\SysWOW64\Hdilalko.exe

Filesize
96KB

MD5
7e0325aefc400e429b69752918db2b16

SHA1
121c2cd67ee68aec8104a08bd0fb712c63cfee1d

SHA256
c61e7b0acc93d870f7ea7c90635d4d1eca29b63b4ef9d0784720fd9d537afa7a

SHA512
bc8fe41e993fdd1008685d6f39a927f5b7271a598e3f063f876a83d6b4927a115fe76b19b19ec9f524e009006f8136e0895964b246a2df71871d39c680a3561d

Download Submit
C:\Windows\SysWOW64\Hgjdcghp.exe

Filesize
96KB

MD5
cf8bae9d3d2c47bb4de8fbdc63de21a9

SHA1
bb051de4330415e22d8f8df6ea48da9064f102d7

SHA256
e5046871abbd5f22827b277e2efd54fd09d78afab1ff311a11073856b5c8a72c

SHA512
d320e1f030b7caaa7306d60389c018d61041e80afc6790b5e151931c3e8aaac1923ea164645d21cd8da8c0383defde78d28b8bcb3ee911999c8b5d00a22ac96a

Download Submit
C:\Windows\SysWOW64\Hhkakonn.exe

Filesize
96KB

MD5
089d50326e18a5240487b890970dd084

SHA1
351d8a2c4895e9c051693082f8b7e3f736cc48c1

SHA256
da77673a55c10283e1d01a676a2ba061542c0e079f07a41cc3d67f921c601688

SHA512
19ed9cc3aaeee298269bacbf818a9afcb0d391518a8a6e50fbbc0be67c9de7b996bda2b5e5392383d53dfc2152c8b0328071b81ede2d5ff38c6837b97d5da313

Download Submit
C:\Windows\SysWOW64\Hhpjfoji.exe

Filesize
96KB

MD5
0c2dc1d56cdfdfcccd50d89ce389317d

SHA1
8f16912f198f6900a76398365094fc17255c2be1

SHA256
efafb1f53586a86604db32aeed9bc85eb1029515787ba1ecd1a7fc31089a9ac2

SHA512
efdf726cca457c73de6ae7ec1bbc2a221429c7ae79b40e8ae1b113264b76e0abcaa0c92af16cb0d663a1d26ae959b3824a1b713727b258548b50c16d9da7e3af

Download Submit
C:\Windows\SysWOW64\Hifdjcif.exe

Filesize
96KB

MD5
8d612558d04c62516589fa1780906c02

SHA1
2780ab40597a6b5c1e84e96e2e5d409e91017839

SHA256
edae373926e4d2abe289d8960aaf70ce62fab946ed7b54685377e81b7e2d0372

SHA512
81fb6b1125df0a86e5aace636cd3bd2d1c85070c3118ff1aa8a7c7409b106672cbe536b156dd30a84c3b9cdb63fb499c3b821cf493c50e6f15825be29f553a30

Download Submit
C:\Windows\SysWOW64\Hkngbj32.exe

Filesize
96KB

MD5
68a033e51b07e7c370b61e8c61679ad0

SHA1
f822001b7e9dc5a6382a4557a328ec07956a7988

SHA256
1dfb9ef51690cd3b13ecaef59388a7768ed5687ae19ebf1edf791e5ce7625c44

SHA512
82d268a926c8a1fbf2b9775cfe9a19f3616278ee4aec0ecf3a322ff8806210526beeecd3cbbe4e2aa00abb12a9dbad7ade0617fd0d4e1e196c72a2760d9db8f6

Download Submit
C:\Windows\SysWOW64\Idnako32.exe

Filesize
96KB

MD5
9a119fe7e0e87a740eb4ecde5ac73ad5

SHA1
1b6973c56fec8a8b7c544aa213aac961faf867dd

SHA256
6a0b52293a9f98549a2e643d7913bb8893774d4cc06761787b0f4d783ee9695b

SHA512
420669c0d53e4eec72867345680536ee15f0b4416896ed5dd59c2a5fb009ab0f6a638fb63d23d0ca48f1e56d889a6165dbef0e51e76001cc77ac2f59e42db61c

Download Submit
C:\Windows\SysWOW64\Ifajif32.exe

Filesize
96KB

MD5
f74c1dc84a86a0beb6d2b9d3d62c3ee9

SHA1
7434d6103750a05975a44b27a531b32c6820c590

SHA256
08644dcb590ca0b1c0529c682a503c0533ef3dd17f9ecfbfe63f3cd4a3c56146

SHA512
eca4f7f3ca36a1549b104631efc2320c709f356e746fd7b65bc754cfbb591b22760cfc000b7ecdf9b69b9577588c047c711d7319a6397519daf35486646e86a7

Download Submit
C:\Windows\SysWOW64\Ijhmnf32.exe

Filesize
96KB

MD5
c0844a33866c3724967f2917e7f7db59

SHA1
04eef919c88b9f217bb8934b0f1f9736c4f02867

SHA256
8a04dd91ab4fe85e409979e7e16fac71e62f192546171fa7d7e949aeff17ef4c

SHA512
ad0598f63d8c65f32720f56f8aa9cae94efc4d87ac4b330bd4f7dcd373eaadb5f7409183828e0c470fc7ef797f55c0abe4a55aaec507c3233ab8a64b50804559

Download Submit
C:\Windows\SysWOW64\Ikcpmieg.exe

Filesize
96KB

MD5
ff22555fc57d9249f624b7d7f3e3a6fc

SHA1
599e10ddec671b6f21176cd8e3d0aab046042a55

SHA256
4a82fb3edb2b6d19672b1972d42d8ea1a4cd0e36b5627d06e81a2e2a6787c558

SHA512
df00b7acd2c4556c89cf19d4ec27aa8238e56e9b3e879de0ed7b726eb9ea0f9a81668777c90d3564345bb6d4d0dee9b1c3c078a1c6a2863c74819f8ecd0b885e

Download Submit
C:\Windows\SysWOW64\Inopce32.exe

Filesize
96KB

MD5
5eb7c124c7f956e2d1bacabe4136cb97

SHA1
ddfad818932b9affebdbbb8ba6b01c482ed75ead

SHA256
2ef97861712747a578a25b861ba581ee9bc59dffaa1f1a41b2ba2fb5de98b6a0

SHA512
8ba8759c941f3d01e04ccbab89f311e8c88f982c8d3e4fd3e4f649111548157e2d3e7ebf79cc61f61c68f8c6e14abdf8bf2b406ff83dd42fed8c60ad9b3d222c

Download Submit
C:\Windows\SysWOW64\Iqdbqp32.exe

Filesize
96KB

MD5
24f8ab5d800b633eedd2aa95493bfda7

SHA1
fdc79d3ff3c2968feda78a59bfc49f9198ee7534

SHA256
3cc3ae6514af456f3fedce97ba68c630d4b7d0890da62373b6a0142230f27829

SHA512
fd5bd1fdbbe9963c0205f0d75773fb1867067597cd2086cf293423ca7427066e442168e796cd449c5f9ad742af8d70e85077e198f846632ca710afcbd431a6c9

Download Submit
C:\Windows\SysWOW64\Jccjln32.exe

Filesize
96KB

MD5
e203150cb191ca2e77d48450b64e832c

SHA1
9e704b627b4b25a9c340daad202a256aec12d205

SHA256
f86a7b381984d3b55982e46944f7acbfe543ecf6179cdd543cf06331f5b07a9c

SHA512
7249823f6909c721f213227c76d40950b9066597d7d4cabe9dbe76af3796a73f74ee1a061e286aa09ffab00ffdb60e9dd3730d22fd3ce8653c3780f82b82ec33

Download Submit
C:\Windows\SysWOW64\Jcekbk32.exe

Filesize
96KB

MD5
be6924ec7aa243b3fb86950159f9c947

SHA1
3dace9c5d1da54ced5f9995be9dd9ecab9d407fa

SHA256
a336e9a65bf80da4c2d105ff6f0153fd048cc4bb714a7f2f840301ca0e6a87fb

SHA512
ef963f36102e59a8d0c6d327c43c8be824d7891197365eb2ae218e75e30cc3222f1457a944635ba58da83e2f8475538df97ee5b72fc8aec16f196583836232c4

Download Submit
C:\Windows\SysWOW64\Jidppaio.exe

Filesize
96KB

MD5
35ed1252126909a9d95bca60b2a95ae1

SHA1
53ce53f9b829cf08c6dd420f825bc926e260a3d2

SHA256
0cafff4e62028fd8162e2825ca437c48b41db11f8e3762e2b7eba42fe2c9c71f

SHA512
e7a78d1cd8a9e88e39e10d8460c9e5b6b8372e192662627172b5ee249c17de47aaf49b39d619697d697299e3b5b45e6d7b5c935afd18a1331aa586cf53b23212

Download Submit
C:\Windows\SysWOW64\Jkgfgl32.exe

Filesize
96KB

MD5
dbe5ddfb42135aabd813cfde155e203d

SHA1
645f7e4e8a023d3d92dd145c96ee50a02e157d0c

SHA256
13fed71a6dd70ef184f7195899e8902180470591d1bd0cc7cb6af9d591799402

SHA512
8c6d587551813cb0bddc5a8efca06d2a2ca76237b8451ca41acfd0f9e9da4753b6e40ad38a133551902913e401682a6b8477ac27651b625d34645e31bd123e5f

Download Submit
C:\Windows\SysWOW64\Jkqpfmje.exe

Filesize
96KB

MD5
830ff3fe4f43a74e886265eda8baf653

SHA1
08ace171659715b519a5d9644e570f97462c2c82

SHA256
68f720c43d8b5fa3be270fba86461bce0c444df7bcfb8afaf5a36ef21b8bf00b

SHA512
369b6f32ad906be6a81382aac418090689ced5f71b166d39ba1e4cf27bc4a0b8f31a411603ded8ba6342cf710990b3e31524953f19fbe9887021155b526b4dd3

Download Submit
C:\Windows\SysWOW64\Jncenh32.exe

Filesize
96KB

MD5
7d0af1af49ae46eaa748757e8dfb391d

SHA1
f18c2c56bd906e22c2a505d262ae1ff153d0a4a6

SHA256
c69c7ad499b1200aa226051068cdbb53fcb94c5b26d1f00e74dd99497797c4c1

SHA512
c4ea2d0a6d7eebfb6414cb7cf2e66d2405fb112d03d46f6e927dc3eea94941e710836c1af91b2caeab5ccf9e15ed3e271ec112a3f2620eab716159b02cad3f13

Download Submit
C:\Windows\SysWOW64\Kffpcilf.exe

Filesize
96KB

MD5
b7cf54259e106c584593e885d8f4e899

SHA1
333b8f8b9b15356317c51e79bd9e86c502f6c9e5

SHA256
0936c57ada7ca3a442279c4a4dc1ed833029492e904a87cea3e75ff958312612

SHA512
eeab2c0fefec6ef72e53a1bc16bb2bdad8bcd13f96c02987280f5e32ea01563243ff215a2febbd11f247041189e7aa142fba81c03af4c4b34890f2f4c531d980

Download Submit
C:\Windows\SysWOW64\Kfhmhi32.exe

Filesize
96KB

MD5
874ecb811d9d34369d9e71f209fca473

SHA1
3d09d28930d6153557b44da97b2c0f54c31ff467

SHA256
a9b5a26b02816d7aaa59ee32de73411f73d73bb6c5ce467f8fc375c34881e08e

SHA512
c9d5f49198d8869f8a1bcfd045216bb77a663d5dfa5e674ddbf1c18c0d2c626495981600b73bfebb42e62490afd48b96417128bc459c7b4063fc0e77126bd4b5

Download Submit
C:\Windows\SysWOW64\Kleeqp32.exe

Filesize
96KB

MD5
3d533e98a897b99d2bf13267c4f7c944

SHA1
5258bf81558849751d712c24846cc006364fd533

SHA256
b9414c41c686562ccf495a113645b2808f9b49f99a2d0abb3cdb18159d53b520

SHA512
3cdfc2b267a73846ba39e0306af39b58d562abe647e8e37b988535f3f0371052c8367cd544723b0147c796971d590681f2af3e4d6d6683307fff004c07f98d77

Download Submit
C:\Windows\SysWOW64\Knhoig32.exe

Filesize
96KB

MD5
a72ea94f3d534be6a15c9db413dba4fa

SHA1
937a55720e51cc0184bb3490698f3dfb84d81652

SHA256
88db0c2719c170e581143441869c2e1523277c4d016ba13b46cc498db16a9a3e

SHA512
cf490939b69019763e9d688f18ad0ccb5428a9a1e2582a85eb5ea7cd3a071246d4bec81cf3c8ad7eb6f61a26769e88126a35fccf5089014d2b45d52245868876

Download Submit
C:\Windows\SysWOW64\Kpcngnob.exe

Filesize
96KB

MD5
f3ccd2751dbd262ced287e6dd06e2fb4

SHA1
29a88e3146afcdf0ec684289f7edacc9da5c1bf0

SHA256
70d01975a4af490423f72812f65a19833e2a2f781cc861220c2a99d722e321f2

SHA512
0d36aa9748ddd1997ceaaa45ef1aebc14e97ea3ca54004c96a7c603e4eb1fc92e7d5bf8f75661db1c53e11fbb0d65617b37b20812ea4cf7fc6e31d2e4434a45c

Download Submit
C:\Windows\SysWOW64\Lebcdd32.exe

Filesize
96KB

MD5
df96f9c1479ee6bc64e8d4e5365e79ce

SHA1
35b67576c835fcc81205cd03362ef9e93779d257

SHA256
b9bf1fc4f694a36244aec23266b8e5e9959ddd5de6d29951b23a52ff4778d08b

SHA512
b5e77c6a95228d2ea69e345ceea26ebadf6f6175e2b147da06d349cac10df65c74cca72bbf29f3f225b3fbe0fa2e88ac2217af8ec1bc0b1b002cbc6a5ab2d558

Download Submit
C:\Windows\SysWOW64\Lhclfphg.exe

Filesize
96KB

MD5
9ecb880adeb50dc20463c0148457e92e

SHA1
e354eef169a06d05037d2625389a864f0854ad86

SHA256
d6cf85a23510cd3c597cbf317a426840bf4afef6bc1345050e1a0759abe09524

SHA512
0b31d2b68c2114f654b932477154de6bceef902c044b8ac1ee9855c2ddd561defca1916b94e86db7a7e8b7bacbb8d9d59541264df6e46fd7fd57f2071dab6c01

Download Submit
C:\Windows\SysWOW64\Lhnckp32.exe

Filesize
96KB

MD5
eabf43d726f2ff85aa452cb634e774c5

SHA1
8520dc48bee8c3493d9e8c2af9c5f4697c7a1c88

SHA256
49aa564fbe682f7391c4088e57b4521087d4d7ad8b6b8ae5a8bb3398f77f5110

SHA512
bd39b943d4a82d8f088b5437d816d46394cb2eddeb2df79a517b1c957d15e05c6e2620ef5f2b78134ac32b399232a2d94ee671b79817012b98df0837df6a3af9

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
96KB

MD5
4a8eb69184c06f5efe4b0aff05fd8ca3

SHA1
0a633a80deb7133d668fed0036f960ec771d993f

SHA256
f8566a831c0c9ba560c814658c72db168a81bcabe23a7e9bac877f463535cc62

SHA512
a738f28dc48b8207740a585b9ec52be5356bbb568dc42bb9840f9308e667e7ce36766eff3b4a41b791faeb2feeea7713d7b80d945353bc8d5894a89d2f191d17

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
96KB

MD5
c2dcb0acb50c662514088ba12e2e1eeb

SHA1
12471690baba78494f38bd9d4afaea78d1fad323

SHA256
0857025cd390c2e45cb43edac31c94e6f404fe78a49e1b168d7d77609b4f6cf0

SHA512
633642045144cba539645d6dc52b52e4c9e72d240fc9c60dc7fd73ba23b2ee51f7aad9058f2ce47c88bfb2c5e88e4e7e00382697de01fcd102bbbf059b7b7fd4

Download Submit
C:\Windows\SysWOW64\Mmgkoe32.exe

Filesize
96KB

MD5
3b245bc0cb21c1a33cdc879878dfd83c

SHA1
11352be6e7181ddf110318c6aa5fd8fa4af595f5

SHA256
7b7069149024c761e166933314c938885938e0e380ab8ef39202f6e6d01cbb01

SHA512
e19fdbb01ff387b7116626158854294b0e7d4774edb55b4aa4132625e9b3611dd2893a7506a60a2dd900b299adba71cc57d1bb59cf6ee554c918db5878e7c7a2

Download Submit
\Windows\SysWOW64\Eeameodq.exe

Filesize
96KB

MD5
2c4c61685e50ccbc5956649bebfe1b98

SHA1
41a2d017a4df29a97946f03792c98acb2d0fc83e

SHA256
8d84a6e6a9767e59a192eabe44fbdef4d641abb4252b3af234d81cb969070d90

SHA512
739331f5a2d3077d618065b3b46173efcc04deac61f5902a89e7869bc59bfb28bda39d4075e2aee39374184be65b134d485f48ed0b4a0717845722be82cfb37b

Download Submit
\Windows\SysWOW64\Efllcf32.exe

Filesize
96KB

MD5
51f2e6eb41a97f14a0f49a1e7b0ec2c6

SHA1
953b0c052f696e9624489adc8f021d8dc57e0415

SHA256
5148712cab3acc3c7c8b2cc23e9a00e508f34c165f4f5d48192585601c3034da

SHA512
23cd65c62840bcb72ef20c030079aeacad11d61d03e90c8f9fe22c86cc887b0448aec1b4f75015a10b92b7c8adddeb38156dc748760cba4846a89be261345a12

Download Submit
\Windows\SysWOW64\Enagnc32.exe

Filesize
96KB

MD5
49c51e02a60a720d07caf59fa01ec1fd

SHA1
8bfa3bf16cff155a5ca01fe2e88baec43daf1774

SHA256
593d79d9f3bb52f689f9cf127d53fb7ef73cc9914fd9ffc27d196936670f1de8

SHA512
0d5f057622c32081bd7d4ca03ab4de12f24f43c080675dd92f694ffee420031dae3e7175dba67abc696be2791424b1233543511f122b9b39f86c2d00f3a65a26

Download Submit
\Windows\SysWOW64\Enjand32.exe

Filesize
96KB

MD5
d50b427ffe8d3d36a64dcff966636971

SHA1
f20c45a12463efa69d5da7cd44edbd52519690a8

SHA256
65655ab064337e2136bed937bb45bd7d17fba48dcf664633e53ba70d85f77304

SHA512
0c7614f9b80bdee2585e245cd06639c73fcd23cd23d7ed78d5092f4f7994c6881bf96a26190894a5485f5997188ff7a2b6d32b079fc46f375c299e080e7efb08

Download Submit
\Windows\SysWOW64\Enokidgl.exe

Filesize
96KB

MD5
fcd4a0617d9e56158c8858c5a08f8fef

SHA1
3382691d2fe0d64e64ffd8523d7cbb0fdfd6ed5f

SHA256
ec04ab940ce151ef9f8c0650febe8643d8fc3c7c8fea5122bd606ade83dbb379

SHA512
f62f8816165bbd6fc3ef76cfdb90e7047c2dcf62b66849ddec17c67fc364ad599dafe83b4f5b98ad29e551aafdf6a00b55ad806b8cad32c600a1ba2dc8cce66e

Download Submit
\Windows\SysWOW64\Fdpmljan.exe

Filesize
96KB

MD5
6308085d00d5c233c07d832d37756363

SHA1
a4da403dc9d37579256b29646c7b79dde6b01e7a

SHA256
cfed9717162769dff30bf554c5543cc70de73ecce2d892c672784495e31a0941

SHA512
f92933797b0ede52dd6f117dffdbe9310bd948c611bf4f8632b78926a53213707e809b65a7df3fa70857b10455ac0d46cb7a31316e557fde436a3230224802f2

Download Submit
\Windows\SysWOW64\Feklja32.exe

Filesize
96KB

MD5
ebd89fd2b0ef99bb4f1b681de23ec217

SHA1
7457b412965640d188381652c6fee1073910cb92

SHA256
8958e2581c837ed729594547dcb20d20cf1a4916e4c5c0970bc0efb3baafecdf

SHA512
9410e0e17c8fd14ad96694933f1a16181887f2e9d775a4fd9d29a5ea609c94a2d9a74ee1e516b54978ad468a8a05bbd5a3211007c160798079953dc78d1d159a

Download Submit
\Windows\SysWOW64\Fidkep32.exe

Filesize
96KB

MD5
ff0cfd5da06495da9d0dcf5f3aa5007c

SHA1
ea20fd1ee7b5b48149b4525ab403f4cfce31343d

SHA256
5b6b1844cdddf1c6c020b4539c8ae2838ffbf0b54f99617f674a863ca0ba17fe

SHA512
b8647172e438e192ff1bc4b7f936b96fb7b6ab20d9fd1b9b66b02cdd59c9041d88d8cd01dec511cc6e2523e2830e4a46020da41f08c9c0da3aa52dd9811ef401

Download Submit
\Windows\SysWOW64\Fmknko32.exe

Filesize
96KB

MD5
f63e7665adcf7bd53776e927bab1ed6a

SHA1
cd3fd01c7ac1651165458691f1ac7e2c9b090130

SHA256
b3e17a331e231e19c6b4e5fa01d1d614af47734cd51cea6bbe883b3618a235fa

SHA512
131d955b3f22a79f0509a58a91d20170e7316b5605272066fa5bcfdc13652d5e4d9b1d1dc5f057bf238a6d061a58d539444fc6d33026cd2559d6f3b909964c68

Download Submit
\Windows\SysWOW64\Fmmjpoci.exe

Filesize
96KB

MD5
5d96cce30a55543ebf70aed4ccc4694e

SHA1
323adeb18b6259205184ec18078d09bf2d894b6d

SHA256
f4f26db1f519018dc53770faa3a100a0a38617d534af9a7fafc2c1eef6a8c094

SHA512
f0f00db52c6559179060ec9f908dafec3f9d3b5954ea530e580c1fb600855a791993b119e3fafa99e01e8003399cff15bc512a8d547ee58b3641082c14ca30cc

Download Submit
\Windows\SysWOW64\Fpgmak32.exe

Filesize
96KB

MD5
a867756c0d0261e064a6e82818f646f8

SHA1
d917273e0d8ce29f7583423f323a29feb4350cf5

SHA256
aad0834c56ae1f67d5fea6f8a11a879134fde2fc6756260903e1a2e78585e943

SHA512
54afb5eb4d34026c62820c6168072467773ef4661ca7144f9805ce70fdd398be164feee63c31fba2ab8934f9f30a5ae887d5f21991219ba05a9fdc5b715b88e1

Download Submit
\Windows\SysWOW64\Gdbeqmag.exe

Filesize
96KB

MD5
bdf334284e2494851f7a05617262363c

SHA1
2a6a65e58c4e09ac382a5150a34e60e9e383b391

SHA256
8e63eee6ff002d0690ed01b3f77489f76214ae77d65c3d2d2b4d216d5ec8074d

SHA512
969d0563868311a1631b95444b776bf78fe4def6e7dff51742efc3e895d75068f9ead9eb8a2c8154137cc320e692ae4624619e110b425da4a4e9551effb485f4

Download Submit
\Windows\SysWOW64\Ggcnbh32.exe

Filesize
96KB

MD5
b697e899a48c5ab989ad3a54bc8d3589

SHA1
337dafe385806981bc6181358c5c5b68852bf18c

SHA256
de8d5b6b37430f9d0a658c82c4eddc9c4bfbb2b5cce588c3ac65911413e9009a

SHA512
4230a5e09cb2521ffd24cd5f8f74743d4aa5331c57711475698b13c2bb60e2fc3b10747168b3f0c0ae55538b5b04b9d35e26e10ff36a473571e811532edaecf8

Download Submit
\Windows\SysWOW64\Goemhfco.exe

Filesize
96KB

MD5
93547e77b698a7343a45b68bfee96c5b

SHA1
0f9a90e55e7a328dc67fafc1987e1a41cb66a30a

SHA256
d7a08fb8b6f6bccc2b76cb2acb27568a27915846e8ec1b862591898e05daf2ba

SHA512
a029f720a4ae681ecb406f7b40a00ef04c842b8c66fd5a9efdf479c4937e428f6605b7da222331d7248183a39dff149a1b1dcf8e9bbcebb87251ab4d4ed4c03a

Download Submit
\Windows\SysWOW64\Gpkckneh.exe

Filesize
96KB

MD5
4a028594e1391d072e00cd5ee0c99db1

SHA1
c798a1930020487d4032bf0c849a134fc45471ea

SHA256
11a6053e995aea864ab55b3884a04f397dc7f312a09a2946d298889c7f96bd04

SHA512
0200c72e0749dfc15c5eaba4e033df555ea2c9353cdde03f8a4b7ff27ae09eacebf30a936dd0930fb819de7f0c4ebead5fd5d37c95a2452e3d9a93dfa2c77818

Download Submit
memory/324-332-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/324-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-331-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/828-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-321-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/876-317-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/876-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-142-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/972-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-485-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1064-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-299-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1572-298-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1576-527-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1576-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-474-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1692-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-428-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1744-257-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1744-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-287-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1972-288-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1972-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-306-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2008-310-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2052-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-353-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2064-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-421-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2064-420-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2096-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-172-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2128-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-102-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2184-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-242-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2276-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2396-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-116-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2452-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-502-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2504-220-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2504-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-516-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2560-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-18-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2600-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-17-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2600-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-343-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2632-492-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2632-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-89-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2696-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-63-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2716-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-395-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2724-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-409-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2856-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-383-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2888-363-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2888-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-364-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2940-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-375-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2948-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-54-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2948-49-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2948-387-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2952-464-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2952-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-459-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/3028-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads