berbew | 6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bd

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
Size

265KB
MD5

a7ab27b5630ebd4df0d3113710184e90
SHA1

f07389eb213e9f5c11bd55fb40c68121ffb85294
SHA256

6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bd
SHA512

14d3aafe6107174dd1595af2748d76326c7c271f57c45d09397b70d20dc718153d01c093cd50395166eb54d4336e184beca2bf44814894a6a6be7f66cfb91b0d
SSDEEP

6144:DThPw3VgZvhEFM6234lKm3pT11Tgkz1581hWF:+IWFB24lzx1skz15LF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbiggof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkiiom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjqdjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgndnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dflpdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebhjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmlofhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmceomm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akpmhdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlofhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeokdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aogpmcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkphmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciiccbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bglghdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eapcjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fianpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeholco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflidmic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkphmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeameodq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gocpcfeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkigbef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lelmei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aahhoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafpjljk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qechqj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfganb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aahhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpkaai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noighakn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noighakn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbbbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clbbfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lelmei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moikinib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adkbgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqajqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfganb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkbgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeameodq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eapcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiafff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moikinib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nflidmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbjchfaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeokdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gadidabc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpmhgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpmhgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pafpjljk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgndnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqknqleg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmdkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmdkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebhjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqajqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qechqj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogpmcmb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
1508	Jlkigbef.exe
2908	Kiojqfdp.exe
2880	Kiafff32.exe
3060	Kkiiom32.exe
2776	Lmlofhmb.exe
2264	Lpmhgc32.exe
2452	Lelmei32.exe
1356	Moikinib.exe
2972	Mjeholco.exe
1216	Nflidmic.exe
1964	Noighakn.exe
2084	Nkphmc32.exe
1768	Oqajqi32.exe
676	Ocbbbd32.exe
2392	Pjqdjn32.exe
1056	Pciiccbm.exe
1288	Pafpjljk.exe
560	Qechqj32.exe
1812	Qfganb32.exe
1620	Adkbgf32.exe
1540	Aeokdn32.exe
1652	Aogpmcmb.exe
548	Aahhoo32.exe
2092	Akpmhdqd.exe
2408	Bglghdbc.exe
1584	Bgndnd32.exe
2940	Ccgahe32.exe
2896	Cpkaai32.exe
2848	Clbbfj32.exe
2116	Cfmceomm.exe
2680	Dgbiggof.exe
580	Dqknqleg.exe
2760	Dmdkkm32.exe
2032	Dflpdb32.exe
2984	Eeameodq.exe
2976	Ebhjdc32.exe
976	Ebjfiboe.exe
2232	Eapcjo32.exe
2112	Fdpmljan.exe
2184	Fadmenpg.exe
2344	Fianpp32.exe
2160	Fbjchfaq.exe
2496	Fpncbjqj.exe
968	Feklja32.exe
860	Gocpcfeb.exe
612	Gkjahg32.exe
2280	Gadidabc.exe
2180	Gmkjjbhg.exe
868	Gmmgobfd.exe

Loads dropped DLL 64 IoCs

pid	Process
1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
1508	Jlkigbef.exe
1508	Jlkigbef.exe
2908	Kiojqfdp.exe
2908	Kiojqfdp.exe
2880	Kiafff32.exe
2880	Kiafff32.exe
3060	Kkiiom32.exe
3060	Kkiiom32.exe
2776	Lmlofhmb.exe
2776	Lmlofhmb.exe
2264	Lpmhgc32.exe
2264	Lpmhgc32.exe
2452	Lelmei32.exe
2452	Lelmei32.exe
1356	Moikinib.exe
1356	Moikinib.exe
2972	Mjeholco.exe
2972	Mjeholco.exe
1216	Nflidmic.exe
1216	Nflidmic.exe
1964	Noighakn.exe
1964	Noighakn.exe
2084	Nkphmc32.exe
2084	Nkphmc32.exe
1768	Oqajqi32.exe
1768	Oqajqi32.exe
676	Ocbbbd32.exe
676	Ocbbbd32.exe
2392	Pjqdjn32.exe
2392	Pjqdjn32.exe
1056	Pciiccbm.exe
1056	Pciiccbm.exe
1288	Pafpjljk.exe
1288	Pafpjljk.exe
560	Qechqj32.exe
560	Qechqj32.exe
1812	Qfganb32.exe
1812	Qfganb32.exe
1620	Adkbgf32.exe
1620	Adkbgf32.exe
1540	Aeokdn32.exe
1540	Aeokdn32.exe
1652	Aogpmcmb.exe
1652	Aogpmcmb.exe
548	Aahhoo32.exe
548	Aahhoo32.exe
2092	Akpmhdqd.exe
2092	Akpmhdqd.exe
2408	Bglghdbc.exe
2408	Bglghdbc.exe
1584	Bgndnd32.exe
1584	Bgndnd32.exe
2940	Ccgahe32.exe
2940	Ccgahe32.exe
2896	Cpkaai32.exe
2896	Cpkaai32.exe
2848	Clbbfj32.exe
2848	Clbbfj32.exe
2116	Cfmceomm.exe
2116	Cfmceomm.exe
2680	Dgbiggof.exe
2680	Dgbiggof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Moikinib.exe	Lelmei32.exe
File created	C:\Windows\SysWOW64\Imgljkbm.dll	Pciiccbm.exe
File created	C:\Windows\SysWOW64\Aomekckd.dll	Aeokdn32.exe
File created	C:\Windows\SysWOW64\Mbomgjkh.dll	Bgndnd32.exe
File opened for modification	C:\Windows\SysWOW64\Kkiiom32.exe	Kiafff32.exe
File created	C:\Windows\SysWOW64\Fodbcjid.dll	Pjqdjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgndnd32.exe	Bglghdbc.exe
File created	C:\Windows\SysWOW64\Gkjahg32.exe	Gocpcfeb.exe
File created	C:\Windows\SysWOW64\Kkiiom32.exe	Kiafff32.exe
File created	C:\Windows\SysWOW64\Ocbbbd32.exe	Oqajqi32.exe
File created	C:\Windows\SysWOW64\Aogpmcmb.exe	Aeokdn32.exe
File created	C:\Windows\SysWOW64\Bgndnd32.exe	Bglghdbc.exe
File created	C:\Windows\SysWOW64\Ebjfiboe.exe	Ebhjdc32.exe
File created	C:\Windows\SysWOW64\Fbjchfaq.exe	Fianpp32.exe
File created	C:\Windows\SysWOW64\Bpoqlm32.dll	Kkiiom32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeholco.exe	Moikinib.exe
File created	C:\Windows\SysWOW64\Noighakn.exe	Nflidmic.exe
File created	C:\Windows\SysWOW64\Aeokdn32.exe	Adkbgf32.exe
File opened for modification	C:\Windows\SysWOW64\Akpmhdqd.exe	Aahhoo32.exe
File opened for modification	C:\Windows\SysWOW64\Bglghdbc.exe	Akpmhdqd.exe
File opened for modification	C:\Windows\SysWOW64\Dgbiggof.exe	Cfmceomm.exe
File created	C:\Windows\SysWOW64\Djnjmoea.dll	Gkjahg32.exe
File opened for modification	C:\Windows\SysWOW64\Ebhjdc32.exe	Eeameodq.exe
File created	C:\Windows\SysWOW64\Kiafff32.exe	Kiojqfdp.exe
File opened for modification	C:\Windows\SysWOW64\Lpmhgc32.exe	Lmlofhmb.exe
File created	C:\Windows\SysWOW64\Blbfiq32.dll	Lmlofhmb.exe
File opened for modification	C:\Windows\SysWOW64\Ocbbbd32.exe	Oqajqi32.exe
File created	C:\Windows\SysWOW64\Aahhoo32.exe	Aogpmcmb.exe
File created	C:\Windows\SysWOW64\Bglghdbc.exe	Akpmhdqd.exe
File opened for modification	C:\Windows\SysWOW64\Cfmceomm.exe	Clbbfj32.exe
File created	C:\Windows\SysWOW64\Pjqdjn32.exe	Ocbbbd32.exe
File opened for modification	C:\Windows\SysWOW64\Pafpjljk.exe	Pciiccbm.exe
File created	C:\Windows\SysWOW64\Clbbfj32.exe	Cpkaai32.exe
File created	C:\Windows\SysWOW64\Dqknqleg.exe	Dgbiggof.exe
File opened for modification	C:\Windows\SysWOW64\Eeameodq.exe	Dflpdb32.exe
File created	C:\Windows\SysWOW64\Feklja32.exe	Fpncbjqj.exe
File created	C:\Windows\SysWOW64\Gpjhgkof.dll	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
File opened for modification	C:\Windows\SysWOW64\Ebjfiboe.exe	Ebhjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Fadmenpg.exe	Fdpmljan.exe
File created	C:\Windows\SysWOW64\Jlkigbef.exe	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
File created	C:\Windows\SysWOW64\Hignfnfk.dll	Aahhoo32.exe
File created	C:\Windows\SysWOW64\Fmjgnb32.dll	Clbbfj32.exe
File created	C:\Windows\SysWOW64\Fpncbjqj.exe	Fbjchfaq.exe
File created	C:\Windows\SysWOW64\Gkiiie32.dll	Gadidabc.exe
File created	C:\Windows\SysWOW64\Dgoikhhk.dll	Adkbgf32.exe
File created	C:\Windows\SysWOW64\Moncom32.dll	Aogpmcmb.exe
File created	C:\Windows\SysWOW64\Cpkaai32.exe	Ccgahe32.exe
File created	C:\Windows\SysWOW64\Eapcjo32.exe	Ebjfiboe.exe
File opened for modification	C:\Windows\SysWOW64\Gocpcfeb.exe	Feklja32.exe
File created	C:\Windows\SysWOW64\Eeameodq.exe	Dflpdb32.exe
File created	C:\Windows\SysWOW64\Bigngdee.dll	Jlkigbef.exe
File created	C:\Windows\SysWOW64\Lmlofhmb.exe	Kkiiom32.exe
File created	C:\Windows\SysWOW64\Jpmaii32.dll	Lpmhgc32.exe
File created	C:\Windows\SysWOW64\Qechqj32.exe	Pafpjljk.exe
File opened for modification	C:\Windows\SysWOW64\Adkbgf32.exe	Qfganb32.exe
File created	C:\Windows\SysWOW64\Nibmdpam.dll	Cfmceomm.exe
File created	C:\Windows\SysWOW64\Dflpdb32.exe	Dmdkkm32.exe
File created	C:\Windows\SysWOW64\Lelmei32.exe	Lpmhgc32.exe
File created	C:\Windows\SysWOW64\Oloioh32.dll	Oqajqi32.exe
File created	C:\Windows\SysWOW64\Hcmmoflm.dll	Lelmei32.exe
File created	C:\Windows\SysWOW64\Lmeqilpj.dll	Kiafff32.exe
File created	C:\Windows\SysWOW64\Nflidmic.exe	Mjeholco.exe
File created	C:\Windows\SysWOW64\Gmkaphmi.dll	Ccgahe32.exe
File opened for modification	C:\Windows\SysWOW64\Dqknqleg.exe	Dgbiggof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	868	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpmhdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeameodq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpmljan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lelmei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfganb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeokdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gocpcfeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmkjjbhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiojqfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkiiom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgahe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbiggof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqknqleg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflidmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqajqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqdjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebhjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjfiboe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feklja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlofhmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbbbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmceomm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmdkkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fianpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gadidabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpmhgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciiccbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qechqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbjchfaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgndnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clbbfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dflpdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkigbef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiafff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moikinib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjeholco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkphmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eapcjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fadmenpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpncbjqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkjahg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noighakn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafpjljk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkbgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogpmcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bglghdbc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pafpjljk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqajqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgndnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpkaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpncbjqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nflidmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkgeh32.dll"	Ocbbbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgoikhhk.dll"	Adkbgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aogpmcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbomgjkh.dll"	Bgndnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnifhcei.dll"	Dgbiggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadfnabd.dll"	Fianpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbjchfaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmmoflm.dll"	Lelmei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkiiie32.dll"	Gadidabc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkaphmi.dll"	Ccgahe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlpince.dll"	Moikinib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aogpmcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moncom32.dll"	Aogpmcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egedlo32.dll"	Bglghdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeqilpj.dll"	Kiafff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoqlm32.dll"	Kkiiom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bglghdbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbiggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiojqfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clbbfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmceomm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dqknqleg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgmgdi32.dll"	Ebhjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccgahe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Noighakn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oloioh32.dll"	Oqajqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeokdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmlofhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomekckd.dll"	Aeokdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qechqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacnlhed.dll"	Qechqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeokdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aahhoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dflpdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckflh32.dll"	Fdpmljan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkiiom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pafpjljk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfganb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fadmenpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejighnb.dll"	Fadmenpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnjmoea.dll"	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkphmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdocail.dll"	Mjeholco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dflpdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibmdpam.dll"	Cfmceomm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbiggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eeameodq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fianpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Feklja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hignfnfk.dll"	Aahhoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adkbgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlejbj32.dll"	Fbjchfaq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1508	1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe	29
PID 1996 wrote to memory of 1508	1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe	29
PID 1996 wrote to memory of 1508	1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe	29
PID 1996 wrote to memory of 1508	1996	6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe	29
PID 1508 wrote to memory of 2908	1508	Jlkigbef.exe	30
PID 1508 wrote to memory of 2908	1508	Jlkigbef.exe	30
PID 1508 wrote to memory of 2908	1508	Jlkigbef.exe	30
PID 1508 wrote to memory of 2908	1508	Jlkigbef.exe	30
PID 2908 wrote to memory of 2880	2908	Kiojqfdp.exe	31
PID 2908 wrote to memory of 2880	2908	Kiojqfdp.exe	31
PID 2908 wrote to memory of 2880	2908	Kiojqfdp.exe	31
PID 2908 wrote to memory of 2880	2908	Kiojqfdp.exe	31
PID 2880 wrote to memory of 3060	2880	Kiafff32.exe	32
PID 2880 wrote to memory of 3060	2880	Kiafff32.exe	32
PID 2880 wrote to memory of 3060	2880	Kiafff32.exe	32
PID 2880 wrote to memory of 3060	2880	Kiafff32.exe	32
PID 3060 wrote to memory of 2776	3060	Kkiiom32.exe	33
PID 3060 wrote to memory of 2776	3060	Kkiiom32.exe	33
PID 3060 wrote to memory of 2776	3060	Kkiiom32.exe	33
PID 3060 wrote to memory of 2776	3060	Kkiiom32.exe	33
PID 2776 wrote to memory of 2264	2776	Lmlofhmb.exe	34
PID 2776 wrote to memory of 2264	2776	Lmlofhmb.exe	34
PID 2776 wrote to memory of 2264	2776	Lmlofhmb.exe	34
PID 2776 wrote to memory of 2264	2776	Lmlofhmb.exe	34
PID 2264 wrote to memory of 2452	2264	Lpmhgc32.exe	35
PID 2264 wrote to memory of 2452	2264	Lpmhgc32.exe	35
PID 2264 wrote to memory of 2452	2264	Lpmhgc32.exe	35
PID 2264 wrote to memory of 2452	2264	Lpmhgc32.exe	35
PID 2452 wrote to memory of 1356	2452	Lelmei32.exe	36
PID 2452 wrote to memory of 1356	2452	Lelmei32.exe	36
PID 2452 wrote to memory of 1356	2452	Lelmei32.exe	36
PID 2452 wrote to memory of 1356	2452	Lelmei32.exe	36
PID 1356 wrote to memory of 2972	1356	Moikinib.exe	37
PID 1356 wrote to memory of 2972	1356	Moikinib.exe	37
PID 1356 wrote to memory of 2972	1356	Moikinib.exe	37
PID 1356 wrote to memory of 2972	1356	Moikinib.exe	37
PID 2972 wrote to memory of 1216	2972	Mjeholco.exe	38
PID 2972 wrote to memory of 1216	2972	Mjeholco.exe	38
PID 2972 wrote to memory of 1216	2972	Mjeholco.exe	38
PID 2972 wrote to memory of 1216	2972	Mjeholco.exe	38
PID 1216 wrote to memory of 1964	1216	Nflidmic.exe	39
PID 1216 wrote to memory of 1964	1216	Nflidmic.exe	39
PID 1216 wrote to memory of 1964	1216	Nflidmic.exe	39
PID 1216 wrote to memory of 1964	1216	Nflidmic.exe	39
PID 1964 wrote to memory of 2084	1964	Noighakn.exe	40
PID 1964 wrote to memory of 2084	1964	Noighakn.exe	40
PID 1964 wrote to memory of 2084	1964	Noighakn.exe	40
PID 1964 wrote to memory of 2084	1964	Noighakn.exe	40
PID 2084 wrote to memory of 1768	2084	Nkphmc32.exe	41
PID 2084 wrote to memory of 1768	2084	Nkphmc32.exe	41
PID 2084 wrote to memory of 1768	2084	Nkphmc32.exe	41
PID 2084 wrote to memory of 1768	2084	Nkphmc32.exe	41
PID 1768 wrote to memory of 676	1768	Oqajqi32.exe	42
PID 1768 wrote to memory of 676	1768	Oqajqi32.exe	42
PID 1768 wrote to memory of 676	1768	Oqajqi32.exe	42
PID 1768 wrote to memory of 676	1768	Oqajqi32.exe	42
PID 676 wrote to memory of 2392	676	Ocbbbd32.exe	43
PID 676 wrote to memory of 2392	676	Ocbbbd32.exe	43
PID 676 wrote to memory of 2392	676	Ocbbbd32.exe	43
PID 676 wrote to memory of 2392	676	Ocbbbd32.exe	43
PID 2392 wrote to memory of 1056	2392	Pjqdjn32.exe	44
PID 2392 wrote to memory of 1056	2392	Pjqdjn32.exe	44
PID 2392 wrote to memory of 1056	2392	Pjqdjn32.exe	44
PID 2392 wrote to memory of 1056	2392	Pjqdjn32.exe	44

C:\Users\Admin\AppData\Local\Temp\6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe
"C:\Users\Admin\AppData\Local\Temp\6a3d1b066f8bc05b115c9d3c8c62b28a2c467d6e4b31c4e5484e0f4b30de92bdN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\Jlkigbef.exe
  C:\Windows\system32\Jlkigbef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\Kiojqfdp.exe
    C:\Windows\system32\Kiojqfdp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Kiafff32.exe
      C:\Windows\system32\Kiafff32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\Kkiiom32.exe
        
        C:\Windows\system32\Kkiiom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\Lmlofhmb.exe
        
        C:\Windows\system32\Lmlofhmb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Lpmhgc32.exe
        
        C:\Windows\system32\Lpmhgc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Lelmei32.exe
        
        C:\Windows\system32\Lelmei32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Moikinib.exe
        
        C:\Windows\system32\Moikinib.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Mjeholco.exe
        
        C:\Windows\system32\Mjeholco.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Nflidmic.exe
        
        C:\Windows\system32\Nflidmic.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Noighakn.exe
        
        C:\Windows\system32\Noighakn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Nkphmc32.exe
        
        C:\Windows\system32\Nkphmc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Oqajqi32.exe
        
        C:\Windows\system32\Oqajqi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ocbbbd32.exe
        
        C:\Windows\system32\Ocbbbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Pjqdjn32.exe
        
        C:\Windows\system32\Pjqdjn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Pciiccbm.exe
        
        C:\Windows\system32\Pciiccbm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Pafpjljk.exe
        
        C:\Windows\system32\Pafpjljk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Qechqj32.exe
        
        C:\Windows\system32\Qechqj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Qfganb32.exe
        
        C:\Windows\system32\Qfganb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Adkbgf32.exe
        
        C:\Windows\system32\Adkbgf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Aeokdn32.exe
        
        C:\Windows\system32\Aeokdn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Aogpmcmb.exe
        
        C:\Windows\system32\Aogpmcmb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Aahhoo32.exe
        
        C:\Windows\system32\Aahhoo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Akpmhdqd.exe
        
        C:\Windows\system32\Akpmhdqd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Bglghdbc.exe
        
        C:\Windows\system32\Bglghdbc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Bgndnd32.exe
        
        C:\Windows\system32\Bgndnd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Ccgahe32.exe
        
        C:\Windows\system32\Ccgahe32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cpkaai32.exe
        
        C:\Windows\system32\Cpkaai32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Clbbfj32.exe
        
        C:\Windows\system32\Clbbfj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Cfmceomm.exe
        
        C:\Windows\system32\Cfmceomm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Dgbiggof.exe
        
        C:\Windows\system32\Dgbiggof.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Dqknqleg.exe
        
        C:\Windows\system32\Dqknqleg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Dmdkkm32.exe
        
        C:\Windows\system32\Dmdkkm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Dflpdb32.exe
        
        C:\Windows\system32\Dflpdb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Eeameodq.exe
        
        C:\Windows\system32\Eeameodq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ebhjdc32.exe
        
        C:\Windows\system32\Ebhjdc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ebjfiboe.exe
        
        C:\Windows\system32\Ebjfiboe.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Eapcjo32.exe
        
        C:\Windows\system32\Eapcjo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Fdpmljan.exe
        
        C:\Windows\system32\Fdpmljan.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Fadmenpg.exe
        
        C:\Windows\system32\Fadmenpg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Fianpp32.exe
        
        C:\Windows\system32\Fianpp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Fbjchfaq.exe
        
        C:\Windows\system32\Fbjchfaq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Fpncbjqj.exe
        
        C:\Windows\system32\Fpncbjqj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Feklja32.exe
        
        C:\Windows\system32\Feklja32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Gocpcfeb.exe
        
        C:\Windows\system32\Gocpcfeb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Gkjahg32.exe
        
        C:\Windows\system32\Gkjahg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Gadidabc.exe
        
        C:\Windows\system32\Gadidabc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Gmkjjbhg.exe
        
        C:\Windows\system32\Gmkjjbhg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 140
        51⤵
        Program crash
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahhoo32.exe

Filesize
265KB

MD5
8946c4fb853f65766c76849ef2cedfbe

SHA1
83403a4c2c50f660fe7442fe2a687e147a3ac5b2

SHA256
4a46db2499e7a41187ba0cf12ea2f99c80df8968ea9585355d698c45acb9c476

SHA512
1f2bcb3c00683c01b3766e8f14309dd1af767e025cc09be5f7461b34fe1c8ad31a87deef1c09e81a9377d9f19fce20b68863ad724ef39208583ce8c93cccb838

Download Submit
C:\Windows\SysWOW64\Adkbgf32.exe

Filesize
265KB

MD5
5f4a4bec9f76b9344eaca165615539b8

SHA1
af52ee26ed48637b843eddaa58f11bc890671e27

SHA256
000a7c4004b9d5518f2104f6a5fa93d7c3ffcf0c9f4f7f25a9d4630adf1873d0

SHA512
bb9fdefa2b2e42278bb2a74bfa4b28c135507835ddd07f25fa6941eee2d29ac1eb6e1c6d558ba26f3438b1b8fda81e651134a96514755d1d84305f8b75904247

Download Submit
C:\Windows\SysWOW64\Aeokdn32.exe

Filesize
265KB

MD5
5cfcd849fe4fcc3b64a26266c18b7335

SHA1
e9d67aaa90b7b0d90cde7c485cd0b0983b3d22df

SHA256
f78ea10aca8b3d4d187ee8fe4ba37f3235099b30e4a5b58603b66b75807b8950

SHA512
db6eb444c83df8b72b519de4b76b494b77cc88816457afe66552a53b36da8343c1d600bdf6b16ba3efdc1767e39008f461a72d5466e68fa47592cd5b67de8e5f

Download Submit
C:\Windows\SysWOW64\Akpmhdqd.exe

Filesize
265KB

MD5
2d18e8929ff84dfa464c753db2be8107

SHA1
860f8b422a8b79df1d510c07f19019af80cda289

SHA256
9e27e14a69ca1cbea924b4e4b4503e91a22b3f375c5b5e374dca3e64fbfe3701

SHA512
131ae978fdec9127c295b358383285830ee293e70c1e821a4fe37d99b7c7f4cf1f09cc2fbe95a4d1fd75514b29ae9b7d5b61422d87876b90ca11a8fcfa8ae08c

Download Submit
C:\Windows\SysWOW64\Aogpmcmb.exe

Filesize
265KB

MD5
34ff5cecdec33027db46fc8fea6b605a

SHA1
ba3c5cb06993919e23d1574a32eae4b6a504d7e4

SHA256
77774e3a813a76073e0387bcbdbdea1ce7352a791d15a3d6172bd75df94521e3

SHA512
9bc8ebeecf741e8afb8d201833b2d33ffa440ce40e5eab152386029293cfc3e745302e8a8716d7377ace816fb451213c79f3f79ae86fa25ff85db7eaf50ee416

Download Submit
C:\Windows\SysWOW64\Bglghdbc.exe

Filesize
265KB

MD5
d7250ef33c420ac05ed43ad00ee7b509

SHA1
8c50506b9ef8c48e59fe49334c31f34c45d71ac2

SHA256
246854db4796afc7485f8ef7c5dcd8da3541071131a6262c274afb26df92768d

SHA512
1a2fdf97d0c905790bd979d32fdd379f084b9652ab840b377b1ecd1c294ede957534bc4e7c375a50c70ffa2a96c63c08b373245f7e704d2d6f9f8a7b35ae385e

Download Submit
C:\Windows\SysWOW64\Bgndnd32.exe

Filesize
265KB

MD5
d6024342b8f861e5133369667cc4a16d

SHA1
23aa1f1e5f58b6bb20a528ab2f72af35916ff441

SHA256
8e708635877fd7178d56cf0281e8fb77bb78491936006d76ca4a8c3f911d49cc

SHA512
b956b340ca22db22a535783a2621c63d0d02d58b54368bb0e5a4fd0edc17a0210ae3b605165de83ac6be24633d79d4f0fff5327fad6351b9925b251078fbdf5b

Download Submit
C:\Windows\SysWOW64\Bpoqlm32.dll

Filesize
7KB

MD5
733a88ba734b537a73103b9dd7f0c633

SHA1
6fbb63593292f43b545678f90ca46ef9418bd370

SHA256
c55321ce993445b942c1bd844de0c0500d1233424584a0260a1ba7f14c984309

SHA512
34c1436c51cf3744fbf7941de7768a3bca57662d0b178e79669734111b69925e7c50fc935cb2ad34b0dfca6b474a49ceef60add96656f91e2691cc78ec01998a

Download Submit
C:\Windows\SysWOW64\Ccgahe32.exe

Filesize
265KB

MD5
d08f3854b751e5d9232c525ef8f998dd

SHA1
fb8bdadf3b53c22612305be0f7b9167277b49d24

SHA256
fc66c752c64ab0dd4bb692dbde70678e3f4aa9bc39a9b79617d4961bddb6f622

SHA512
d3709ca07c1b8bc0dfb65828bb4fadeaeb7b9e26a8b94d1f7de75d5277c4b963a18e4f0c90def14406a40758de050ef10c29f456ffee741bd75742f684f7cff2

Download Submit
C:\Windows\SysWOW64\Cfmceomm.exe

Filesize
265KB

MD5
099e3691a964e7ae0327c15ae29c69fe

SHA1
7645ff4abc4720c7c6cee743cd528d98c7a8155b

SHA256
705a040cec2f01af32bbcfaeef3c7ed7ce64e6a9f30826b079a0280e0bd0787e

SHA512
64fb7552ed7cde9e7b15fcc9fb93de3e4764be51063e689e70f683b7f5851448a491c96e7dda5d392c009c8db943a38e622de264c4f5c568b5d32829d806d301

Download Submit
C:\Windows\SysWOW64\Clbbfj32.exe

Filesize
265KB

MD5
b9ae12de04cc949fa96f91e4c37436bd

SHA1
6e9aaf0967e7a98ef1522f0d5b9955ff86488c54

SHA256
acb3686aae663f95f01c04c767f1a44218e0075f726a128508236e2b94bc6598

SHA512
6aa7c57383cfeb90744f86363511fd7756666f7461243c6e7fa7fff4d68d930e5781bdb30bf7d4be38de6e1738be255ade4cc752fb99ff658fa81e367047b746

Download Submit
C:\Windows\SysWOW64\Cpkaai32.exe

Filesize
265KB

MD5
02a6852a4940432c4293478d9be5b784

SHA1
61fec55ef99ae5205b286769eee5c7912af19980

SHA256
9755edb47695ffd86b055cf85822630cc7b750cc424337db7348f07b2dbbd021

SHA512
1bb5eb327a0e5ba6c20b45093d5d8590986f6a7a6cf82fdb951acf6b9eb432682894dadc764c4e54223ab60fc1f9c628f5b061b386940f2aecb7f2a2ee82f6a1

Download Submit
C:\Windows\SysWOW64\Dflpdb32.exe

Filesize
265KB

MD5
fe848973ca6442845ee72482440ce331

SHA1
7577aa4bbdaa2ac82115f745cfa1543650f2ddd5

SHA256
507cd7d95ebc89757e53538f43a57fe0aee1df6a9c7ea7274b01e932f586ee48

SHA512
054d1f4dcceebb62c15e0a1195726cdf402197e8386edccc08476bbf408c4feec7ccf58d2bde93878696594ddc2cfc57f74a21cd03d8027c0f7e1870e1e2a35d

Download Submit
C:\Windows\SysWOW64\Dgbiggof.exe

Filesize
265KB

MD5
8446c5ea10ebb4a871547f19281f9256

SHA1
5044f16dd0382244118b3d8d66db94eb15aa2b70

SHA256
43e00f7b2529fe74ea3424ffe53bdf922bd8a72eb0a6df70718bd7b5cb6c6d6e

SHA512
d8db49d42289768794e2d04dda76f591e2602434250a194e73923b1611b7f4d7aaa3e72d6a39a75e769d6b8a98464d4338464d54988678bddb055948fb51095b

Download Submit
C:\Windows\SysWOW64\Dmdkkm32.exe

Filesize
265KB

MD5
75d2fb32beedf6fc35c5dfd30ad875bb

SHA1
a3ea8d512ed956908fb6a24433ca4a40341dc9c5

SHA256
a658a4cbba2904e928ce797a4aa4dc3146f0a519a5d0e84f6531c1116539876d

SHA512
3b402a8eedeb84850dd8bb85407271840b4246edd3e6ebf585093f88a638128422f2fea432ce26346f8d2f8fc5cd7bc39880c8076659f182832a27d332275313

Download Submit
C:\Windows\SysWOW64\Dqknqleg.exe

Filesize
265KB

MD5
478d7aa1bfd128e64c7f811303053379

SHA1
ba6c2007e135484fe56963b289d5b68e612c58bf

SHA256
4c785d82e05e7bfb0ab9e498164f635065af63ebdd8070c184c82c5bd09c71ab

SHA512
ce99e20e1ef8913748fc6547c1e2017e2df7854209f1e2cbd01cd0ff6407905a5fdd4fa7e92db3bab61f6e7e22b4d70ac7f785cfc8e12b8b2852cf2cb9c2292e

Download Submit
C:\Windows\SysWOW64\Eapcjo32.exe

Filesize
265KB

MD5
f8771857fe4f0717e3aaf1fb95aa4bcf

SHA1
74ac153efe8900aa4c26f3d68ac58fb0365137db

SHA256
9b8d213ac124a9b34152070ba8764165f4b1797abd1042b854eb8abcb82ddf90

SHA512
a052fe807b7f383dc2431808411250c5a8e42d3b31392e6b7bf4fd9df94ef7e9e954bebc2f6e55ffd2729f4d537dd1493d3403e2d4e0e41d89c4eeedcf268db5

Download Submit
C:\Windows\SysWOW64\Ebhjdc32.exe

Filesize
265KB

MD5
0e68c792ac2edbf21f7615c3e522059a

SHA1
5acd162be5f333b32f568362359d013cc2ee4e73

SHA256
6f50daa6e98ccbdb06a907a7ff27b47fa2e7c8555ca7fe405ab5617ae3379562

SHA512
d8d18bf151c0381002135d3e42930095a0635991a7ca3c09dc9f26cf5153a840bf8192edc152273301175438d7851cdefb6a456ea249a5cca5baf0e046ec7686

Download Submit
C:\Windows\SysWOW64\Ebjfiboe.exe

Filesize
265KB

MD5
8af4416b4c4a52c0dad248e85b264f2d

SHA1
37d3caa83e7264fb3c85c1bdee6f363a44d771a9

SHA256
ceeca392f64eec3f23416525bb4d34872a7c1e5178090ffdfcc338b99c3489da

SHA512
3e64d73c43a833d3891b60784e5cc5fd42f1af09d6e427c1af4956686908bb65bc84e1e3aa76865c866c93f33f00473cfba5f71c952cb47cb08f2f3dd35f176f

Download Submit
C:\Windows\SysWOW64\Eeameodq.exe

Filesize
265KB

MD5
c4610ff41f9f99cc6ad97370d37f2db2

SHA1
ef86c66c732abf3d5e6c9f1c9f15df30705650f5

SHA256
3b2f36ba23eb33273d421985473309d33cad2c98aa64235f27e7260eb4fd4c23

SHA512
998e5767398541610f6529b4efea662737dc33997bf21483b704e02588964de5adb53820612ece2ffcc9eae6141b190fa8dc23e874286e34cc81fe3b712c7272

Download Submit
C:\Windows\SysWOW64\Fadmenpg.exe

Filesize
265KB

MD5
7216ca080eb28b998c97abc288df6b77

SHA1
0ec9a3fc07c8c59ad6e445331f0c328047f0d98a

SHA256
8fb0d929d77835a1b78e655c6a1fa67693e858ee852de971a522aa37675dbbac

SHA512
9b9d325758b6b33cbd4835cf8c342594de9438269dc09618f9e396286ac8d3781c027189889d9b9788b3ebd63acf27e1d53d56f0b137d9143f8832124c917325

Download Submit
C:\Windows\SysWOW64\Fbjchfaq.exe

Filesize
265KB

MD5
8832b4010b125f62afbdc7fbdef93e29

SHA1
eeda6fd8248a12830fccc34ac6a7eb48dd06f1d3

SHA256
6b36046fee9d21796c5316ede668c956d8a726e08126b8d08039595851db7f50

SHA512
85283a3edfff684e3b968075f55f2eb31a289be5f3826ded2b0abe2895de5a5bb3a67d02a9ce2534221ba258c345db0c97f6a0a40a83558a73f1221baa6f80d9

Download Submit
C:\Windows\SysWOW64\Fdpmljan.exe

Filesize
265KB

MD5
80525c3a43a019c40b4057b57b855ffc

SHA1
fb95a1dec5eb82b9f06a4be600b1b9fd10854dd0

SHA256
c16f7128196eea0c1ad3226545a6a30dbae3d68b1f9bdf5ccec028780311b218

SHA512
19bd551fd0937b60759499b8afa1e23f6613394f32746c2f9e2444d5f4ee5af6ebfe48144d90b10651196184fd76721e79238280b7ad921e648f452545d97053

Download Submit
C:\Windows\SysWOW64\Feklja32.exe

Filesize
265KB

MD5
15f229cba0ef8ab76b98917084950b06

SHA1
be1400c7dde6eaa34f3e006abe44c06d6a70797f

SHA256
da17da91e8e11b16c1afb3cb39dd2848d797a56b4e9c22186ab1c26492c11097

SHA512
4f225fa39ed82997f18104c08526d9d740ec28157efd79ec09b53d4cdfdb40d49e1435fe7073d4458e19c8d1d6650a44308cc5563818008743b1ce1ca58ceb5c

Download Submit
C:\Windows\SysWOW64\Fianpp32.exe

Filesize
265KB

MD5
8e79db9afd12a007cf50276ae780cf2d

SHA1
6997637f70d390089469ed4251d6b5f2cb4255c8

SHA256
bb1598cd327634fb2f6886e0a1f0fc1f4ff5a1db5e98e029b7f9f4f26a43dc23

SHA512
92210147bf8be954005cd2e6e7aa51b10b90bdd14774ecf00361a9c31b74afef30d404b7a06fe5032520867756855314a353e14692f447e0e89bcb5faac0042e

Download Submit
C:\Windows\SysWOW64\Fpncbjqj.exe

Filesize
265KB

MD5
f9df83a0f5114f3ac9e08062e1425726

SHA1
29f204a94b0c65ff59c7c6b0771d2f38d9cc29b6

SHA256
e2fb01025c889ef7cd1b731f4bb8be37f1af39ef8af7f8566fe9e17fdbe5ae00

SHA512
d791d7d221db014de108254eaae398bd43bcd54352092cfb02ea68a2fe5bc2ff8f08b55c0cac5345b014461f16cfde60621b50a3fa8e07801ae1ad3b726871b0

Download Submit
C:\Windows\SysWOW64\Gadidabc.exe

Filesize
265KB

MD5
2348448c104c1a5b945677e8bf1c04ec

SHA1
f58296e72e02bb6f84bf2b13d5f9057716924d3f

SHA256
751c4f63bbdaf8c6aa49b8d406862844976840ffadce31f80b121545ed26810b

SHA512
36775e0d807bb7e5e1aa07f478186a2a0c5a44d969ab42ff25fadbf03c76083dbda3fc436bcd1404d85b16241b4f35405862e90ed6428cf0f538bd1b65c97feb

Download Submit
C:\Windows\SysWOW64\Gkjahg32.exe

Filesize
265KB

MD5
dddeefcb5441363d53c789e5e36ad995

SHA1
d25ee377fa6828ecb52f3052a3fc470832db3aec

SHA256
8a3af2731f4ce08481f483f8c8c9876e8948b35f8bc5a97908cf42cb40eb7c01

SHA512
46c34fc81e323f43c6c064d3fe230ec87f0ee93530f5582fdc6d32a7617585fd7bfc0ad4738b0c9ce4304aff7e93f769a8fafbd551e1011bffd6e460e010344b

Download Submit
C:\Windows\SysWOW64\Gmkjjbhg.exe

Filesize
265KB

MD5
e3fde7e5683f1d7d22100631eee94a29

SHA1
cfce80066c5070bc0610b2dac1bdd0dcc4e32c49

SHA256
504188382b6d0f37b61059b24c93d5a3507007a42263cd61e1e5bf1354a9ed1e

SHA512
507bf7aacf4ddc9afb6f72f7d64cb5142b35e44e8a2750a01846cf19cdffd09ff15d94db164f214df40d8fac671490267b074d8983328f9f58704d800215e89c

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
265KB

MD5
3aa5df3d37636ff1e9c3958b9c6ac57a

SHA1
4e4db1130df94f22c48f85613468efa7708aa264

SHA256
788f552c62b673c4ef4f774ea5a85e32934a6731b3a23657bd1613b4e26812f2

SHA512
5d389be84cc65f41798f5cd452c5e2a3a307385bf7a4082033e43f641c1fd980714223e29156131116f6a2dd2a84b6112c42aa5c31535f7eb869627ee520011c

Download Submit
C:\Windows\SysWOW64\Gocpcfeb.exe

Filesize
265KB

MD5
94b13d9b3f294ec130eb3c76eed27073

SHA1
7d1d0c78f6916a0106fbb1c577fc07fadf1ca75b

SHA256
c51bcd038b7c65b187360a3bca2996e3c4429697647fee616c0326d7a4f0f334

SHA512
bbb49fca72ef2b2d88f881f6f2304855a6475d1b49feca839c265e663238f7bc6a3703879f8e485c2dda736adc62d4ae0d7283a2da4a0bb270dedeab1d934f01

Download Submit
C:\Windows\SysWOW64\Kiojqfdp.exe

Filesize
265KB

MD5
df0953ee14101b5c6e747052530e2543

SHA1
97c6346667414bccf1bf67648cdcdcfde52ec256

SHA256
de2bc81c301dbed3dd54d8ad11c2201c8feb27f591fd3c12b4d1feef775ea307

SHA512
4410f6720e88597e1359995bca4265fd5ef531d5bdd768488e3bca6beca463a6edf1110ce1fd2cabd276815ff5192e278673c6878bae517c33897d48af5dbc68

Download Submit
C:\Windows\SysWOW64\Lpmhgc32.exe

Filesize
265KB

MD5
fbaf812d07f938f40d072d71f4b08264

SHA1
90d66fcb665b82c5a9e4d823752b659a32eba20e

SHA256
afc6271516f2d9f9e3ffadfa0474be11b553b382f982c2d39b0e8fb59a77acd5

SHA512
d94768b9cae46812332c12fc81b7cc6b669b358b676467a8024187ff5fe89a74e2e5882288ea303aa29daabd8b544d8d40dde0b2fe5461f1cba8f01702dca051

Download Submit
C:\Windows\SysWOW64\Nflidmic.exe

Filesize
265KB

MD5
ef102d84e8b83504fc14e77e195aea0d

SHA1
4791f9a1f681f35dab1f9dd4449d84f1b8ef6c46

SHA256
819e9bc1901b78d8dfb9c4f0e402b0c263ed7abd89f1d386a4b54ccdb3958e76

SHA512
3e4602238dcda21617ad8d23a9383f693ee94d24c8bbb2821d2f4e20e3bb09ab029070f4ed0afe9a7ff89dbc7f719147a39239c108d2869f77e4981b36c49855

Download Submit
C:\Windows\SysWOW64\Nkphmc32.exe

Filesize
265KB

MD5
039840d69c50302b124047a91590c549

SHA1
e51247583bbb1c8768f849504bc05986221b3f4c

SHA256
73b849636fa667815e25b8982fbab31c9531734fea1ed7c99c383e0ac9f86c82

SHA512
2d16667b6872fb9a4ab02d3bd26c84a6f205aa5f8e525f6ad9482e967f1ea9be8bf591b2bf944d014e83037352ee6e12fa0e599b9b30c881e13c847fad788780

Download Submit
C:\Windows\SysWOW64\Pafpjljk.exe

Filesize
265KB

MD5
e3ff90bb00ba65a618dd94b4a0e444bc

SHA1
a3490ba620ad2699775b2932b603451ae4d87702

SHA256
11cbb094639afccb01b81e5f15a1a160b14d3ab4864dbeb431373ac20695db88

SHA512
febda46a78115a00ad6b22e0bfbb8442499203fa9d94844a81fdd906fbedefde8e8212804b16ddfeea3e26f6d3fc3cdd170397c5227658a469f892016ea822e6

Download Submit
C:\Windows\SysWOW64\Qechqj32.exe

Filesize
265KB

MD5
154417ab49fbfbc1fa71fa009ca381a4

SHA1
9b566177fa0666c91ab2467aecb3e04eeccea6bd

SHA256
3edf98e36d99c02cfd643a7a29f2ab3a56827b1a9afa8f64185539130e4d7e42

SHA512
731728b9f84ccb9235c8536813a7cd318746eda4345f540d65953d67dff005c928cb406c118f2b473363ec2a27bdc3eb4f420c4782c0a174f67d0d92ab8f86b2

Download Submit
C:\Windows\SysWOW64\Qfganb32.exe

Filesize
265KB

MD5
e3d80a939d6e3c7bc6b9443b8182761c

SHA1
1e33d1d869e992a4ebfa0298628c521a02ed1fae

SHA256
8790e5ba15d3bf7f15268ba428e05e3a8f019ce0d7f8f96ee08ea9e21c335b25

SHA512
9e814e9ab6a9ad48cb1ca56b98cdb085070f70fb270e4de74c6f9be939619cf63204b7207193b8c7c7e3ca6e445b2cf0a1343d975abee2890c6d2927dcbac963

Download Submit
\Windows\SysWOW64\Jlkigbef.exe

Filesize
265KB

MD5
3de5e02a059edd4662e5319afbf15db5

SHA1
ca495081c4c258e3f54377d3509c83c0f1624848

SHA256
fff8e89b47fd8753f9733e942074b258578766bcb78e91f4f8e1d3b722539beb

SHA512
6e442d8a24e31ee55d65ed564b1def5951ea34d914f67af277849e98455bc694be3e385d6cf6f0dcdc905d0744916e61fa27c7a7ce4854346edf6c6215735809

Download Submit
\Windows\SysWOW64\Kiafff32.exe

Filesize
265KB

MD5
fb73ee98d94d9084b360dd1b58ba7df0

SHA1
9e64e63a0c8509f6a32d87c292cd95c595f1d5f6

SHA256
8f98cf8277e611256ac94d33bfcc61c398b7db1ae50a4d778771aa2c4b31f939

SHA512
d0a80e069a78f43696d379b069fcebb114c3928f7a7e76f57b4b38dbe5e0786a0ec720202477218f9418f940e2290f52d72e8d300a8a436954833b39a6cfc524

Download Submit
\Windows\SysWOW64\Kkiiom32.exe

Filesize
265KB

MD5
2678f4b6ed0b01c764793b670c33dc26

SHA1
c9b48b38ecea5f5061c0d639e7f70d4412c93930

SHA256
89a2d3065626b466fa848958739829ed67bf4b2022e7676352ef83d4ea7d8916

SHA512
a1a16ee440fb36cb2da0ffe8adac61dd7069ddc18c933c64e69a5c03dcf933c97f948ae33b833a01f9c4cf2a26df7fce5022cd22364692bf7c7820f15ba27e35

Download Submit
\Windows\SysWOW64\Lelmei32.exe

Filesize
265KB

MD5
27567758b236dd90a4f33f4ea9ae2c24

SHA1
79dc9726a94a55bb2292ad5bab48123ff101d5a7

SHA256
90865cee4be91e1132dd0d03ae22220184ca4e2046d7e94c9334c92a1bbdafc2

SHA512
e7319b7bf171c30c24c44d6ef7af27fb7f5cafa23e32bc5ead532d6b82d002443a2948b91df54c5c2180c643929e497f4f54b99eb5086e6802c6fa04fdb7699b

Download Submit
\Windows\SysWOW64\Lmlofhmb.exe

Filesize
265KB

MD5
bf530bd49fef6da8a0e9a416791c1988

SHA1
caa59f7ee8946ce5f6cff333ca7b027e9a114430

SHA256
f20564cfa5c6af1c903af4a68127634a07a41f2fe4782531b507ce377d95c460

SHA512
630bd49078f33db3fcf5a0327d60d43160721df972052f64ff3812aa16544d86a09c214fb65d3265e088b232d96d5049155c1b1e0adbc62f67a3f0d96db13b5a

Download Submit
\Windows\SysWOW64\Mjeholco.exe

Filesize
265KB

MD5
1d15f280a4a8a04718a999fa92b88c39

SHA1
3d92eca705bec4e617f0feff0819c4e5e127c1dd

SHA256
d3eb5a9642ad45e6102813e1dfa99c00606cce920453c582658986a0d18d0997

SHA512
ac365913ed808e75f723dbe6dfa36d6b5f021d2888304d8bc8392151537b48ed3ec96decb8ea95868411f99456c826a7345b55923af7c4aa4136a1da86b37794

Download Submit
\Windows\SysWOW64\Moikinib.exe

Filesize
265KB

MD5
7ad5b4f1a5e099f183df7e5562e61679

SHA1
7b4d5295f5926a08b388b913a8f1af5f2903f0d3

SHA256
2173c85d3a63d56607057ee278477795d1be2fcbae6a1a77e1099530d6dc58f3

SHA512
887293968ce99456b00837cbf9b8989e570775835d7f84bbb2e086501b857d73f6ff3d91c5bf9cf6bc96861b3731a5c6440241e4e0d362b8f43304bdc618397c

Download Submit
\Windows\SysWOW64\Noighakn.exe

Filesize
265KB

MD5
736e09d0aadd7da98f2cd64baae9d14d

SHA1
5c04c622211783a3880883d28d5d414b2eab3b13

SHA256
be3689193f605469b72f625fce1e76c0cb2ed78dff416df78f0ae80469633c87

SHA512
462955bd2596e09a785f780ab3466f972211be16d8d99897322f9cf88bfcef31d69807698947365bef4fcbc807b70f8afd57342c93e9631f07d15b990b9be1b8

Download Submit
\Windows\SysWOW64\Ocbbbd32.exe

Filesize
265KB

MD5
afaf78c787556c0b131c084237a291bf

SHA1
0e3830ecf311d143bf6e323fb8225f60d59adb29

SHA256
3657d40079d928ebca5ecd3edd4c84a738f77ff685a7aa43e93a673ec2efb5ee

SHA512
d8352c7d0259fc282686ca2498f9472cb767be167504d782e2d381dfe84a62cd0a188b59d52771333175b23b67d4adbb6440019908ef2f2ec706b572c9df5881

Download Submit
\Windows\SysWOW64\Oqajqi32.exe

Filesize
265KB

MD5
576adced824a6193e8901d7636851899

SHA1
d3a8b0a144537b3716c5abad0c5148bf611b1ae9

SHA256
6f577b0ea8d4e146168e5e4344185e31a10bff3cd8a01f433a4dec3af43bf27e

SHA512
4a4b5be6af93e42a3272118f1dcfacf920f6ce67fffbcbcafd1b925cbb1d581681eefa225b7cd89de5221adcdee12a3f2357a6482906b562a74e43f2f2d1b0a7

Download Submit
\Windows\SysWOW64\Pciiccbm.exe

Filesize
265KB

MD5
86812da53656af9a6c29739d294ae0db

SHA1
160b9fe5b25233d9b59784fb6ff0cf3b9b3ec6e2

SHA256
6693769f606e01970ab8a45c6998ff89bcb19e813e61c5cb5b77cb086517fa3b

SHA512
b714ec0d32254b3fe17b2e5fc076eb6e7f2c0ea14099d35e89870cf0a15696ad296a16dc8b60eaf8d7f2938e9f3e7e3358201975938e1ab61a8950551eef4366

Download Submit
\Windows\SysWOW64\Pjqdjn32.exe

Filesize
265KB

MD5
60f4b7c2f3fc9e8379d404aaff25d573

SHA1
20f95d701b6bee416239e760b7f932061b4b2b98

SHA256
8d559b7556a33bfa56e03688aee79af07023df1bc4e67ced54430b9ad36e493a

SHA512
08a711ded23ceebebcd8225c24b4cd01d9bffe658da44e142b22b9a63d82ff1f43333d53ef419ea6a457aadca00565db6d0f2967b9578bb09a6ef85c9c461351

Download Submit
memory/548-302-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/548-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-303-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/560-248-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/580-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-408-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/676-206-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/976-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-228-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1056-232-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1216-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-242-0x0000000001C10000-0x0000000001C43000-memory.dmp

Filesize
204KB

Download
memory/1288-238-0x0000000001C10000-0x0000000001C43000-memory.dmp

Filesize
204KB

Download
memory/1356-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-452-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1356-124-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1508-27-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1508-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1540-277-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1540-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1584-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-335-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1620-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-268-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/1652-291-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1652-292-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1652-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-188-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1812-261-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1812-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-355-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1996-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1996-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2032-427-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2032-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-174-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2092-314-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2092-310-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2092-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-383-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2264-97-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2264-425-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2264-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-431-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2264-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-219-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2392-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-324-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2408-325-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2452-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-108-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2680-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-396-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2760-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-83-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2776-418-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2776-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-368-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2848-372-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2880-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-386-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2880-55-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2880-385-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2880-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-359-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2896-360-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2896-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-41-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2908-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-379-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2908-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-346-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2972-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-463-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2972-138-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2972-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-65-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads