berbew | 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
Size

161KB
MD5

9b8d216d4912875c95ee6d4afa90db8a
SHA1

fcd91bda493d27a817658e164c28d699f7b06720
SHA256

270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f
SHA512

0d520f79886fff44a508f881e26bb0d39da9b9b35ab710887b177c6a2cde182100dac57d46e069140720122f898bebc3b5a4244480eb7ed7ddc3dd94e6f26b37
SSDEEP

3072:h1OI36ztplr0+DxkQVwtCJXeex7rrIRZK8K8/kvN:z6ztjjDxkQVwtmeetrIyRN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocgbend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mablfnne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbccge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemooo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1476	Hlppno32.exe
3992	Hbihjifh.exe
1888	Hhfpbpdo.exe
4820	Haodle32.exe
2400	Hppeim32.exe
1936	Hbnaeh32.exe
4644	Ilfennic.exe
808	Iacngdgj.exe
2988	Ilibdmgp.exe
4112	Iafkld32.exe
3644	Iojkeh32.exe
2944	Ipihpkkd.exe
3496	Ihdldn32.exe
4516	Iamamcop.exe
1232	Jpnakk32.exe
4324	Jaonbc32.exe
4328	Jocnlg32.exe
2236	Jihbip32.exe
1748	Jbagbebm.exe
1884	Jeocna32.exe
3668	Jlikkkhn.exe
4116	Jpegkj32.exe
4156	Jbccge32.exe
4344	Jeapcq32.exe
1540	Jimldogg.exe
3660	Jllhpkfk.exe
4284	Jpgdai32.exe
4572	Jbepme32.exe
5000	Jahqiaeb.exe
4832	Kiphjo32.exe
4152	Klndfj32.exe
1112	Kpiqfima.exe
4724	Kbhmbdle.exe
1900	Kefiopki.exe
4468	Kibeoo32.exe
2152	Klpakj32.exe
3604	Kplmliko.exe
4376	Kcjjhdjb.exe
5004	Kamjda32.exe
1688	Kidben32.exe
2028	Khgbqkhj.exe
208	Kpnjah32.exe
3240	Kcmfnd32.exe
2576	Kapfiqoj.exe
3964	Kekbjo32.exe
3944	Khiofk32.exe
3112	Klekfinp.exe
1988	Kocgbend.exe
4824	Kcoccc32.exe
2716	Kemooo32.exe
2792	Khlklj32.exe
3036	Kpccmhdg.exe
4988	Kofdhd32.exe
4708	Kadpdp32.exe
1820	Lepleocn.exe
4456	Lhnhajba.exe
4296	Lpepbgbd.exe
3620	Lohqnd32.exe
644	Lafmjp32.exe
4508	Lebijnak.exe
2060	Lhqefjpo.exe
4792	Lpgmhg32.exe
4656	Lojmcdgl.exe
1192	Laiipofp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpnakk32.exe	Iamamcop.exe
File created	C:\Windows\SysWOW64\Caecnh32.dll	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfennic.exe	Hbnaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Iacngdgj.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Chgnfq32.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jeocna32.exe
File created	C:\Windows\SysWOW64\Hghklqmm.dll	Khlklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lancko32.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Hapfpelh.dll	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Pmmlla32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Kekbjo32.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Lckboblp.exe	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pblajhje.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Hbnaeh32.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Ledepn32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Lancko32.exe
File created	C:\Windows\SysWOW64\Llcghg32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Lphdhn32.dll	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Foniaq32.dll	Lepleocn.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Ipamlopb.dll	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Ihdldn32.exe
File created	C:\Windows\SysWOW64\Jaonbc32.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Jeocna32.exe	Jbagbebm.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Hnekbm32.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Odlkfe32.dll	Hlppno32.exe
File created	C:\Windows\SysWOW64\Hppeim32.exe	Haodle32.exe
File created	C:\Windows\SysWOW64\Nfnamjhk.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Ppadalgj.dll	Kplmliko.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Bpemfc32.dll	Ledepn32.exe
File created	C:\Windows\SysWOW64\Pkbcikkp.dll	Mjggal32.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mhldbh32.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Mnknop32.dll	Jbagbebm.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Ofckhj32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Kofdhd32.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Llqjbhdc.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Llgdkbfj.dll	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Mpnmig32.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Jpgdai32.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Pjjfdfbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	6068	WerFault.exe	205

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipihpkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnakk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpakj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpegkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllhpkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjggal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjpjgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnamjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebijnak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khlklj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khiofk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llqjbhdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgbqkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoljagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofjqihnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbepme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledepn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckboblp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iojkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihdldn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomjicei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemooo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocnlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlppno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeocna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaonbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpnjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocgbend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilibdmgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeapcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamamcop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhajba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iacngdgj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphpicg.dll"	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khiofk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkffgpdd.dll"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfmjddg.dll"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilibdmgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1476	5060	270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe	89
PID 5060 wrote to memory of 1476	5060	270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe	89
PID 5060 wrote to memory of 1476	5060	270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe	89
PID 1476 wrote to memory of 3992	1476	Hlppno32.exe	90
PID 1476 wrote to memory of 3992	1476	Hlppno32.exe	90
PID 1476 wrote to memory of 3992	1476	Hlppno32.exe	90
PID 3992 wrote to memory of 1888	3992	Hbihjifh.exe	91
PID 3992 wrote to memory of 1888	3992	Hbihjifh.exe	91
PID 3992 wrote to memory of 1888	3992	Hbihjifh.exe	91
PID 1888 wrote to memory of 4820	1888	Hhfpbpdo.exe	92
PID 1888 wrote to memory of 4820	1888	Hhfpbpdo.exe	92
PID 1888 wrote to memory of 4820	1888	Hhfpbpdo.exe	92
PID 4820 wrote to memory of 2400	4820	Haodle32.exe	93
PID 4820 wrote to memory of 2400	4820	Haodle32.exe	93
PID 4820 wrote to memory of 2400	4820	Haodle32.exe	93
PID 2400 wrote to memory of 1936	2400	Hppeim32.exe	94
PID 2400 wrote to memory of 1936	2400	Hppeim32.exe	94
PID 2400 wrote to memory of 1936	2400	Hppeim32.exe	94
PID 1936 wrote to memory of 4644	1936	Hbnaeh32.exe	95
PID 1936 wrote to memory of 4644	1936	Hbnaeh32.exe	95
PID 1936 wrote to memory of 4644	1936	Hbnaeh32.exe	95
PID 4644 wrote to memory of 808	4644	Ilfennic.exe	96
PID 4644 wrote to memory of 808	4644	Ilfennic.exe	96
PID 4644 wrote to memory of 808	4644	Ilfennic.exe	96
PID 808 wrote to memory of 2988	808	Iacngdgj.exe	97
PID 808 wrote to memory of 2988	808	Iacngdgj.exe	97
PID 808 wrote to memory of 2988	808	Iacngdgj.exe	97
PID 2988 wrote to memory of 4112	2988	Ilibdmgp.exe	98
PID 2988 wrote to memory of 4112	2988	Ilibdmgp.exe	98
PID 2988 wrote to memory of 4112	2988	Ilibdmgp.exe	98
PID 4112 wrote to memory of 3644	4112	Iafkld32.exe	99
PID 4112 wrote to memory of 3644	4112	Iafkld32.exe	99
PID 4112 wrote to memory of 3644	4112	Iafkld32.exe	99
PID 3644 wrote to memory of 2944	3644	Iojkeh32.exe	100
PID 3644 wrote to memory of 2944	3644	Iojkeh32.exe	100
PID 3644 wrote to memory of 2944	3644	Iojkeh32.exe	100
PID 2944 wrote to memory of 3496	2944	Ipihpkkd.exe	101
PID 2944 wrote to memory of 3496	2944	Ipihpkkd.exe	101
PID 2944 wrote to memory of 3496	2944	Ipihpkkd.exe	101
PID 3496 wrote to memory of 4516	3496	Ihdldn32.exe	102
PID 3496 wrote to memory of 4516	3496	Ihdldn32.exe	102
PID 3496 wrote to memory of 4516	3496	Ihdldn32.exe	102
PID 4516 wrote to memory of 1232	4516	Iamamcop.exe	103
PID 4516 wrote to memory of 1232	4516	Iamamcop.exe	103
PID 4516 wrote to memory of 1232	4516	Iamamcop.exe	103
PID 1232 wrote to memory of 4324	1232	Jpnakk32.exe	104
PID 1232 wrote to memory of 4324	1232	Jpnakk32.exe	104
PID 1232 wrote to memory of 4324	1232	Jpnakk32.exe	104
PID 4324 wrote to memory of 4328	4324	Jaonbc32.exe	105
PID 4324 wrote to memory of 4328	4324	Jaonbc32.exe	105
PID 4324 wrote to memory of 4328	4324	Jaonbc32.exe	105
PID 4328 wrote to memory of 2236	4328	Jocnlg32.exe	106
PID 4328 wrote to memory of 2236	4328	Jocnlg32.exe	106
PID 4328 wrote to memory of 2236	4328	Jocnlg32.exe	106
PID 2236 wrote to memory of 1748	2236	Jihbip32.exe	107
PID 2236 wrote to memory of 1748	2236	Jihbip32.exe	107
PID 2236 wrote to memory of 1748	2236	Jihbip32.exe	107
PID 1748 wrote to memory of 1884	1748	Jbagbebm.exe	108
PID 1748 wrote to memory of 1884	1748	Jbagbebm.exe	108
PID 1748 wrote to memory of 1884	1748	Jbagbebm.exe	108
PID 1884 wrote to memory of 3668	1884	Jeocna32.exe	109
PID 1884 wrote to memory of 3668	1884	Jeocna32.exe	109
PID 1884 wrote to memory of 3668	1884	Jeocna32.exe	109
PID 3668 wrote to memory of 4116	3668	Jlikkkhn.exe	110

C:\Users\Admin\AppData\Local\Temp\270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
"C:\Users\Admin\AppData\Local\Temp\270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\Hlppno32.exe
  C:\Windows\system32\Hlppno32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\Hbihjifh.exe
    C:\Windows\system32\Hbihjifh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\SysWOW64\Hhfpbpdo.exe
      C:\Windows\system32\Hhfpbpdo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        31⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        33⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        35⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        41⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        60⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        62⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        74⤵
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        78⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        84⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        90⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1992
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        104⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        105⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        109⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        111⤵
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        118⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 412
        119⤵
        Program crash
        
        PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3668,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6068 -ip 6068
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dlofiddl.dll

Filesize
7KB

MD5
b714b402d457812f780a2a541659d212

SHA1
3612ea79c719c798d1cc9d7f43504a5999542226

SHA256
5fa2861499fdb3693b5198e65ecf69f216937c73f7d40be11149754ccb3637a8

SHA512
62ba0de8466807cd2b0734676b77c5e489734ca9185c771f66005044bcb78e53324d1e4b5e3793eff813e3ecac6a60e0e96221e36b8bb0805860b4b54bce3629

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
161KB

MD5
a5758b7ebd0c61694b4a41921b2b854d

SHA1
113f2f5415527e5d74b31a8d9481dda70199eb4e

SHA256
be1311d99083186bc1a070506bb162d71dbc8594442f3401ad68b2e254ea6b80

SHA512
52851f550c4c2c7a4d65c00ba456c47668e9109a87add327ef38c28e40d19f69f1e4a6fcabf305ae8843b5b7ab060261f6e91ac1144d09ecd35f5f6f6917d604

Download Submit
C:\Windows\SysWOW64\Hbihjifh.exe

Filesize
161KB

MD5
9601582b352ac509cf8a424b8aa0fc57

SHA1
5e8eb8c2cfb9b65ac35060a8e683d085645cda14

SHA256
94646a7efff3511f19ff4f536230044454eb73f696968fc65ae1109fddbd6ebc

SHA512
8f957c711ec011f168b0ef071c2af1b8a987014a8120747c470573887022af8eb2d2e9c49af9059604104dc1997285ff12c0dac9a94c6a6269821022a0ca848b

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
161KB

MD5
26705aa1a0c7b5a666f4c953d1019481

SHA1
ed3167f71cdecf7d8f0e779a73e75ace0290e72b

SHA256
9ecf469a700cffb2ddf6bd996f155bbb1805db54b72105f288e49c555287d5de

SHA512
28d0391d5dc9bb49316e8a81bb4125572b0a2adc1baef12b59eb6fea8632f1c17244fb4b86791e41f44bbc51496e177e521cad92eeebb46d0b0dce90a1956565

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
161KB

MD5
8ea60e4924186473956f7712277796e5

SHA1
43dfcc7a67b88cb32dfd306399007448efacc6cd

SHA256
14fc8a1582a47baa5d0b5d7acc3731a9c953080715ab84d11c0d45bbe684a4cd

SHA512
dafb5d67f0aac03b4fae74d5dbbad22195439467fcb74f17d823d43b823da1eed46177c6ee4fdf4ced1b9f241b94d970f0af79852d0d4b2fc12bc0982acb04bd

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe

Filesize
161KB

MD5
c7d03597cb57f028c2903bd7a56b7642

SHA1
96e185d50140137d75a99e2c9897a7c681375f4c

SHA256
205558bec9a7113a035f373249b97de0abb405b510f6b60ce90d1583acf7a134

SHA512
3cf6eb3ff90d11f8a9cd130ae4520c8b934d36b2cef040b74abfe638d99ef666a76cbf1def95d28230697a5d342474e2ebc522c060d5ec214a80909c3a4c5707

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
161KB

MD5
5ad23b965456e68b738f2cb33c2bec60

SHA1
65b2e1b7bdbd7cc5ea6eaae5d04447f2aebff259

SHA256
76ae75a100c6e833143b631786f4099c3dc0d5706319dceeb7452261378581b2

SHA512
579d8276ab5788127a39b4081fc7e1825503c368170c725b2cf407ecfce8af975230a703b8b3dce737b98b8f827260e75b861a1b92012f440c8a2d5811953434

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
161KB

MD5
33b6c8d5b9769e2f19a8c724b009ce97

SHA1
f807c31a32f96a726f9dadf7d5942e75ff07f898

SHA256
a70b381095ff18b591ed594f35f74a412a70e05d70dda28adc25abedb19a1f2f

SHA512
8b509ae7a44e0278b8040d1f707353125c5524ba2294cb960743da327294800ded12c51f8160baf6438e18e10e268c254b53889218b86273d0f4c15f524cba6f

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
161KB

MD5
e42b7faf74c24009804a2fbeaffe2709

SHA1
f8ef28b3a3034bbfcd4dd1d67bc25760cbbd4d3b

SHA256
14e3897f04c9fa204412cc9841065e9f952be24375b7081c30e20122f083ea9a

SHA512
b2ff7af4aa316ba773e15a84d3f625e7929e72b8b4f58e2c9157f415cbab97f5166fcb93e4b67cec3a6baef111c38bb21fbb179df6116fbbde1d46a151a18879

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
161KB

MD5
64b5657c9d1c80a624734815771dd559

SHA1
64057ebd9bab9021397e7655e4b0f351af2efc7e

SHA256
280a9e36eaf856397b37e56d194acc57d0ebc30935e278944f06e099ae48b236

SHA512
e318f04a014aba0bc5ab6b3fd3bf19f4b4b61aca034247b9b1a8714a693641aadc974548ad39877460a016462739823a6387bc881758700e84fe2664b36850db

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
161KB

MD5
8693d6cfd3733675bc6c081f4f5ac2f5

SHA1
047f9bc99f6389c01816941aa8b5b3f4285786f4

SHA256
796f008be513dac07209448c3a1d487718b1dcd4f1a72bfb91978f3597167bd5

SHA512
942681ef6b44b0cce90f16329354e4628a235336a4f804b664c7c6a132bf9edcb85e1da35d1d0b3cbb77f62536860cc9cff4a9f49108d632ac1af60052632115

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
161KB

MD5
7abf8cb768ed29d6398c69c2b434022f

SHA1
41462ffeb8e3c7563988853b88a5018cb0d93b81

SHA256
6a9757b9d50bceb123050ea744936aa2d65bd81cb2d4f04e34d4ebaa88f721d8

SHA512
26e37f06259e9509377a0af9542620be2519c1c49beddbca6a94aca491c2bcfd86c8fd1a7b3b164d43062e9307084430afdb6c88d61510cf0ee7a6ec7b93c3da

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
161KB

MD5
eec8aeb53da4601514c2b1afaffee90e

SHA1
753a35381fce6b1feb92312661b72e81d1707f9e

SHA256
b5b3d658364d5362b01c40b413a6f9566133cd91ce6edf6831074b3e217f0caa

SHA512
f280f188a8b9083f995409a6a2062cb1b956b120055c1c0de5a7c961e6dcb189b6750fff415b68ecefe4efc739a8a103809cfc8fc2fffcfcac3acab0d1870a38

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
161KB

MD5
9217ab974689716a3d176409f8f5eb72

SHA1
a15038238c0966d1e837893c945c07a0f16cbd85

SHA256
73ad8e7b3b35a4252846e345f0f12a6e1d02b2bcc5244746b976d9ce90a5ca11

SHA512
e41bdbac2ed577efb2dbf057a72b17e24adb6b105eb0704ef069bda2c81a37452adea8f64463e081a031e708b4cb54a40eb6e2d67497c294ee8f366efd82f526

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
161KB

MD5
00669ffbe18368c23e06d03a545fb9bb

SHA1
7bae3b3bcf8899ca88b22a340e14e2b0efe87cb8

SHA256
cef76eb8034ca99dafb9c51509104fbf5830b5d57cf51593588b5fb143752f0c

SHA512
2e6a347ebbdb1d2920b89181d7046249442a075f4587e9a5d1cf480a23f5fc0dfb56e617a4cf6be670d8a74c00d240bc9d8b6a13ed9fc682cf584f22cc6e4fab

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
161KB

MD5
2c41953034879d50440dd68399431ac9

SHA1
ecea7ba51e6c1e89baaf0a3863c4ab32af056d55

SHA256
71343748c1ab4f5238d9764d491680f3f5149ec3b9960d000df4c9ab24415c9b

SHA512
2bf20329ff4fd7e1eeddbba0afe3c244622f2b7bca13e9596738fc3c0fab3c9f70a00384eb3ca0b92b691c05101c5ad9dd7a03af702c041f6da1dffe88cecaa1

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
161KB

MD5
f9d7458e65191d414df85fd5dedcea9d

SHA1
c68af330e8d4a0b9871bf1459d4f1cfe772acc67

SHA256
3dda40579ee6e937cd618bad443229a862c03ce35f090c21554ad5c3111b4a26

SHA512
2d040e25497aa56d69d17c15d09b341f64a787f127493dc2fabfdf31d02f206db1c9dc69fc1a1a7c21f4eb4a8879c5d367fa1909cd6763415c8920a597622532

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
161KB

MD5
e01ec78f0952ddac7d58a2f1c27c4813

SHA1
83d61b289179e0ea2145221addd4b0988d452ffb

SHA256
6668967c2c1bc44c676c51c3dba38ff16ad5020c25e2a1fff18770dee06b874b

SHA512
bc5df67681aefab599c0f0851e3634c6d79a7d0b141717d259bbf88acaa351f1e4dc93dc43e30c26bca51280efd46e43a6d7b581feb6266d9a7013901c010060

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
161KB

MD5
14218d4521e3d79ff48a62f1c165c7ee

SHA1
619a4fd6b75cf9c7268462860e2d60c36b683575

SHA256
8b85bfce026b41967a06e6643078d760baf5cd389a509aa874cfa2feebdbf98c

SHA512
448af6829fc1654141dfececf94470bfd2b4fc4356eee168295c2637b9d06b15be20e05ec5c4abdd42bed5c43625bf089927e5aef0647f51145d4c23bc594990

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
161KB

MD5
c1de3fc41057fa183e7210f38482d082

SHA1
7e0789704f6025c460a580ed09a4a5b919ddcc82

SHA256
7b8ca6a9f70f9aeeeea4667da628b2fb37eda744d018495c9730ad75987506dd

SHA512
4bc623dc35bf305c9f51c9b1992ab406e9e69577149aad2450c763e8c552adab499cb01434d7aec28022e93d28bcb1e0aa24b649ff8f97c6e4da0a0f071d46c0

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
161KB

MD5
3ea93bec0d2589fdb0943ca9d4815984

SHA1
8096a4e735e3adaa30382d97d561707d7f18e0cf

SHA256
1f51aceb47644751802806505863f6bd8c79e8252ac8368a0f27d01a9f5985e4

SHA512
040a9ac5032c78882b51cc049f2259dbb5d381da14a9173c9b38cf73a0a85d7fe75e9301d027114b59acb4483e02f1b9159c7dc7f04d60836a2a71ad88f6f53e

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
161KB

MD5
144b2ca3b39b328ff510ba8abcf4a41a

SHA1
dda04dd7ff58775a97ef58ce4724a421b46e949e

SHA256
6f4158eaf2a005ffee26f541200e599b2ccc1726f08ca787fb7fd3be0f4b2ffc

SHA512
b1228e55139c6705cebb885b8f36f871fe3a491bf9381f676fefaa9090a591f74922eea90f0808d7483491ec9db7256b3c945016295c4ca5808dcf16f6b0d56c

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
161KB

MD5
5a2495fb3d9a291df2cd643f6e56a0f4

SHA1
dbdef9e4bc446dee3ae08c452e5d60f8e01a444f

SHA256
cb4284c52227bcceea781c19e1dd4de10ba62808ec1dc7ce7e3159c95de1b634

SHA512
823db10f398462033a505c699a4b4eeb7ed78fc93c4d8b5e94b2482e994cbdee01fe614726c23109477b4a4c0ee31630a9cd4d742b7f8374e85c212ec4f69638

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
161KB

MD5
2cb868279952ada8bf4163c906b60dc5

SHA1
38b02bb80f6a2e66f1b7178be611b2813c6b3d95

SHA256
e380941c764a4f267c42766f9d51063987548af54f79c3ee309bdf05f22f4574

SHA512
7fca2d12661c6545a77ea0cb0458ddc5f0efed14023cf753f7c65802b32068f4dbec5798bf6a5f2d5866e359e9bab71e6555f6ca85d922a2eb0c9d1baff45f8c

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
161KB

MD5
8ba6fdc2807f47dc1466a2fb5879fb2c

SHA1
c0cebccb856c71e344980c7149c5b4cf8b3380a8

SHA256
80b844c2df16c02c7bfb32ea3830c7a22d7266a01f869c53cfb168d177711b25

SHA512
d703910ccdc31f9a4cb46397bb2ed57040ea503a18f5413d7766d244b38bb68ae914b90b0a008e764294cf0e745830cf70c8d55487056175cf915670a4f2cdf2

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
161KB

MD5
e52d6327b695084710065ad61607efdb

SHA1
dec5dad010bbd763e3bb42bd4d2ea9a222e15a0c

SHA256
72a572b85b589993fe4a9c51d55e50bda90b966d19c2faec79460d5af76534a7

SHA512
be2ba6fb657b786200c2eba9ff9361da1c0d86c489427f55cb1df1243e5a95c6f47cb8b26f4b02fa3bbb7c2997abd40d8b1b4b0ecfaf4b1982da0ad0000c76c4

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
161KB

MD5
a63f550eef4854fe0a729a47b3c5dfab

SHA1
5afae20d94f9f7684289c65b988d75ea5a8acdd0

SHA256
3e9d6b46be4231d91617531b6b6153899cea69db7cd6346cdde157b947bde08f

SHA512
71c437da695d4ac52c525c479e782b9df196617e2760f2736636dbddf65e0129decdecfd28f1a5f76836ef14aefd5e7ddfb77ca42cf44d42e465ceba02defef4

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
161KB

MD5
523dab67189ed25e287ed21edd093a4f

SHA1
09e6220f2bbab73e34c837ddc4b37684595bc20f

SHA256
610622fae8364bd8b12800e120bdff70ffce181aedf8c2ce7f13f5694fd71335

SHA512
d6ba39b335acf4750fbc1852b156b16ebab571ebe095b4f7c84341135b711c893fd3af0f6d104a184ae0f111a143f3c43db1108a106de539cfbcea6360e89243

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
161KB

MD5
059dc7d374a71cb8ffdee7e93541b850

SHA1
d591980b1ac4ae6d4cb5aec5696e10b978fbf3b2

SHA256
06ff463bc20377b3c88a9469500a6a6e353572f8cea1a7fdc2f3c6a58ded5b89

SHA512
c1ba17b8d0b54b25d3652d01bcff1e64356117e1a7e0cb019e9f670e87332fee57cfa5b4bb3c6212e190dfe30435afff95e5e9ba82e363d0a96a7cb65bfc4b6a

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
161KB

MD5
3e6a30cc0859c9a6007dd3cb5ae5d9c0

SHA1
d8d689aae062ced6b6af43d3af3402b9324b2a60

SHA256
6d0447d56f2245f759bb892b71b4edc5a6da5c9a236966465d175b4d69c05094

SHA512
82bcdd8340b986691cba4c05a599f19f0a3d53e890b83d3a12e445996c11e65f575ecd5545715722c6ea47f30aa01f86cbdba6eef0a984d49365adce6384e3b9

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
161KB

MD5
88997bb7fb0a64d71047fc5a18431635

SHA1
a257a60e705d1d5d6987329dca59660a658e32e9

SHA256
77a309c685bb01ad2b20ca23aa539a445fb518b79f7539d0e76d2a01ac23c3af

SHA512
0649a46a6896f212765e75a428e351eeaf9cd42958e7de23649b55e4880f4907cc4ca3c2b95783e06c0a0cb937ee97f2064a803ecb723c69d1da7c65782ed2d0

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
161KB

MD5
39b84c6d0039187895c45a85adb607c6

SHA1
b5f713085f9f3f3738831c4fd561fcf3455c221f

SHA256
9b4b050dd84e772471b5d6ce2a7c085aeedca7dc7945f6eaa616bb57244a2fef

SHA512
eb69b4b6bcdf3d20312e62ab7bae5e6279ac2fc0105d49c4db4f98efd24eefa2610b5f8224fc03235363f85bc4f42c291d4127c9f8859ce852640823cf6a37a0

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
161KB

MD5
a3da967a184487773318cf0d233dcdd4

SHA1
ff3fba439be01f95c6517475364aa3873e2af883

SHA256
9af130f34ae93fd0d0cced528d1a3a49c574be8399ec18d8d53818e98b2d70ad

SHA512
de798498827a171d7bf0d319839ff7fbdb599822640459340a285720bc221a8d5b1100627ad2f49eced1e027a4c6e92fc7ec3894f279796e35af394d0c1f1201

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
161KB

MD5
7e6345446feee81c47d7fbd35ea38b78

SHA1
f0f53482d839c7303ed5e8de760aa705f5218e0e

SHA256
48c927ef20695735060f0cce5c32a0dfba0b93397f492c52086b26b7cc2d408d

SHA512
460e2c8c3d4fcd15b9d7bbbfe2cc74deecf4bab939d0dd7067ca2299dcc87b607abd3b246426f4ba06b5e52d308116fb84b676fc5679c036ae373e79b5d379d9

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
161KB

MD5
908a95df9947014a31fb15a0ede3c401

SHA1
fb3a5cf5fc425cc5255e72d8c821377fd5f4868a

SHA256
db34ed1b760f903bf27bf54f4b7050263c409c28b6fa1a3106470b2f99c929c2

SHA512
66cd93980094e616083b1c4e53c40b447962ca5d610b1d59beb9f96faf2bd5ec0e478e78461b6c87b66e54471ffbeaf4057e69e9dbedc2b96f4cdaacb4a402ad

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
161KB

MD5
9c864a955c293b7d69b27e948da24753

SHA1
44b1250ba82d9387a4ee0d9105945f3372eae1b6

SHA256
a6afa572e582352e532ee70715b8116798dd714efa8d7527fc0b6425b239c045

SHA512
d4e2b1d03d7190a270fb8f05e2ccb5efd9a97f503c40182471ecdb1f843263314416726b41a39464e1de6c11571568a796a7aa00060f1689f3da40775fe011d5

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
161KB

MD5
5f5570b0312cd4e182452bdd010fed57

SHA1
dc245e9bb41e89e9ea8b1bd9198142317b9e0a2f

SHA256
1c05ca6ab037489807d5ff17ebcf5ee327c07dbfb8bca95f9edcb6ae50672941

SHA512
693f5fce67c7c9b64548237d73cbb2c087b275b8e7fef9391d6ed97542a8f18c3277ce8e07729aee5ec96a5ace3d96804c112bb3e0307e60a1d977f481d56a9a

Download Submit
C:\Windows\SysWOW64\Ookoaokf.exe

Filesize
161KB

MD5
15369a1273d559c4707fbabbcb6706d5

SHA1
62a29896ff4ba8ff8d87c7ef76150331d604bed3

SHA256
4d9e750a989c755ed3ef84cc04a8e87cd6091d380fb85bbf2970f780b7780f45

SHA512
cd7b4799acf0fddf92f2b43780c217497c0849d25fe5301d2f3853e31e4913544d7b06c1a9d5ecf3368584eab97ac75099f141df03c212e5ca7ef0fef7bb54e6

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
161KB

MD5
1b04260453260f452ff2b22652b22401

SHA1
66fde67d17aad591890664e7e7fb12890c5d7447

SHA256
f86fce01715b71dafbcf338376190c326670698e34d99e8d0763c6a3916bc2c4

SHA512
a9c43b0c6f265be33f7bed41ba6fd0cde8d7c2d9baa866408bdb340a75a47ba345d59cff18b4aebdd71a63a856c15326462d39b8bc1503c58aa7e24e8a52ae00

Download Submit
memory/208-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/244-527-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/416-509-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/644-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1192-474-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1232-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1232-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1740-480-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3112-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3240-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-515-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3880-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3944-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4328-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4328-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads