berbew | a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
Size

364KB
MD5

c98ecbd55b8ea5ff264bf090729df3c0
SHA1

56cc4ee4ac7899046e72391ac79844aff7e337b8
SHA256

a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998
SHA512

c9e87430af19f980ddad01a70b5798ea91dceeca81fcf8c95129fd1fd16c20640bc722f164d7bf490ec2f182170815557216f32f5511d9e7b03e9635d1f1f6de
SSDEEP

6144:ydawLJisFj5tT3sFwJk7hDplcsFj5tT3sF:BMEs15tLsp1Dpis15tLs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daaofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gapdni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhelfapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgcef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqklhpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpiacgbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdaompce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efemocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkabfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghlbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgnojog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbcbadda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifndm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmdofmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmlfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghlipchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkgnojog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbmkhej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnnlinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehppng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdlcdedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhelfapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihakbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhlgalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehkgbgdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplnigpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnknf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdjgoefc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gapdni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghlipchd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipcmpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikmkilgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqklhpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjcqqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdabhka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daaofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emabamkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkabfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ingnjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnqqpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keheno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dameknaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnnlinc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjgjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdefkcle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdefkcle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjimqjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diemiqqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehppng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giilml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgaeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqaiaaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edinhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmdofmic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjleq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnknf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmlfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkkgjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbmkhej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emabamkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmpobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnqqpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnejkfnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjlkpgdp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4184	Dhdabhka.exe
1652	Diemiqqp.exe
456	Dameknaa.exe
3064	Dihjopom.exe
4612	Ddnnlinc.exe
696	Daaofm32.exe
2928	Ehkgbgdi.exe
1856	Eimcjp32.exe
2332	Ejlpdbbj.exe
1520	Ehppng32.exe
1812	Eiameofb.exe
2556	Efemocel.exe
768	Edinhg32.exe
4188	Emabamkf.exe
916	Ffjgjb32.exe
5092	Fmdofmic.exe
3524	Fflcobod.exe
4172	Fmflll32.exe
2248	Fkjleq32.exe
4336	Fpgdng32.exe
396	Fkmikpcg.exe
4892	Fpiacgbo.exe
2868	Fgcjpa32.exe
4268	Fibflm32.exe
4116	Gplnigpl.exe
4284	Ggffeagi.exe
3496	Gkabfp32.exe
2064	Gmpobk32.exe
3536	Gpnknf32.exe
116	Gdjgoefc.exe
4416	Gghckqef.exe
5020	Gmbkhk32.exe
3092	Ganghiel.exe
4680	Gdlcdedp.exe
4932	Ghgpec32.exe
3632	Gkflaokm.exe
5096	Giilml32.exe
4124	Gapdni32.exe
3860	Gpcdifjd.exe
1540	Gdnpjd32.exe
5100	Ggmlfp32.exe
2392	Gikibk32.exe
4304	Gabqci32.exe
1600	Ghlipchd.exe
1816	Gjnehk32.exe
1144	Hpgnde32.exe
4660	Hjpbmklp.exe
3992	Hdefkcle.exe
1100	Hnnkcibf.exe
1096	Hhcoabbl.exe
1072	Hjdkhj32.exe
760	Hhelfapi.exe
1852	Hghlbn32.exe
4552	Hanpoggj.exe
2312	Hkfdhm32.exe
3672	Ipcmpc32.exe
4644	Ingnjh32.exe
4960	Ihmbgqja.exe
488	Iaefpf32.exe
3096	Ikmkilgb.exe
1916	Ibgcef32.exe
2496	Ihakbp32.exe
984	Ijbhjhlj.exe
3972	Ibjpkeml.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jacpdlfi.dll	Hanpoggj.exe
File created	C:\Windows\SysWOW64\Dkiidj32.dll	Ipcmpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ihakbp32.exe	Ibgcef32.exe
File created	C:\Windows\SysWOW64\Gnehdgkp.dll	Idhlgalp.exe
File created	C:\Windows\SysWOW64\Gmbkhk32.exe	Gghckqef.exe
File created	C:\Windows\SysWOW64\Bfjpkifk.dll	Ganghiel.exe
File created	C:\Windows\SysWOW64\Gpcdifjd.exe	Gapdni32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjpkeml.exe	Ijbhjhlj.exe
File created	C:\Windows\SysWOW64\Npbdjm32.dll	Jdaompce.exe
File created	C:\Windows\SysWOW64\Jbmnicfe.dll	Dihjopom.exe
File opened for modification	C:\Windows\SysWOW64\Gkflaokm.exe	Ghgpec32.exe
File opened for modification	C:\Windows\SysWOW64\Gdnpjd32.exe	Gpcdifjd.exe
File created	C:\Windows\SysWOW64\Hpgnde32.exe	Gjnehk32.exe
File created	C:\Windows\SysWOW64\Coqhbb32.dll	Gjnehk32.exe
File created	C:\Windows\SysWOW64\Jpnqml32.dll	Jiogcn32.exe
File opened for modification	C:\Windows\SysWOW64\Emabamkf.exe	Edinhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdkhj32.exe	Hhcoabbl.exe
File created	C:\Windows\SysWOW64\Fcdbok32.dll	Gghckqef.exe
File created	C:\Windows\SysWOW64\Bqbjmm32.dll	Ikmkilgb.exe
File opened for modification	C:\Windows\SysWOW64\Kblegblg.exe	Kkbmkhej.exe
File created	C:\Windows\SysWOW64\Nnifig32.dll	Jkkgjj32.exe
File created	C:\Windows\SysWOW64\Bmnaao32.dll	Jbeogcbo.exe
File created	C:\Windows\SysWOW64\Pnjgfdai.dll	Kqklhpgg.exe
File created	C:\Windows\SysWOW64\Fpfkhdhc.dll	Ghgpec32.exe
File opened for modification	C:\Windows\SysWOW64\Kifndm32.exe	Kblegblg.exe
File opened for modification	C:\Windows\SysWOW64\Jjlkpgdp.exe	Jgnndk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdaompce.exe	Jbcbadda.exe
File created	C:\Windows\SysWOW64\Cqnkjjaf.dll	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
File opened for modification	C:\Windows\SysWOW64\Diemiqqp.exe	Dhdabhka.exe
File created	C:\Windows\SysWOW64\Fpgdng32.exe	Fkjleq32.exe
File opened for modification	C:\Windows\SysWOW64\Gikibk32.exe	Ggmlfp32.exe
File created	C:\Windows\SysWOW64\Dipadphe.dll	Hjdkhj32.exe
File created	C:\Windows\SysWOW64\Nlbabn32.dll	Ingnjh32.exe
File created	C:\Windows\SysWOW64\Jiogcn32.exe	Jbeogcbo.exe
File created	C:\Windows\SysWOW64\Dkgbpl32.dll	Ehkgbgdi.exe
File opened for modification	C:\Windows\SysWOW64\Gplnigpl.exe	Fibflm32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjimqjm.exe	Jnqqpf32.exe
File created	C:\Windows\SysWOW64\Jobcfmff.dll	Jqaiaaoa.exe
File created	C:\Windows\SysWOW64\Jbeogcbo.exe	Jkkgjj32.exe
File created	C:\Windows\SysWOW64\Inmdoh32.dll	Kjcqqf32.exe
File created	C:\Windows\SysWOW64\Dihjopom.exe	Dameknaa.exe
File created	C:\Windows\SysWOW64\Eiameofb.exe	Ehppng32.exe
File opened for modification	C:\Windows\SysWOW64\Giilml32.exe	Gkflaokm.exe
File created	C:\Windows\SysWOW64\Ibgcef32.exe	Ikmkilgb.exe
File opened for modification	C:\Windows\SysWOW64\Kkbmkhej.exe	Keheno32.exe
File created	C:\Windows\SysWOW64\Kifndm32.exe	Kblegblg.exe
File created	C:\Windows\SysWOW64\Daacjbmh.dll	Diemiqqp.exe
File opened for modification	C:\Windows\SysWOW64\Ejlpdbbj.exe	Eimcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ikmkilgb.exe	Iaefpf32.exe
File created	C:\Windows\SysWOW64\Flgnmmnp.dll	Jnejkfnk.exe
File created	C:\Windows\SysWOW64\Daaofm32.exe	Ddnnlinc.exe
File created	C:\Windows\SysWOW64\Fkjleq32.exe	Fmflll32.exe
File created	C:\Windows\SysWOW64\Fkmikpcg.exe	Fpgdng32.exe
File created	C:\Windows\SysWOW64\Ppahba32.dll	Gkflaokm.exe
File created	C:\Windows\SysWOW64\Gdnpjd32.exe	Gpcdifjd.exe
File created	C:\Windows\SysWOW64\Gjnehk32.exe	Ghlipchd.exe
File created	C:\Windows\SysWOW64\Hcaofb32.dll	Ihakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkndpi32.exe	Jiogcn32.exe
File created	C:\Windows\SysWOW64\Ddnnlinc.exe	Dihjopom.exe
File created	C:\Windows\SysWOW64\Ffokaj32.dll	Gdjgoefc.exe
File created	C:\Windows\SysWOW64\Ihakbp32.exe	Ibgcef32.exe
File created	C:\Windows\SysWOW64\Jqaiaaoa.exe	Jjgaeg32.exe
File opened for modification	C:\Windows\SysWOW64\Daaofm32.exe	Ddnnlinc.exe
File created	C:\Windows\SysWOW64\Banlmoig.dll	Fkjleq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2520	212	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fibflm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdjgoefc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmbkhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ingnjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiogcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehppng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffjgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghlbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbhjhlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjpkeml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dihjopom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daaofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgcjpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igfhclkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gabqci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpgnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dameknaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnnlinc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiameofb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmflll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkmikpcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdlcdedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjlkpgdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnejkfnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcbadda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlpdbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmdofmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfdhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhlgalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgieil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgaeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifndm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efemocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkabfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpnknf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjcqqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fflcobod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gapdni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpcdifjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjpbmklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkkgjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkndpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhjlejb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edinhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ganghiel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggmlfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhelfapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqklhpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblegblg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdkhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjimqjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehkgbgdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjleq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpiacgbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gghckqef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdnpjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghlipchd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhacopd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqaiaaoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keheno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgdng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gplnigpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmpobk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpikcce.dll"	Fmdofmic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmflll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keheno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aikmih32.dll"	Emabamkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlknmfod.dll"	Gplnigpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggmlfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gghckqef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghlipchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaiabinh.dll"	Jdjimqjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhcoabbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjimqjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbcbadda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diemiqqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlpdbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggghjkm.dll"	Efemocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghlipchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipcmpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edinhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmpobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ganghiel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqklhpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbmkhej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiameofb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhiomkk.dll"	Gdlcdedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihmbgqja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebgcd32.dll"	Hhelfapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgnndk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjlkpgdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgopa32.dll"	Kifndm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppahba32.dll"	Gkflaokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onhjakke.dll"	Gapdni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdbdmc32.dll"	Ggmlfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhelfapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnifig32.dll"	Jkkgjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegpgf32.dll"	Gkabfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnnkcibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkjleq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnknf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdefkcle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjlkpgdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diemiqqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmflll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgamjb32.dll"	Jbcbadda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkiidj32.dll"	Ipcmpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgcef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbmkhej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkflaokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hghlbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hanpoggj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqklhpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfkhdhc.dll"	Ghgpec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gikibk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hanpoggj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbhjhlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhhacopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipadphe.dll"	Hjdkhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kifndm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dihjopom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4184	3624	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe	82
PID 3624 wrote to memory of 4184	3624	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe	82
PID 3624 wrote to memory of 4184	3624	a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe	82
PID 4184 wrote to memory of 1652	4184	Dhdabhka.exe	83
PID 4184 wrote to memory of 1652	4184	Dhdabhka.exe	83
PID 4184 wrote to memory of 1652	4184	Dhdabhka.exe	83
PID 1652 wrote to memory of 456	1652	Diemiqqp.exe	84
PID 1652 wrote to memory of 456	1652	Diemiqqp.exe	84
PID 1652 wrote to memory of 456	1652	Diemiqqp.exe	84
PID 456 wrote to memory of 3064	456	Dameknaa.exe	85
PID 456 wrote to memory of 3064	456	Dameknaa.exe	85
PID 456 wrote to memory of 3064	456	Dameknaa.exe	85
PID 3064 wrote to memory of 4612	3064	Dihjopom.exe	86
PID 3064 wrote to memory of 4612	3064	Dihjopom.exe	86
PID 3064 wrote to memory of 4612	3064	Dihjopom.exe	86
PID 4612 wrote to memory of 696	4612	Ddnnlinc.exe	87
PID 4612 wrote to memory of 696	4612	Ddnnlinc.exe	87
PID 4612 wrote to memory of 696	4612	Ddnnlinc.exe	87
PID 696 wrote to memory of 2928	696	Daaofm32.exe	88
PID 696 wrote to memory of 2928	696	Daaofm32.exe	88
PID 696 wrote to memory of 2928	696	Daaofm32.exe	88
PID 2928 wrote to memory of 1856	2928	Ehkgbgdi.exe	89
PID 2928 wrote to memory of 1856	2928	Ehkgbgdi.exe	89
PID 2928 wrote to memory of 1856	2928	Ehkgbgdi.exe	89
PID 1856 wrote to memory of 2332	1856	Eimcjp32.exe	90
PID 1856 wrote to memory of 2332	1856	Eimcjp32.exe	90
PID 1856 wrote to memory of 2332	1856	Eimcjp32.exe	90
PID 2332 wrote to memory of 1520	2332	Ejlpdbbj.exe	91
PID 2332 wrote to memory of 1520	2332	Ejlpdbbj.exe	91
PID 2332 wrote to memory of 1520	2332	Ejlpdbbj.exe	91
PID 1520 wrote to memory of 1812	1520	Ehppng32.exe	92
PID 1520 wrote to memory of 1812	1520	Ehppng32.exe	92
PID 1520 wrote to memory of 1812	1520	Ehppng32.exe	92
PID 1812 wrote to memory of 2556	1812	Eiameofb.exe	93
PID 1812 wrote to memory of 2556	1812	Eiameofb.exe	93
PID 1812 wrote to memory of 2556	1812	Eiameofb.exe	93
PID 2556 wrote to memory of 768	2556	Efemocel.exe	94
PID 2556 wrote to memory of 768	2556	Efemocel.exe	94
PID 2556 wrote to memory of 768	2556	Efemocel.exe	94
PID 768 wrote to memory of 4188	768	Edinhg32.exe	95
PID 768 wrote to memory of 4188	768	Edinhg32.exe	95
PID 768 wrote to memory of 4188	768	Edinhg32.exe	95
PID 4188 wrote to memory of 916	4188	Emabamkf.exe	96
PID 4188 wrote to memory of 916	4188	Emabamkf.exe	96
PID 4188 wrote to memory of 916	4188	Emabamkf.exe	96
PID 916 wrote to memory of 5092	916	Ffjgjb32.exe	97
PID 916 wrote to memory of 5092	916	Ffjgjb32.exe	97
PID 916 wrote to memory of 5092	916	Ffjgjb32.exe	97
PID 5092 wrote to memory of 3524	5092	Fmdofmic.exe	98
PID 5092 wrote to memory of 3524	5092	Fmdofmic.exe	98
PID 5092 wrote to memory of 3524	5092	Fmdofmic.exe	98
PID 3524 wrote to memory of 4172	3524	Fflcobod.exe	99
PID 3524 wrote to memory of 4172	3524	Fflcobod.exe	99
PID 3524 wrote to memory of 4172	3524	Fflcobod.exe	99
PID 4172 wrote to memory of 2248	4172	Fmflll32.exe	100
PID 4172 wrote to memory of 2248	4172	Fmflll32.exe	100
PID 4172 wrote to memory of 2248	4172	Fmflll32.exe	100
PID 2248 wrote to memory of 4336	2248	Fkjleq32.exe	101
PID 2248 wrote to memory of 4336	2248	Fkjleq32.exe	101
PID 2248 wrote to memory of 4336	2248	Fkjleq32.exe	101
PID 4336 wrote to memory of 396	4336	Fpgdng32.exe	102
PID 4336 wrote to memory of 396	4336	Fpgdng32.exe	102
PID 4336 wrote to memory of 396	4336	Fpgdng32.exe	102
PID 396 wrote to memory of 4892	396	Fkmikpcg.exe	103

C:\Users\Admin\AppData\Local\Temp\a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe
"C:\Users\Admin\AppData\Local\Temp\a880eaf72c7b470c58d073770a880cd70240e41fa1ab7186a73d9b2129ded998N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\Dhdabhka.exe
  C:\Windows\system32\Dhdabhka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\Diemiqqp.exe
    C:\Windows\system32\Diemiqqp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\Dameknaa.exe
      C:\Windows\system32\Dameknaa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\Dihjopom.exe
        
        C:\Windows\system32\Dihjopom.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\Ddnnlinc.exe
        
        C:\Windows\system32\Ddnnlinc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Daaofm32.exe
        
        C:\Windows\system32\Daaofm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ehkgbgdi.exe
        
        C:\Windows\system32\Ehkgbgdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Eimcjp32.exe
        
        C:\Windows\system32\Eimcjp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ejlpdbbj.exe
        
        C:\Windows\system32\Ejlpdbbj.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Ehppng32.exe
        
        C:\Windows\system32\Ehppng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Eiameofb.exe
        
        C:\Windows\system32\Eiameofb.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Efemocel.exe
        
        C:\Windows\system32\Efemocel.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Edinhg32.exe
        
        C:\Windows\system32\Edinhg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Emabamkf.exe
        
        C:\Windows\system32\Emabamkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ffjgjb32.exe
        
        C:\Windows\system32\Ffjgjb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Fmdofmic.exe
        
        C:\Windows\system32\Fmdofmic.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Fflcobod.exe
        
        C:\Windows\system32\Fflcobod.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Fmflll32.exe
        
        C:\Windows\system32\Fmflll32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Fkjleq32.exe
        
        C:\Windows\system32\Fkjleq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Fpgdng32.exe
        
        C:\Windows\system32\Fpgdng32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Fkmikpcg.exe
        
        C:\Windows\system32\Fkmikpcg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Fpiacgbo.exe
        
        C:\Windows\system32\Fpiacgbo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Fgcjpa32.exe
        
        C:\Windows\system32\Fgcjpa32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Fibflm32.exe
        
        C:\Windows\system32\Fibflm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Gplnigpl.exe
        
        C:\Windows\system32\Gplnigpl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ggffeagi.exe
        
        C:\Windows\system32\Ggffeagi.exe
        27⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Gkabfp32.exe
        
        C:\Windows\system32\Gkabfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Gmpobk32.exe
        
        C:\Windows\system32\Gmpobk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Gpnknf32.exe
        
        C:\Windows\system32\Gpnknf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Gdjgoefc.exe
        
        C:\Windows\system32\Gdjgoefc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Gghckqef.exe
        
        C:\Windows\system32\Gghckqef.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Gmbkhk32.exe
        
        C:\Windows\system32\Gmbkhk32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Ganghiel.exe
        
        C:\Windows\system32\Ganghiel.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Gdlcdedp.exe
        
        C:\Windows\system32\Gdlcdedp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ghgpec32.exe
        
        C:\Windows\system32\Ghgpec32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Gkflaokm.exe
        
        C:\Windows\system32\Gkflaokm.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Giilml32.exe
        
        C:\Windows\system32\Giilml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Gapdni32.exe
        
        C:\Windows\system32\Gapdni32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Gpcdifjd.exe
        
        C:\Windows\system32\Gpcdifjd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Gdnpjd32.exe
        
        C:\Windows\system32\Gdnpjd32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Ggmlfp32.exe
        
        C:\Windows\system32\Ggmlfp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Gikibk32.exe
        
        C:\Windows\system32\Gikibk32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Gabqci32.exe
        
        C:\Windows\system32\Gabqci32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Ghlipchd.exe
        
        C:\Windows\system32\Ghlipchd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Gjnehk32.exe
        
        C:\Windows\system32\Gjnehk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Hpgnde32.exe
        
        C:\Windows\system32\Hpgnde32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Hjpbmklp.exe
        
        C:\Windows\system32\Hjpbmklp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Hdefkcle.exe
        
        C:\Windows\system32\Hdefkcle.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Hnnkcibf.exe
        
        C:\Windows\system32\Hnnkcibf.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Hhcoabbl.exe
        
        C:\Windows\system32\Hhcoabbl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Hjdkhj32.exe
        
        C:\Windows\system32\Hjdkhj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Hhelfapi.exe
        
        C:\Windows\system32\Hhelfapi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Hghlbn32.exe
        
        C:\Windows\system32\Hghlbn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Hanpoggj.exe
        
        C:\Windows\system32\Hanpoggj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Hkfdhm32.exe
        
        C:\Windows\system32\Hkfdhm32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Ipcmpc32.exe
        
        C:\Windows\system32\Ipcmpc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Ingnjh32.exe
        
        C:\Windows\system32\Ingnjh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Ihmbgqja.exe
        
        C:\Windows\system32\Ihmbgqja.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Iaefpf32.exe
        
        C:\Windows\system32\Iaefpf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:488
        
        C:\Windows\SysWOW64\Ikmkilgb.exe
        
        C:\Windows\system32\Ikmkilgb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ibgcef32.exe
        
        C:\Windows\system32\Ibgcef32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ihakbp32.exe
        
        C:\Windows\system32\Ihakbp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Ijbhjhlj.exe
        
        C:\Windows\system32\Ijbhjhlj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ibjpkeml.exe
        
        C:\Windows\system32\Ibjpkeml.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Idhlgalp.exe
        
        C:\Windows\system32\Idhlgalp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Igfhclkd.exe
        
        C:\Windows\system32\Igfhclkd.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Jnqqpf32.exe
        
        C:\Windows\system32\Jnqqpf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Jdjimqjm.exe
        
        C:\Windows\system32\Jdjimqjm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Jgieil32.exe
        
        C:\Windows\system32\Jgieil32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Jjgaeg32.exe
        
        C:\Windows\system32\Jjgaeg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Jqaiaaoa.exe
        
        C:\Windows\system32\Jqaiaaoa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Jhhacopd.exe
        
        C:\Windows\system32\Jhhacopd.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Jkgnojog.exe
        
        C:\Windows\system32\Jkgnojog.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Jnejkfnk.exe
        
        C:\Windows\system32\Jnejkfnk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Jgnndk32.exe
        
        C:\Windows\system32\Jgnndk32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Jjlkpgdp.exe
        
        C:\Windows\system32\Jjlkpgdp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Jbcbadda.exe
        
        C:\Windows\system32\Jbcbadda.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Jdaompce.exe
        
        C:\Windows\system32\Jdaompce.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Jkkgjj32.exe
        
        C:\Windows\system32\Jkkgjj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Jbeogcbo.exe
        
        C:\Windows\system32\Jbeogcbo.exe
        81⤵
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Jiogcn32.exe
        
        C:\Windows\system32\Jiogcn32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Kkndpi32.exe
        
        C:\Windows\system32\Kkndpi32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Kqklhpgg.exe
        
        C:\Windows\system32\Kqklhpgg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Kiadimhi.exe
        
        C:\Windows\system32\Kiadimhi.exe
        85⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Kjcqqf32.exe
        
        C:\Windows\system32\Kjcqqf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Keheno32.exe
        
        C:\Windows\system32\Keheno32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Kkbmkhej.exe
        
        C:\Windows\system32\Kkbmkhej.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Kblegblg.exe
        
        C:\Windows\system32\Kblegblg.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Kifndm32.exe
        
        C:\Windows\system32\Kifndm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Kjhjlejb.exe
        
        C:\Windows\system32\Kjhjlejb.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 224
        92⤵
        Program crash
        
        PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 212 -ip 212
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daaofm32.exe

Filesize
364KB

MD5
d91ecb3172f1d17d46c54edf88fd1795

SHA1
f6de34a6b5fc5ca6afbfad2df1d61b65b12e318d

SHA256
32ed058363c87ccf9443a5b29160f532f3e50e895b399f577afa81de88be5830

SHA512
485ec9db90d6b7930dd68e0cfabd85fc4780a0e70bef07ef24b0bfda7d02c3863ac60efdd58bfde53827b5a8d5dd929d5243d02b059dfab102755bc4394f3632

Download Submit
C:\Windows\SysWOW64\Dameknaa.exe

Filesize
364KB

MD5
bad6fee37662724cd65bb5fa343742a4

SHA1
9ee56e4bcc9c617ee871bfa3bd941b022043b661

SHA256
e1310bd8153c312dd1d68189b2f34d9826742e4c0cf5521e49c2797aab0bb51c

SHA512
63449fd1d0da9049466e1424069a60e6a4341699a30d80be56e4627be3db619e64a0ddd0f8414c783ed97f9ad1adc951e6060025e3c23cb7f1adb8cda2064719

Download Submit
C:\Windows\SysWOW64\Ddnnlinc.exe

Filesize
364KB

MD5
be36d73165e285079b23f9cd951821a4

SHA1
5e4bf9ec823dfb3f1313238932325b9c53adbfa2

SHA256
72460d8b3cf04a77987036985508447d555bf7e4097f7d25feef04e13d7ea219

SHA512
c000fdf01675ccf485269466cff9b03184cf48921a265c1415a1a92fb3751a61ed66f8938a7f56dddc28b35230a9bf397c0f06805a762ab28aa81d8f2776d665

Download Submit
C:\Windows\SysWOW64\Dhdabhka.exe

Filesize
364KB

MD5
f2f667dd9d6d3485aac7c29124356570

SHA1
bcd28fbd2ec81b7f91210305e49fb4f5dfc55880

SHA256
e5ef8a56536e16527132d4baba0d9e57d2ba37fc3f4c7c7fc2c31d2ea3e285cd

SHA512
017ff87f7c1ea1517c6162d20434fd700bb536f8d168d20a023e7c69d507e79daf3be7cc8fc54d78a747d84f634172c54508aa91cc71337a6b13507524b7f31d

Download Submit
C:\Windows\SysWOW64\Diemiqqp.exe

Filesize
364KB

MD5
13504b0ca3e76556adfd4a1c95aac829

SHA1
d7aae394cd1ffefef8e03d2debdf3dbd05afdf7a

SHA256
6e35e7ac3d5a20a3f13efee9bb469ba4918befa7d6ad145c992a08c6ab8b9ba0

SHA512
c22e280be6e3df8d27078cfe570d2f0a288217e2e8d37c6ee88725200988849d90a0c12ddadd42c6a48e3d1b9c13a0913a72d5613035e47c2d4f70849858cbc1

Download Submit
C:\Windows\SysWOW64\Dihjopom.exe

Filesize
364KB

MD5
90d0eebb5c8208d8161586c8584eba3b

SHA1
46a6e7700866799570334eaca10a4e2fba89b963

SHA256
215b5fa1512409659cd57ce6f9d0a0428ec795232d6a03892f7063ff552edc4e

SHA512
e30d86a756d4f41f7d252c99092879afc666974f3fa41ae4c0b59c077a11e24f3d7519a952cbf31a07935ea5e0d3d4487562c1e60e4dcf00823bf12c5dd34aa2

Download Submit
C:\Windows\SysWOW64\Edinhg32.exe

Filesize
364KB

MD5
60543e7a36a3bb7937be2e3f1bbb1b55

SHA1
818726571137e0d4e08b64356485307c6f60071e

SHA256
c5bf7da8fc9fdc7b8133928965f274d57b79d112f6769344cf8a9c35965ca135

SHA512
685bc10d89b09029dc4636a27bdc000ae90de3f63c63741d69c1290e6b9a484ace42668172eea7cf9b3232458723806964da271483430993220c14bfbd586fd9

Download Submit
C:\Windows\SysWOW64\Efemocel.exe

Filesize
364KB

MD5
69e50eda2bf1277c0b50209471b539de

SHA1
047323502afd4428da7d8d65de786ccd3f2f4df4

SHA256
17ec182adbdbc13c065aa50120de31d9f585618944b62aec5088018f7e8616dd

SHA512
58259614d592ad33f7c9dade1fbc95d5b92dd3f4c62257c281f137ef84dfdd5551ff5e3699caa7ce23342c21592119e27d4977ea8d10c036ba894db4e375c90f

Download Submit
C:\Windows\SysWOW64\Ehkgbgdi.exe

Filesize
364KB

MD5
5e0772176832f4c9d83b35054b272678

SHA1
71c418dfa08c710ede17effe6477bebf30f67a7f

SHA256
ae12c6d5995db204f0dc426da8cb7bec2f8ecb5ec9a805320a2af2c25c3b883f

SHA512
44b94c230c00ab4ba5eed287c1e0b6340f78ba7338d6d5f27ad722d3112a361434e225067b97c8a9c8d7abb7ca042dbf1aded55582b4f3190e7c75c0880ae5c5

Download Submit
C:\Windows\SysWOW64\Ehppng32.exe

Filesize
364KB

MD5
3c62efed76f9c59eb841f8841adac8dd

SHA1
d470e4396eb48a4d994d5a7697d973ddec5ba5b2

SHA256
ac007874d8d7091f9ee57153201888d0fef2320f5faaaad6f0b147e2b83e07f4

SHA512
a1fde418e66243e719bf85cc7ae3b725210d27bfb73c56973c6133db864f7dc79e88e3ba892ef475700db14600b9f58f4160a3a909e694e2b5ef8ad8a133ad84

Download Submit
C:\Windows\SysWOW64\Eiameofb.exe

Filesize
364KB

MD5
6f31c670b1f1ce335189443d221c8f63

SHA1
ba5222d1ff23ba5240ac7ced71780bb5a941b599

SHA256
55079a68166803188099d5609300b6b7535b3363a142af59f3d81ec0a535c0d2

SHA512
ce776ef0dee8e3e787ddfc3d4204ef5740cbcfa35955608f4ef5d7d178e2f64bc26d99276f0b3f77f103b5324ac9b4371ce0a217fef46477834d4e2bdc00baeb

Download Submit
C:\Windows\SysWOW64\Eimcjp32.exe

Filesize
364KB

MD5
1806dcb81edec23d665e4e47553e8722

SHA1
6a792a698bfc8240248a001a4d1fd62434db56de

SHA256
6b5c8f379e5d0a874948678a57d739f803e01e477f36c2c29f4597cef78376f2

SHA512
4a4d5dcef9a601846cf403f8643e797ab8507d71db16a22dde993fa096964699c0960bdbb1b0e405303b5c26dbdc49a6dfe15815250ac20f9da9956390d12eab

Download Submit
C:\Windows\SysWOW64\Ejlpdbbj.exe

Filesize
364KB

MD5
194d8df9529fd30be3c218724623e6ed

SHA1
f4b2300ca61cca0519e59e33b4a679ae3c62da7e

SHA256
253f020d841b24839b54dea27f4ef9d4b880b0bef774ac694d32fc5952c2524f

SHA512
c6926bb22380f2a8df5fdf4fdd1d0bd63734fe5acdfb9e1650a41929c6e0f58a73a5af32a4abbb3c612971f822cc696e35fc987cfa881f959a1518dfb36fe051

Download Submit
C:\Windows\SysWOW64\Emabamkf.exe

Filesize
364KB

MD5
f3a9bb629f103f53c1d81db58f000d1e

SHA1
a4e110d70b44ab0c4a9eff8eaaaf305ae6a87e89

SHA256
e05f6f2d599abad3f5500ff0d4fe24214ec1b07b2729cb92febbb1ddc0af210f

SHA512
9c325c2c220393ecd74ee94c6b89665301e6443edcfcc861bb05aac85ff53a8301a4c914462744e256d93755f8acf14dc72db2a6fe5dd348b01775f4006ab577

Download Submit
C:\Windows\SysWOW64\Ffjgjb32.exe

Filesize
364KB

MD5
a4429270981560988fc279960c178110

SHA1
c9aa0a194733716a85c1ecfc7dbdcd7749fd647d

SHA256
6cd68e93c633ef81f6a73291611dcfbaccf32919645c4886355dc387d3dfaf42

SHA512
4361e7dcf81d45a4584a5bfbf646a996511d6ba23be0a6ca5032f343edecbfaba8cd8d733be393598f657f34ad6b7b2deb138690455d061b8ee7eea743bfbe31

Download Submit
C:\Windows\SysWOW64\Fflcobod.exe

Filesize
320KB

MD5
4c7261049271e336a639b132e4406d2d

SHA1
f14662dbc0f11acdedd262781017001ce8833ac0

SHA256
68765219cdd4d38a8622a69288e7c065641d1d75704a13c6230fc81b7b13dd92

SHA512
7c76ebce21a9515fddf8df224b149d229a937ad91777e1273f4bbe9868d3a1265afe0250e2dd59e22933b2aa63ebd942dac26fbc325514a909214b645b95f880

Download Submit
C:\Windows\SysWOW64\Fflcobod.exe

Filesize
364KB

MD5
49ccb0fc16bed6242ae4eb4fc28319b2

SHA1
e163e102f5f6e66aa7a074ff1011490d490c3716

SHA256
8461d80103773bdf1dfe6b0a24268aad96b9fba1ecdf4a58028b481cc29d5e06

SHA512
98ad96ea8f4d0e9c37b8c9f4bec002982156b61fefdc06604a9ddeca4b644b7c7a1c920237312a8c1dda8f16a0f492476a03c69e7d3acacd066521ad3e62361c

Download Submit
C:\Windows\SysWOW64\Fgcjpa32.exe

Filesize
364KB

MD5
93f34a7700dde366d19ca2f2dc0a1204

SHA1
d9687f18b1bce581438e03d70008c70527f024c3

SHA256
00d581ef4f942af39f181eb04c6a637586da8703b5df4d42a4bf339771550749

SHA512
4147e3cd7a1416167647aea7bd905f909c10806f12ca842768c75c30e75c110d98d0bbbefa64d735529d2a7823969b9897bc88e077cb1cb07ecad889238da48a

Download Submit
C:\Windows\SysWOW64\Fibflm32.exe

Filesize
364KB

MD5
148b29329df084ae064981c197e9f0f5

SHA1
4a651819d94b682300be635c2838af7f26520a06

SHA256
473ed2f50d60a992b42c2842c89f0a7c69710bcaa8a091a7a95c5c6bb3929a37

SHA512
3844d9ae3b75caea7c429269a8d44454f7c4ce1779e94e5c0fb995daf7310f4f4b1b06b0f1b1bfd4c55d1f3ad95b360b15d54892f170eb1a31332ba0e2e2c22d

Download Submit
C:\Windows\SysWOW64\Fkjleq32.exe

Filesize
364KB

MD5
f04cf3ac12f1d00e35bb5c4aa70c1dfe

SHA1
bf3db7ff62b717dc895bee5a5600e6f7c070b6ff

SHA256
a0f5f0d7ee64a3579db00a6ee59c6d7f1a850610b0cc29350086af88e2974821

SHA512
3e67610b7304888d109ef246adb906f8c3d988eaa4b1b96519151d4088efe3d1b18a2d5157a972e9b1c86083ea0116a0267abeaf3fab0519d84f4b5c89c58e23

Download Submit
C:\Windows\SysWOW64\Fkmikpcg.exe

Filesize
364KB

MD5
7b20d85bc998a560d5890aedba2cd993

SHA1
3888a0831be1853aa35e8a6fc3d96a5aac133fcb

SHA256
c9477b5581770c60bcbe3d22d2d2ed8750c8980ca783fa3252bad719d59590da

SHA512
fbc9b6a955a6aae7af6d27d8ac32a27d5a4cfb5fd495f3f08c5f8ea7643a064e5b693b2b75db35c552276f3da852e08e067dbb275cd3f14836e4e67a37a79a1b

Download Submit
C:\Windows\SysWOW64\Fmdofmic.exe

Filesize
364KB

MD5
3964ea3613e33ae301793e0b1596c1da

SHA1
e6f978c31badf6df5e984c70c9c11671bf25aa57

SHA256
ab4431bc171452c8c296a334e3cf22618a7779c4d955d64c810176e17a664289

SHA512
590f44f070023fb25c9cd780011434110ed1bfd58c5d919e254d1d6c7f2776386187173fc953b524bc658c87cefd167e9a5d17601e74febdadd03006951ac781

Download Submit
C:\Windows\SysWOW64\Fmflll32.exe

Filesize
364KB

MD5
5e612fdafd32a23b33773c03ccb64a75

SHA1
c0baec1f65cce1f39aeb413e3a51609d95941dba

SHA256
ee59ba2f4200a804b3851378ca95ff5240a6aa74385dff7d54fd5d09cfbee392

SHA512
c1f9b804cdae6fce2cb84527418cad39e37e7a862728bf4963dc65214fc3202cf7c227f0e31f87faacac7b208989950da5b1d43696d97bccb0328d829b217327

Download Submit
C:\Windows\SysWOW64\Fpgdng32.exe

Filesize
364KB

MD5
da9b8293e9bf23254661fa08695a0d78

SHA1
e42d17571891edff3e45f0c60fc386b7341fc87b

SHA256
d481c5657f726a2f75aa980c845d4fb16658841007122d99552a94f3c4ab0347

SHA512
cc1b185f83f453b64101093e59efcb40294babb7d399fd024a1e5b41d8685a4c0db1acb4b1b6c4dd171272d5c1abc754e8abefe9c3a6647ef8e1001210ba3336

Download Submit
C:\Windows\SysWOW64\Fpiacgbo.exe

Filesize
364KB

MD5
e0b3eee34079fc37484000452be514c8

SHA1
b2341bd359285ec1d2cb176400d535273979524d

SHA256
f11b419256d479da9208ff53cc9ab213c89931f205f8a6c00bd6e2c6a0394af4

SHA512
0419603cc010bc1ab1fa64b3385ce9c07f90ff7edf99b196e43e82b46b0573c85eb6291832cd2599eb5e96d34dfec9de653302fcb40c39acdbc4e1e7c97b07ca

Download Submit
C:\Windows\SysWOW64\Gdjgoefc.exe

Filesize
364KB

MD5
86dbac67d9a725b6c2df7b004c5e48e4

SHA1
054d580e1fc9c64755f9e2938466d248394f4408

SHA256
1673c6584b348f4f07d9aa0f7f1f3c7b6076cb94a88fc19171fc9dfed162f751

SHA512
2012a48c46f1dbb4fa6f8757240b380d2d1294003a491dd505da0eda45fc3ed820ae9f29a86a77a4d8d7264882f1fe36ef46072bff944f7aa19d2ae28b4a9c3b

Download Submit
C:\Windows\SysWOW64\Ggffeagi.exe

Filesize
364KB

MD5
1eeb2f417958a6c6054323d553fa367e

SHA1
39511539e3b72c0ddf73851e797a7982e9ca35bc

SHA256
48317db24c1c6b3c6f0cfde974ce544939dc8b6a37f52a072cfb40deb227df00

SHA512
b5c433664141a7d8eff7b6cd5ea17198939f030b78d8250031c0e5c8dc1f359cb47843a6aee564ba6fc8ce55337bb54704800384dba9727eaa785730ec5c507d

Download Submit
C:\Windows\SysWOW64\Gghckqef.exe

Filesize
364KB

MD5
6be8adae2eb0213d5fddcf44f890b1d1

SHA1
7ebb0ee9e636a3e5a27d72bc3d571ca11816230d

SHA256
feff4da3433b60ca3c11183141d5ad5e55c3ec543c373e6f96dc654d7056f6a6

SHA512
b888e1a104664c93f4be744043a005135e4bc19486bd46b4e3c96fe8f6f2ea7e4dda7a5a686cec53b546bd4699d8542f99d15cc469ae83427bd15b29582dfd30

Download Submit
C:\Windows\SysWOW64\Gkabfp32.exe

Filesize
364KB

MD5
2bcb3209436dcf9e1d266e3e052eea0a

SHA1
f4300cfd4c7d7fe8eb67d54947783c58aa25cf5f

SHA256
a4c624d14da4ff59e9adf4514c903d10dd2af189458a57fef775e63d7132f843

SHA512
e7736eebecc6929f008a431ad410992630027cc8025176c7e59902c8d0fed1df532c2543dd75ad945c6618ddbb4bfb716dd12752f1510abfc257f241c9f82f5b

Download Submit
C:\Windows\SysWOW64\Gmbkhk32.exe

Filesize
364KB

MD5
0c6b24426a2f7f0e126a64d868210e0e

SHA1
b61ea33726b0f9697ed0c2a19b8eecf9db0b103c

SHA256
55a9a8aeb06bf57fba24987131c261da61b519ccb6689927f5255fc220edeb88

SHA512
76d2191c6f43b9ebe8bf10b0d0df7afe704f7da635f7ebf7041250942000e9cf36bb9683ddf43ddb9b24ce35c605e5ab8c76725362223773678a44a01fef08c4

Download Submit
C:\Windows\SysWOW64\Gmpobk32.exe

Filesize
364KB

MD5
bf6b01d7e8c458c91715a5cd2b79aaaa

SHA1
b3746ab4273c47efd7345ec27c6a2f6b02f09707

SHA256
7b301464385c253b7387b5187f25ee3b67f30c07401860dc8854c44ba9d05018

SHA512
539740fc1ebe322024545cc4ef5499a59a15e273a447d7f72b1ef6a47bd5ec1ffdc4814de7c7dbd3116c43a1a3a21dbebec017e5a2920dc29b06bb9f45e37f97

Download Submit
C:\Windows\SysWOW64\Gplnigpl.exe

Filesize
364KB

MD5
c078ff725b12893e21e79bebdb01b61d

SHA1
2733922f470e3523e57d86a648b34b65e466440b

SHA256
b58d6ab775561a0839e7baad106585b3dc43979f8039be98fb0e57079d78643d

SHA512
418f957f0302c7f530b441d5f85bad9279df984dad42b8e96745fbb3ac11d5cad4edf115e87f16cd7c541182317d562f9fa64c62414036e67077877da26620c3

Download Submit
C:\Windows\SysWOW64\Gpnknf32.exe

Filesize
364KB

MD5
e0efdab2a426692d003a9bfbfc88aa64

SHA1
f234e8fcef860055cf033646bd8b466363a8ebb4

SHA256
6a7511093216a55039460aabd23b16abe9406e3193311d52b841d3a353618610

SHA512
919d7df3eeb86c60ad2d191a3e09459b874ed9d2b9bdc93dec3a2d101e6b9d0db6ba0c27bc1b3e03e7353b5839cbd0be620f4061ea7566ff9fcaa2a60a74b334

Download Submit
C:\Windows\SysWOW64\Hpgnde32.exe

Filesize
364KB

MD5
926bb2950890bc6a3c93d69043311d75

SHA1
1d6e17c05472fba23837985465ab447a193f8657

SHA256
2271747a7878003f3d98ebba7d34846e5fff3d69c3e2c5e75262d28567edb4f8

SHA512
95febb434888788ae7c163bedc9b7f158c81b43aba2eaea4e90fdf82d30956e7f28bc15a2f20c48fdd1ffcde2e4b80d86fb29a69d119cf05ad5640929d5c22ba

Download Submit
C:\Windows\SysWOW64\Iaefpf32.exe

Filesize
364KB

MD5
05e54b295003db9a9ed46e8b0896f4a4

SHA1
74723743d21bfe4297feae2c0738189e0bd57951

SHA256
9d0b8c510abc8532fd8c957809df82b878c3f3973c0b8c7b61fe01bff4192fb9

SHA512
c0ac04551d35e9534124f4703e3239a5540f25b9aa8b2d136baad01944a27f04f310d461293ad49c39e0b9066c8d4c4d50ae2ccf0bb8cbe902917a2f62b6d816

Download Submit
C:\Windows\SysWOW64\Ihakbp32.exe

Filesize
364KB

MD5
5a971ccec2a0040c8d3e43524247b88d

SHA1
4378523a3209bf6b77de7c4f5258d9ac5edf8c1c

SHA256
74bda2e55199e17e9bd4ca846682889484b5813509cda6558e208af0c3e41d0a

SHA512
e972a46a04133becd17c4d7e8b13d654b433895b34e6ff6e6e00aab8dc80a056f0cb4d3251f27c7ebb0cafb9fb9a4ce9c3af75a3cd81004d14513c322d3fbe2d

Download Submit
C:\Windows\SysWOW64\Ingnjh32.exe

Filesize
364KB

MD5
5e582647382886c1db2ad33ff4fff71a

SHA1
4eff661d3863bc64606d8fad5cfac7f5add250f9

SHA256
1abc5215605435010632559a142b07ee11006684c6c43016d7eae8fb8ea8fb86

SHA512
13cbf826ab403116c781edcd7aac49acb1ca188ce18056d467afaa0371c54c4f44714ed3cef7b4f7e4c739cdb831b5d1182f53781feb1c2380c27ced3cc0c20e

Download Submit
C:\Windows\SysWOW64\Jbeogcbo.exe

Filesize
364KB

MD5
eb68468af24552a15cfdab834e2593e2

SHA1
390c3bb37aa58b7ecfb36cacd01b91f6aeb27004

SHA256
86f2f66657b08605c0da4382a986c7b3987f05b363fab1cd9281ae2ebdb62abe

SHA512
340181710934ca806fd48e710c641a37bb69e1a9dab1bf0e03436b2316ce3416a76db5f974983fa2032a7272815139cf50e9fbb5275524533edb9a83c77eca4c

Download Submit
C:\Windows\SysWOW64\Jdjimqjm.exe

Filesize
364KB

MD5
0e9cd7db22c5b19cda2b66f363c3261b

SHA1
2ec116604134c2d16eba300e88ee0dc43341087a

SHA256
24284d4730fa22cefb83d988e23a6173560cd0d5ce8f82605a10c6d84e734f5f

SHA512
c818c560b7f03c73c9230ffad31ceab1d25ebb4cd3866e315416070a4e261f525cc8448c20a2198766dec75726f41d0ebb2a83ec571a5bb47badcb2a2ea422e0

Download Submit
C:\Windows\SysWOW64\Jhhacopd.exe

Filesize
364KB

MD5
6209d2ed23dbe29e28002c1cbeafee1d

SHA1
86514ceb7c2cc0660ee8268eb31cf328b021dac1

SHA256
899a915c166800e6902bdbb2f0e31e356049df8a18dcf786766799998a384abb

SHA512
d1df17ea9cc21612aff65640d5ec8eec2b091808085035a6ccd0abef06fe794bd0977555650e3af3f095e585aa9ae0a6707282830c67729bb76b6d90fc4c1b2c

Download Submit
C:\Windows\SysWOW64\Jnejkfnk.exe

Filesize
364KB

MD5
5f0a43da21fd4c4c23dc0b86c7de4dd0

SHA1
7d51c5656b4b31d6e966cf21f24c7410856fed79

SHA256
49076c6d70ea2366c92066ed1134f924cfc60c199b17ef72d8b12774283a59b3

SHA512
53e71616f5d480de3b928e02d3ce956c47b3e3ab1a7d3f033dae22e8e9aaa72cdb1224f733bc0d8186498455c4e570922cfc52c7daa9d0388e60cf59bf53bd4b

Download Submit
C:\Windows\SysWOW64\Keheno32.exe

Filesize
364KB

MD5
993340636ac3a24f85fd223b68bb4a30

SHA1
8a1c7aa1f7c929d9589ddd8e901a4e9bb8ff53ff

SHA256
fdcc2785a3bc464098180fa2af1a56ea1e265a3fc6f53e0d1cce7d2b1a8532bc

SHA512
e6f9a757cd1b798d7d83cef408976af6c051b3a5bc2fbcd96e1568047126bedb635aace7226242686a3918b6b3b4035e7b556e70c6f277cb2de98d66bf82b982

Download Submit
C:\Windows\SysWOW64\Kiadimhi.exe

Filesize
364KB

MD5
b28b6a292659bca86f82862448a5fbc6

SHA1
2b3da7e6c5556fec3ecc6eb97ecf341bbf7babde

SHA256
72a371a9740cb0b18787abab3e716188806a6bb21da629ca20219df7819e0e8d

SHA512
6d2879c5148e68783ca67f368d6f0b6665cd1206a95c7f48027be90a8a71369b5889e144bbc66a49009048fcefd028fb0b410cc17439d92e720ba53d49ca70bf

Download Submit
C:\Windows\SysWOW64\Kifndm32.exe

Filesize
364KB

MD5
a39f0c6c0b129ffb9dd9b2241d1f1e63

SHA1
e15544bcd290586c74863a2b0b946f7c0775e344

SHA256
e0576a58e8bf283015ffcd446fa4d27db3e7db30de1f2634512919620c145c9c

SHA512
2ce81f1f343196d8bac70bf9d188b6b72757b9c201ff19c68837a4960881e5a4b4fb9d907fe8779b1f615a400e50ba94b6b98b5c2591d6678621b22294f6b97d

Download Submit
C:\Windows\SysWOW64\Kkndpi32.exe

Filesize
64KB

MD5
786e4e7014bbbf8180668120be83de7f

SHA1
0ed99c16aefb1333634c9ca4f37d5ca65c8aff9d

SHA256
4e6c1ffaad7e58ae257384f2071566f13824b29ed22500a5d9e0151d0b0068ea

SHA512
c20395dc99cd69823299764c8516b312dbb92a2fe03724eeee93347cfeaa1c90bcb21c1998c4f88a5808b565e0fb2b020d7bc7b676f132cd2896d24d06a753eb

Download Submit
memory/116-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/488-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-686-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/804-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-687-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-626-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-700-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-669-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-644-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-641-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-679-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-657-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4644-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads