berbew | 70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1e

Analysis

max time kernel
63s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
Size

96KB
MD5

e7c4c0bc2e46303ef21d33570fb5a4a0
SHA1

88cadf8759e525b71a3008a3b6f5c8ca54543121
SHA256

70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1e
SHA512

e4c25392de4422ca34d827966ee4174321cd0901d61c87e73da94f9a68c3e4ff1549528a92594effce652ac0dddfd8fb012d260a40c722f16cfe1fd80e9dc8c8
SSDEEP

1536:J1FroB+S7FMj1FfYjV7YlMZYWyoSgIMo9K2UZiManWX/2tT574S7V+5pUMv84WMm:bZO0a7YliYWyoSdMo9K2U8MBX/iJ4Spv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinhdmma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iediin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lofifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kambcbhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiioin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjbmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikgkei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 51 IoCs

pid	Process
2728	Hmbndmkb.exe
2708	Hoqjqhjf.exe
2864	Hfjbmb32.exe
1176	Hiioin32.exe
2656	Ikgkei32.exe
280	Iikkon32.exe
1928	Ibcphc32.exe
2980	Iinhdmma.exe
1936	Ibfmmb32.exe
584	Iediin32.exe
444	Ijaaae32.exe
788	Iakino32.exe
568	Ijcngenj.exe
828	Iamfdo32.exe
2376	Jfjolf32.exe
2388	Jmdgipkk.exe
2468	Japciodd.exe
1624	Jjhgbd32.exe
352	Jabponba.exe
1376	Jfohgepi.exe
2016	Jmipdo32.exe
1348	Jpgmpk32.exe
2420	Jedehaea.exe
1808	Jipaip32.exe
564	Jfcabd32.exe
1580	Jibnop32.exe
1932	Kbjbge32.exe
2776	Kambcbhb.exe
2604	Kidjdpie.exe
2172	Kekkiq32.exe
2140	Kjhcag32.exe
1680	Kablnadm.exe
348	Kfodfh32.exe
2836	Koflgf32.exe
1628	Kpgionie.exe
2644	Kipmhc32.exe
1504	Kageia32.exe
2336	Kbhbai32.exe
2424	Lplbjm32.exe
1456	Lgfjggll.exe
1220	Lidgcclp.exe
904	Lcmklh32.exe
1804	Lghgmg32.exe
548	Llepen32.exe
1564	Loclai32.exe
2284	Lemdncoa.exe
2416	Liipnb32.exe
2664	Llgljn32.exe
2928	Lofifi32.exe
2848	Ladebd32.exe
2716	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
2728	Hmbndmkb.exe
2728	Hmbndmkb.exe
2708	Hoqjqhjf.exe
2708	Hoqjqhjf.exe
2864	Hfjbmb32.exe
2864	Hfjbmb32.exe
1176	Hiioin32.exe
1176	Hiioin32.exe
2656	Ikgkei32.exe
2656	Ikgkei32.exe
280	Iikkon32.exe
280	Iikkon32.exe
1928	Ibcphc32.exe
1928	Ibcphc32.exe
2980	Iinhdmma.exe
2980	Iinhdmma.exe
1936	Ibfmmb32.exe
1936	Ibfmmb32.exe
584	Iediin32.exe
584	Iediin32.exe
444	Ijaaae32.exe
444	Ijaaae32.exe
788	Iakino32.exe
788	Iakino32.exe
568	Ijcngenj.exe
568	Ijcngenj.exe
828	Iamfdo32.exe
828	Iamfdo32.exe
2376	Jfjolf32.exe
2376	Jfjolf32.exe
2388	Jmdgipkk.exe
2388	Jmdgipkk.exe
2468	Japciodd.exe
2468	Japciodd.exe
1624	Jjhgbd32.exe
1624	Jjhgbd32.exe
352	Jabponba.exe
352	Jabponba.exe
1376	Jfohgepi.exe
1376	Jfohgepi.exe
2016	Jmipdo32.exe
2016	Jmipdo32.exe
1348	Jpgmpk32.exe
1348	Jpgmpk32.exe
2420	Jedehaea.exe
2420	Jedehaea.exe
1808	Jipaip32.exe
1808	Jipaip32.exe
564	Jfcabd32.exe
564	Jfcabd32.exe
1580	Jibnop32.exe
1580	Jibnop32.exe
1932	Kbjbge32.exe
1932	Kbjbge32.exe
2776	Kambcbhb.exe
2776	Kambcbhb.exe
2604	Kidjdpie.exe
2604	Kidjdpie.exe
2172	Kekkiq32.exe
2172	Kekkiq32.exe
2140	Kjhcag32.exe
2140	Kjhcag32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Iinhdmma.exe	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Blbjlj32.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Qhehaf32.dll	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Japciodd.exe	Jmdgipkk.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Diodocki.dll	Iakino32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Ijcngenj.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Loclai32.exe
File opened for modification	C:\Windows\SysWOW64\Kambcbhb.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Hfjbmb32.exe	Hoqjqhjf.exe
File opened for modification	C:\Windows\SysWOW64\Hfjbmb32.exe	Hoqjqhjf.exe
File created	C:\Windows\SysWOW64\Ibcphc32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Hiioin32.exe	Hfjbmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ikgkei32.exe	Hiioin32.exe
File created	C:\Windows\SysWOW64\Miqnbfnp.dll	Iikkon32.exe
File created	C:\Windows\SysWOW64\Iediin32.exe	Ibfmmb32.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lgfikc32.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Hoqjqhjf.exe	Hmbndmkb.exe
File opened for modification	C:\Windows\SysWOW64\Iinhdmma.exe	Ibcphc32.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Oopqjabc.dll	Llgljn32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Ladebd32.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Ijaaae32.exe
File opened for modification	C:\Windows\SysWOW64\Ladebd32.exe	Lofifi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcphc32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Ibfmmb32.exe	Iinhdmma.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Ikgkei32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfmmb32.exe	Iinhdmma.exe
File created	C:\Windows\SysWOW64\Dmplbgpm.dll	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Kbhbai32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	2716	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoqjqhjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikgkei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iinhdmma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladebd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfjbmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll"	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll"	Hfjbmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinhdmma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfikc32.dll"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfjbmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Ikgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iediin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiioin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daadna32.dll"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoqjqhjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2728	2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	30
PID 2220 wrote to memory of 2728	2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	30
PID 2220 wrote to memory of 2728	2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	30
PID 2220 wrote to memory of 2728	2220	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	30
PID 2728 wrote to memory of 2708	2728	Hmbndmkb.exe	31
PID 2728 wrote to memory of 2708	2728	Hmbndmkb.exe	31
PID 2728 wrote to memory of 2708	2728	Hmbndmkb.exe	31
PID 2728 wrote to memory of 2708	2728	Hmbndmkb.exe	31
PID 2708 wrote to memory of 2864	2708	Hoqjqhjf.exe	32
PID 2708 wrote to memory of 2864	2708	Hoqjqhjf.exe	32
PID 2708 wrote to memory of 2864	2708	Hoqjqhjf.exe	32
PID 2708 wrote to memory of 2864	2708	Hoqjqhjf.exe	32
PID 2864 wrote to memory of 1176	2864	Hfjbmb32.exe	33
PID 2864 wrote to memory of 1176	2864	Hfjbmb32.exe	33
PID 2864 wrote to memory of 1176	2864	Hfjbmb32.exe	33
PID 2864 wrote to memory of 1176	2864	Hfjbmb32.exe	33
PID 1176 wrote to memory of 2656	1176	Hiioin32.exe	34
PID 1176 wrote to memory of 2656	1176	Hiioin32.exe	34
PID 1176 wrote to memory of 2656	1176	Hiioin32.exe	34
PID 1176 wrote to memory of 2656	1176	Hiioin32.exe	34
PID 2656 wrote to memory of 280	2656	Ikgkei32.exe	35
PID 2656 wrote to memory of 280	2656	Ikgkei32.exe	35
PID 2656 wrote to memory of 280	2656	Ikgkei32.exe	35
PID 2656 wrote to memory of 280	2656	Ikgkei32.exe	35
PID 280 wrote to memory of 1928	280	Iikkon32.exe	36
PID 280 wrote to memory of 1928	280	Iikkon32.exe	36
PID 280 wrote to memory of 1928	280	Iikkon32.exe	36
PID 280 wrote to memory of 1928	280	Iikkon32.exe	36
PID 1928 wrote to memory of 2980	1928	Ibcphc32.exe	37
PID 1928 wrote to memory of 2980	1928	Ibcphc32.exe	37
PID 1928 wrote to memory of 2980	1928	Ibcphc32.exe	37
PID 1928 wrote to memory of 2980	1928	Ibcphc32.exe	37
PID 2980 wrote to memory of 1936	2980	Iinhdmma.exe	38
PID 2980 wrote to memory of 1936	2980	Iinhdmma.exe	38
PID 2980 wrote to memory of 1936	2980	Iinhdmma.exe	38
PID 2980 wrote to memory of 1936	2980	Iinhdmma.exe	38
PID 1936 wrote to memory of 584	1936	Ibfmmb32.exe	39
PID 1936 wrote to memory of 584	1936	Ibfmmb32.exe	39
PID 1936 wrote to memory of 584	1936	Ibfmmb32.exe	39
PID 1936 wrote to memory of 584	1936	Ibfmmb32.exe	39
PID 584 wrote to memory of 444	584	Iediin32.exe	40
PID 584 wrote to memory of 444	584	Iediin32.exe	40
PID 584 wrote to memory of 444	584	Iediin32.exe	40
PID 584 wrote to memory of 444	584	Iediin32.exe	40
PID 444 wrote to memory of 788	444	Ijaaae32.exe	41
PID 444 wrote to memory of 788	444	Ijaaae32.exe	41
PID 444 wrote to memory of 788	444	Ijaaae32.exe	41
PID 444 wrote to memory of 788	444	Ijaaae32.exe	41
PID 788 wrote to memory of 568	788	Iakino32.exe	42
PID 788 wrote to memory of 568	788	Iakino32.exe	42
PID 788 wrote to memory of 568	788	Iakino32.exe	42
PID 788 wrote to memory of 568	788	Iakino32.exe	42
PID 568 wrote to memory of 828	568	Ijcngenj.exe	43
PID 568 wrote to memory of 828	568	Ijcngenj.exe	43
PID 568 wrote to memory of 828	568	Ijcngenj.exe	43
PID 568 wrote to memory of 828	568	Ijcngenj.exe	43
PID 828 wrote to memory of 2376	828	Iamfdo32.exe	44
PID 828 wrote to memory of 2376	828	Iamfdo32.exe	44
PID 828 wrote to memory of 2376	828	Iamfdo32.exe	44
PID 828 wrote to memory of 2376	828	Iamfdo32.exe	44
PID 2376 wrote to memory of 2388	2376	Jfjolf32.exe	45
PID 2376 wrote to memory of 2388	2376	Jfjolf32.exe	45
PID 2376 wrote to memory of 2388	2376	Jfjolf32.exe	45
PID 2376 wrote to memory of 2388	2376	Jfjolf32.exe	45

C:\Users\Admin\AppData\Local\Temp\70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
"C:\Users\Admin\AppData\Local\Temp\70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Hmbndmkb.exe
  C:\Windows\system32\Hmbndmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Hoqjqhjf.exe
    C:\Windows\system32\Hoqjqhjf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Hfjbmb32.exe
      C:\Windows\system32\Hfjbmb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\Ikgkei32.exe
        
        C:\Windows\system32\Ikgkei32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iinhdmma.exe
        
        C:\Windows\system32\Iinhdmma.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ladebd32.exe
        
        C:\Windows\system32\Ladebd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 140
        53⤵
        Program crash
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gmiflpof.dll

Filesize
7KB

MD5
71ab23039406455ff1d25d7262d9d815

SHA1
33df5496b9ccca37ac87b1d9ba8534f8672cd8f2

SHA256
4e899dea305ee5d187d833774d4e8a5a311bfbfddc502adfd93b85bd58e4fd08

SHA512
8bb41122cd8688bd81e9ccaa4844a17ea4c1443fa9c735c26952f22a1a322166ee4c0944491325fbdd19c1dac95bf342c0ec3c08ca230752fb5588ed2141a1fd

Download Submit
C:\Windows\SysWOW64\Hfjbmb32.exe

Filesize
96KB

MD5
c3d2ac71c81a814c9b9c0fb5e2561bf0

SHA1
69fdb2ce1be6b667f9a5ec73fddf36217461dc90

SHA256
a6b4c879eb7b2d6cfcbc9679b637d7688316c341b5375c3bc96cec1b72328dc8

SHA512
8f8bf0911728a9b9d494cda6429cd34584cef5e9455573334fd9d24e983c8c37afb545a0cf143c7d2a95551bdf0d1318ded0a04d3b096546779f003bac669961

Download Submit
C:\Windows\SysWOW64\Hiioin32.exe

Filesize
96KB

MD5
d540e7397c52045fbb7df1712be068ef

SHA1
50698424f1b02391b26a2042a17c165ec82d088e

SHA256
6a1af9a4f7d835966b71859f511699b0f315941d138bafad0f353357697b5c75

SHA512
3d6eb37d8b37c49a3c49b1aa52907a59d0a7047a7eab93bb7f58019264e59a4952ea0c0deab9ff1dae2bda5d970dd897fbd5610375059288d9cce98ed2e78e83

Download Submit
C:\Windows\SysWOW64\Hoqjqhjf.exe

Filesize
96KB

MD5
f1c21043fc725ccf4030d9124ef901da

SHA1
da201832073913e755bb8429d9f4664ae4776259

SHA256
0a8ad110c82b67d335ce6df22e816a8c3a18bd3ac2a864bf0837f0a54eb5e827

SHA512
c8d271d463f6874cd15d0524e88cd0dab0d5c4a0aed152ab38fd6f7123d3abc07ad67e4e425bfda19d67e10ee2d2438eed516bfc092789440bd8edcae8e5be88

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
96KB

MD5
f5463d9a6bb27e3b4daf1ab0e5c35539

SHA1
1fc87313249c9c95b9ff3b61677cb0f2c6346acf

SHA256
25da2bb7dae490112df22affa469d3b30026083e18f50740bfbd500fe8c75425

SHA512
3d0c991da0cb20e4984e3faf203de61a5e2234065b2b15cc88aee50ff593005dc7bad1b0415c977feb12b00bd7f3b9777a7b08ac6026b1a099eea917dd1213f0

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
96KB

MD5
ecfba0bea4534262bd06c4349f6f2306

SHA1
a23af5148d8aa8f6e105d593e1ed75497f309321

SHA256
1415a7919967ae2699214689b6a2792026a144d7eda5aad45fe05de37d6116fb

SHA512
45418fcc67334dbb615ae70f7c2e48ae2d1e438255b554286c7f3b74ee00a3b68be50e01259e24f16266da0b4cbf39efd3c8ffdf3866eb3ce509ec430d8fdb98

Download Submit
C:\Windows\SysWOW64\Iinhdmma.exe

Filesize
96KB

MD5
8f36c952419075415c1b78f8b13204f6

SHA1
e6f6fa43bcd1c746524c6b053ae57c1dbd3ed198

SHA256
37d67c8b7de480509e6ebb8515e878e54f528700f247fa447b5602889217eeb5

SHA512
820159bf364cd4e5d31601c0a913a012ccca761dbb477715842fa22f4508e9cda2027aae8996bb1ec7ba793c177e1dd42102e09b67cce9e2b7582c65f1863143

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
96KB

MD5
7640b5a6c4aa4a1dccd6e617df1f17a7

SHA1
cc2bf1faf55219513b8c94454284106588faea77

SHA256
1a6bb0320c1fd16291108c7e06493d4fb4fafa38c068a7186b4a5bf122ea13da

SHA512
0d6aa006f1e2a43a1830f60da013a7d91eb5a4f38c3b24987e917eade3d4862bbf83484e25294fdcc7d6f6ee090115b2988ada3e4dd80bcaa9113571936a2fd0

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
96KB

MD5
09562024da44e3370bc393b0477a7f5a

SHA1
19f5a8efe313489fb396a965d4fd832dba8390aa

SHA256
c828e9b9393215100ca098022765c4d16a891e41477b06e32ea990e31c3e505a

SHA512
4737de8bce669de9f9d64c47bce9db045f697f7a30630277ddccd4594ea66415d2e004f93b20a2aee8854a59de93306f9bb98c69276896760f4cfcbe580b54cd

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
96KB

MD5
e7212f960b429b0032e9ca40ad5bf123

SHA1
58ab6234474305b77e9da51b1c83c62f8e7cb04c

SHA256
eada7581bf14d04a2fb338e4556c2021df69add76ba518ddadc71bb5a69a90fb

SHA512
5c48909d6ce3a5c368a60f24b661a4e0fd38325f888332608b169e90842894dfaebc7017e02e26c692ed5740adcdcc8e93b50bdc1431102ce189635e65467737

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
96KB

MD5
171be9144cf81389115ad785a3e7f89e

SHA1
172ae3b94495a4256242fd1b3c7f3821ce1ec953

SHA256
4e5ccd61308f20e0ab2bd4003cfcdbbc157b3507c169158be8d5457e9ef3c6f4

SHA512
194199cdfee48144e17242cb3e4b3f868576372be512059ffdfe507c5cb85b913c1ff71a1925e9cf370d7c00c28d0a0c6b0ed4745efe6ac94eb1471f5e8a1795

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
96KB

MD5
e8f7985531e17de2c3ddf77c91c09cf3

SHA1
41b5e917c129cbc82e869bb97568bd7378425838

SHA256
37a07ff5651451431cf95c2648edcdc18d55f6c3e3125976c41101320dad263b

SHA512
e75130aafbdff571b3fd43f823951a8a244d7fc94a1b24c1a7a1bd7ce1e7dd604bc3b48c95a069b43c357ac074f755ef0f427a4e55d1d77021ae9f0d7ab4d7b4

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
96KB

MD5
f639b1ad8da762c77e68b569cee0c5c9

SHA1
e37c0419730d32403a25b829183f1bb1753a8028

SHA256
c4d3aa71bdce635371f7bb94c2147fac9516ae2ed1a6b0f263ae51920e047b8e

SHA512
ef2b8d3be32671f7f5f9a5a86ddb96a9221761ac81e050fa566b960307fedbaac8844671aaac4bae05f52d8876a3d0a3f29c8304c2ce1223fed59430ed165b24

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
96KB

MD5
f215925a57e2910d2dd0b22e77865ebf

SHA1
c643468c3605b9a74734a82edd46f02ca822a427

SHA256
1072fb65b4f6d05a2d558e97d502593499b984017a829741afd354fa49c59e7b

SHA512
89d1408d45fb33774404b8a1455ed8be4f5edf5faf56989af0e110e623ff23ed68bb44c53edb0e984a02b804c1e79b48558c20b35988840bb61fe2bf76da8c27

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
96KB

MD5
7bae634234f5d174bd453b59fe9920ee

SHA1
775e4a953307c2f5c98597bc4e1ef119d81e9829

SHA256
93c30bc672259cd892c69d5474898b3327f67df5b8c2779d0a07fb8d82cf4a04

SHA512
bc634c8632b9fc2a175047531169a30396dbc947d9559a20c88b7767b16d597d8ec149e9ecfe81a591fd83c9bae3c03614b8ddb4dc3ec35ee588a3440c5f6d69

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
96KB

MD5
c83f0e9bf7286bcf85ed40309fb9ca9d

SHA1
90ad71bc32952009d66fe79ad54cf1090f7a115e

SHA256
9fa8087229872c4c84f3b47ef027648d66395d0f273166b8be2bd36a955be48e

SHA512
f43dd9da2cdaf4e160f34bb04f23cbe00da86d64e2c148dd57605bf2c4f2d1cc41ad1c7abeb7674494261f67add64dfb528bd440b5d840965a39fe4b9d87cbb9

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
96KB

MD5
6df8d6161020cf52eb5984230b6e2a2f

SHA1
c914f72c4d1fba98f591e4ef24e869b70ebfb3be

SHA256
3db28034dde1bce151448ec874267190666f8078b75ef1f1a46661a4e3ecd5e9

SHA512
bc8e7e061f68eb8a0d016cf3929f7b2895f2f58d23fdb4ff691fb6df2ba49fba22519dbac7d88a5e780dd753846b55ebd72da327467aa7a1ed04b2d0d902838c

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
96KB

MD5
598814abf5109e25082048d265f73dee

SHA1
39d0d2bff1d8eaf04168e0b9b2de097981ee720f

SHA256
4e8f64fc2fc86950a4e8c6580b4d54bd127e3b5212c33cf8dcf7bb08b10cf87f

SHA512
d24c1e3dc09fb298780144bd979c5b39ea3c66984d2eb3822fdd106ad5f0bf653b5c16e6b583004aae7c7ba27a0d59403f58fdee5b634bb04cf8032c62ccdf62

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
96KB

MD5
3cf129af0c7b4cc06c8d35af441f5da4

SHA1
0ef08e9dd5670922bad5a0a33429c0def1888469

SHA256
567c49ea1072fe5b56b9e70b6f8852903283068aaf096551ef00765c3875eede

SHA512
1920e1601cc03998e6006e90a402dfbde7e47a2586a534fc06a54d8af8b2861b8aebc21915de90d795ba03937f26f029712acbbe2f7efe9578486dc885e2c762

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
96KB

MD5
15f06f3097e64ad903acce3257332afd

SHA1
b1af443fd436468b59aeff8478d4d6feaedbc7c6

SHA256
3d56730942182165589e35dcde9daa4b22ee94a39cae0ab1bee83b79bce52bee

SHA512
6fdd0c66d3d5ff3cfe2489477a2e4569ab2f124d41d44704b05f4eb85a1fb62d83e1aa750d1c4b802117505b1a9d080d1d3cb0f65b65a83da113c910c21de578

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
96KB

MD5
674f750be9f834ecec410895d975dd70

SHA1
8a757af59156371b632a79c291a2c5d3ce92a44e

SHA256
6a2eff8391229b532977aba62454f1210d6064cbd0f60da0446daf98d06b3c48

SHA512
fde9131044d076582532d3de97a819b96c13f69a1a7a03edc9a789213e3aef8ba1f5dc208990bacf2e6caa5374b4be5262a725186c930ba70d2d7f6e46b9e667

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
96KB

MD5
817d70aadb20382f0cf55a35c7f7cbc7

SHA1
a92a19d4d22087e75e98b207cf4e9fa2df9a990b

SHA256
29acc709bf30869b6c085aace5ce72039e2bfee65382349cb0d2aba5fd73a187

SHA512
389f0f8c71b017a633ce9a963691396dd03ad0b6faa5da50dc36f1af7f47d1a4c81e67ae1c0c55934f4ded6cb9f08b5ab5866351f2f074dbe520312ba8393997

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
96KB

MD5
204a5ef6f21d704d8139195501796ab4

SHA1
a497935e469bc457c963df90ddc6337f7b879b2b

SHA256
12d059ff5b273d92eb15600de678147b26bb3652b62445062f8dfdd7917b3e8e

SHA512
1bb749ee21bfacc7e092953d14b53d4e9792edeb686a127b9b456ac8e8d9d9f3ffcff2d56de851d992da0c8ea9c023ee082a7950ca4d6d3d6e398b91582c62d6

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
96KB

MD5
f5a9b76587ab65ee4282178ddf9d517c

SHA1
6da492096db127d654ab5df1af141ce0da2f1405

SHA256
ff05527565bded85b683e55a328be20df03935d8d62906b093f4a818353d3694

SHA512
cbe437ad98fa41ce4f6c02d7eed16290589aa283c45c5ebd414de88cbdf783c15b7afac650371055a0818da69658cfc5f2a39f96fb0fe055a604b53d4fdc028e

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
96KB

MD5
4e6b4ba66bae53f1ecdf5d1c42a1193b

SHA1
3f6bf1e52ac6c9a84b8c9afbe15152488975adbe

SHA256
18046a97255e2d25df73c33f779ed389af439fa00c51c006f57c9c1221f461a1

SHA512
069ee9a541619ef5e4a2a00cdf15a1279e934f9a10f9f199add874711d2dc640d218e8c10c79f008b3d7cd1d374f22765fca2cf274b4d6ad9e8224248c81d889

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
96KB

MD5
169d17ffe731adaa1a80d0ae759818c4

SHA1
96d758373d92dc80cea80e438ffbb5949cdb3856

SHA256
24c277263d92e52e442a860c7dcb1e330d5688b8ceed14b3e084c1125a022bef

SHA512
37fef5ebcb798fd2e76bde95c2093adf75c8938aa311826fb960a6375a93a4d87550a6fd938a97cbd1199713ac8411097ccec93e8d2313da731ccf076f722792

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
96KB

MD5
f525f51e64355ab075899d58fd4fed7b

SHA1
fc274126b67594768c3988e74e2a5ea66272efea

SHA256
9431bc24b130001b578a4216f794f077c66d4f51554305308dadfdc29d8f8564

SHA512
4e9187550e26950360f0af30e4811a97f513e68094b1794422f1b565d88d24b86fe8bb896f23a3497f2ff756d1c17187643699a1477323aa8e781d6e0343c289

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
96KB

MD5
a47a0aa7e2b175bfabbeacc659d88602

SHA1
b5a2bda0ffd96a661e282bc912d6ced463fb42f9

SHA256
1232aabd34b7997ee3dcc11f923a3a69a90c634cf977cd475a8ac76548551fcc

SHA512
4286e856440a48455562534c174a62f3b05e5c4af5159a1bb30798384e3376815bf661431094dc1ade02314fa76d956c8b5b0d318b36af5b96fa0fdd9cda1f5f

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
96KB

MD5
622f8c6d34d291dbf5b307bd88734831

SHA1
908495140097bd5df05a4bcdbc17f0f27158e9cb

SHA256
db92ace64df5873ee3c50e7318337a3d8eecd8fbfd8ba5b431e3d0d2c8ebdc9c

SHA512
0810b8fa6b56d1b97d0e225a7d3ebb892be132100fdc38ed1795ca9509167cc628b06ec23e28c038bbf08d3f0469145f4a0b3365bc4613df273d019db017c618

Download Submit
C:\Windows\SysWOW64\Ladebd32.exe

Filesize
96KB

MD5
6354fbf31d1f1a3be94c4ee509170577

SHA1
87addc9f1040c7d3b676309f1616b68021f00d71

SHA256
82903c22ac4bd0c9f403ebb810d328484fe0a1bf0d0fcc0b18f3ab0d3bb26749

SHA512
d406b22ee2cb8056ccadbead0240228c65432e57bf70afa0020d139dfd89076da3a91ce852bc1e5bb7b04b1725e2d93b9b460b28a9b9eb1ed739e70f80e6755f

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
96KB

MD5
09e609e0eb105128c6a07e593acb161d

SHA1
96250d3ed41a4fb4b24c4569046b797677065e12

SHA256
528d3c304336012a8ee18e0a3bf2156e10c76fb3e68ffd88f8dc1797d5bcd6bc

SHA512
d61c82ad635a4876140cad815d9f4211e24ed65e93fdb6aa1084fecc6ecb9ecc6903025977c40a8545c0ada4448dfc7e1726ee02676c4ccb5861db2e1c850515

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
96KB

MD5
6e2d13d85bf839d96892a67385d62da4

SHA1
410aec39b12cad2544a1cf81d3f81ec56111f28f

SHA256
5e55d495018bc99d47d132360078d38a031d0e969d4ab07064a56b3bf35ab0d8

SHA512
f1de527698254d7a84baec34b007553be374712c108f82e7a7a554292d287f804c99ce7ee5d416db2d911a148b7eb205a0f6cae636a16e762af733ae13027c71

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
96KB

MD5
8d1da388e1ba07d542e38e10ecda53b5

SHA1
da2ec829f2a14c8d174ad477edb6dfce816cda38

SHA256
5dacf22bcfcb2c6fa2a7fbc4b54ec77bd3e264c67431da179629b0721402b055

SHA512
3f7026a0560bda262ba9063a15ca82d360070b46260efb09fe9f3fec674a6d72c72f56275bff31bc3974495852145d3a47c6635583fbcc28498f8fa7e4beb150

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
96KB

MD5
e834ec9c0613ebdb7e3cf615cf085f8f

SHA1
f2dc61a67a59d1b95e6c8bc032a03b0ebcfc4f49

SHA256
55289a4945a6a4e6c0b19a54aa1092675dde0d7a9a99dd444ce035385479f47f

SHA512
d781762c8d6f84b700412dbebcd1f6418ea13205ff236d1f2c5015755de4876557c1ebc460fa79f565fa85861f3fbe73ec33f1557cc4c510a0a921b536fa971a

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
96KB

MD5
a60381fc7fca68f7b30775f927e0a8ac

SHA1
9af8ed93b04247b1a53dbcb20947a48a6034ed76

SHA256
fba0e4b5161d36ed3aac78c9193beb0951d02386a3f82d652f43312e1a9f5565

SHA512
b79340cb868305fc2d50b96d7ef8888c41b345c2e2f76173f0345599d12312e0044746062386a1cf0e0016852c2c6a9d68436dc110cdc43d8e80aef9e67a4fff

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
96KB

MD5
4521371c3612dc6b085329b2f502307a

SHA1
8f9ed521e458f5a04e53f63cdaec9505f1bb022a

SHA256
3fdd4b4b6eb2d72acca759f6603f1cd4720d39cfdfcd523889eaea02a76e44c8

SHA512
7dd0ddbc944a5adb51a3e07a885a8263833288a7baf9b6ade63499bb92378b0564782962c79b77504765f65bd59d7b8d54794b8374a067ffb85d1acdb5b62ba8

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
96KB

MD5
a7db9f8896122e70aa9db56ce89d34d4

SHA1
3b4b57e54d4725c0c474c6c588665f1edfcd5863

SHA256
dd258b1529cb6a0b3d0344d744fbd70d480623b14eda2e755e9bda795230d29e

SHA512
ad9bffa10d1db0045768831e59b6af252c17cb2e18ab1134104c17204b57b669b08dd61f9930ae4328414323e24f2029076c16f35e63709b1252a09f06522a58

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
96KB

MD5
ee4d3f97378a12137b234654f13b71c7

SHA1
0bee700cbcc3ca1662eaef20c4323f986b43ca47

SHA256
388e709e3247f49850d256d78951152a94100cf7f28dee4590757524f272aeaf

SHA512
0040eb04811326190554840862c9c50be23e87bcd899344ba9ad00c92afbe00bcbe6a41a1507c033fd6ee1a1e079c465a7c82045b7fafbe2c18421a2f85dc937

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
96KB

MD5
9533cbe156cc53cac31348acfe82821f

SHA1
2062b422a57d4b6abf57c9c92924262c0c76f868

SHA256
b488fd554d6aa06ac7d626f9bfe6850b4042505b715d71747c499946a2dc0415

SHA512
f6cb59e6701dc923885e373b19b9a4a3b7593b9e716783711ed840c986a43528f94721ed14c84e3e7a175e3f573f2b9821796635ac41da96f7bf38bdd5b9ac90

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
96KB

MD5
3c3b1a915d23945c457b1c55f902c44e

SHA1
5604c754ed895f86f44d4ac9e7744b71914112ea

SHA256
4867f276cb031d7d3b9bd8bd3f8237f7db6d11abbdb6494c26280d964654f693

SHA512
b0b795684d9a68753cbae896955f985475c8d6c025d87c915bcf5f3a93bf4b447ad7ce1dfafe4cef696653fc1dfbb09de31da9f558fd46d562abe0a980e2c2e4

Download Submit
C:\Windows\SysWOW64\Lofifi32.exe

Filesize
96KB

MD5
e6eb3eca4e5d5b8b4c20a22c2f531dfa

SHA1
439d26a9d6ad40390b44f2758e83eebefaff3fcf

SHA256
cb02d7960e26d7df0cffe1d8989d1e828a626eaa9dbab11804d7bf9819d3571b

SHA512
5008f5346d015b32bd1f86ee15f4b92ed64111a408e2055918b3f9d77ed00a43121c22cfab0c7fe9f03f7394a7bf99f9b14875d989f8525dd52b6c8b251b2fe5

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
96KB

MD5
7aad91f37ab79fdffd66ec9933d1c360

SHA1
b0c8e25c4f799129f3b1c579bf6923f9db4a9868

SHA256
9dd6d135accfe2c43a64f8d18ccfa950d1e0ad9e2829716e82fc1476307a8f6b

SHA512
bcd5638d8ac0ee724eb4205200f3a9cb1edb5e3746b6f075b352508e118afe601d33223bbecf34083ba60660ba8fbe44b92f82b38a11ad60236618953caa3eba

Download Submit
\Windows\SysWOW64\Hmbndmkb.exe

Filesize
96KB

MD5
61ab03cb55d079868ec4d5c38684e289

SHA1
fea2d87e0028e76db2e731b4d778969405704602

SHA256
bb7fa66bade8b7f76b45729b1aaece20bafb9c6e519308213987516c93790019

SHA512
64d9d06a5a8963c71ef47adbb6a41e47c3aa0fd89b28167cd4c16ab2337cc36f00fdfce0dd46b6dcc2c1d68bc734f4a06aa5e427967dec4e5fadf7251e90e07b

Download Submit
\Windows\SysWOW64\Iakino32.exe

Filesize
96KB

MD5
c02b75bdecf70465db25ec8bfcdf6268

SHA1
0aeff6c3250c8ff6f84e3b046df21aba7045e5a0

SHA256
52692e13bd58b836a6e60630f5cb797447bcc1f0eff305137236d22b06739afc

SHA512
724d591c5419fd1548c97f96212a4732178a76538b25506485b936b6b40b8e06035b8ccacc8fecf5dc4031ea1ca9e7c7a9c19b4427cd74d05b05ff830cd161c5

Download Submit
\Windows\SysWOW64\Ibcphc32.exe

Filesize
96KB

MD5
7c4fed34e0cd9e8a2b0f68b5a70727fe

SHA1
2180ba88417b283c50f15025eb1551eeda7faa33

SHA256
77bdd7f4825b19ee186826030b7786fea1c73577a7de38852af1ba82a0ff08f4

SHA512
e152e2d3590ed63c09285e86c3b6f3c8490f609673b1b1f82c1a4701c79828c6ccb17052fefe4303eb3128724ca2f647411290252a065a466abed4ab026be0e1

Download Submit
\Windows\SysWOW64\Ibfmmb32.exe

Filesize
96KB

MD5
b1165a6be026dcc43e25500b8a36d03c

SHA1
a12c606419999cd952d6ab7c45a8ee48150ad972

SHA256
74562df31d3bb8df4045b0af64b673270e9889ddac2b004bc79109f8bb6be1b4

SHA512
ac4c85094b535497ff5d114bb5adf4b36f6b3d4e4ad341516b7804ef3d0d3aa38e7f99c48948efeda83c9c139668a0f8414540f3e25fde7fe34dd0923df02ae6

Download Submit
\Windows\SysWOW64\Iediin32.exe

Filesize
96KB

MD5
3eb367eb3dfbac68f11743dc611f90c5

SHA1
67e7c509c877e2de39c25541b4e0096cb46720f5

SHA256
a86f3238ae4ee234d4e56863570120be7bddcd41713d4b9225d86452a23f7079

SHA512
9390c8033447401009736ba2b8bc3be59fb556af35e9ebcd708b016c53a385f3ca9b5f015e9ff0de2ff9a1e0c69687fecb9e123041fed695bccb5f6426dd7a91

Download Submit
\Windows\SysWOW64\Ijaaae32.exe

Filesize
96KB

MD5
dd439e6be6d04d97c61c0098b9d9c680

SHA1
65d94b45ca77e96fe2c6c99cea3ca645aec602dd

SHA256
c36121fcfc0fe65d8ac20879b918ec2476f984a4eb06e9254701d748b39e2378

SHA512
86da45efde7d8dbfb8d06ff0e2b368fd933aea3cb2897d171c90571e65bafdd9e8551196f317ccfce92060bf17a860d592816b550f77353dabd931f93761d0fc

Download Submit
\Windows\SysWOW64\Ijcngenj.exe

Filesize
96KB

MD5
7ecd11d671749d52a6dc325e023351be

SHA1
6306065e5d65cf6b78ce93ed393b9768a20016ed

SHA256
d8f4fbe294cdda044f1b2f6d35b6d3e85de053305ee1a5299c7bb25bf4c8d176

SHA512
aef88d1a205314bc5bf25b8598dad93449f2b113774fe52cfd8fcd7d36d2bfcd8bb01b80b05c641652abe255cd65349891d868b8f1bc28c8eb65ae31b81cf8d2

Download Submit
\Windows\SysWOW64\Ikgkei32.exe

Filesize
96KB

MD5
4d9af814b204c9e2d5bd227c0264c4ed

SHA1
c02b28e81a65ace64a9e49b6c924302bf5816e67

SHA256
440b70a9ff06223d23b3f53ce5087daef991783ac5c9007eec321499de2131da

SHA512
fb5674dfd8dbe19b338442f0cd8e205ea3b2388ce8840bd9a9b903552378bf97cf30272872d3916e2fbc55424f8615a78fa35e14b0bb8c9e377c2d36a9c82869

Download Submit
\Windows\SysWOW64\Jfjolf32.exe

Filesize
96KB

MD5
2c1d9b82f9437ae980c161301f093fb6

SHA1
6f10ad9cdedceaa568939b21909e8cea6f086bbb

SHA256
70361e352ddf49ba654b8b1159b514f810dd31d20b2363f12a7632c175fd0378

SHA512
a5d235a96a635a39ce4ba320930bd6bc589d1f9e21f5c233b7d17148a4fee5d22ecd10d6b8edda3d71dc7065c1ca4a704ec40b852854824a72a6bb0c6ec14932

Download Submit
\Windows\SysWOW64\Jmdgipkk.exe

Filesize
96KB

MD5
863a8c4a5169479ade7a6137ce228ef5

SHA1
42e0bfc36d2d4c8b7b623e4c27fa06e761e5734e

SHA256
9d70c79c107ab613ab8238112f0d19901f02603245c5afe43f0501cb59ce5e73

SHA512
e80d988d585c7c98e825f39bb1b41e40059f9f4454ea233c165a06ed4502aa71e15ce6808e67c617e822bb5b46af3115018ea7ef672c2a1c09fadf6a7c934d2c

Download Submit
memory/280-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/280-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/280-88-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/348-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/352-254-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/352-253-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/444-155-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/444-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/564-318-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/564-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/564-317-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/568-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/584-142-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/584-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-168-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/788-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-491-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/828-199-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/828-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/904-502-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/904-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-66-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1220-492-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1220-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-285-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1348-286-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1376-265-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1376-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-264-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1456-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-448-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1504-447-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1580-328-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1580-329-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1580-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-243-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1624-244-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1628-424-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/1628-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-423-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/1680-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1680-393-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/1804-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-307-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1808-306-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1928-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1932-340-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1932-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1932-339-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-129-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-275-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2016-274-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2140-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-347-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2220-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-7-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2220-12-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2336-459-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2336-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-458-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2376-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-221-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2388-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2420-297-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2420-293-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2420-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2424-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2424-470-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2468-230-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2604-358-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2644-434-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2644-436-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2644-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-26-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2728-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-348-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2836-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-412-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2864-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads