berbew | 96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Size

96KB
MD5

d61eb957793b50f41594ae9a3f6b5070
SHA1

c159532b2a74b46a61f3ea463e5ce60203729ce6
SHA256

96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7
SHA512

ab60dd23c009c7709c971576db188b29615950d9ba80c6eabbd3172d960941ec798a02754fb23c54d0e8f1e629abdac090fe8eefb679b59a5cb16629c402d4c1
SSDEEP

1536:rVFes81cTLJPF2kysgnVzV2Il0F+4aBKX275CIqWuE3l02tv74S7V+5pUMv84WMm:xFesgcjKnVzV2Ifo275CInRaiT4Sp+7I

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igqhpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
2728	Hifbdnbi.exe
2708	Hmbndmkb.exe
2744	Hiioin32.exe
2632	Icncgf32.exe
2704	Iikkon32.exe
1924	Inhdgdmk.exe
2000	Ifolhann.exe
2980	Igqhpj32.exe
1936	Ibfmmb32.exe
1472	Iipejmko.exe
2680	Ibhicbao.exe
2572	Iegeonpc.exe
264	Ijcngenj.exe
620	Iamfdo32.exe
2396	Jggoqimd.exe
2388	Jnagmc32.exe
2528	Jpbcek32.exe
2124	Jfmkbebl.exe
1652	Jmfcop32.exe
1676	Jpepkk32.exe
1756	Jfohgepi.exe
2340	Jimdcqom.exe
2384	Jfaeme32.exe
2416	Jipaip32.exe
1224	Jlnmel32.exe
2816	Jfcabd32.exe
2592	Jibnop32.exe
2640	Jlqjkk32.exe
2628	Khgkpl32.exe
3060	Kjeglh32.exe
2096	Kdnkdmec.exe
2144	Khjgel32.exe
2568	Kmfpmc32.exe
1792	Kenhopmf.exe
1480	Kadica32.exe
2084	Khnapkjg.exe
1056	Kmkihbho.exe
1904	Kpieengb.exe
1968	Kgcnahoo.exe
856	Libjncnc.exe
1312	Llpfjomf.exe
700	Lplbjm32.exe
880	Lgfjggll.exe
1848	Leikbd32.exe
772	Lekghdad.exe
1656	Lhiddoph.exe
2284	Lpqlemaj.exe
1808	Lcohahpn.exe
2956	Laahme32.exe
1636	Liipnb32.exe
2996	Lkjmfjmi.exe
1048	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
2728	Hifbdnbi.exe
2728	Hifbdnbi.exe
2708	Hmbndmkb.exe
2708	Hmbndmkb.exe
2744	Hiioin32.exe
2744	Hiioin32.exe
2632	Icncgf32.exe
2632	Icncgf32.exe
2704	Iikkon32.exe
2704	Iikkon32.exe
1924	Inhdgdmk.exe
1924	Inhdgdmk.exe
2000	Ifolhann.exe
2000	Ifolhann.exe
2980	Igqhpj32.exe
2980	Igqhpj32.exe
1936	Ibfmmb32.exe
1936	Ibfmmb32.exe
1472	Iipejmko.exe
1472	Iipejmko.exe
2680	Ibhicbao.exe
2680	Ibhicbao.exe
2572	Iegeonpc.exe
2572	Iegeonpc.exe
264	Ijcngenj.exe
264	Ijcngenj.exe
620	Iamfdo32.exe
620	Iamfdo32.exe
2396	Jggoqimd.exe
2396	Jggoqimd.exe
2388	Jnagmc32.exe
2388	Jnagmc32.exe
2528	Jpbcek32.exe
2528	Jpbcek32.exe
2124	Jfmkbebl.exe
2124	Jfmkbebl.exe
1652	Jmfcop32.exe
1652	Jmfcop32.exe
1676	Jpepkk32.exe
1676	Jpepkk32.exe
1756	Jfohgepi.exe
1756	Jfohgepi.exe
2340	Jimdcqom.exe
2340	Jimdcqom.exe
2384	Jfaeme32.exe
2384	Jfaeme32.exe
2416	Jipaip32.exe
2416	Jipaip32.exe
1224	Jlnmel32.exe
1224	Jlnmel32.exe
2816	Jfcabd32.exe
2816	Jfcabd32.exe
2592	Jibnop32.exe
2592	Jibnop32.exe
2640	Jlqjkk32.exe
2640	Jlqjkk32.exe
2628	Khgkpl32.exe
2628	Khgkpl32.exe
3060	Kjeglh32.exe
3060	Kjeglh32.exe
2096	Kdnkdmec.exe
2096	Kdnkdmec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Laahme32.exe
File created	C:\Windows\SysWOW64\Ncbdnb32.dll	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Jfaeme32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaeme32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jlnmel32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hiioin32.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Icncgf32.exe
File created	C:\Windows\SysWOW64\Npneccok.dll	Iipejmko.exe
File created	C:\Windows\SysWOW64\Keppajog.dll	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Jnagmc32.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Hmbndmkb.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
File opened for modification	C:\Windows\SysWOW64\Jnagmc32.exe	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Jimdcqom.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Cbdmhnfl.dll	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Iekhhnol.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jggoqimd.exe	Iamfdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	1048	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll"	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhebh32.dll"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Jfohgepi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2728	2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe	31
PID 2220 wrote to memory of 2728	2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe	31
PID 2220 wrote to memory of 2728	2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe	31
PID 2220 wrote to memory of 2728	2220	96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe	31
PID 2728 wrote to memory of 2708	2728	Hifbdnbi.exe	32
PID 2728 wrote to memory of 2708	2728	Hifbdnbi.exe	32
PID 2728 wrote to memory of 2708	2728	Hifbdnbi.exe	32
PID 2728 wrote to memory of 2708	2728	Hifbdnbi.exe	32
PID 2708 wrote to memory of 2744	2708	Hmbndmkb.exe	33
PID 2708 wrote to memory of 2744	2708	Hmbndmkb.exe	33
PID 2708 wrote to memory of 2744	2708	Hmbndmkb.exe	33
PID 2708 wrote to memory of 2744	2708	Hmbndmkb.exe	33
PID 2744 wrote to memory of 2632	2744	Hiioin32.exe	34
PID 2744 wrote to memory of 2632	2744	Hiioin32.exe	34
PID 2744 wrote to memory of 2632	2744	Hiioin32.exe	34
PID 2744 wrote to memory of 2632	2744	Hiioin32.exe	34
PID 2632 wrote to memory of 2704	2632	Icncgf32.exe	35
PID 2632 wrote to memory of 2704	2632	Icncgf32.exe	35
PID 2632 wrote to memory of 2704	2632	Icncgf32.exe	35
PID 2632 wrote to memory of 2704	2632	Icncgf32.exe	35
PID 2704 wrote to memory of 1924	2704	Iikkon32.exe	36
PID 2704 wrote to memory of 1924	2704	Iikkon32.exe	36
PID 2704 wrote to memory of 1924	2704	Iikkon32.exe	36
PID 2704 wrote to memory of 1924	2704	Iikkon32.exe	36
PID 1924 wrote to memory of 2000	1924	Inhdgdmk.exe	37
PID 1924 wrote to memory of 2000	1924	Inhdgdmk.exe	37
PID 1924 wrote to memory of 2000	1924	Inhdgdmk.exe	37
PID 1924 wrote to memory of 2000	1924	Inhdgdmk.exe	37
PID 2000 wrote to memory of 2980	2000	Ifolhann.exe	38
PID 2000 wrote to memory of 2980	2000	Ifolhann.exe	38
PID 2000 wrote to memory of 2980	2000	Ifolhann.exe	38
PID 2000 wrote to memory of 2980	2000	Ifolhann.exe	38
PID 2980 wrote to memory of 1936	2980	Igqhpj32.exe	39
PID 2980 wrote to memory of 1936	2980	Igqhpj32.exe	39
PID 2980 wrote to memory of 1936	2980	Igqhpj32.exe	39
PID 2980 wrote to memory of 1936	2980	Igqhpj32.exe	39
PID 1936 wrote to memory of 1472	1936	Ibfmmb32.exe	40
PID 1936 wrote to memory of 1472	1936	Ibfmmb32.exe	40
PID 1936 wrote to memory of 1472	1936	Ibfmmb32.exe	40
PID 1936 wrote to memory of 1472	1936	Ibfmmb32.exe	40
PID 1472 wrote to memory of 2680	1472	Iipejmko.exe	41
PID 1472 wrote to memory of 2680	1472	Iipejmko.exe	41
PID 1472 wrote to memory of 2680	1472	Iipejmko.exe	41
PID 1472 wrote to memory of 2680	1472	Iipejmko.exe	41
PID 2680 wrote to memory of 2572	2680	Ibhicbao.exe	42
PID 2680 wrote to memory of 2572	2680	Ibhicbao.exe	42
PID 2680 wrote to memory of 2572	2680	Ibhicbao.exe	42
PID 2680 wrote to memory of 2572	2680	Ibhicbao.exe	42
PID 2572 wrote to memory of 264	2572	Iegeonpc.exe	43
PID 2572 wrote to memory of 264	2572	Iegeonpc.exe	43
PID 2572 wrote to memory of 264	2572	Iegeonpc.exe	43
PID 2572 wrote to memory of 264	2572	Iegeonpc.exe	43
PID 264 wrote to memory of 620	264	Ijcngenj.exe	44
PID 264 wrote to memory of 620	264	Ijcngenj.exe	44
PID 264 wrote to memory of 620	264	Ijcngenj.exe	44
PID 264 wrote to memory of 620	264	Ijcngenj.exe	44
PID 620 wrote to memory of 2396	620	Iamfdo32.exe	45
PID 620 wrote to memory of 2396	620	Iamfdo32.exe	45
PID 620 wrote to memory of 2396	620	Iamfdo32.exe	45
PID 620 wrote to memory of 2396	620	Iamfdo32.exe	45
PID 2396 wrote to memory of 2388	2396	Jggoqimd.exe	46
PID 2396 wrote to memory of 2388	2396	Jggoqimd.exe	46
PID 2396 wrote to memory of 2388	2396	Jggoqimd.exe	46
PID 2396 wrote to memory of 2388	2396	Jggoqimd.exe	46

C:\Users\Admin\AppData\Local\Temp\96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe
"C:\Users\Admin\AppData\Local\Temp\96f50d2b1acc098ad2f24268d10d97e86497b1884fc4509ad33fad72d83666e7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Hifbdnbi.exe
  C:\Windows\system32\Hifbdnbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Hmbndmkb.exe
    C:\Windows\system32\Hmbndmkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Hiioin32.exe
      C:\Windows\system32\Hiioin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ifolhann.exe
        
        C:\Windows\system32\Ifolhann.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Igqhpj32.exe
        
        C:\Windows\system32\Igqhpj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 140
        54⤵
        Program crash
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecfgpaco.dll

Filesize
7KB

MD5
aa7fc00ea54e7c7f20091a3c4d0e6341

SHA1
95a28ffc0be04bd4cac69392cce7cf011c2b099c

SHA256
0a2241e1cb661b45c629a8b56eafe4a28a926a4be410e60331c94294ef479979

SHA512
c43c00ff45479bdf3a33c071dd1eef920d15c8fefbc6a7a192c5ff43a9f70bc325870891726f45f5e3925ff528328f8d5fb270d476224db7c41d221a58515bed

Download Submit
C:\Windows\SysWOW64\Hmbndmkb.exe

Filesize
96KB

MD5
3c266e141c2777b947f443cd40e2f590

SHA1
26f36a241a9987927fd4325a51bd8f014a44b05b

SHA256
341b34dfd8910f20185fba69272f6bf9b49c767cb76cea1824a4a9468e296617

SHA512
a370d6640d6d527ab8b020a11474f849a226ce5928491864d030d012c9313ba29cb6a14a417a0e9c5368f1e07b7838a165d792f3ea948b1ddc9fc8d198e41672

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
96KB

MD5
b9e59f458712e5098e80f7e0b754b19c

SHA1
274e4aa20d32697fe8fc6e96d1474ee8eddbb77b

SHA256
6933ee7a334c5272e323bf0e5d0fae8e1d5e8c4c216810432aee883a567f1dda

SHA512
bef6230d862988f21b430b5d0293d767f7dfc1024dd095d14ab35ac25b073130f96232cedd601be5c8be954a4dccad7455b79f002838d6e47a2dec104351ffbe

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
96KB

MD5
af0ff29ffe1f4d17ac6d339f78091859

SHA1
48fc73349f41944136d8d13ec5ac1c76712271e8

SHA256
a24562af4633a51e06b2b78a1f45e8bfbdd7d27d7455e64f87386478b4024650

SHA512
8bc8980859e77e4c9d20e372bd9cbee96a53d9f7012c6fd8a763b9c0d2c7396a889bad69d9974fd1794756d3340bf93e562538ff769efb4a06d36e0b9273daf2

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
96KB

MD5
cba9b3c16d4ac5eaef9e1631f7b5d32e

SHA1
b959ef8a07c2c1b41cfb2e0e4abb570b6b97d7ab

SHA256
56e6ec5dbfe03f922a2bdbd9fe405de4db2029b4bd9d8272cdb0af033b126ea1

SHA512
f146b1a46a1f33bb327d5e960902206233f19b9c8cdcd49492edbcaad9f6910bae64f5b5869b741c884fa5a768f51816446caf811826225292aad94fbbc2a351

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
96KB

MD5
cecd61c1d2b6711a8d369591cc36a8dd

SHA1
df3d4b1af3b2925de6811ee47adf31913bef9b0c

SHA256
295be92fd4e89918a0e627c260a44dec9c8b29b890bf4d1d79a25321ce8dd3f0

SHA512
23a3d23032f3aa0e3357202b723b3c02682e8efa05643e331f3cb018fe308eef7e2c28150f9485d13e8260b2497af800aae3635d5cd84045d5633fae12c1b61f

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
96KB

MD5
8654a8ae14e0f5fe5acf3816a9c895f0

SHA1
2811f4f0a824233fcc3129f7786c9d7d6c2972fb

SHA256
5bfabf5912979e7a46ce4523f3fbff5363d861a97e39044668b6b05b57fcd916

SHA512
182853b2e3fd30481dd0f8e03250a1194e2abcdac49bcffad1725f527877de5a4594ebfc13611fe2ce33df4d800ec35de3037ce79a329bf5036f0838ad9ca433

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
96KB

MD5
1b5c1712690c25c4514fd669cdab0d47

SHA1
7983937390b80259e9178dfc841918e4d08f9915

SHA256
0a0fc6741d023b3df631dd9ca36258f0e01310886eec4e6ebd2d6652829a973f

SHA512
af5ecc28da888186af99b5377553c9eda561f74ca38c8309744d6d0f48cfaf1094ccb5e37dd71c32d85197761198cea5693e5526bb839e358216247bf4d94e6f

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
96KB

MD5
58e6f475db50850c8eb98ef1dd8fcecf

SHA1
c7e1f01faebc91f0f7438b93fb53cc0c8f7b2cb4

SHA256
a4f321cc01e125674c8a3a77fd8f568e80d34c68ed1948869f1022966190b47e

SHA512
564541449e36d0e546542d84f30fd7ae42a2284a7ee05dc5f6d01ac06346448b0be37be245222facaee8238b9fc51d3c6463cb2aa31ea275f13e519ff1287194

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
96KB

MD5
dff1ee109638feb581fb716bde8029f7

SHA1
e9f6b30690329d69aafc17a2a81ac15de2cc1b17

SHA256
f8e2ba4e05e3c2c69c1cdcf7758a39248a08e03027748c7066b028e04f33bb4f

SHA512
e9f02ec76c99c9a5dd73e2f75e9bc1b5a793b70c0eb7d86a8d3cc7bc18279787575518e4868823a8d8ecc5cdecb59e36fb7ffaff9da43bb3a661b042f4d9fa68

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
96KB

MD5
f215925a57e2910d2dd0b22e77865ebf

SHA1
c643468c3605b9a74734a82edd46f02ca822a427

SHA256
1072fb65b4f6d05a2d558e97d502593499b984017a829741afd354fa49c59e7b

SHA512
89d1408d45fb33774404b8a1455ed8be4f5edf5faf56989af0e110e623ff23ed68bb44c53edb0e984a02b804c1e79b48558c20b35988840bb61fe2bf76da8c27

Download Submit
C:\Windows\SysWOW64\Jlnmel32.exe

Filesize
96KB

MD5
fdd4e9b2039f46a5a6a0411983185770

SHA1
1b4b64ca1848ddf68ef99a54047aa8fe69159d3c

SHA256
70e141e317e57781daea17b27efc9ba50954161e372e3b1738c4b1374189b0bf

SHA512
6050ced9eafafad4ad57f831ccb09c520c40e395ae94db74afff5cb322324be2942a042d7c3405472252fb25db2e2c1c38b0db7346c19d9f3c92b2eba27e5927

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
96KB

MD5
b1ce7260750c0704e07c1afe69dd5160

SHA1
f4e5afdeab8f69ab091b5f4f813d85fe23f05c40

SHA256
fcd1326c1989e0f3b3e44466c3517997dce48f985d66e5f85e91f49a0f716143

SHA512
494acdaf299fffaf88c06626905b08ca6263babff3c22de3678a17b5ee0f8fa3725c6708f29216ad503aa5561891bdaee3be4863370c304f5785c388d7106164

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
96KB

MD5
1ddd4a8d1f41a12b0752cc036308bd21

SHA1
58e14a928c6d794cf2d4c9b3e5b252da5560dbf0

SHA256
c96cc580d4bdfc663c4f6cdbbc8e6650a7fd2df01450af388a50dc1cd396c678

SHA512
7d842b5c049bd45b6448ea53343d4088680b61a324c0dfca65faacb2787e7413612d40a58c01a93dbfdcce5b0c469874ea5804a043a0f714dd32d00131c373e9

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
96KB

MD5
055c74e2d8040717f465173679a36c9f

SHA1
63793518a036742bf1b8207451b399a55acce37e

SHA256
99bff6b4b2a986d480b696d3eec13e59eb0570c3c1892eb64a407bff4fbe1290

SHA512
5135db32025037a304343b6693abb6fea63b62450384edff93b3cda51a6a7bfdbf2e783164fc26f677243a5d12b7d1b5bd7320fcb1e171ea4a94b1561fdf129f

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
96KB

MD5
15dd0b55218b414f58cb3d74aabe9784

SHA1
3c35df591be2eeca302ebeb2b2c2fe8e6c9cbd87

SHA256
b3da5dbf448b4929606748f48e0690dd2a9031597de7f52c08713d662e24766d

SHA512
f6d634b3c73501c988bea298e84e74c9f902b9d23b0ee4876527605d8f72b485b6d809fb7e8431d957aca77ea696a76a11f89719ee23950ec6204cc7486b2001

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
9eb4050aaa943d4560cb1918a4e6e3f5

SHA1
932d818457fe926eaf1d3784fd4f8fcca04a2ed7

SHA256
198c5b12d883d4c7eca1e9ba1daba3aff7491335e1c935a1b00b62ceb36c351a

SHA512
0cc90bd80d375e2c3e62fa4f735c71256c2e47a2c250438d87fe0d6b38e8cbe3bb317936d96ad877f16b464ffbee155eb6188cd284a2bf5093de8635aa58e36e

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
96KB

MD5
ceeee9e15c6a513372762c6d45c2e849

SHA1
867429accc2ee9163f03ae46899ab7720ee959df

SHA256
ca4d580263b27c7e2fef458af4a954f8dbe602d5cdfab72a54c4500a711b493d

SHA512
559a7ca014512430726b75e52947636a2fdc89a7bb095c81daac96e06a65c62a0dea954c7df324b8c5dc10427def7568fd58241292ce712ad794ce4ee4b4aaa1

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
96KB

MD5
4ea880d4ac489a2e467c908b5af1b0c6

SHA1
bceb6f939da0d532c2b9ac0e47a138b40db6e52a

SHA256
e6fe3e89d3c73f0fe05b22e3f211210f45e501ef7bc263efc4406d155c9c0507

SHA512
bd7a9452cfda22f2d0b5e188fc9af1143aa3a6fe9347a32a04eb8350efc18ad158b6101e1db97caa17c485f6eb8e2c6010403ffc61e3a4718d3479f03e96b0fe

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
96KB

MD5
782945d77ca0e0a26418a15b89a193d9

SHA1
a301b9ac132552db2ed713236b3aed180f442822

SHA256
00eb934f495c5c20b92800453727e8dc397d1f2dccb6dc23a18c908a96b2db15

SHA512
cfe2650a3511b5ec70a26088d9dde83539064decbf73f4d8bf71f98809a8d71938f94979a4c35d53ba00deb151deb87319228242f0e595b74e70a80b61c1973b

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
96KB

MD5
62ea0d32cfd10b5f79d0a0e88a2760c2

SHA1
fdd6c5bb21cabf8225d9efbdbd74e5e6f9e1d3be

SHA256
680bd1ddbb1c2823e7c0c0508780d0541600d3a5d39a2e4e391b29719bb85426

SHA512
b691de10bac875dee9eab4e3773f393e3eefc0f331b2f1b99ae014e6b6cc1bf987630f630167f616bd21e06771025e65741fe07a4f3b99dcdb6d3ec24ea536f9

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
c29282f14c18f899ed99132cdfa2c215

SHA1
bf42f5dd5914eeaf2b9aef23409842294338aa96

SHA256
97ec278a5e1276b5a766b001711bddef0a7b5ef055cc2c5cc54ca2a339fb1445

SHA512
8c5a26a608b8e55ee12f956382cf94a549ef35ee64963597c3b86bd2fb2f22a3fdf5b48d3e7c266c7f66edcc6f6379f32457d9be0575de22af2931cff93c96f5

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
96KB

MD5
16e7cc6abbed4fe2074d4b41c881c938

SHA1
34beda06ec38773a965a01b8378cc2295b3f90b9

SHA256
e7ad1eda4b101a6409ea444be5ad397e63926230c0224ead9cb9ed9bc44f315a

SHA512
5f707cf4208497d03c7c983b39e1776df6bc11683ffbd438ec69db787ddcc255e3afaf2d6e1ae01ea68b6a185d628df30e173fa3f781405ed74a940566e58b72

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
96KB

MD5
5fd6f84594739092c53bcf115ed485b8

SHA1
d33e29e2fee5d20ef2579b50924481a2533749e6

SHA256
174a1b2fb45e774b2ecc833337a4406038a6c372776069845e51b0cb2cf8bd29

SHA512
1fafb4ecaaffc92575f00068dc3fe88372ec8f1ec26ef11b0e5174c6e2d44ea2467e98349db9dd155816c8418d6586ab3485d1d54aa0984bf246a47a8f6fa3ca

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
96KB

MD5
21dcf12077fa5217d1636fcd858d90d9

SHA1
a962e26668b6714af6a8f307107665e1982a1db6

SHA256
d10dc92185882cf47a5d04f00491785d318c35a2474d1b3acba6964078fbda9d

SHA512
f9f906ea6fc21a8a3f0d4108762028449194c997adcfc62d05b04334f4770a9f6ed97c1c02adcf619b75f65e5392f17bbb31a2ca7d11e955b01df0b69199482e

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
96KB

MD5
20cb8bdbdec316b0a01f2e3a55f97f98

SHA1
4dde29bd1e029c5c1060fa74976f28f6ef807065

SHA256
bd59fa902815cd8fc84dca4d1090f4338d0458706a8137ab311257ae6fd6bbc0

SHA512
e9f99195b3458b136fc89dd525c6a41f25c08564ee808a610aa29a07feaed0d6b6f88edfc13cd9d578e3f4ec4c02d26926be8d55a7e4f32dd8cda5b583d4cbba

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
96KB

MD5
56f01acd5ac76b080ee2ea00499d82dc

SHA1
e38501a81aca54bcb3ede34f6739ea6a10bdbe04

SHA256
956d87f5900700af0ac4c387747da0f866e86579a3771d571fe974954a5d7624

SHA512
624f226f882ef7162d84cc8718c3b583f8a9c0c0fc21162bff45ceced6967bedc91c18330e72d67839c29475b21f88660ec2be572748bd769d39a5f001c69376

Download Submit
C:\Windows\SysWOW64\Laahme32.exe

Filesize
96KB

MD5
77344e7cd3a7b14c6cbbe8daec9f68da

SHA1
ae185d89b5ce930f30d49938ce7feced0cd74f30

SHA256
b1bd894647b872288a0d30dbbf2a449d75c1ef3c41a59b67d00ffa74dfe53fa0

SHA512
1dcf4d4bc6b6951a63df4203b02d76e4b9c50551c6082961c1a07f554e8c8efa12981672fdbcad27d27383fcae9911071066ee1dd7b3d0398a3452c4bd355b5c

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
96KB

MD5
645b57a304e40d705722777a99c4f6b3

SHA1
060973d36c1862ed589aa4764e2aa991554e5264

SHA256
0e2b0348a74838a0cebb3f738293cb1d3c9405e23ed8bd624fb7b71c2d5c4091

SHA512
372b23e00566cf7c883db3b5b69253d67825c8ca695ae6bf9424cb6ab703e709214e5b28af727107083e8d675c9c158f5c16ffe29b4a21b78c8e73a8d2d2c103

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
96KB

MD5
3f0098971db6144818b311d89a7fe9ef

SHA1
09f292a76d1123b3e8c0e857368133ca4d825aa3

SHA256
d2df4990b05f2609b32f7cb121ad0a894c598a5a7f5b51529188560b5090ebf8

SHA512
72a5ee4ec889e4f8d25af26712cd39d2300dc54137e573af7f3b439eb6d810efff161e5c6a337d64c4520b9230d0cae90550acb661ec516655957eda81787a9d

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
96KB

MD5
d84599962b97dbac0690e3734fe445b9

SHA1
54e842628dd00af637914b6e546327fb66724969

SHA256
7335fda2d40e1edbfe8ae766d3d93e05cb06bd3c4c9410caaceab7fa512402df

SHA512
6a01f2fc141a90c56c9e9634b80e8b5f6e169a6b62b522f9d04c2b9f1ea6bbe031c9888ccb55a70189ed7b73d45720b8c4640b2b91ceb8e7c1aa8419d3101287

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
96KB

MD5
08d986085b77a75c2f37334912714bbd

SHA1
c2c79285d0de82a5eb3e90d981c7d62c45ad3e36

SHA256
85a309ff3cbc42c801f5d8c6e39a0d4cc691033198f0209a84511e8dfc9f98a6

SHA512
656292192bd53c0968105d14834e59903a411117326c5f6b731e9cd6fa863fdf12e68f108f61de2ef55e75214521ce1721ff5762c833499cc0dfa35463061788

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
96KB

MD5
e834ec9c0613ebdb7e3cf615cf085f8f

SHA1
f2dc61a67a59d1b95e6c8bc032a03b0ebcfc4f49

SHA256
55289a4945a6a4e6c0b19a54aa1092675dde0d7a9a99dd444ce035385479f47f

SHA512
d781762c8d6f84b700412dbebcd1f6418ea13205ff236d1f2c5015755de4876557c1ebc460fa79f565fa85861f3fbe73ec33f1557cc4c510a0a921b536fa971a

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
96KB

MD5
6b179b0badd84ecf16c535f6c30a0f78

SHA1
4c2989f32e1ca57f607fcec4582030072bb06038

SHA256
bf1b7bfdd387d87d8aae1d42f7d498bb2c7b915df915793ee5081c703f8ba851

SHA512
38f0dba20c61bcc237afd0a9847c9890c01969d1690ea6ed3339dea995230fbeb1307ccc37b35fa6b4c5001369436dcf57c7b347c44beafee19cedebbf1f8c3b

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
96KB

MD5
5c2f7d5fd3608a0154b15653e5c21df1

SHA1
c2f56c3d07e01caa684a070dbfec89e4fe7b9b54

SHA256
ff3b8f05a7f883e40135083738eabd7f5d5ad8e0e0fd5f398c9cacdcacf9002d

SHA512
2f364a42b68ed924d196c1baa1257fe8df5f72d950199ae4e865cb1d6112787dbdfe5672f62c4e92b9a96541097950383038c6d0ad4308b22c10af050aabb662

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
96KB

MD5
48ca8b58bc438d3fbbd168c3dd65d84e

SHA1
9114129b5deeaf65f3b22de2dd18ec6d4526f40c

SHA256
8d35d9a8990ac550573f407bb26500c2825175b447b655820b7f8c715f3ba374

SHA512
430301178244bfa56a011209dc603e857ab38be6004696ab6035560d4fbbc3b3a9f6cb22240277548be63f68c464b93b1bb912c7cc9a02a3968ca608d07145bd

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
96KB

MD5
a5118319f2c3661ae5f1106338f1e8af

SHA1
3af3d044da42afaf9d6dfac9e802fc61ae1d112a

SHA256
174409fe91e80dd3c9a78edbae9b055510b7b5da68a50888eac486bed38f68c8

SHA512
cdbe993afb98a4075e8e52f76ea58c1aa8161789d88df6a76c193a08dbedbaf71ee98a04559c959e46053a57ec2632b11db4b134ccdd5de3db8e69c70e486714

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
96KB

MD5
c484e51d53591bfaf7f9d6f470610630

SHA1
22b2d137b601eccea4e9fef14f2bf6a8fae08ecb

SHA256
752266ff22ebcef0d84d70955b48c54be77f1a33128e4ade4ca8fd7b6ebe849e

SHA512
385ef412c801c24e890237afbd2d25df89cdf8ee429dd866952d1d8654a50e18d9f3059d6b0d061a286ba8045b0942a78bc96a4efd8f6b0d12796f9aa5fdbfca

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
96KB

MD5
7aad91f37ab79fdffd66ec9933d1c360

SHA1
b0c8e25c4f799129f3b1c579bf6923f9db4a9868

SHA256
9dd6d135accfe2c43a64f8d18ccfa950d1e0ad9e2829716e82fc1476307a8f6b

SHA512
bcd5638d8ac0ee724eb4205200f3a9cb1edb5e3746b6f075b352508e118afe601d33223bbecf34083ba60660ba8fbe44b92f82b38a11ad60236618953caa3eba

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
96KB

MD5
81a35815b089d6adf1d47775d4926299

SHA1
030699c542cbfe4f3da6fe513abf78bc1dff7faa

SHA256
653c6a207beb10117cf205ef12d03a80725e09bf2d542b23a818e9a40345534c

SHA512
a20a65a223c4a883ee29544e0de6d2b2156eb24a90dd9254d79d14bd7f1a5071fbc65d5bdbc910d4e1cd948d9322c7374423e6902a31d1262689d9b60a5395e2

Download Submit
\Windows\SysWOW64\Hifbdnbi.exe

Filesize
96KB

MD5
d5d580d59688d4c99cb54959634dcef4

SHA1
3a6d99d8d6e6a7188aa0a2097003915914842ed4

SHA256
f3f39a436855d08f15bbe73e85eeba0e9e1301bbe7f7023b024aa8bbf98494a2

SHA512
e160c2d47718ac232a6ca54a8d73980fc3948ca7e9029126233718eb01545a17f26d7dd356143c7ac1fbc5407a0ab367560fe296d1cb15b5a3d2c1adf426aea5

Download Submit
\Windows\SysWOW64\Hiioin32.exe

Filesize
96KB

MD5
02ca4ecfb92bf1a6d6645349ea79ec4c

SHA1
02916d39e1d3915d9c5b928f2e1e18b16978caf4

SHA256
cbfca120ccb9600d554c3197c6598275bf42f36def3ee502bf78ba0056b3dc54

SHA512
8c58d02ea29026471e197a547adcfedf3ea13ce7c1a3188495023b5020a23b503f88f02f4696186d7304da5759e214c8dd8784058e0ec942105697567ca84204

Download Submit
\Windows\SysWOW64\Iamfdo32.exe

Filesize
96KB

MD5
f5463d9a6bb27e3b4daf1ab0e5c35539

SHA1
1fc87313249c9c95b9ff3b61677cb0f2c6346acf

SHA256
25da2bb7dae490112df22affa469d3b30026083e18f50740bfbd500fe8c75425

SHA512
3d0c991da0cb20e4984e3faf203de61a5e2234065b2b15cc88aee50ff593005dc7bad1b0415c977feb12b00bd7f3b9777a7b08ac6026b1a099eea917dd1213f0

Download Submit
\Windows\SysWOW64\Ibfmmb32.exe

Filesize
96KB

MD5
a26dfce30bbf49a1b3a375ea4465f583

SHA1
799b063e5de8a39e2c0b3a746f25eee234155912

SHA256
07edabcc64478c6a5c4ded6ef5b5ce51e5cd023722ea3f548972f803b398af30

SHA512
dba513c2bcff6ca0253195558b8c0d6e7cbf64f24c233d45b250c6bb8b9b7c776d4576820cbabd0451d0e0762e78cf1b11dacab79ff1c1eb7d745262c0bf5b74

Download Submit
\Windows\SysWOW64\Ibhicbao.exe

Filesize
96KB

MD5
39290020e2db9c76fa139b45667f5821

SHA1
461c4e2e27006aa28c1e0e05d1530ffe2f891919

SHA256
78c8297f2a8aae75e80aea8d925964eddbb269683657b6c40cb3efcf17368755

SHA512
65b240ab05424ccd94554b7288c09962ed0887e0754201575401d99fbf357e54f9d375b0b799e66d0c1fe9a87cb9fc73e615f820c090c50291fb537d3a23dab0

Download Submit
\Windows\SysWOW64\Iegeonpc.exe

Filesize
96KB

MD5
40991fb304910ef18ab2763c1e7584de

SHA1
408771150740c2148fd82de64fcd5f76d98a5433

SHA256
5d15169d7210e1c66ee5834dc4beede3a3d21e4c8332f503cbca44ea30f99f3b

SHA512
c0926c9f2e96e2bda540d13937cd0dafe88045446e7fcb3d64ec5c87d8be9e6c57cd22cebd537be49c16f718ec469393e6f54eb6400c7953beaea2ebe62b6d2c

Download Submit
\Windows\SysWOW64\Ifolhann.exe

Filesize
96KB

MD5
8fbdf804b7707e4e9ea4ef22af7bc9a9

SHA1
9aa8bcf72c6e9623d35677cd73c160227e8f35e0

SHA256
340ed32763c08e70066fd77cb954145e3fbbeb449813a9c3fa6afcaf60105d4b

SHA512
6ff723bcebcf0e8a364cfc43bdbca31b4378afe6af6e30efc7ab16222c53b8acd27f1ef29b319fa21802097b945246d2a232c71afc4fb65a6de27b97a9ee6029

Download Submit
\Windows\SysWOW64\Igqhpj32.exe

Filesize
96KB

MD5
69af8714a92f63b69f6c219be14a8b56

SHA1
a89a84fc613ec3d1f2155bc76306a38546114d28

SHA256
15254bece16bd10eb26400900547a377fd6384f0393f27036a4324dddfa20b44

SHA512
82b9d377856453d176367c87295809e052702ac6b83966935c0b1b69d93661aac2d5b2d2c49c5bf08d895b09d88d7460e155e0cb185eabd0de56c97d54a45f3a

Download Submit
\Windows\SysWOW64\Iikkon32.exe

Filesize
96KB

MD5
28bda28f2652ed9e1adaabeb8ba7da4e

SHA1
9a039a1b7db8a2ae7e2648a6b0ebe06b81fc9863

SHA256
de40d21efd6ed52637586bab5835b2fd3d8f74533536f108362e371c102d0fd7

SHA512
650eb327a6886b2510294951f09d6a62b50c1d3ce3a6b1c3fcb68b467b5e0c2de3507fbac5efdba9fe7aa888340f10692e52aa2abec052a0e4a7f905783d8059

Download Submit
\Windows\SysWOW64\Ijcngenj.exe

Filesize
96KB

MD5
4b2c99d4bff65e1077b2ac6d7e21c89c

SHA1
ab45d6669e879f74f3e22d6115dc0244e762580f

SHA256
587541fc8dc316bcfa635365da95d97240f5b83f4737018a5088a8234257dc16

SHA512
62dd918856b4e7d75c0b45db1421c18c0443d7805cd2d7a2973c3f276b788b8d218f98eb3781bc89a3462ab1829899ef43aa797f6aec3692cb966a049b075efe

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
96KB

MD5
9303f9164764f14e89cef71d8a4b4b23

SHA1
2a803be3b0e0dc52732970b6655d7ac12a640d1f

SHA256
512d827d64b61045385ca3b7f3e07351e43cec52493f76582c9d16a7570fa74f

SHA512
afdc6e5249e6c8b40c41fc3bc90759b30dd26f1aa5e3444fd42cc399ce8650e23879fe041936be445e947989505a4d500da2c448beb8557e219b4b4114fc5e13

Download Submit
\Windows\SysWOW64\Jggoqimd.exe

Filesize
96KB

MD5
dfd3ce6c64577a94b2a6b7e93de9cd56

SHA1
8d7d68a899003acb476d45f321bf16fa01f4c9d5

SHA256
0eadcaec4d4d1d232a82cd37cefa0ecc67684f76f18cbf11f9cbc5b22e8a831d

SHA512
28de26b36ea76be5ac469d3268b2a999e9503ca4d094071986b304d15c0ece4808044df25f30c0aa957b0b1472697e1ed94f6650a5d283c63779b67e2c079d45

Download Submit
\Windows\SysWOW64\Jnagmc32.exe

Filesize
96KB

MD5
b7f455508b1fef073e86ddaa5f55470b

SHA1
dd871248403b59508f07cdb60e6c9539811e8863

SHA256
aec2624aeab64ce8c00b10d3f1fa5df8bc65fb27021bda4412412c243b0d43e3

SHA512
b22553534a2f5a967e7e2f15e6b1a595e8b16cd10730addbee4bf9e6fda2411b955eaabdc7818a7002a14bd3a9883ea4902ab047113820e54982fd7d2fb27cdd

Download Submit
memory/264-183-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/264-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-195-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/700-501-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/700-503-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/856-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-451-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1224-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-317-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1224-321-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1312-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-142-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1480-421-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-431-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1652-255-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1652-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-254-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1676-262-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1676-266-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1676-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-277-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1756-276-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1792-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-419-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1904-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-90-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1924-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2000-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-386-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2096-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-244-0x0000000000490000-0x00000000004CF000-memory.dmp

Filesize
252KB

Download
memory/2124-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-397-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2144-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-12-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-355-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-7-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-362-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-287-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2340-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-288-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2384-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-304-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2384-298-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2388-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-222-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2388-226-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2396-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-310-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2416-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-309-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2568-407-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2568-409-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2568-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-170-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2572-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-342-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2592-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-343-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2628-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-64-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2632-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-354-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2640-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-420-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-35-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2708-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-26-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2728-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-54-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2744-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-328-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2816-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-332-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-116-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2980-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads