berbew | 6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461a

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
Size

74KB
MD5

b408a2955f815397c9291dc71f415df0
SHA1

0a24a2838e83058edbd7420e034f7744ce4a63cc
SHA256

6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461a
SHA512

1673d2a211b81ca455be1a00af9d57ea40663c150eb081a8a2c3da9eb7054a6bb6301efb00b0d006e298621286de314f93dda9aa64db6ee5a952775c38224336
SSDEEP

1536:yOI3ZzawWEifwfgtG5yCsoRgA1oDCOGqn7KdL75CjEWH2+t:yVG8i2gkyX/iOXn7w75Cjv2+t

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknafhjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmpaom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hffibceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffibceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqgddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfhfhbce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaimipjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaimipjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbofmcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
1412	Hgnokgcc.exe
2892	Hnhgha32.exe
2660	Hqgddm32.exe
2924	Hqiqjlga.exe
2460	Hffibceh.exe
2696	Hmpaom32.exe
2600	Hfhfhbce.exe
3016	Hmbndmkb.exe
2604	Hbofmcij.exe
1360	Hmdkjmip.exe
1884	Icncgf32.exe
1476	Imggplgm.exe
1668	Inhdgdmk.exe
2900	Iebldo32.exe
2176	Iogpag32.exe
2156	Iaimipjl.exe
1896	Iknafhjb.exe
1256	Ibhicbao.exe
1632	Icifjk32.exe
2288	Inojhc32.exe
2064	Ieibdnnp.exe
2232	Jggoqimd.exe
2312	Jnagmc32.exe
2480	Jgjkfi32.exe
1684	Jikhnaao.exe
2192	Jbclgf32.exe
2776	Jmipdo32.exe
2656	Jpgmpk32.exe
2824	Jfaeme32.exe
2728	Jbhebfck.exe
3048	Jhenjmbb.exe
380	Kbjbge32.exe
2440	Khgkpl32.exe
1184	Kjeglh32.exe
448	Kbmome32.exe
1744	Kocpbfei.exe
580	Kdphjm32.exe
2160	Kfodfh32.exe
2224	Kpgionie.exe
1840	Kfaalh32.exe
2092	Kkmmlgik.exe
956	Kdeaelok.exe
1864	Kkojbf32.exe
2348	Lidgcclp.exe
292	Loaokjjg.exe
2456	Lghgmg32.exe
2052	Lhiddoph.exe
2672	Loclai32.exe
2780	Laahme32.exe
2544	Liipnb32.exe
2732	Llgljn32.exe
2556	Lcadghnk.exe
3012	Ladebd32.exe
1636	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
1412	Hgnokgcc.exe
1412	Hgnokgcc.exe
2892	Hnhgha32.exe
2892	Hnhgha32.exe
2660	Hqgddm32.exe
2660	Hqgddm32.exe
2924	Hqiqjlga.exe
2924	Hqiqjlga.exe
2460	Hffibceh.exe
2460	Hffibceh.exe
2696	Hmpaom32.exe
2696	Hmpaom32.exe
2600	Hfhfhbce.exe
2600	Hfhfhbce.exe
3016	Hmbndmkb.exe
3016	Hmbndmkb.exe
2604	Hbofmcij.exe
2604	Hbofmcij.exe
1360	Hmdkjmip.exe
1360	Hmdkjmip.exe
1884	Icncgf32.exe
1884	Icncgf32.exe
1476	Imggplgm.exe
1476	Imggplgm.exe
1668	Inhdgdmk.exe
1668	Inhdgdmk.exe
2900	Iebldo32.exe
2900	Iebldo32.exe
2176	Iogpag32.exe
2176	Iogpag32.exe
2156	Iaimipjl.exe
2156	Iaimipjl.exe
1896	Iknafhjb.exe
1896	Iknafhjb.exe
1256	Ibhicbao.exe
1256	Ibhicbao.exe
1632	Icifjk32.exe
1632	Icifjk32.exe
2288	Inojhc32.exe
2288	Inojhc32.exe
2064	Ieibdnnp.exe
2064	Ieibdnnp.exe
2232	Jggoqimd.exe
2232	Jggoqimd.exe
2312	Jnagmc32.exe
2312	Jnagmc32.exe
2480	Jgjkfi32.exe
2480	Jgjkfi32.exe
1684	Jikhnaao.exe
1684	Jikhnaao.exe
2192	Jbclgf32.exe
2192	Jbclgf32.exe
2776	Jmipdo32.exe
2776	Jmipdo32.exe
2656	Jpgmpk32.exe
2656	Jpgmpk32.exe
2824	Jfaeme32.exe
2824	Jfaeme32.exe
2728	Jbhebfck.exe
2728	Jbhebfck.exe
3048	Jhenjmbb.exe
3048	Jhenjmbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Nbhebh32.dll	Hfhfhbce.exe
File created	C:\Windows\SysWOW64\Hbofmcij.exe	Hmbndmkb.exe
File opened for modification	C:\Windows\SysWOW64\Iknafhjb.exe	Iaimipjl.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kmkoadgf.dll	Icncgf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Hqiqjlga.exe	Hqgddm32.exe
File opened for modification	C:\Windows\SysWOW64\Hfhfhbce.exe	Hmpaom32.exe
File opened for modification	C:\Windows\SysWOW64\Jbclgf32.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File opened for modification	C:\Windows\SysWOW64\Hqgddm32.exe	Hnhgha32.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jingpl32.dll	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Imggplgm.exe
File created	C:\Windows\SysWOW64\Iknafhjb.exe	Iaimipjl.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Icncgf32.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Jgjkfi32.exe	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Hmpaom32.exe	Hffibceh.exe
File created	C:\Windows\SysWOW64\Iaimipjl.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Ccmkid32.dll	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Laahme32.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Bbdofg32.dll	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Faibdo32.dll	Hqgddm32.exe
File opened for modification	C:\Windows\SysWOW64\Hmbndmkb.exe	Hfhfhbce.exe
File created	C:\Windows\SysWOW64\Aqgpml32.dll	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Keppajog.dll	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Loaokjjg.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Lgfikc32.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Hgnokgcc.exe	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
File created	C:\Windows\SysWOW64\Pnalcc32.dll	Hffibceh.exe
File opened for modification	C:\Windows\SysWOW64\Imggplgm.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Lbfchlee.dll	Inhdgdmk.exe
File opened for modification	C:\Windows\SysWOW64\Ibhicbao.exe	Iknafhjb.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jnagmc32.exe	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Gckobc32.dll	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
File created	C:\Windows\SysWOW64\Hffibceh.exe	Hqiqjlga.exe
File created	C:\Windows\SysWOW64\Imggplgm.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Inojhc32.exe	Icifjk32.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Icifjk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	1636	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqgddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqiqjlga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffibceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaimipjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladebd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpaom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhfhbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhebh32.dll"	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imggplgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll"	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hffibceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfhfhbce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll"	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll"	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll"	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgnokgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnhgha32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1412	2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe	31
PID 2500 wrote to memory of 1412	2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe	31
PID 2500 wrote to memory of 1412	2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe	31
PID 2500 wrote to memory of 1412	2500	6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe	31
PID 1412 wrote to memory of 2892	1412	Hgnokgcc.exe	32
PID 1412 wrote to memory of 2892	1412	Hgnokgcc.exe	32
PID 1412 wrote to memory of 2892	1412	Hgnokgcc.exe	32
PID 1412 wrote to memory of 2892	1412	Hgnokgcc.exe	32
PID 2892 wrote to memory of 2660	2892	Hnhgha32.exe	33
PID 2892 wrote to memory of 2660	2892	Hnhgha32.exe	33
PID 2892 wrote to memory of 2660	2892	Hnhgha32.exe	33
PID 2892 wrote to memory of 2660	2892	Hnhgha32.exe	33
PID 2660 wrote to memory of 2924	2660	Hqgddm32.exe	34
PID 2660 wrote to memory of 2924	2660	Hqgddm32.exe	34
PID 2660 wrote to memory of 2924	2660	Hqgddm32.exe	34
PID 2660 wrote to memory of 2924	2660	Hqgddm32.exe	34
PID 2924 wrote to memory of 2460	2924	Hqiqjlga.exe	35
PID 2924 wrote to memory of 2460	2924	Hqiqjlga.exe	35
PID 2924 wrote to memory of 2460	2924	Hqiqjlga.exe	35
PID 2924 wrote to memory of 2460	2924	Hqiqjlga.exe	35
PID 2460 wrote to memory of 2696	2460	Hffibceh.exe	36
PID 2460 wrote to memory of 2696	2460	Hffibceh.exe	36
PID 2460 wrote to memory of 2696	2460	Hffibceh.exe	36
PID 2460 wrote to memory of 2696	2460	Hffibceh.exe	36
PID 2696 wrote to memory of 2600	2696	Hmpaom32.exe	37
PID 2696 wrote to memory of 2600	2696	Hmpaom32.exe	37
PID 2696 wrote to memory of 2600	2696	Hmpaom32.exe	37
PID 2696 wrote to memory of 2600	2696	Hmpaom32.exe	37
PID 2600 wrote to memory of 3016	2600	Hfhfhbce.exe	38
PID 2600 wrote to memory of 3016	2600	Hfhfhbce.exe	38
PID 2600 wrote to memory of 3016	2600	Hfhfhbce.exe	38
PID 2600 wrote to memory of 3016	2600	Hfhfhbce.exe	38
PID 3016 wrote to memory of 2604	3016	Hmbndmkb.exe	39
PID 3016 wrote to memory of 2604	3016	Hmbndmkb.exe	39
PID 3016 wrote to memory of 2604	3016	Hmbndmkb.exe	39
PID 3016 wrote to memory of 2604	3016	Hmbndmkb.exe	39
PID 2604 wrote to memory of 1360	2604	Hbofmcij.exe	40
PID 2604 wrote to memory of 1360	2604	Hbofmcij.exe	40
PID 2604 wrote to memory of 1360	2604	Hbofmcij.exe	40
PID 2604 wrote to memory of 1360	2604	Hbofmcij.exe	40
PID 1360 wrote to memory of 1884	1360	Hmdkjmip.exe	41
PID 1360 wrote to memory of 1884	1360	Hmdkjmip.exe	41
PID 1360 wrote to memory of 1884	1360	Hmdkjmip.exe	41
PID 1360 wrote to memory of 1884	1360	Hmdkjmip.exe	41
PID 1884 wrote to memory of 1476	1884	Icncgf32.exe	42
PID 1884 wrote to memory of 1476	1884	Icncgf32.exe	42
PID 1884 wrote to memory of 1476	1884	Icncgf32.exe	42
PID 1884 wrote to memory of 1476	1884	Icncgf32.exe	42
PID 1476 wrote to memory of 1668	1476	Imggplgm.exe	43
PID 1476 wrote to memory of 1668	1476	Imggplgm.exe	43
PID 1476 wrote to memory of 1668	1476	Imggplgm.exe	43
PID 1476 wrote to memory of 1668	1476	Imggplgm.exe	43
PID 1668 wrote to memory of 2900	1668	Inhdgdmk.exe	44
PID 1668 wrote to memory of 2900	1668	Inhdgdmk.exe	44
PID 1668 wrote to memory of 2900	1668	Inhdgdmk.exe	44
PID 1668 wrote to memory of 2900	1668	Inhdgdmk.exe	44
PID 2900 wrote to memory of 2176	2900	Iebldo32.exe	45
PID 2900 wrote to memory of 2176	2900	Iebldo32.exe	45
PID 2900 wrote to memory of 2176	2900	Iebldo32.exe	45
PID 2900 wrote to memory of 2176	2900	Iebldo32.exe	45
PID 2176 wrote to memory of 2156	2176	Iogpag32.exe	46
PID 2176 wrote to memory of 2156	2176	Iogpag32.exe	46
PID 2176 wrote to memory of 2156	2176	Iogpag32.exe	46
PID 2176 wrote to memory of 2156	2176	Iogpag32.exe	46

C:\Users\Admin\AppData\Local\Temp\6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe
"C:\Users\Admin\AppData\Local\Temp\6c83f367a2a731a800605ba4bfd7c37e90e06927b624e15803dcaef7187a461aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\Hgnokgcc.exe
  C:\Windows\system32\Hgnokgcc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\Hnhgha32.exe
    C:\Windows\system32\Hnhgha32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Hqgddm32.exe
      C:\Windows\system32\Hqgddm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Hqiqjlga.exe
        
        C:\Windows\system32\Hqiqjlga.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\Hffibceh.exe
        
        C:\Windows\system32\Hffibceh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Hmpaom32.exe
        
        C:\Windows\system32\Hmpaom32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hfhfhbce.exe
        
        C:\Windows\system32\Hfhfhbce.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Hmbndmkb.exe
        
        C:\Windows\system32\Hmbndmkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Hmdkjmip.exe
        
        C:\Windows\system32\Hmdkjmip.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Iaimipjl.exe
        
        C:\Windows\system32\Iaimipjl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Jbclgf32.exe
        
        C:\Windows\system32\Jbclgf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Loaokjjg.exe
        
        C:\Windows\system32\Loaokjjg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ladebd32.exe
        
        C:\Windows\system32\Ladebd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 140
        56⤵
        Program crash
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
74KB

MD5
991174ad436d78a077d141f6a74cefdb

SHA1
554f380925c76d458229bf6cc887a2822ec78961

SHA256
5557fcff54f6b3019c31f5e749940faf3379af9db2499578a8a1a1310af43c48

SHA512
0d51516d48238cd574c11801ed5c946a8dae4ee532e2af52aa11c01007bbba9b207d5d3f78fe6d316b4c680ceeb0b0b47574a834744dd1ccb56dd99d11bd1d9f

Download Submit
C:\Windows\SysWOW64\Hqiqjlga.exe

Filesize
74KB

MD5
08e85dfce82e236819b543a22d16eea4

SHA1
a4c17d1e3bf5b47c01f6bd0f535726f24a4645a8

SHA256
bf14806fbdef5834523b9b6a45dda36339c05827d60eca5bd5def802325384d2

SHA512
f5ec06f5e1599c944542c726174384afde7fc355c38e3c17d02ff67bebec84ac9f907878026c54b31e2ed9e40cb18a7bf0fa197327aecbf7fec2142b1608358d

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
74KB

MD5
20ee81dd660f9e1b74c056f26afd3d39

SHA1
a5ed900f23591ecdf26dd6be833d90e1c799c768

SHA256
e2e6d11461d8d404f48a9f8c14b7a140a83fb26b685112b5d6dace5041167d60

SHA512
0f54551cf3dfc12f65d96752ddee9dec03cab08778e88fedba8e7280e7d582ce0222486adc95de33ef64f9be7448cf31f49b10236963bfa615d76db16494a07c

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
74KB

MD5
6d5521425761e9f1e906e1fc66e9d367

SHA1
1d25bb931652a1f87ea3757e587464a4a0d1f3dd

SHA256
f3b6a707fe4e29ce364731f15af396fb8a34b6f867462eccf4154f84fff9edbf

SHA512
1fe146e769f84319848ce63c03025935acdd32969de72922b062ba59215b6a995d7749784ce0d44eabb6d1d974800414488a6bfa6ec86cc02417cafbbdc0d27d

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
74KB

MD5
8d0193bbf25c188b25a82bb008fd6731

SHA1
8445e5a35ca98cd98d142293bc7e7a3c98ce6e56

SHA256
d2371a1ce5a502a4b6e7979a031131a67886ea01f01fae89cfa3c9c67e2a7ac9

SHA512
584dfdc255dc4cc2d07cdf96d7d1ebd3c6a38a3a0bc6af9500afd109939f2cc018ecc03172ac399162b1d99debf4a1a29e128ca1ad6ef1b62ec73ef1b98ce6f5

Download Submit
C:\Windows\SysWOW64\Iknafhjb.exe

Filesize
74KB

MD5
3ce84018c662c4bba2b29458335b7e06

SHA1
939d8a4fd14fe0dca496ec618f2652be53783c45

SHA256
f30b32286a34eb59ea71b149eaa41d3773f903a02568d48b0993158a52992f35

SHA512
697b04cce209aa4b2c19c60ef28ee3223ca29bafc8864babf5df893b7ba83c5d8ec7d72416e39566731bec4a8a4ae2c43c289728e5a3ead86e568fb908a0cb98

Download Submit
C:\Windows\SysWOW64\Inojhc32.exe

Filesize
74KB

MD5
70d38d0fcdfc3d91a9f404d10f3a728f

SHA1
07deb3363eb6971ba08bc773be51b3ff0173fc81

SHA256
09b41ad031068fcd57399a172d2b7f1ad20e06fb4b463b8e3a206f47fbfd703c

SHA512
6a22d556d00dfc431c92e51a58df431cd3719294e2f32af8675d2af63047d7fb640a33f491e7169df0b2739f8efb1608afdef063a6f76c7894e528b6938b5ee3

Download Submit
C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
74KB

MD5
120a0906cb899f75b34aa5b79f962228

SHA1
fd4111b24eecc39974696807853626ee0afe9ae5

SHA256
e1bc0d5d35c35fd275f0438d88949f7b7552120dbc29e16c129a49010ff21220

SHA512
f9dd19c022adc32f58928a18f08742c5880ccaa2d3e452f575081c810896bc1fe943ff435f31c40107df0041745831fe884c5bac75097451b6596fd12b61806a

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
74KB

MD5
be3546278e17b532e08a007a534f67e1

SHA1
b126a69385d529bba9f4e9a5bfcc83df28555a5e

SHA256
3d39f665a25dac2caa9dc39adb65169957dad2b74e7ef84589e49fce67225ce4

SHA512
d3957f3204236ac62dfa1459965128d23709b88040c7ba6587c2cc2c231e61835da33a705e005f86d2367068b444358a1f6d528e19d36109f62f9d11742a6c1c

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
74KB

MD5
4e8ec686c9430605c4580ba3b579c24a

SHA1
f344d4450a3d6bedca48fb96c9bf09e3bcc87ac0

SHA256
6fc4327974d3a517d1b654f4f54ef5b8bb398f173b2bd5168cf729f73f40051b

SHA512
64ea6adb49af603c05be21cc901a83e826bd7c52f0afefe977c1fc4e35beb06032f8a068c1d1f5aa329c34b760d99e06484035e6d617a5fe8e859798d36d0a6c

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
74KB

MD5
3cc4ead1f7b22af07d6a3f5bbcb30b6a

SHA1
7ff4b8b6bd676ffc9b560cd3992f2075beae7097

SHA256
5c58a724a8bdfdcf0b40f5ee9a8620df4cf3721de6349f1f68d174e528b74cbb

SHA512
95dedf65e8b45e46100027915b61a91d5f54504357591781aa0fb855458135efa7f2eaa8050a87ee58e017ee02a036aacf22babef2e4ba475b0ffccadd327033

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
74KB

MD5
bdd2a47a954c5233d763def12443f3b1

SHA1
268d2d60216464326621a5be59dffab695567325

SHA256
ad18747951c78b3ccfa098b574ba928e7065834e25ed6f02901d1a64c0063909

SHA512
004d890abe698c162c0ea221d44ca9fcc842e2f047ee409063d54703d13f69ebcf36f89446fda279eece35242814119c7ae0db49936534112e317c99a9317b1b

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
74KB

MD5
be940fd1a980a0a0a196e835defbae95

SHA1
d4eedddb999e3af14c688215670193d101a95c83

SHA256
af076152f1ae558b6326597950b278de01808329d8b66623c11ade67bd3500bc

SHA512
1e074fb34eff8d8bc87b73d5d0a5376035c6eb0264f93b463a0226b28b96626a7c85a31cff98a4ea838e4d968320e572eb871661f7d1f4f9b9ffbf520f946810

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
74KB

MD5
bb2e3948cb375fcbdb8c57a0641bcdb7

SHA1
f177c8132c437bc791f7584585f2919bbdc86b22

SHA256
6da4c82ebdcf77af5a1930a7ca7a06fc81187918415ca59f879eb5abec6fd442

SHA512
bcc1f3a3584d4e8527211cc00f13d6de4f618d4eef35fefa526574f826f24d60b73a19bf9d9b7b57c1675c8e264bf51685fca182810aaa89fbce557fc2c02c22

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
74KB

MD5
afadab6458197c77925b03db29345d00

SHA1
7b34dab60ea178e2c2248778fbed6687b09d674b

SHA256
d6064f746e6ff3dd1350b7ee5480d92e71165ce0f4e0eaf96d22451ddd2139b2

SHA512
b1611d76e82c0d29ed9a0ce7c26e8b882d2f3264362639e21f48281ef3399182487c8b92b5e71109005786b3e094b1ad7e0aa69b36e7baf53fa34e03f0d4366e

Download Submit
C:\Windows\SysWOW64\Jnagmc32.exe

Filesize
74KB

MD5
3b3019638b626ddef00fbc1003d66f18

SHA1
988b97e108d1f713dbe32151246b030ceb203141

SHA256
a5d8f8ea4d88e340bf5203d546761b38ebd24ef6be833e7cb8024765eb1f59e1

SHA512
c34653442a5eb4883f30cc92224adc4d4c544c70d62d5b54cb03dc79a709d43e5c328a52da6142810e1d7efab3086910db4ec3ddc4c2b5ae5ac1130525d9660c

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
74KB

MD5
da68016ee5cb67e082e5716c49ebfd40

SHA1
1061ab9de69dadbc179f71cedf5cf5551227235c

SHA256
e4a19d3c9242e6671cf79820ac912f34cd171850d7af0b0f48f1698db7252c4d

SHA512
fb38b3cf8a34d6333abee593aa8472fb306ac48c2928c46d8b11ed34f59149e382d9a28eac64567556c1310246dca85a65824b00927248dba506db933c67968a

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
74KB

MD5
ce1f1647f82d854d1c2d8fa2dd9758ea

SHA1
3fd10bb5532a433d72510b9e3b7d4daf2fccbf65

SHA256
9f7458e12835d4417d9ff3065b7c54cf9b23037d59ffd0fc2aaa6e6d087bf648

SHA512
66723f06204b9f0da2793e77aff10f5fe640bc904e9a453a421bec365c2115feffa4a685f8e851aa6709f67fb65ae3e25e07cae88a2623a94c40c057275d3f8b

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
74KB

MD5
30737afde66f6b69397bccf96cbe53c3

SHA1
9d8e4fd83f941751d626a1288747d51c42450612

SHA256
7e7d863019a4dcf09074e409de7fc06e6d238eae3277d47203311987cea9427f

SHA512
588f225407a39bd16892dfaeb33ed757b5d2cbfd950e2799e9567392fe86521f784f3b8f0b03076499825461c00716fcf3a557e6d477a33f591a2767f9627a96

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
74KB

MD5
8a5975367026d328aedcff43abd11e25

SHA1
6625c3e85ec056ef708a7d372f222cc956f55b2f

SHA256
35463c96be22496b1920eb82c597b8d2ac6be11dbfa491cd46f5b32d8c6a151e

SHA512
1f41f27ae8e8ad984d2c2689b255432a9b24c741cda737729a963423d7dd09a09e2a60e345b470863c3f42dff9ac96eeefaf94148be142b2dc5a7a7b5a22c573

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
74KB

MD5
ccd6062e63a04f632ddb6e6e44f2383e

SHA1
d3f18378b9fc00b6b3d8b334eaa32bfe8633f788

SHA256
2fa38b43d32e457333382c13da3ee0f6b1e0999b9fc34eae10114c94187000d9

SHA512
f82268b72acd5b77bdbafd6eec859420850664853fc39a3b3e201a991574429f3badb16a9b8282794befa0fad47d81a62b7cd3c89771b9dd37d0cb52adc0226e

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
74KB

MD5
63f745ee0b5a2f40a9448abca21551f2

SHA1
ad28c806512fa15ce31c64704d0adb7ba49a8ae6

SHA256
74157aba68cc16bbb96d71fc7e2d45a261edb498dc1fd81dab5c0c1559c785e9

SHA512
789c2d1f74998dea1cd59a2f8c8c110fe285c8e16ec25b42a0d11b7ea27273afab583b4fc97d7f8055c87659436280e18a2017a03f5ef0f8ad4eedf2335a4790

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
74KB

MD5
b82581a24e816bc53043468768ac5216

SHA1
8d8acdb4ef7d1f8bb7d351aa8c88f24b6b41f497

SHA256
61f922bab62e7ced269e2217e703d356c670da439f2e779aabdf0332a5757552

SHA512
650a4bcfb0773519b5c1c6274ded099a2b83357f16e58dcdbcafae9faf68b886cce7892653ce2eb9bf1b0a9496a4ec9f37c9c2e42e7558f5f376997b35a600d5

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
74KB

MD5
d9aae12ce3231772293c35259cc716af

SHA1
497f4e7f4dbbde4dc8e0dfe66d90c3e01bc1ca80

SHA256
ebb40ef15bf01b2bcb51857d9599d7e8b3fd940cc2d19a1cfa53397da6a0e60f

SHA512
4fe0276a75bbfae3873add2a7dea2ddc380bfe8503aef41d03aa028be94589bb24ca4616bab0fba8b003d3036a606b45e2883c7430a11a147fad1c0344295c8a

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
74KB

MD5
cfbf0d8dd7eb538f6077533934a17e4b

SHA1
c66416a6297cba355682893c1765a54662adadbb

SHA256
fc6b485a991567906906a16dacea17dcff8fd8171e59b443ff10569303c7aca0

SHA512
f16ce908179f3371112f66b7a4c130b0f7ec02360c3fe48d6f5b66e7c37e976fd72ed7bb66cc4d7d1348c00d5b644b78fe9ac3e515d041e517766a8bbfc83c24

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
74KB

MD5
491bccea443712a932fdeeb982cd9bdc

SHA1
63d70765398c4faf114e28188cb4208a87cf833a

SHA256
05bec635357d105c1790cc6ad223960264c065a86e41085332fcd8ba78abc486

SHA512
15787024a5916eddf3afc33c5cf245220cfe0a00c23ae883689d69ea9bf4dcd1163b3430b24e2369b433500211a85e358bf4b7166d4d9ddf17d6d2f238664db3

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
74KB

MD5
d0ac9e8fab392d911042d51c02bbfa2a

SHA1
8ae40a87ca58f3b055d1807d124da5acb448dccc

SHA256
a85dbe02eed51fa066958966b553028f89f593107258a8481d34ad55ae06f0b2

SHA512
97e350b927fe2475b62eb32b7b3df7164bf4e3df97d33cf449d7eec86ed0691d003cf74bebcb9cd87906f63301115f3e24d5aae9e7cdd886908bc1242078d527

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
74KB

MD5
ed5ae376833cf36f1c2c4dbd30c53bee

SHA1
a2c20740932dbf70ccba95df40e7b1cd573fff2f

SHA256
3122b94643331740e4afcc2903497ccde4800b6b3333ff4466a55761cd3c5e9a

SHA512
70c05bfc4a6663139ce819a58ac7b9fabf2c5bfc35d45d8399b12bfaa1aedf68f9ef5fd9785835e594b4d5d504f27bfd1054d9762befa2bac42fdf442fd0d409

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
74KB

MD5
db3d3a511ce3bd43197a24ddd6be909d

SHA1
e660565eaafc3a2c1bde8caf6defd4a8a820543e

SHA256
3ac3377957cf65db485e376915f6d3a199fc9e64efffadc75dca118170110ab2

SHA512
d92054954eec29429d27b63dd9ec8518b50d4e81df238f6cc4ccc425f3d8f3195dcbbea58ef946901529ed59d2c5498387e7c4df46c1601cd0c64632daa96830

Download Submit
C:\Windows\SysWOW64\Laahme32.exe

Filesize
74KB

MD5
d7cf2375d8a84cd7684dbf5670c66eef

SHA1
eed7332b5d6c9a9e536b1cfc596447aae3cdb4d6

SHA256
28a53dba54ebc5bc8545fdbd2898b093a9508c387d7352194ccb6872f1ea0314

SHA512
eb23609949ee6dbdbb9394caafe944648057715e85ac0652a8811ba82419ed682908b7fd5b19b1ac24878a7f693113176375408343bbb646073ff46b4a3c5a19

Download Submit
C:\Windows\SysWOW64\Ladebd32.exe

Filesize
74KB

MD5
71deedc51fd9e4675b65932a7c855ff3

SHA1
7309ed5204000560731210d1c4edcfe363cc6107

SHA256
9e8836fc2c1b6b3d9f8501f56463003efc4a976d98c379a93b0fd45ac0914ae7

SHA512
348cbc6b973fc9b215e831243682fd357c57a95d0d41a06817f93e8b8559a8ddc828269ab59072b857f271867396c11e6449727237f3fa7b2717b353272f5e76

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
74KB

MD5
2bf930555b7a5536506b26162269359e

SHA1
8ae63650ea1c4f1fd74bb88e3608839b71fa8fd7

SHA256
e40abc6a0f09315d56ccb8da0e52b602938d9aa2adcdb6a80268749f5a7b28f9

SHA512
ad3240827512bd1efbe8e1fa2733ae13159adc0f3aaf6ac4d2cb98e32c57ceaadb20948f7251e9f8bb29dd1e20ab10f5ef692597045fe37bb232148cc340411e

Download Submit
C:\Windows\SysWOW64\Lcepfhka.dll

Filesize
7KB

MD5
2f92c3ae5d92aedb5392a7220f648713

SHA1
86d6cb99b6641012cd9bbfadb0d3422c4eae1f94

SHA256
65ef03d625254eb9905aa6291fe4ac91ae95bcc73d8bc29f2da699ee444cbedd

SHA512
22a41642e5497907be0375ab701493fc32007f0cb007dfdd75651a6edc7c69fab70717f391780b1c2d1d27348deca56bc14590604fe10b08332b9016b8526df8

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
74KB

MD5
e32161e146b11429cd01ac8d4a0f1d29

SHA1
3be5fce8cf3f2d40017b81dcc882bc1d4cb4afe0

SHA256
55eac927cb272ddf8cb83c2513cc699a8accab9d7ba2e2adab1446da8d945244

SHA512
ffc2453e26b36377506a8b279f961697ec3672c8970c0b84fa755fcbae0fe3fcdc5e4280ae8a2299ede2a8538c711b58d8eef0d1cfcdb72d468366f14cd181e8

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
74KB

MD5
da4d50de8c700cd1c1b0a7d51b3e5152

SHA1
4ccb34c735d0fe7718fa4649e54bc18ab29fbb1c

SHA256
e7070269a30b296e9f987c8c49fc93bde590316cc2fb61facec9d0d4a6b16f19

SHA512
978b6d415b3f054568a032d71885ab745fed0c8d7360b044cfa610e0c19c6d7f31abc1dd3909cd424afef01fa56e0732e691ee1a1d342a422aae0fce1aca539f

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
74KB

MD5
4f1a578c0d6c863c0c3421d25b9f4a02

SHA1
e37ae70953043c6c4a0e885fc2d9307dfbf933eb

SHA256
d93e6462b1bb7e4de2540aec3fd1232be7bb51387dc311e8d13007be54aa053a

SHA512
8c86fbc3964098e44f7aa280d24322e80a8208a283e2e499fa127520dfe75e6ba5483dc5cd16582936bd578c97f6f17eef6c108f986ce04491ddf7d7c5647666

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
74KB

MD5
9dc764bd36ad7638b67c555ce2eb6285

SHA1
7d447920c0e7eb9135d3cbc8dbabd41c9d950a68

SHA256
9fd6f3a4c328b38036d330c8cb69c180ec4326346b42b404bd16fb88082a9fb5

SHA512
f9eaa7732bc597445fbe990b98283bd66e7a46123dde19aa268ce63d87114268ef010f6e2e848e74d3feb230a5eab1ec50741de8beca024f9bd1e17d212115a6

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
74KB

MD5
f943dd03c5e4599d66eb8b76073af74e

SHA1
086f27590ee1753c7a63b0ad644f6517c11a7404

SHA256
8535de42ac5b815549bfd220d5cd797147b1560c3540dbe4f7065a9822063b12

SHA512
113e79939ed28cf2dc35ae010409a8cf4b77519682f4bcda6bbe1a266b712250255e6d3dd2e85433cda1b59bf3bd80d2c29294e4f1a9d437a7528e81cda462d0

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
74KB

MD5
8cd9a3b1e1368043effc4a0fcabc8b11

SHA1
c2fe0cae2b86008f4da04f3ccc3c23a4ccc89cfb

SHA256
c808be8c4d181dc9b9b493abe409b08cd33f16ba1c61ffbffd2d05f09f8912a7

SHA512
d0a2fb7521722c21f7fde58dbf7300a78d59d6e2d3d76911f30de45c5c6a6129de2b339ee6a28c335a006f6b993d44e197f480a90dccf54eca6a80973a437d49

Download Submit
C:\Windows\SysWOW64\Loaokjjg.exe

Filesize
74KB

MD5
587eaca26b5568b210d7282507c5f917

SHA1
4dd7aa4312976e48af84bdcf1f108efa6372f91c

SHA256
adef0b7096f9ca6f32d8288b3b45e4ddd343dfedb75ae877b70b650adbaa5342

SHA512
7f0a96284f617ddef8ac5c99639c2def661860da185f5072dc08f5dba30aa0708a4084692ca8aea6a0fc3d2661b9296d621296b6f6bd094b912e1189f98955f9

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
74KB

MD5
cda3cb5910154c4dc11bfe0cab4ec8e3

SHA1
1ea7308083c185c9dceab6a1336f95c112db7fd0

SHA256
050926ff1e732f453e2d22cce656578cae6d5a3c519d8fbd757e8599d2d4f714

SHA512
d3cc89a774b7421a57bf510a5b5694f261b19fdc8172aade0733c2d21c56b3f10871ded05b33148c9bdc52643a006375b507d75ceb965dd4bf9f48e7dedf8f51

Download Submit
\Windows\SysWOW64\Hbofmcij.exe

Filesize
74KB

MD5
bb1a0f7a1e3482434f17f43fc78fd8cc

SHA1
e6c7863ec1281a265ade573b5591e04508e6a507

SHA256
f32a43564b748d7a9bbdf978071453ab149bfadc5a4f60bc5ede3675581baad4

SHA512
c3da376eee9ec6e2a274ca4d0902d058707263b098dbb635fff3f2b4966aa9c79edfb837aa89add224c99ed990c943ac5168b1a2119627a640fcc95432606f1c

Download Submit
\Windows\SysWOW64\Hffibceh.exe

Filesize
74KB

MD5
fadfc10d4b8be8afc2fa6c995041f20f

SHA1
8b213e3224de727d9d2ef98976aeb134b61fba60

SHA256
59d671091a0b24cbf3a7063aa357745ca30f945e8e53d1000b457e6dfe8d0adb

SHA512
5fd7662dcf6263fd60a298c0dd073af1cd188066aab4c450e95d2165a56bcb0344ae56af17f5a415f3546a3c19998ce583d780f69e53e600b94c92f61855d2ab

Download Submit
\Windows\SysWOW64\Hfhfhbce.exe

Filesize
74KB

MD5
02be30be5d7fe767f52ae47a14fdc153

SHA1
59050e6268003dadc4b1e103e586ff6ad6b0542f

SHA256
3efcaa85c0a1c904f26447a02f53052a5956a337502392239b24c1e082cc3211

SHA512
6f2130efe2c7643f714d7c78960011c1c63b8d6bd54180d36d9b8c832080761231e2d1e329a29e6bd1e4754ea155a53c9a4a6ced37e3cde90bc96387b0fdd063

Download Submit
\Windows\SysWOW64\Hgnokgcc.exe

Filesize
74KB

MD5
be4dda474ba9bde656cb13cab8f8dcf6

SHA1
1904971ec89f23494c8bd6c698f7d67345ca768f

SHA256
29b1dc5787b7412aa19c36cd2b73bfecdea1fd8b33d59c70e928ec3864f346da

SHA512
3c42df2a0c5c2429887bd6e2dec92687d8e30cbeed900c834df840d40bc298dd077be1157953d71977dc689885531e01096234138706a0f8c47b9047de67b6a0

Download Submit
\Windows\SysWOW64\Hmbndmkb.exe

Filesize
74KB

MD5
947c95db84d7731b792d911f52216c32

SHA1
ea651df3c115198d3af3c6623df503cf1292b63c

SHA256
d5ae7162fcef323c691e0bb325a69a4b27eb7e1974234db1251c3cf47d79f5ff

SHA512
2be339771631dd34017b80004da814d4950ddd186fcdee6bff50268d8c564785ab34a5c54d8a1296a98004be073d13980341636be21f6460ad6f9c83b159f642

Download Submit
\Windows\SysWOW64\Hmdkjmip.exe

Filesize
74KB

MD5
7aa893433c5262c7067a647f8b4f3f6c

SHA1
d066da1c64076f326ec39c244788fb1de49f45a4

SHA256
b08ef36b9e531052b201474cdfa91d692d6dcc1ab35984a88a2fc2597d1075b0

SHA512
f8e30c32bfab98f41c083467af14f3298fccfd19e8cc65945e3d8685e303d3db93168262a7eae52ce2b0a1f920e974e3c72e4cffb405e739641e9c952fe6cb54

Download Submit
\Windows\SysWOW64\Hmpaom32.exe

Filesize
74KB

MD5
a7e55222991d191a58bc408a3f33b0a9

SHA1
6990a9523403f53ba1632c99c470cb6456d0da35

SHA256
b8c4a0500704b2d9192e7991dc3ab2196df3532062056f72b8b1e7ab76f91b5b

SHA512
32e59b1d4ab4188997dd26b9a6959f1d6c56123f3f22324c518b2f376b5d8dcf1c6c8b2ad1bd3c1d5e2d3ca66a637c506f946dd910204c35b30ac400bb0af800

Download Submit
\Windows\SysWOW64\Hqgddm32.exe

Filesize
74KB

MD5
c9f9a4cb724af7abda2eb8af501eb4de

SHA1
80a8061804808e497565dd9851cf7606e86f752f

SHA256
0c9582c9d79691240912fedc198a7a49284c39390718f2366bf6617f81c309a6

SHA512
770cc049261cc8b9e5bbe874029fa8d74409ef86702d84ffd5ccc8bff9be1d878c99a2e1e7ceb254d28d7c7f24c69e8a3ef06c2b4e682bccadf156def3f18f2b

Download Submit
\Windows\SysWOW64\Iaimipjl.exe

Filesize
74KB

MD5
b4b48f637a71e13730a53e45f84f08cd

SHA1
98cda59fd0e77e79bf4b76a0db6bd5d16075d94a

SHA256
5284a5bdd64796569f5446e57cba42ca897bf2803c499ee8f1878d921e53cd2c

SHA512
405e41f616ac66cef10dc7af68842307eb242fd94f5da7adef0b2acfc510a0329e5b4fe8840fbaeb0900d52067992a746f866784cc9715bd715a12e757fe436d

Download Submit
\Windows\SysWOW64\Icncgf32.exe

Filesize
74KB

MD5
4606c719f0bc6547008387251bdd0b2d

SHA1
9189090b55b5a427d22816927c99aa9a261351af

SHA256
832d2c9c2a0697ca46beefd115e45e449820370e6b63a2fbeac4820ba3bc49fb

SHA512
46add7a7c0b6b6b6a537fe0a5a3e6d1314bec47127b97d7b0a1a29ef079034ecb026ea982ffb659b985a7b5579dfcd26a12c13222d8e72862422d2e816b1eafa

Download Submit
\Windows\SysWOW64\Iebldo32.exe

Filesize
74KB

MD5
42a7286632abbf8b28191170eec5a94b

SHA1
2c570d08b5c5ccb9d266d63e95dca54c6b5e077b

SHA256
f919897440e33c436088212c4d04a36d95afe8ca0230c3bc432c9448179e9f59

SHA512
99e64a7630891799f052f7fdf91b7549a8ec552d2a0313ee8a08af8d030152899bf793c52855b0e04b10e067eda50b2fa489787e5384c0490d8f5e8366c0e81a

Download Submit
\Windows\SysWOW64\Imggplgm.exe

Filesize
74KB

MD5
f5c5844e20cfebe862774bbb095024b5

SHA1
21303b7712d371db3a3ae56b885b26cab1699811

SHA256
d7d53d1cfbdc14f71f4616e00ac8f8c74c8a4883276696029933b99f3aeac294

SHA512
946f74aa9db9a93c8ab476e399d85b5e9a1623f3e943889f408dc351723b49b2bcd10270a0065c885c72ba4acdefe510f8227fd3678abeb47e1e9601b5708bbc

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
74KB

MD5
416ca9e39238d219b3f1a1d615ce5ddf

SHA1
bfdfd476921f93cbcfa895048f96184f5f2133aa

SHA256
57fd5ece7bee4ec46402c0a9ecd0ed7436b56b974a56870d58d1826d886da900

SHA512
6588ddbfa2241300e1922b3ab05ae8acb1ec1db96723dd2eb4386cb26566081354dcc6a9ba8f5e452b3e952f8aefd8068dc8b0edf84e151908e6582754d9888e

Download Submit
\Windows\SysWOW64\Iogpag32.exe

Filesize
74KB

MD5
72af296b361e8f9cb085d268b78d96b7

SHA1
312764cf438d2f843e7caf51fbb6c6955bc96967

SHA256
5816b017d497edc8ea28620bd2e2564a6d01d0f2f7409ec27faba05758053e54

SHA512
b0e0ebcef44644932a858b7fb51fa806909cfc5919f399c4e380c331338bd4d08db3973d01d17e5a8619ebb772fa14155833c058f791d76f269918e5a215611a

Download Submit
memory/380-390-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/380-381-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/448-423-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/448-414-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/580-447-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/580-441-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/956-494-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/956-499-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/956-501-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1184-412-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1184-403-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-237-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1360-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1360-139-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/1360-456-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1412-21-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/1412-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-166-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1476-486-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1632-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1632-250-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1668-500-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1684-313-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1684-314-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1684-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1744-435-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1744-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-468-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-479-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1864-511-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1884-478-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/1884-469-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1884-153-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/1896-222-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-271-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2064-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2092-480-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2156-218-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2156-211-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-457-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2160-445-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2176-209-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2192-324-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2192-315-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2192-325-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2224-463-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-467-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/2232-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2232-281-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2232-276-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2288-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2288-257-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2312-292-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2312-291-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2312-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-401-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2440-392-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2460-402-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2460-73-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2480-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2480-302-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2480-303-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2500-357-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2500-359-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2500-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2500-17-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2600-93-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2600-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-337-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-347-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2656-346-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2660-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-86-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2728-360-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-336-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2776-335-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2824-358-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2824-348-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2892-33-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2892-369-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-507-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-192-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2924-391-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2924-60-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/2924-52-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3016-114-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/3016-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3016-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3048-379-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/3048-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads