berbew | caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614c

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
Size

479KB
MD5

e16fc45bdedd9ee96e2093b3a9afe700
SHA1

c4cf6f47b10619cee3ed46b7ee0a1d6b2df910b2
SHA256

caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614c
SHA512

42748975b060764833debd1210cba780722ac4d115c5073c3230a2068e1020da5e077bbe96af64b3d37871ead3a51f238c425439a54bfd9adbc9862c88104f76
SSDEEP

6144:Yoa9Fd+sycRJ6EQnT2leTLgNPx33fpu2leTLgm:JuRJ6EQ6Q2drQB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhkin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghgfekpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmdin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebqngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijbco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghibjjnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcjmmdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcepqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefqdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpidki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjmmdbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhfhbce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgciff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnhpglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eafkhn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefqdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghgfekpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadcipbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcepqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadcipbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncnmane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebqngb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnhpglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghibjjnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnfkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgciff32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
2912	Epnhpglg.exe
2684	Ejcmmp32.exe
2800	Ebqngb32.exe
2816	Eafkhn32.exe
2676	Fefqdl32.exe
1028	Fmaeho32.exe
904	Fijbco32.exe
1728	Gmhkin32.exe
2260	Gpidki32.exe
948	Giaidnkf.exe
380	Gcjmmdbf.exe
1288	Ghgfekpn.exe
2960	Gncnmane.exe
2248	Ghibjjnk.exe
2300	Gnfkba32.exe
2436	Hgnokgcc.exe
1740	Hadcipbi.exe
1524	Hcepqh32.exe
1960	Hmmdin32.exe
2100	Hgciff32.exe
1544	Hqkmplen.exe
2920	Hfhfhbce.exe
908	Hoqjqhjf.exe
2288	Hjfnnajl.exe
2704	Icncgf32.exe
2776	Imggplgm.exe
2812	Ibcphc32.exe
2668	Iogpag32.exe
2556	Iipejmko.exe
668	Ibhicbao.exe
3008	Ijcngenj.exe
2192	Iclbpj32.exe
1796	Japciodd.exe
1940	Jikhnaao.exe
1504	Jjjdhc32.exe
572	Jcciqi32.exe
2964	Jipaip32.exe
2528	Jbhebfck.exe
748	Jplfkjbd.exe
2136	Kidjdpie.exe
1788	Kapohbfp.exe
2368	Khjgel32.exe
1820	Kocpbfei.exe
2756	Kdphjm32.exe
2948	Koflgf32.exe
436	Kpgionie.exe
1624	Kmkihbho.exe
1988	Kdeaelok.exe
1368	Lmmfnb32.exe
1144	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
2912	Epnhpglg.exe
2912	Epnhpglg.exe
2684	Ejcmmp32.exe
2684	Ejcmmp32.exe
2800	Ebqngb32.exe
2800	Ebqngb32.exe
2816	Eafkhn32.exe
2816	Eafkhn32.exe
2676	Fefqdl32.exe
2676	Fefqdl32.exe
1028	Fmaeho32.exe
1028	Fmaeho32.exe
904	Fijbco32.exe
904	Fijbco32.exe
1728	Gmhkin32.exe
1728	Gmhkin32.exe
2260	Gpidki32.exe
2260	Gpidki32.exe
948	Giaidnkf.exe
948	Giaidnkf.exe
380	Gcjmmdbf.exe
380	Gcjmmdbf.exe
1288	Ghgfekpn.exe
1288	Ghgfekpn.exe
2960	Gncnmane.exe
2960	Gncnmane.exe
2248	Ghibjjnk.exe
2248	Ghibjjnk.exe
2300	Gnfkba32.exe
2300	Gnfkba32.exe
2436	Hgnokgcc.exe
2436	Hgnokgcc.exe
1740	Hadcipbi.exe
1740	Hadcipbi.exe
1524	Hcepqh32.exe
1524	Hcepqh32.exe
1960	Hmmdin32.exe
1960	Hmmdin32.exe
2100	Hgciff32.exe
2100	Hgciff32.exe
1544	Hqkmplen.exe
1544	Hqkmplen.exe
2920	Hfhfhbce.exe
2920	Hfhfhbce.exe
908	Hoqjqhjf.exe
908	Hoqjqhjf.exe
2288	Hjfnnajl.exe
2288	Hjfnnajl.exe
2704	Icncgf32.exe
2704	Icncgf32.exe
2776	Imggplgm.exe
2776	Imggplgm.exe
2812	Ibcphc32.exe
2812	Ibcphc32.exe
2668	Iogpag32.exe
2668	Iogpag32.exe
2556	Iipejmko.exe
2556	Iipejmko.exe
668	Ibhicbao.exe
668	Ibhicbao.exe
3008	Ijcngenj.exe
3008	Ijcngenj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gnfkba32.exe	Ghibjjnk.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Ghgfekpn.exe	Gcjmmdbf.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Fijbco32.exe	Fmaeho32.exe
File opened for modification	C:\Windows\SysWOW64\Ghibjjnk.exe	Gncnmane.exe
File created	C:\Windows\SysWOW64\Fefqdl32.exe	Eafkhn32.exe
File created	C:\Windows\SysWOW64\Fijbco32.exe	Fmaeho32.exe
File opened for modification	C:\Windows\SysWOW64\Hadcipbi.exe	Hgnokgcc.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Ibhicbao.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Cocajj32.dll	Ebqngb32.exe
File created	C:\Windows\SysWOW64\Pjddaagq.dll	Gpidki32.exe
File created	C:\Windows\SysWOW64\Hfhfhbce.exe	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Aibijk32.dll	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Pgejcl32.dll	Hcepqh32.exe
File opened for modification	C:\Windows\SysWOW64\Hgnokgcc.exe	Gnfkba32.exe
File created	C:\Windows\SysWOW64\Hmmdin32.exe	Hcepqh32.exe
File opened for modification	C:\Windows\SysWOW64\Hfhfhbce.exe	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Icncgf32.exe	Hjfnnajl.exe
File opened for modification	C:\Windows\SysWOW64\Iogpag32.exe	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Hpdjnn32.dll	Iclbpj32.exe
File opened for modification	C:\Windows\SysWOW64\Gncnmane.exe	Ghgfekpn.exe
File created	C:\Windows\SysWOW64\Hgnokgcc.exe	Gnfkba32.exe
File created	C:\Windows\SysWOW64\Hadcipbi.exe	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Imggplgm.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Miqnbfnp.dll	Imggplgm.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Ibcphc32.exe
File opened for modification	C:\Windows\SysWOW64\Japciodd.exe	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Ebqngb32.exe	Ejcmmp32.exe
File created	C:\Windows\SysWOW64\Hellqgnm.dll	Ghgfekpn.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kmkoadgf.dll	Icncgf32.exe
File opened for modification	C:\Windows\SysWOW64\Eafkhn32.exe	Ebqngb32.exe
File created	C:\Windows\SysWOW64\Pkbnjifp.dll	Ghibjjnk.exe
File created	C:\Windows\SysWOW64\Jfmgba32.dll	Hgciff32.exe
File opened for modification	C:\Windows\SysWOW64\Hoqjqhjf.exe	Hfhfhbce.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Ghgfekpn.exe	Gcjmmdbf.exe
File opened for modification	C:\Windows\SysWOW64\Hmmdin32.exe	Hcepqh32.exe
File opened for modification	C:\Windows\SysWOW64\Icncgf32.exe	Hjfnnajl.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Japciodd.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Epnhpglg.exe	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
File created	C:\Windows\SysWOW64\Hcjdjiqp.dll	Eafkhn32.exe
File created	C:\Windows\SysWOW64\Iclbpj32.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Bieepc32.dll	Epnhpglg.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Iogpag32.exe
File created	C:\Windows\SysWOW64\Hgeefjhh.dll	Hadcipbi.exe
File created	C:\Windows\SysWOW64\Hgciff32.exe	Hmmdin32.exe
File opened for modification	C:\Windows\SysWOW64\Hgciff32.exe	Hmmdin32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Eafkhn32.exe	Ebqngb32.exe

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnhpglg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmhkin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjmmdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghibjjnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcepqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebqngb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhfhbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpidki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmaeho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadcipbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgciff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoqjqhjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefqdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghgfekpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giaidnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcmmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gncnmane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnlnhm32.dll"	Gcjmmdbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gncnmane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aibijk32.dll"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgejcl32.dll"	Hcepqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll"	Ebqngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffadkgnl.dll"	Gmhkin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikedjg32.dll"	Fmaeho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnfkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebqngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghgfekpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcjmmdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghibjjnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpidki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhkin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejnl32.dll"	Fijbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giaidnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkoadgf.dll"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijdkh32.dll"	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epnhpglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgoqijf.dll"	Giaidnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll"	Ghgfekpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadcipbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghgfekpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggegqe32.dll"	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll"	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebqngb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jcciqi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2912	2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe	30
PID 2340 wrote to memory of 2912	2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe	30
PID 2340 wrote to memory of 2912	2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe	30
PID 2340 wrote to memory of 2912	2340	caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe	30
PID 2912 wrote to memory of 2684	2912	Epnhpglg.exe	31
PID 2912 wrote to memory of 2684	2912	Epnhpglg.exe	31
PID 2912 wrote to memory of 2684	2912	Epnhpglg.exe	31
PID 2912 wrote to memory of 2684	2912	Epnhpglg.exe	31
PID 2684 wrote to memory of 2800	2684	Ejcmmp32.exe	32
PID 2684 wrote to memory of 2800	2684	Ejcmmp32.exe	32
PID 2684 wrote to memory of 2800	2684	Ejcmmp32.exe	32
PID 2684 wrote to memory of 2800	2684	Ejcmmp32.exe	32
PID 2800 wrote to memory of 2816	2800	Ebqngb32.exe	33
PID 2800 wrote to memory of 2816	2800	Ebqngb32.exe	33
PID 2800 wrote to memory of 2816	2800	Ebqngb32.exe	33
PID 2800 wrote to memory of 2816	2800	Ebqngb32.exe	33
PID 2816 wrote to memory of 2676	2816	Eafkhn32.exe	34
PID 2816 wrote to memory of 2676	2816	Eafkhn32.exe	34
PID 2816 wrote to memory of 2676	2816	Eafkhn32.exe	34
PID 2816 wrote to memory of 2676	2816	Eafkhn32.exe	34
PID 2676 wrote to memory of 1028	2676	Fefqdl32.exe	35
PID 2676 wrote to memory of 1028	2676	Fefqdl32.exe	35
PID 2676 wrote to memory of 1028	2676	Fefqdl32.exe	35
PID 2676 wrote to memory of 1028	2676	Fefqdl32.exe	35
PID 1028 wrote to memory of 904	1028	Fmaeho32.exe	36
PID 1028 wrote to memory of 904	1028	Fmaeho32.exe	36
PID 1028 wrote to memory of 904	1028	Fmaeho32.exe	36
PID 1028 wrote to memory of 904	1028	Fmaeho32.exe	36
PID 904 wrote to memory of 1728	904	Fijbco32.exe	37
PID 904 wrote to memory of 1728	904	Fijbco32.exe	37
PID 904 wrote to memory of 1728	904	Fijbco32.exe	37
PID 904 wrote to memory of 1728	904	Fijbco32.exe	37
PID 1728 wrote to memory of 2260	1728	Gmhkin32.exe	38
PID 1728 wrote to memory of 2260	1728	Gmhkin32.exe	38
PID 1728 wrote to memory of 2260	1728	Gmhkin32.exe	38
PID 1728 wrote to memory of 2260	1728	Gmhkin32.exe	38
PID 2260 wrote to memory of 948	2260	Gpidki32.exe	39
PID 2260 wrote to memory of 948	2260	Gpidki32.exe	39
PID 2260 wrote to memory of 948	2260	Gpidki32.exe	39
PID 2260 wrote to memory of 948	2260	Gpidki32.exe	39
PID 948 wrote to memory of 380	948	Giaidnkf.exe	40
PID 948 wrote to memory of 380	948	Giaidnkf.exe	40
PID 948 wrote to memory of 380	948	Giaidnkf.exe	40
PID 948 wrote to memory of 380	948	Giaidnkf.exe	40
PID 380 wrote to memory of 1288	380	Gcjmmdbf.exe	41
PID 380 wrote to memory of 1288	380	Gcjmmdbf.exe	41
PID 380 wrote to memory of 1288	380	Gcjmmdbf.exe	41
PID 380 wrote to memory of 1288	380	Gcjmmdbf.exe	41
PID 1288 wrote to memory of 2960	1288	Ghgfekpn.exe	42
PID 1288 wrote to memory of 2960	1288	Ghgfekpn.exe	42
PID 1288 wrote to memory of 2960	1288	Ghgfekpn.exe	42
PID 1288 wrote to memory of 2960	1288	Ghgfekpn.exe	42
PID 2960 wrote to memory of 2248	2960	Gncnmane.exe	43
PID 2960 wrote to memory of 2248	2960	Gncnmane.exe	43
PID 2960 wrote to memory of 2248	2960	Gncnmane.exe	43
PID 2960 wrote to memory of 2248	2960	Gncnmane.exe	43
PID 2248 wrote to memory of 2300	2248	Ghibjjnk.exe	44
PID 2248 wrote to memory of 2300	2248	Ghibjjnk.exe	44
PID 2248 wrote to memory of 2300	2248	Ghibjjnk.exe	44
PID 2248 wrote to memory of 2300	2248	Ghibjjnk.exe	44
PID 2300 wrote to memory of 2436	2300	Gnfkba32.exe	45
PID 2300 wrote to memory of 2436	2300	Gnfkba32.exe	45
PID 2300 wrote to memory of 2436	2300	Gnfkba32.exe	45
PID 2300 wrote to memory of 2436	2300	Gnfkba32.exe	45

C:\Users\Admin\AppData\Local\Temp\caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe
"C:\Users\Admin\AppData\Local\Temp\caf1eb95b55b8303ec3c77886f5ee6fe3f452066ff61dc0eb5f8e3032004614cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\Epnhpglg.exe
  C:\Windows\system32\Epnhpglg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\Ejcmmp32.exe
    C:\Windows\system32\Ejcmmp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Ebqngb32.exe
      C:\Windows\system32\Ebqngb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Eafkhn32.exe
        
        C:\Windows\system32\Eafkhn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\Fefqdl32.exe
        
        C:\Windows\system32\Fefqdl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Fmaeho32.exe
        
        C:\Windows\system32\Fmaeho32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Fijbco32.exe
        
        C:\Windows\system32\Fijbco32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Gmhkin32.exe
        
        C:\Windows\system32\Gmhkin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Gpidki32.exe
        
        C:\Windows\system32\Gpidki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Giaidnkf.exe
        
        C:\Windows\system32\Giaidnkf.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Gcjmmdbf.exe
        
        C:\Windows\system32\Gcjmmdbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ghgfekpn.exe
        
        C:\Windows\system32\Ghgfekpn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Gncnmane.exe
        
        C:\Windows\system32\Gncnmane.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ghibjjnk.exe
        
        C:\Windows\system32\Ghibjjnk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Gnfkba32.exe
        
        C:\Windows\system32\Gnfkba32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Hgnokgcc.exe
        
        C:\Windows\system32\Hgnokgcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Hadcipbi.exe
        
        C:\Windows\system32\Hadcipbi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Hcepqh32.exe
        
        C:\Windows\system32\Hcepqh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hmmdin32.exe
        
        C:\Windows\system32\Hmmdin32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Hgciff32.exe
        
        C:\Windows\system32\Hgciff32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Hqkmplen.exe
        
        C:\Windows\system32\Hqkmplen.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Hfhfhbce.exe
        
        C:\Windows\system32\Hfhfhbce.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Hoqjqhjf.exe
        
        C:\Windows\system32\Hoqjqhjf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eafkhn32.exe

Filesize
479KB

MD5
dbcdfb13f09cb533450e30f90e06faeb

SHA1
019f387f01dec624125aa87088007522139d5ed3

SHA256
0cb6fa3c9edb96dc4f00872e5dd8db81cb63df6aab0d9514e23476ed0fc81fea

SHA512
b1abcc2e40bf09edf71a7618370932e238e6d757382f9b8996a7204b332a8aa1b6f7ebb392704f1aa636b90be257dd898156c221891686986ca4c7aa6e6c36e6

Download Submit
C:\Windows\SysWOW64\Gcjmmdbf.exe

Filesize
479KB

MD5
16c2bd3eddd0f1841c52abbb09d1b335

SHA1
eb4493af669017d569e2e47cb1f618620e1b47ef

SHA256
465c17fd04ca4f1d61ca9f11bd852d9092361ca7d8920950470340fdc54ed359

SHA512
d21ab11bcc24abb06ff62760d910b9ac2f1b51ade402e7dd7a57ed2e19843ed71cd557e81188defe9118c4c96f123c5672a26fa49d9bdfac859ff98be5060e59

Download Submit
C:\Windows\SysWOW64\Ghgfekpn.exe

Filesize
479KB

MD5
077dbb4cb36c0a508f22600532fa2e6e

SHA1
79aa626be50aa94a0093598aaee571e08d6f2178

SHA256
87694f40931cf35fca1a4eb50758499a1d906727755d75afdabe1363850fbc46

SHA512
302b5e860db5fbd3f1ce741c628c94e867e14a72889d2115257200a10e6d75d318f859e01b7ffc5ec2a355847d047918cf1e3056b70515982513749fdafb32eb

Download Submit
C:\Windows\SysWOW64\Ghibjjnk.exe

Filesize
479KB

MD5
c38f17ac81352e45fb3c6fd225a787f6

SHA1
eb69a21ba350807e6f584a923cc87c1d4edf59d3

SHA256
6932a4c1db2e12bf3422d9a74dadf1b718c5f5d6914b1aa4584115068b730340

SHA512
e64cc174472d1c3a829c987b76f8153b768462c5b1610f27b3dc9259925abb48b917c94b758fac335bc481d824af11c891449bc9e65599049d0eb087f60ac6f2

Download Submit
C:\Windows\SysWOW64\Giaidnkf.exe

Filesize
479KB

MD5
bffb1065e5324201699749fe35cff0e4

SHA1
d1805a3939d36bf70f2867e30ff59d56467f88af

SHA256
2ece5531eee0e4e58b9fea43f8548beaa3d3aa210c0aa1e2405db08754660db9

SHA512
30e5e2d9ffef28ca7cd7ad8200762998359d7fe64bbc561cf3f607cc915c894397d94e30bdd3d0e25bf85ee10ea8e27b6f0b3750d9c0b60e2e3d763c064833a9

Download Submit
C:\Windows\SysWOW64\Gncnmane.exe

Filesize
479KB

MD5
b5de7712f2735e8e0639b7f228aaed4d

SHA1
fe3a23b49f75ed8dc089c9a3952bea115c0e7855

SHA256
bdf59327f43de500204d7ec7bc1b696e7a28f79359fc3fbbc8d0363a4674a621

SHA512
0d6c37099542cb56239c115f2502ce6a602ffaad27df5977778e253b6c3405b3db883c70b0d62bc2c798437ecc476884c760b82f4c7d405d939996b64dd40d8e

Download Submit
C:\Windows\SysWOW64\Gnfkba32.exe

Filesize
479KB

MD5
cf9429e973af82d3fd2b1f4988b6ce9e

SHA1
ae9d3636358f466c75c088108c898ee3eeca9564

SHA256
8c04005afc0a9e416ba7da219be88eafb7268e94cb69939d4b430a9aa7ddb47a

SHA512
4f076ac13c786d2399f91e8eaa6bf9d87241cf286fe06ce64c0c6f7d36f56eb0b98e8b72968bff5b3f8178ab8bd85d1df8569fdd155170927c7f8d287aed988d

Download Submit
C:\Windows\SysWOW64\Hadcipbi.exe

Filesize
479KB

MD5
3dc6d9556f7f532ce6cdc31ecf93956a

SHA1
2fabc8bb44209ab3383f6157a5fcc45ab50cb6b1

SHA256
09dd5be7efb2e01da6e214bb8f149a7d1cec7e973d7b2b236d2a96c613d0b557

SHA512
d5c85871111cfbabb7056448b854201598232384b11935aeeb5ddb74289a0f4ee4cae9dfbb1dc1c69b7fd2cae0312847e287a2810df2d8cb0aa3aeea68b7bd43

Download Submit
C:\Windows\SysWOW64\Hcepqh32.exe

Filesize
479KB

MD5
09ab96d454539ee028ca70b87ea1cde4

SHA1
015256484492febe2c2ab715f7e42aa2f8aec2fa

SHA256
18d31d48c8c9b65f241225b43a71bdfae0296d5f1f1c3725952cb540d5fe6a44

SHA512
bb921871dd47aa3071487e6631ef69a2a9e90cfe4bca7b16e2c3d797a45b785d2af657453bb5de461aba17b7e32f3859e147668abecfdfc60844a6f6daef86f8

Download Submit
C:\Windows\SysWOW64\Hfhfhbce.exe

Filesize
479KB

MD5
4797670dfa83f5e294a8867e0287dcfc

SHA1
b40bdb1860c278f21a38526b46f4d13762474bc1

SHA256
bee90ea4ea1272e866ee66ce92bcde8af366ded50a7e01de6c36fe5ee050a7b0

SHA512
12bf15054e389a06de8bf7b65ec4a54f09d9369cefd16b4218af6c4fd04f51cd2dfe192ba755345e3722ffe980cea0a32f17072540acd23363360bb426e5b7ca

Download Submit
C:\Windows\SysWOW64\Hgciff32.exe

Filesize
479KB

MD5
5f227f015e428632bb95e2ee7f1cb3f6

SHA1
df019ec44941ed56c4856691b5cac0d26bb6f5f6

SHA256
f2df70d3dd9cd4252f20580f41afc5cb5a29a523593e900744ddd89ba61c9644

SHA512
b3f2b6fd9bcdf39829b733e829d32be48b233c9f201fa32df48c83899497f1a2d9c9da4d3f2c6fe4affe65cbb1f8e2a87a9476235c39a347d3a2f081d28cb188

Download Submit
C:\Windows\SysWOW64\Hgnokgcc.exe

Filesize
479KB

MD5
8a4fe61cbb1fd0ffc35b7ac4f6f07b0b

SHA1
7e6835b526872b40a13dbb8cff82d1c38d4e176b

SHA256
6d0882ae8d7529a9d752046dc8b67fe1a98dab84ad6bad008fed70e810344f78

SHA512
663ab3ea81d4f826cd6a02cd16b7e92297ee059e748a904c824dd5c66603b3f76a71f6b90dadba1f6aaa48f4ca0bb88bdd730a4eb3028b71ef01863ffc1c53a4

Download Submit
C:\Windows\SysWOW64\Hjfnnajl.exe

Filesize
479KB

MD5
702d23a7e2d2d2b970ae4817428f0dcb

SHA1
88520e49c3957bf516b9208a72a43059a837faae

SHA256
b0aecb3976dea4c45730812c43ab291e67b6692a3691c85ea9deef675465f23a

SHA512
28a75603587875285cdbfebf1599381467c661f82e4fea94604d394a486df5b9267dfd84e486a0b32ab014cae9bbd73bcadb6b3648231f35c15ee837f8f3a49e

Download Submit
C:\Windows\SysWOW64\Hmmdin32.exe

Filesize
479KB

MD5
97cc09fb920f89a28976bc0a0a3b92d2

SHA1
ac522fe9269714c4d082e31da69209120fc0c5f9

SHA256
67b25b5c748e953db88e845740a1a516aa1675a59e04fb4f6ddbafaf995e230b

SHA512
e7d7d17b15eafdf26611af520365bd9b0e12197b1a99709529317028505bf14a9de2d5c7daf358137e49b469f99044b12eed20d9a03f6f8cb5c02da46eba2c41

Download Submit
C:\Windows\SysWOW64\Hoqjqhjf.exe

Filesize
479KB

MD5
4b10c93f64c4e0ac26274f7d547d768a

SHA1
e8ea7f3178222c721ea62f3cf4d996fc2e9b7cb6

SHA256
3779934ed6eaa1a1b4be2d99a7c6ad2842fa7b5aee28e0c2eb0885e55d377129

SHA512
a39477090ec7c92d54b4553c105a7d16adc40a7947d3792c15cbf8abd590e9873d1c894fc1510aaea17e4c4ec7e59193634b3bd6e2868ac28ee8ad5490adb0fb

Download Submit
C:\Windows\SysWOW64\Hqkmplen.exe

Filesize
479KB

MD5
619afde33dab1a0d21334ca13eddc718

SHA1
ef4454b8c4cc746ecdc10d8e9989d1bccf441d1e

SHA256
34d1900e636d039ab2e096a838c3f6fc1b1225f14c2adb1880e391b33bb77ed3

SHA512
fb77cc5d913ace2baa1c006b5e9e8ff052974ba6ed9f5f4207ed1de0481df8e9c2268fc512a36f160ee771f948f077701e9c24ffc94c3a80a0f5531fe8cc4abd

Download Submit
C:\Windows\SysWOW64\Ibcphc32.exe

Filesize
479KB

MD5
7d31677b038f9acb1d6b6d710056c9f2

SHA1
f56ec1f1d08c096a4efcd27fb2392000440efc92

SHA256
f9ef3631e035974f5fae0a71e7775d7f90fc38d48a93a17844fc699896dfe61e

SHA512
633f63aea6f53e85ff50b42f478459fc74684cb34687ffb4674f31a66b94887daba5879290c55e3559ad394ba260fb160476c0a20dd28dd2abf55043b2f09289

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
479KB

MD5
aa6b1fa14c6073a979eaf4b167156370

SHA1
7b6867e1458101a8e5f3f8df2889fd524114fbfc

SHA256
cd4591785d4fd109ae33f298c28bcd03ea7096ab11f1d6d48749e72e1a762aca

SHA512
8b6751c97048c5c112d634ba53732bd666e76bd45a13e2a4300ce262c107630b2628a0eb5094ab834ecea700127985c376c1ea68f89dbaabed4cc9f939932045

Download Submit
C:\Windows\SysWOW64\Iclbpj32.exe

Filesize
479KB

MD5
c03b60c603b2f5e6a2220e78258b4472

SHA1
f222f7dfd961fd82e558dc918423183d5434386b

SHA256
60eed11ecb3079611a69b1aff3aab4b71c6c351a1b2e0a09f751f7559dd2725e

SHA512
8a9b442fc16f7cbce638e88b89b958aa4b217f9333eafcdfc84fc4e215b5945dea4179046a419b8c7199711a42f0c105f8bddb476de742242ae6f7231ff0405f

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
479KB

MD5
048d2fc0de76ae8d26275ca559af5550

SHA1
7966560c5c0b898609617f589c80e62cf4b1e5b3

SHA256
dc7b68bc5fc8c021847b6bba6635a1e118ef6785987704ffd75968ab54cf06fe

SHA512
e390f9d2387d979085539a8d0be4b430e330876a62e27d953a30e47ab4c03b1fc642d1a14812ba4ee1518b8d2e66a7eb85807bb7aa70da0c3a858930390c789d

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
479KB

MD5
3c506ba6cd4ff32f730821dfd378e025

SHA1
e811b39eec1a3162429110b09912936e7191a8ca

SHA256
07d4a3c0605bf6528173c88c57e8df0366351736f6d58f30506942017a10b1d2

SHA512
d618d6ad336888f3adb35e5548f0f1c54240ddadcbf5df5501149abc2efe9a627e3b3390fe948bf27ba2f359d0b36d6c3e4c4b1d93cc1bc6c1639852db0835f6

Download Submit
C:\Windows\SysWOW64\Ijcngenj.exe

Filesize
479KB

MD5
4af34d3497e9e4a5aff335bf2f76e786

SHA1
275e7297e098e0d3bd26dd014592877530969e88

SHA256
46c7dde57b3887cd7e22a173ba42c4a6eb938ee8c4433ae8ef789bdcd65ff22c

SHA512
97f095d96025d0ab4a067061d5cdc0e30809c1a30d3c5f7f64850c935e338ae09cb3cf07f529743c9706d1ccaa491c21dc7dec4f59e038257ff8cebd70dccb81

Download Submit
C:\Windows\SysWOW64\Imggplgm.exe

Filesize
479KB

MD5
8a7232a796e2b6bb63d56b101112eecd

SHA1
13539f60c2bf4002b293dd584253f4f9273dc87c

SHA256
a4fea93cd09349263a2bd33cd2393159b8057b38e1bdcd72d9ba9aba386d4158

SHA512
9564558d0d3be5068927790d1214e14d07c689eb5b8bb0e38d8412d849ba511b8f0d42f413f561d00a90a2728488078f3babc4f6e91d2d2c3828bd28f5744bfb

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
479KB

MD5
cba236ae2f9d90efcd863578ca776071

SHA1
cd3f138d5f2fdab4746ac0c0bfc1d006477800da

SHA256
6e5b50ca99ce32c18b940b29134d023691d5c1482d1d099936e6f69ba28e61f8

SHA512
edd6870713de29191c2768cbd2f5506602a6a126bd080a1c3ad2121734eb7f0f8b85d1fe4dc565429197e7ff9e23a66f43e182f549638d9ffbd514e0321aba7f

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
479KB

MD5
3110f4227c1c6837e2898e7f2ef980a0

SHA1
db153502ecaf0f13f5b7605e4294ee05ac7411fd

SHA256
d402562508b3e38eb49eb14b082d72fd6f7f97a1a63da736d5e1f0c5917087e7

SHA512
9f2a22644870ab49d41ffb19ffb182aa52311012c0b8624c4b3e38e0aaa5ced10c8d72efca585ddfe3f3b2e7a61e64836e66afeae79f5413ed3133f6703032e0

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
479KB

MD5
5981b17c6737cf3c75e096a7dff2fdb2

SHA1
980114d3559c0dc511fc4f5e4e6af40b25097c4d

SHA256
86d0276b94a0b56695dba447fb343c20c3cb4df829ae981ad4a1e89b306f7cbc

SHA512
910a87db0eefdbc88ba02c4d0b43274a917b1097c93ca2da1047dba71f1267f012822da35fa9a2eac324d4e5c1295d1ccf49479dac50a72702a54498c42d6cdd

Download Submit
C:\Windows\SysWOW64\Jcciqi32.exe

Filesize
479KB

MD5
e9192a6d584edc34adb5034ca566f6ef

SHA1
74b128ee79f1a046beed9d7b889960ef2679bda9

SHA256
13ff59fb44a7ab8b9f12fb72359446b5ef08f1f24fe6dce74862f19e3d3adeb0

SHA512
5ee715f648a39e70cbd1e14cb4029c1d0093a7e3f64b23425807fe4c06460f812e405a15919ce2a672d65af82a3819daaeeca46d8f894ea707cf486fa73a3286

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
479KB

MD5
7bd236aefce7697822d5b9347344e8c6

SHA1
7ac489e84bb01275718665553c98e827d662d1c3

SHA256
136d2ad0b08509d176fb1c1bec01a82d16bf1f248d7dbfdb5f8d498491e812e6

SHA512
e43e0b7226ae59fc098bd0c61edc9c235ce417503d69a21ca6d5796746e656503f1c4ca22d8bbcfcd60034e9d4364e05c97b315b1b5229ae10d0b658a15aab76

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
479KB

MD5
9bec97b16b1025931fadb10588aafa6c

SHA1
a02bec8a3f64d96db0729a745cff2e7dae356a71

SHA256
436969d022d4658b548d5794b597b07242edc333534773595bdde186a203d835

SHA512
3ccd5b3bd75e81997ed51a6e690d199152c78dbdce07a412bfc9186469bbd7f3cd2e16a5c40b52505709db8381e6d131e5b2d87dd45c3a35c6967ebee0457c59

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
479KB

MD5
d52d16b80411cc193a5b57c194c0e17f

SHA1
ad3819fda9fcbaca818c7cf7a3fe207709c2f14c

SHA256
8898049fd0b9e8538e7c539b6c20d7bbfe107839a667dd337e5f99952c04a5e6

SHA512
3f9e2acc87ac93090bb82f5ff9b6656941d541a3ea52432d08c94da39f34ad691fdf3b8407851bbbc35c41d06a7d56c7eab7df7b76d74f32e9567e87f463ed08

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
479KB

MD5
0fbe9c5df39e86f88afbd1855a7c2196

SHA1
851d42de3d872f729f857d512b5fa60b56e10abe

SHA256
9870d0d6152603f505079908f28d5e22a5f5a692ab548a19d147d09a4100a00c

SHA512
a6243b5f86711592759e5b590f84dacc0326ad9d205d01d195b2826902ee529f08aee91bb806be8f25d8e509c0aff28de73f3b77815c0d9958b04347de7f0d54

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
479KB

MD5
ed003c6158671f1bdb7a3f56c8e61123

SHA1
d41123ede15ee8ff6a33e279fc566ae825d4641e

SHA256
00f3590e204dc4260259b5cc23cb748e1302672268259de8d9b094e978663bf7

SHA512
bf7e2028d785352864745bf5a34beac7553e70511d4ae2efeb734b7bc9d0f06da476ba5391349d3e573fdb7dcc6ee3e20c3a2f2f6b05393f112b8fd8200ea075

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
479KB

MD5
0cc1b484a473a82ad6fc04433a07ff98

SHA1
497cf5018e4181241e321860e79a3b0a4622b093

SHA256
ed79e95fd01d259ef2a5e8103a4a612cba54d42407bdaf5c2ef178c39682585e

SHA512
0f269707a5a7e9f0e32bd5303572bf11ba075d4793c09fc5177952877153a33aa60d147bdd07c54f9d3da81fa19d68f8d8d8fc1f146d59fd309242685677854e

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
479KB

MD5
ca42c77828a7c5dfbd8f5b562653b8e2

SHA1
cbf6f79b56d580941d233ef744d1e6f1db1f7836

SHA256
1934d19ece6178cbb5795bb6742b7742ae19bd9db5d00375ab51b1c75990a876

SHA512
9bd1e0d3f623fa906b087445ddc94c6116eb615ca0e62065593ebd58d4657a71161bad5c73d93572ca8bbf9f45677b7e274003fafb2b8ccdfaebaa89fb5f1372

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
479KB

MD5
e9be0fd00c203c4ef6324b1e0a563c31

SHA1
6d4f585a9b2a8dacc88e2f90cd2bf001338e6501

SHA256
9dc98071dd70f4a772a845dd19a989154a19c3902bb466fdbe897be934f5ceca

SHA512
4b5dfd39e0ccca1b40d708d296e556e492db643490c48d1755c3d1e3ec0eafed5b829abe378ddcfb05617340b40be8ce49a6466d0d4918a2b0115b1617959103

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
479KB

MD5
da0df7e0a27a5d5e01a41939728d2c3d

SHA1
49cca53e8d52bfb1b7dc7df565adc2be9158a921

SHA256
df3140a494722c3660cac9af26314ce7cbc60f8b078b19fe59ef20fff94cc663

SHA512
39896cbdc74e39f08ab77d08b4fd56a4f994534af6e2234b95b9a85c21794fd0bb66be4ee120507cb3ea875565a05e9a9b524317de82500f8429a0738cb63988

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
479KB

MD5
286663df0f1545074a2c8209085097c1

SHA1
048030defcd09737f1303f161a1f82e4231d5110

SHA256
a321f2a6d57ce5ef27e01cad99e46ed326c3fbcc75e9519e25e1868f77496c4b

SHA512
abbf0c689025d9ca4e773bd944ed8650bcf4a6bf46ce6003599b35063dfb040a2c0b8c999d67274a1e6720c98b22533bdca15037d642df77eee2c0d1ab37be47

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
479KB

MD5
643d26e0b56287f9de0429ea31760b40

SHA1
200c32443be1acf91a2d0fbc7eb831538cd4e418

SHA256
846f794da77cce0b0340dccba1ba6ff038448a5b921c2bcaafbb876b1d4c26a1

SHA512
a820ac6e5dc418f1d1f9ae28ad09a402ad599d58e80b806dda2902b4a1c2a1c36dffd7755106a16dbc04425a53f53b86161ff98c3714d186089b3c4e4158f548

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
479KB

MD5
fa5da826c5816c7141ec857c7e8a87a7

SHA1
2f5fd6770ef9c4ac3ac1b95683c91bb3fc44873f

SHA256
e5765db5a0fe59fd6539b3caf64d542e26588a5833db148c199ae9b1e2a8a660

SHA512
295a09b1f28f71336183901ba0f528709d1a666adf2e524afde814100fd15690a8f6b576987f8f5f13424d446c08a42bbda18edf462ad97fe3aa6a216a6d4e5f

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
479KB

MD5
2ba6bffc8d8f9f0db0dacd855b1719c7

SHA1
7300b68ff97034fba049099971f859d955086f5a

SHA256
6cb8fbd53064fa507b2c9fe0fdbd9f34ca545c17ece30df9a2ad8988882c65f1

SHA512
93c8ddd9c829fea7ac3f923acd646b55983d7cbdc99f287fa7c7a6ff78de97efd461f80069db2301202b5765cfa14cea47fdef3e52050205218a13fdf8a514ba

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
479KB

MD5
f712807d15ba81896f8ab2cd94ca40ff

SHA1
82a70690cc516d8c97d199b59cceb73003864310

SHA256
fc06464197075bb7396b83db944379477e0ca13ade44199c949ca96fbc407dc3

SHA512
95ffac65183ea09885c0ec1657678f9c2c370ab3e98d791ae91efefd2ffab6030100e81082569dde549f6ee3486e650a19d3e1478f658e6afa652dba8c401875

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
479KB

MD5
ed7e86073a69c1a39606350dab2f6f12

SHA1
e98d7d2248ed27116602ae05e4aaf3c8aa6d7e7b

SHA256
4876e96d2665d32ed2efb420af8700d2ec4809bce3706ad3e094966f2c720885

SHA512
80dd8c3a10992ecbe22e8bc819646d8605ac971274930178a430e69548166a267f63fa91db28273cab3c2b6ab6413909e2464f5188d9ce5bb627f3a0d89aba12

Download Submit
\Windows\SysWOW64\Ebqngb32.exe

Filesize
479KB

MD5
b9541e5f6199115291258cdd5b7fb22e

SHA1
778132e8a9785778375e2bd028563ab6ef19c889

SHA256
3820d32869556abffd4c2c6590fb782184cf0f2ad45f582eed14832cc4f25325

SHA512
b04a204c9e97e3567349eea3dfb6460aa8ce4225127bd1912983ae359865b62b9943cd8756f3b4fd78f2e41681e5f6f6efbf91125e1586d1df333f53bdf0a96e

Download Submit
\Windows\SysWOW64\Ejcmmp32.exe

Filesize
479KB

MD5
49cb5143a4741d682980b69005ad7d72

SHA1
7e564aba8c8ab76a929e706ff307c43f6d92e2e0

SHA256
419487cdca536adda7ec7fe6e66b3eed0b02d8dfda7b0c06bf96cefd9de71eef

SHA512
db6e61706f30196b79f91629901530cf331d39270e97d549e250d4e874cd35328ca0b8b99c56eaa802fe79fb686eb4532ce6863e507fbdccaeb35b1b67967c64

Download Submit
\Windows\SysWOW64\Epnhpglg.exe

Filesize
479KB

MD5
cdeb11f690836e803f7e2777bb5477c1

SHA1
93d6e6f98780eeb3b7616a9751e1b060c7572ec9

SHA256
b74322e3ab3ea955cdbc5bee9e14aa98b6b934989301324e6de2c42f05dd71e6

SHA512
3e29dc5782acd3f7d320547b5148e159b55af712233ac3f7d2cd6d3bb2874ded202a85bb420848d80ef64c39561c3a1a01384ca332eae9f6d92d6c1885239b62

Download Submit
\Windows\SysWOW64\Fefqdl32.exe

Filesize
479KB

MD5
afb25eed675f8b67b9cfb7f169f9a413

SHA1
0d4830b6eee8827814ed838f8c87bb060830a743

SHA256
01fb5be1de010209cd0fd3c3d4a110b28985505b66e3bce452d4733269532cf8

SHA512
804d4fc3e84a2d1aa026d1f0a020b8abe9b2d79414dd8e58f2e0d8929df2455282f83f52a8c4839324d845d3596b4718bec90b34649cd31c1f8b4df7e7f90d20

Download Submit
\Windows\SysWOW64\Fijbco32.exe

Filesize
479KB

MD5
58c628426ca5f587b359d1eba6c16f18

SHA1
02ba8540a5fb5ab3663f1d33907345396e99c2a0

SHA256
4f49fa677d1355b54c5af9b6b6b71af1f75027fc2d25f7a8e0dd3ff46c0eae7e

SHA512
a276f3e140959a113fc681686a07367171fef2381ac98bd76b5355707c662458404e9f18481aeeee6a1da25f8970d3a3c69e23a6b5ce9d8ff2ca7da0e0972241

Download Submit
\Windows\SysWOW64\Fmaeho32.exe

Filesize
479KB

MD5
1eb08b962bb323d4406a73024bc44c67

SHA1
18935474f09ea38ee28045c193890c70f24698eb

SHA256
e94f2834125fe6052d0852f5bca2c5536a0967116f472f8101f58ca16db58be5

SHA512
a558e200c51e19c55d8ddd771b9d879abbb726ec92b142a88dcdc50370ac8fdbc18abad3afafbea4504ef158e7bd1a680442a8b4aa8badce7278fa15ad6d11fa

Download Submit
\Windows\SysWOW64\Gmhkin32.exe

Filesize
479KB

MD5
9b6562dcbfd192f4b7a28e412fac5fd3

SHA1
047c484c28ed2fba81bffe250b7262aa02639f52

SHA256
0511433a4f18de58ae34bdf6de864f8885df85ef8f77cf58b5cf5e175926f98a

SHA512
12be93f33473a5456fc9e5c97ebc796aae89bdd5de8fa9ec5f2dfbda119336c235041dda71d38c7381df6cba16e256109648bcccbeb6f64e59ddbc58d0b26d7d

Download Submit
\Windows\SysWOW64\Gpidki32.exe

Filesize
479KB

MD5
2319f7bf0ae0af617e849b4fbc3c67da

SHA1
4b3775520f2706ce18561e60fbd4a4101acb1f3d

SHA256
b4cefa7c3e272c237f6bcae178f34d1234d1fcdd60a257b518bfe729b233c379

SHA512
3bf60d4fa700bfb062c9d1d94c54b368061910de6af45c318875a06da95b1d6d7ad5cb3a9e7cbba58ae9ea4f64e1e1fb3d748ee6b94cc6211217dba5ad7c96ae

Download Submit
memory/380-154-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/380-167-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/380-162-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/436-645-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/572-663-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/572-451-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/572-445-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/668-383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/668-389-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/904-108-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/904-96-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/908-689-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/908-316-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/908-312-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/908-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/948-152-0x0000000001F80000-0x0000000001FF7000-memory.dmp

Filesize
476KB

Download
memory/948-455-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/948-147-0x0000000001F80000-0x0000000001FF7000-memory.dmp

Filesize
476KB

Download
memory/948-139-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1028-414-0x00000000002E0000-0x0000000000357000-memory.dmp

Filesize
476KB

Download
memory/1028-93-0x00000000002E0000-0x0000000000357000-memory.dmp

Filesize
476KB

Download
memory/1028-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1288-169-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1288-182-0x0000000001FD0000-0x0000000002047000-memory.dmp

Filesize
476KB

Download
memory/1288-177-0x0000000001FD0000-0x0000000002047000-memory.dmp

Filesize
476KB

Download
memory/1504-665-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1504-435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-258-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/1524-262-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/1544-295-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1544-294-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1544-693-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1544-285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1728-122-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1728-110-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-247-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1740-241-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-251-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1796-415-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1796-424-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/1940-431-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/1940-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1960-273-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1960-263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1960-272-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2100-284-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2100-280-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2100-274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2192-404-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2192-410-0x0000000001FE0000-0x0000000002057000-memory.dmp

Filesize
476KB

Download
memory/2248-207-0x0000000000320000-0x0000000000397000-memory.dmp

Filesize
476KB

Download
memory/2248-212-0x0000000000320000-0x0000000000397000-memory.dmp

Filesize
476KB

Download
memory/2248-199-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2248-707-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2260-125-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2260-444-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2260-137-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2260-136-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2288-687-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2288-327-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2288-323-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2288-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2300-226-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2300-227-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2300-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2340-360-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2340-18-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2340-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2340-12-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2340-350-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2436-705-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2436-240-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/2436-236-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/2436-229-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2556-373-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2668-371-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2668-361-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2676-76-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2676-69-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2684-372-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/2684-367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2684-35-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/2684-27-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2704-338-0x0000000001FB0000-0x0000000002027000-memory.dmp

Filesize
476KB

Download
memory/2704-337-0x0000000001FB0000-0x0000000002027000-memory.dmp

Filesize
476KB

Download
memory/2704-328-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2776-345-0x0000000001F70000-0x0000000001FE7000-memory.dmp

Filesize
476KB

Download
memory/2776-339-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2776-349-0x0000000001F70000-0x0000000001FE7000-memory.dmp

Filesize
476KB

Download
memory/2800-382-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2800-52-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2812-351-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2816-393-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2816-62-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/2816-54-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2912-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2920-302-0x0000000002020000-0x0000000002097000-memory.dmp

Filesize
476KB

Download
memory/2920-296-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2948-643-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2960-196-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/2960-197-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/2960-709-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2960-184-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2964-661-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3008-394-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3008-403-0x00000000002E0000-0x0000000000357000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads