berbew | bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Size

890KB
MD5

95ca6e40117142efad6e8a3045dfd415
SHA1

372b2cac2927e42be192610a8360cdec97481d98
SHA256

bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3
SHA512

00bacdecf798367331f48377a349c0106da8bba746c18b0289947d9dab1f13ae0facfcc8e724b97fa825660a81e71e4c6a471c3cd4a0fd00224236f319eb811a
SSDEEP

6144:1/6btox7PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKrl:1/hs/Ng1/Nmr/Ng1/Nblt01PBNkEy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciokijfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cceogcfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioeclg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cceogcfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbegbacp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknafhjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpgph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknjfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgeelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcmmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmhjdiap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmhjdiap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciagojda.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcgmfgfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcgmfgfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnmacpfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdkkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgifgnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgnokgcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Japciodd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogijnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbegbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaagcpdl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
1768	Anogijnb.exe
2716	Ajhddk32.exe
2644	Bknjfb32.exe
1908	Bgdkkc32.exe
1064	Cmhjdiap.exe
2044	Ciokijfd.exe
2852	Cceogcfj.exe
2504	Ciagojda.exe
552	Ccgklc32.exe
3024	Ejcmmp32.exe
1316	Fbegbacp.exe
2976	Fhgifgnb.exe
2096	Fijbco32.exe
2948	Fdpgph32.exe
1040	Gaagcpdl.exe
884	Hgnokgcc.exe
1780	Hcgmfgfd.exe
1984	Hnmacpfj.exe
1088	Hgeelf32.exe
3028	Hifbdnbi.exe
2024	Hclfag32.exe
1952	Hjfnnajl.exe
772	Ikgkei32.exe
2444	Ifmocb32.exe
2256	Ioeclg32.exe
2668	Iebldo32.exe
2744	Iogpag32.exe
2680	Iediin32.exe
2684	Iknafhjb.exe
2532	Ibhicbao.exe
2016	Icifjk32.exe
2520	Inojhc32.exe
1696	Ieibdnnp.exe
1992	Jfjolf32.exe
2484	Japciodd.exe
2500	Jfmkbebl.exe
2196	Jpepkk32.exe
2784	Jimdcqom.exe
2072	Jbfilffm.exe
1256	Jnofgg32.exe
1284	Kidjdpie.exe
2936	Kbmome32.exe
1736	Klecfkff.exe
2084	Kablnadm.exe
2420	Kkjpggkn.exe
1640	Kpgionie.exe
2672	Kipmhc32.exe
2828	Kdeaelok.exe
1324	Lmmfnb32.exe
2068	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
1768	Anogijnb.exe
1768	Anogijnb.exe
2716	Ajhddk32.exe
2716	Ajhddk32.exe
2644	Bknjfb32.exe
2644	Bknjfb32.exe
1908	Bgdkkc32.exe
1908	Bgdkkc32.exe
1064	Cmhjdiap.exe
1064	Cmhjdiap.exe
2044	Ciokijfd.exe
2044	Ciokijfd.exe
2852	Cceogcfj.exe
2852	Cceogcfj.exe
2504	Ciagojda.exe
2504	Ciagojda.exe
552	Ccgklc32.exe
552	Ccgklc32.exe
3024	Ejcmmp32.exe
3024	Ejcmmp32.exe
1316	Fbegbacp.exe
1316	Fbegbacp.exe
2976	Fhgifgnb.exe
2976	Fhgifgnb.exe
2096	Fijbco32.exe
2096	Fijbco32.exe
2948	Fdpgph32.exe
2948	Fdpgph32.exe
1040	Gaagcpdl.exe
1040	Gaagcpdl.exe
884	Hgnokgcc.exe
884	Hgnokgcc.exe
1780	Hcgmfgfd.exe
1780	Hcgmfgfd.exe
1984	Hnmacpfj.exe
1984	Hnmacpfj.exe
1088	Hgeelf32.exe
1088	Hgeelf32.exe
3028	Hifbdnbi.exe
3028	Hifbdnbi.exe
2024	Hclfag32.exe
2024	Hclfag32.exe
1952	Hjfnnajl.exe
1952	Hjfnnajl.exe
772	Ikgkei32.exe
772	Ikgkei32.exe
2444	Ifmocb32.exe
2444	Ifmocb32.exe
2256	Ioeclg32.exe
2256	Ioeclg32.exe
2668	Iebldo32.exe
2668	Iebldo32.exe
2744	Iogpag32.exe
2744	Iogpag32.exe
2680	Iediin32.exe
2680	Iediin32.exe
2684	Iknafhjb.exe
2684	Iknafhjb.exe
2532	Ibhicbao.exe
2532	Ibhicbao.exe
2016	Icifjk32.exe
2016	Icifjk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fbegbacp.exe	Ejcmmp32.exe
File opened for modification	C:\Windows\SysWOW64\Ioeclg32.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Fbegbacp.exe	Ejcmmp32.exe
File created	C:\Windows\SysWOW64\Odiaql32.dll	Hgnokgcc.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Ejcmmp32.exe	Ccgklc32.exe
File created	C:\Windows\SysWOW64\Bieepc32.dll	Ccgklc32.exe
File opened for modification	C:\Windows\SysWOW64\Ikgkei32.exe	Hjfnnajl.exe
File created	C:\Windows\SysWOW64\Pbpifm32.dll	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ghdjfq32.dll	Ciagojda.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Chpmbe32.dll	Hclfag32.exe
File created	C:\Windows\SysWOW64\Ejcmmp32.exe	Ccgklc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmocb32.exe	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Lpfhdddb.dll	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Japciodd.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Cceogcfj.exe	Ciokijfd.exe
File created	C:\Windows\SysWOW64\Qdhjoc32.dll	Bknjfb32.exe
File opened for modification	C:\Windows\SysWOW64\Ciokijfd.exe	Cmhjdiap.exe
File opened for modification	C:\Windows\SysWOW64\Hgnokgcc.exe	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibhicbao.exe	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Npneccok.dll	Iknafhjb.exe
File opened for modification	C:\Windows\SysWOW64\Japciodd.exe	Jfjolf32.exe
File opened for modification	C:\Windows\SysWOW64\Bknjfb32.exe	Ajhddk32.exe
File created	C:\Windows\SysWOW64\Acfgdc32.dll	Ajhddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ccgklc32.exe	Ciagojda.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ajhddk32.exe	Anogijnb.exe
File created	C:\Windows\SysWOW64\Hgnokgcc.exe	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	Hgeelf32.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdkkc32.exe	Bknjfb32.exe
File created	C:\Windows\SysWOW64\Fdeonhfo.dll	Bgdkkc32.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Gbmhafee.dll	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Anogijnb.exe	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
File created	C:\Windows\SysWOW64\Gckobc32.dll	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Hclfag32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Lbfchlee.dll	Ioeclg32.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Icifjk32.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Heloek32.dll	Cmhjdiap.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Cceogcfj.exe	Ciokijfd.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Ldeiojhn.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Fijbco32.exe	Fhgifgnb.exe
File created	C:\Windows\SysWOW64\Mdmckc32.dll	Fdpgph32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Bknjfb32.exe	Ajhddk32.exe
File created	C:\Windows\SysWOW64\Ifblipqh.dll	Ifmocb32.exe
File opened for modification	C:\Windows\SysWOW64\Jfjolf32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Oehiknbl.dll	Anogijnb.exe
File created	C:\Windows\SysWOW64\Nhmbnqfg.dll	Fbegbacp.exe

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogijnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpgph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciokijfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmacpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciagojda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbegbacp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhgifgnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaagcpdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hclfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknjfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmhjdiap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceogcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdkkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcmmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikgkei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcgmfgfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgklc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioeclg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmhjdiap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqacnpdp.dll"	Hcgmfgfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbegbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikedjg32.dll"	Fhgifgnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcgmfgfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll"	Cmhjdiap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcgmfgfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogijnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedamakn.dll"	Cceogcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll"	Bknjfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbegbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgklc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhafee.dll"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmhjdiap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnfdpam.dll"	Ciokijfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknjfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeonhfo.dll"	Bgdkkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciokijfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdkkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdkkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjfq32.dll"	Ciagojda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnmacpfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiflpof.dll"	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgnokgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmiogi32.dll"	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1768	2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe	30
PID 2020 wrote to memory of 1768	2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe	30
PID 2020 wrote to memory of 1768	2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe	30
PID 2020 wrote to memory of 1768	2020	bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe	30
PID 1768 wrote to memory of 2716	1768	Anogijnb.exe	31
PID 1768 wrote to memory of 2716	1768	Anogijnb.exe	31
PID 1768 wrote to memory of 2716	1768	Anogijnb.exe	31
PID 1768 wrote to memory of 2716	1768	Anogijnb.exe	31
PID 2716 wrote to memory of 2644	2716	Ajhddk32.exe	32
PID 2716 wrote to memory of 2644	2716	Ajhddk32.exe	32
PID 2716 wrote to memory of 2644	2716	Ajhddk32.exe	32
PID 2716 wrote to memory of 2644	2716	Ajhddk32.exe	32
PID 2644 wrote to memory of 1908	2644	Bknjfb32.exe	33
PID 2644 wrote to memory of 1908	2644	Bknjfb32.exe	33
PID 2644 wrote to memory of 1908	2644	Bknjfb32.exe	33
PID 2644 wrote to memory of 1908	2644	Bknjfb32.exe	33
PID 1908 wrote to memory of 1064	1908	Bgdkkc32.exe	34
PID 1908 wrote to memory of 1064	1908	Bgdkkc32.exe	34
PID 1908 wrote to memory of 1064	1908	Bgdkkc32.exe	34
PID 1908 wrote to memory of 1064	1908	Bgdkkc32.exe	34
PID 1064 wrote to memory of 2044	1064	Cmhjdiap.exe	35
PID 1064 wrote to memory of 2044	1064	Cmhjdiap.exe	35
PID 1064 wrote to memory of 2044	1064	Cmhjdiap.exe	35
PID 1064 wrote to memory of 2044	1064	Cmhjdiap.exe	35
PID 2044 wrote to memory of 2852	2044	Ciokijfd.exe	36
PID 2044 wrote to memory of 2852	2044	Ciokijfd.exe	36
PID 2044 wrote to memory of 2852	2044	Ciokijfd.exe	36
PID 2044 wrote to memory of 2852	2044	Ciokijfd.exe	36
PID 2852 wrote to memory of 2504	2852	Cceogcfj.exe	37
PID 2852 wrote to memory of 2504	2852	Cceogcfj.exe	37
PID 2852 wrote to memory of 2504	2852	Cceogcfj.exe	37
PID 2852 wrote to memory of 2504	2852	Cceogcfj.exe	37
PID 2504 wrote to memory of 552	2504	Ciagojda.exe	38
PID 2504 wrote to memory of 552	2504	Ciagojda.exe	38
PID 2504 wrote to memory of 552	2504	Ciagojda.exe	38
PID 2504 wrote to memory of 552	2504	Ciagojda.exe	38
PID 552 wrote to memory of 3024	552	Ccgklc32.exe	39
PID 552 wrote to memory of 3024	552	Ccgklc32.exe	39
PID 552 wrote to memory of 3024	552	Ccgklc32.exe	39
PID 552 wrote to memory of 3024	552	Ccgklc32.exe	39
PID 3024 wrote to memory of 1316	3024	Ejcmmp32.exe	40
PID 3024 wrote to memory of 1316	3024	Ejcmmp32.exe	40
PID 3024 wrote to memory of 1316	3024	Ejcmmp32.exe	40
PID 3024 wrote to memory of 1316	3024	Ejcmmp32.exe	40
PID 1316 wrote to memory of 2976	1316	Fbegbacp.exe	41
PID 1316 wrote to memory of 2976	1316	Fbegbacp.exe	41
PID 1316 wrote to memory of 2976	1316	Fbegbacp.exe	41
PID 1316 wrote to memory of 2976	1316	Fbegbacp.exe	41
PID 2976 wrote to memory of 2096	2976	Fhgifgnb.exe	42
PID 2976 wrote to memory of 2096	2976	Fhgifgnb.exe	42
PID 2976 wrote to memory of 2096	2976	Fhgifgnb.exe	42
PID 2976 wrote to memory of 2096	2976	Fhgifgnb.exe	42
PID 2096 wrote to memory of 2948	2096	Fijbco32.exe	43
PID 2096 wrote to memory of 2948	2096	Fijbco32.exe	43
PID 2096 wrote to memory of 2948	2096	Fijbco32.exe	43
PID 2096 wrote to memory of 2948	2096	Fijbco32.exe	43
PID 2948 wrote to memory of 1040	2948	Fdpgph32.exe	44
PID 2948 wrote to memory of 1040	2948	Fdpgph32.exe	44
PID 2948 wrote to memory of 1040	2948	Fdpgph32.exe	44
PID 2948 wrote to memory of 1040	2948	Fdpgph32.exe	44
PID 1040 wrote to memory of 884	1040	Gaagcpdl.exe	45
PID 1040 wrote to memory of 884	1040	Gaagcpdl.exe	45
PID 1040 wrote to memory of 884	1040	Gaagcpdl.exe	45
PID 1040 wrote to memory of 884	1040	Gaagcpdl.exe	45

C:\Users\Admin\AppData\Local\Temp\bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe
"C:\Users\Admin\AppData\Local\Temp\bd6a4b90b50cdd803e8c896e3a83ddc600f46529be7fbfd5831587b1c51ecbb3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\Anogijnb.exe
  C:\Windows\system32\Anogijnb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Ajhddk32.exe
    C:\Windows\system32\Ajhddk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Bknjfb32.exe
      C:\Windows\system32\Bknjfb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Bgdkkc32.exe
        
        C:\Windows\system32\Bgdkkc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\Cmhjdiap.exe
        
        C:\Windows\system32\Cmhjdiap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ciokijfd.exe
        
        C:\Windows\system32\Ciokijfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cceogcfj.exe
        
        C:\Windows\system32\Cceogcfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Ciagojda.exe
        
        C:\Windows\system32\Ciagojda.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ccgklc32.exe
        
        C:\Windows\system32\Ccgklc32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Ejcmmp32.exe
        
        C:\Windows\system32\Ejcmmp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Fbegbacp.exe
        
        C:\Windows\system32\Fbegbacp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Fhgifgnb.exe
        
        C:\Windows\system32\Fhgifgnb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Fijbco32.exe
        
        C:\Windows\system32\Fijbco32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Fdpgph32.exe
        
        C:\Windows\system32\Fdpgph32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Gaagcpdl.exe
        
        C:\Windows\system32\Gaagcpdl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Hgnokgcc.exe
        
        C:\Windows\system32\Hgnokgcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Hcgmfgfd.exe
        
        C:\Windows\system32\Hcgmfgfd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Hnmacpfj.exe
        
        C:\Windows\system32\Hnmacpfj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hclfag32.exe
        
        C:\Windows\system32\Hclfag32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ikgkei32.exe
        
        C:\Windows\system32\Ikgkei32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ioeclg32.exe
        
        C:\Windows\system32\Ioeclg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddk32.exe

Filesize
890KB

MD5
1d310000e341c9056ffac672c8a3dd5c

SHA1
df3b2928ac0ff08d4cf80d0b4d372734a54ac4a6

SHA256
ae18137c86d1d02f8eae5089c49aae5ba8b1e5633637847d4ecc5d394b188750

SHA512
773c451c4ce58f0e00b89c5e78760ccaa61721a3c16014fd248fec869d9ad2fc603abd28d57ed6d68abfec4f812bf5e2d2c31d0b1648a747accc4b4ee2f47777

Download Submit
C:\Windows\SysWOW64\Cceogcfj.exe

Filesize
890KB

MD5
96235fbbbb52339693dea61e5735927a

SHA1
aae15e409003a2427c88571013fd6b4c6da249d3

SHA256
f310114c04e670411e96f8c67a3731373d8fece04bbfb7f4df4277741e833aaa

SHA512
3ebf1271b279f0dac972c9899b555d62df77c81513104b70ec16b6f64d80a7ed2412764328bb3c3f444405eabca17efff196c4209bb6259997912de84186ec06

Download Submit
C:\Windows\SysWOW64\Ciagojda.exe

Filesize
890KB

MD5
15ecf42492d7d3b788c1acd2f2ed85fb

SHA1
954036b32386909dd8c4ed7834c167fc415ba494

SHA256
21b1621a9c34c172b4b5a88b14c3ecfa0d27aa39031ddf3732b68bc6ab3b28b0

SHA512
ff28ccc8571a1d0c5b3c72c2ca234da69cfbc80e3b7bd8423c9802bf051afde014e97c42f0ce11b730871f137d092dff1c7baf0b8aac8dd840b44cc76391fcad

Download Submit
C:\Windows\SysWOW64\Ciokijfd.exe

Filesize
890KB

MD5
d8f7641ee961c2baf51c2ae1ea6fd304

SHA1
558fba4139ce60dd76ab257f1fc54780d2133e0e

SHA256
5a0e4c70bd449d4c674f86d1fb3886ff41cdd1a32ba635f6a6a4f93a2e1cdbe0

SHA512
c39e54494f2634f8509d357bf7683cc9c5592b7ac7549077e6949c5d5da42cd70eec1e5006c1774fe6544b8251f1a75659907d2de2ab62c1afc34a8121aa2bb1

Download Submit
C:\Windows\SysWOW64\Fdpgph32.exe

Filesize
890KB

MD5
4becca61476161d4cd0bbf2d9f8843bb

SHA1
33cefa2f1b0b5baef87fa86c4949e76138520a11

SHA256
79f8e95ebd5659a9b21a6ad4a8d864f63c38de5fd1dcc5cc6621fac9da17b86a

SHA512
24ca3c72afa0e5fbaea2f6f3196402dde7bad079900a493901b05588456748f11ad7a372509575e692baf8c406b256d4a572e4e0e9d7bfd3bb560d9b32adffc4

Download Submit
C:\Windows\SysWOW64\Fijbco32.exe

Filesize
890KB

MD5
f611beb1c6f9b2fd56a91177a1024d68

SHA1
b7bb9a2682701f3500308b013ed861289f76f2b4

SHA256
cbe3f8e80606c136dc76dc04b9d31ed327d6b7de5c7635d2f7dd5cde691c31fb

SHA512
fc3d7b39437dcb1c47c033cac74a6f4b3b0f6442c656c9a8150ba2f4b71cac02e7dbdb4671198cad6ae419fb0294e241ee5d4090d4bdf8b3d1b83ba58c2280bc

Download Submit
C:\Windows\SysWOW64\Hcgmfgfd.exe

Filesize
890KB

MD5
dc3ebe1679ac82dd93ac5873e3ed7629

SHA1
c8f51293e5843218955acd2dc9c4606f5cc5703b

SHA256
c8544da650bc20d3692d89a80987858ff8a9ea7731fc2a9c2b320166149fbcbd

SHA512
b6ad767ed32c3c5961f63a2edb4a48eba5d0972d43b7e461b93acc98559997de6b28b3b3dac962a1e908eb132d5651c6664bc4219f76a234ffc591bb40a5a6be

Download Submit
C:\Windows\SysWOW64\Hclfag32.exe

Filesize
890KB

MD5
e8dd3dd08cd18ee15ae686f95ce61a09

SHA1
e8410d5eba25d57e4eb16a3cb97bdc841bf7d211

SHA256
744077d6fedc0cdb915375b2164d6cdccf6efd92f87e51a9220966d7df323fc8

SHA512
06abe772bcf6140f402da69a16d2f5044d24826b6aef0246a6fdf77b0b9cc16e6a276f4cddac5d99e9ac1ec3a6b4b4228ca5c2c8787db83be3faa8eeb5c0e53a

Download Submit
C:\Windows\SysWOW64\Hgeelf32.exe

Filesize
890KB

MD5
293e651a2a16931d64f851a902e56e96

SHA1
5b23b5f65b95941b77ef3a7668c33262825f78b5

SHA256
32830f139e595717ebba7fce23d2d595137650068122c5b732d7ea326aec32a6

SHA512
ff7ac59912e75d8a8caadb5039818a0cda804c46713a37266272cb85555e54301709c67af36da6978adf10507f4274e2d86f9dc5cf81ac7c018f5867d997f588

Download Submit
C:\Windows\SysWOW64\Hifbdnbi.exe

Filesize
890KB

MD5
db7c36324b07eae7b4eef7326e165b45

SHA1
ddb89bd522b54d5a2332c0e27d154501f0095e72

SHA256
48e089eba3074a1d55109d2d444493114e260073879d9bd1ef1f112feb51d28e

SHA512
489dc4158f62c91551bb7bf23bcd50ce3a94daa3c29c0fe12d53b088eb1924d087891d700e37612c141f06482502017eac3e6fc827dc3e2539788956fd372142

Download Submit
C:\Windows\SysWOW64\Hjfnnajl.exe

Filesize
890KB

MD5
796bbd0e92eeaf782d428b0dd3231b08

SHA1
f70cf9808cfe1b577c04de2a44f4b30bf54f0479

SHA256
7db098cf8ccbcf3986a5d6d7a3c70db34802dbf39a5994efedb1556330661a5f

SHA512
cf308bd74928670f7090f9770861466f6fdc9cc968cc835a0c76c3a670a852e62db112a026affc2d0df34824c1d19391f7b5c103017a269f5e018c89716a349d

Download Submit
C:\Windows\SysWOW64\Hnmacpfj.exe

Filesize
890KB

MD5
3ab7ba0030db82315af42e051c3b656a

SHA1
a32faf8fd7dcb7178328b7cd19bcf52ea425f7f9

SHA256
70ba87a7d48485c9150917cc95c901fd4b5e5e5935b582ddca6ff93e825e15dc

SHA512
29577b886bc1597e1a4e541f2e3c027b801907047086328af446ed01ed1fcb1e30e0b63aa4b60c9618fa753ae7494d3c921e972127323acd23cfb9ec52d448b8

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
890KB

MD5
c391a9e92049573ef145244783ccf8b9

SHA1
c7f4c84f1822ef7d094bbac770d0bd3aef3cbf44

SHA256
fd7690084cb01a5f7cfe82e8cd81473a9d2c486bc1c0e8c3e675826ecf944876

SHA512
7040e8fd68de72d73bd726f16005d0f7c07149a27e94c35a8489fc8af8f3a25771dedcdbcfb3353db1b307e2a2d9e262ee682e6badface39345ccd93dd412c85

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
890KB

MD5
eb93e16707896a785599c6bf2037f23c

SHA1
5f035fbf00f6e65df3664130966b7bd0babc9747

SHA256
39486a02314c2f89dd2be5ed499f0200e0a25a3c27893aad58b130b8a85726b1

SHA512
47154011784e2a37f9abc958fd7e25d226d70ebf4158076753cd7e61d93a9b61080dafbe4d04d63dcaa9c7655b24e710dc5b7979e06487f146ab297091543351

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
890KB

MD5
5bc723b837cbe7d8c6d81a8a8e51a8d5

SHA1
643ba1a5a83227c8275db4c030f2434fdd1bfa05

SHA256
14a1b1d3c3a2ac23f76e1fdcd8f2f06d1f5b70d632b7f952419301c958fa8ddd

SHA512
93342eee3eb591d3f27317f7712f3cd9401b7d279885c3bd12cc32f32456374c954f8798956e5c9baa4b6968b4a21b89e4cd2431d7434de3b18d5ef105b809cf

Download Submit
C:\Windows\SysWOW64\Iediin32.exe

Filesize
890KB

MD5
63ad38a1e9028543c25e83378cb2029c

SHA1
c2fc78b9d7b45c76d0074c5330e2cc65f9a19c99

SHA256
1bda0ff75c44bfc84f0d3f19c9b03944bbe77f2c2a948dd80f46fd0f06237f4f

SHA512
da55f1f49db2065080b2e0ee55eae3b33429042f60c141fb166817b72e54e144caf7042276b1a9beb5a70eb086f52457139092e4bf748a8225ca18804902125e

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
890KB

MD5
35e694cfc296a5a03301ee8e98a4ac59

SHA1
d7e10a92473e2e8305a5dd3c0a27c9a8fbe083c3

SHA256
7c4f250f6b4120204dabf66395d67b75f879df33d30260f2da55298e554501dd

SHA512
a739e70b3a36014d5e7d09fb242f1037dd060c34cb596a70216640a2d334197e8e3bd4fcfb0364cb1d271deaf43f037e82ca4179a67605ab4a6876c614549473

Download Submit
C:\Windows\SysWOW64\Ifmocb32.exe

Filesize
890KB

MD5
34b8a0387276cffa1a785160970248d6

SHA1
983c01144c7186e614ccdf2180a0a9c597e8ebef

SHA256
65b15e56a519f6019e9642a2f0f3b3ae8ff9369a9b8a638c6221953934d90606

SHA512
ad9bf264479ca93fe8c0162af0dfe5017e5e05f5b048a7c408e8e7320f2b9928e92e23ecbb70ffc33ee37334e1137cf80aa37883351711903831c00b00292693

Download Submit
C:\Windows\SysWOW64\Ikgkei32.exe

Filesize
890KB

MD5
d3b5bef5bc20e12cb3e30d1b876a2540

SHA1
0d5f8d392574bac4dbc9e1badd41217030cb58bd

SHA256
420fd1e66149472928f7d8cf9a488113088e9bed81bea4d6159c983bf3b23a0d

SHA512
9a9353d80918df48fa021e9d4b0aa3329b469eccdb46be56686a537114f6a423df2b34d3e5a4efe5600a616a41d1b88804dbe44d99b31628953e9e39ecea2d44

Download Submit
C:\Windows\SysWOW64\Iknafhjb.exe

Filesize
890KB

MD5
eab76275cd793e2890618271cd3dde2d

SHA1
7bbfd7bdbef4fe6a98c666176c8a28f3e3b4b4b2

SHA256
7b558f8ba4f18adeef94ea54c2d150a7476f5b31b5c71de138fea4a715da212c

SHA512
4524e099d225f2165623278b67aa90e506da721a42f880fcf6eaaa8659fd96b34d9516df665f9bd1533f8598a04cb1ad37d310f7334e077ede6be16b93f8a87e

Download Submit
C:\Windows\SysWOW64\Inojhc32.exe

Filesize
890KB

MD5
aa5dafb3562dd1ffe57532339a8af402

SHA1
86e6363e12c8aa955b67f124fd091126e2c89194

SHA256
14de2bb5d15a627657de8e698a351e2001d56cef6ee70037fcc0a12762c1ee3e

SHA512
7df7956f94f4cc49c819e2ea9996f095529f448babbb9b20de8c993640e950d1c7c80a9c48b1e1d16567c6b84e85cff02d80634f0fad341e185eea85df1aac7d

Download Submit
C:\Windows\SysWOW64\Ioeclg32.exe

Filesize
890KB

MD5
b4cf70fca03369438f73d50320a6c613

SHA1
5de63a4897ffb69dc29f82955e0e740e18a81710

SHA256
64de0521ad71ecb26e21cba0f039daafd5338018a4909d807f4c5ee34781dc70

SHA512
10d35228cf02194590af8f7fcb7507c2cd952dbdbcba1bfdc026893334c726aa5189e1158d4ec3f38a8aa7a2ce304c9e08b157482ad5b8ca05dd554216a417da

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
890KB

MD5
0d9323fb2e5cbf630518dc61555300d9

SHA1
2c93766d06c30f50844d262b632c68f281922540

SHA256
1e48c00e84d5e8eb53e012c0ce72a276a23ca8028ff9ce2b940a39772d13a154

SHA512
ffc9917c0e42cb6749ef89f53f4bb51d1f8eb05a83edbdc9e054d87979f9f3c1c860ecef56cec5a75e6e6208fde0632c17a3174d6dfd4b653784c162d6b7c67b

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
890KB

MD5
b75695d216d46505b4e4db5bf7d99b60

SHA1
c9cb5790127223cb88ec52aab59c77b9e58c9039

SHA256
3d32d8866fd4450925b9a0ffceaad54103d9cae9f215a19a23416c1aca4ba5ef

SHA512
c33608f52b653b45d7e10abe20933ca093f8668b797f1b22eac5eafa29ea5f173febc2f6e37f1f0f47d340d87c85e934d0d714191d29f7b705773e1231a6204d

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
890KB

MD5
213e2e32c1a81bd84726e950773aef43

SHA1
b296b505a36a588db670874f5a08e1a5f828d736

SHA256
35440c334e4a1c7c9ad081d55b5fd803cdaaad99553cbb38446368afa192f7e9

SHA512
6c9b1f41b3a32e9456f757670396119ec7d4f665f88ec39315360bfc73568df5c3e83bf59c0a8da70446a37eb012b48126577e427487fc409bac1d64ce99cbf8

Download Submit
C:\Windows\SysWOW64\Jfjolf32.exe

Filesize
890KB

MD5
48e0c21793e4687178f7ab31f7f79276

SHA1
0f4c84da2521396618917d950564fa3ccd8b0862

SHA256
ed48ee8e89ae3bd043f8ee10e692c5cb8b1cf234105eb641469eabf4cf2e3781

SHA512
e65bdd7d76c32c87bcef8e8e8e7bd02b7343b1c5d9c7d86699c038c6d00fafec9043b6bbfc0cd183f168e53b3b761291ebee6486dc789fa89b2059e82e46e760

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
890KB

MD5
d5dbd08c58d9aa33890fa2bfcee1d90b

SHA1
75091a4db0ed65e45272ab8bc9380efcf6d1d720

SHA256
1d456e18d84c38b2e216a0d7d8e21968e44b2158d3fccb7138e1a7ad63950635

SHA512
dc925f841ef01c5172e60d0e8303c93accc72d81d7ea6de10a2190b5931f32b3e3a02794badf1460480f24b33ed980c9810ad47c1598b47e1a428674e2cd24cd

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
890KB

MD5
a94acfcdea602e0359537dda4be4f36b

SHA1
43317f7b3f191c1176f143cc811be84dc07f2534

SHA256
3b6d90bc51620467425c5d6fedbf467e5a05d88e2ab47a73711386b3b18861fb

SHA512
af8759fef6ca9ae3cb77638c93c663f12b074caa1a82dd1a22d92dedeba7fdc69dff11719746f11adaf18e6cddfa79dc3c969286976bf104468517c1cd787727

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
890KB

MD5
73c307ab1a6e7d2ac6c6c0130aa0bdfc

SHA1
a154c9d73d7a8fe9c277076dac4aad5e04b37f35

SHA256
072634f2853cd0923a57f994b1f12e68e233b33275dbab67d842fd88bc2c7fa1

SHA512
584c6c515a32edaa3f629a3286dc11d498052932d60e9e0e510186449954a6aa31d700d8f016c66929bf13f088970243b42000c495e7a1d46c6f6e5d2178039d

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
890KB

MD5
6e52934145cb18f81b0f89c70d653d1d

SHA1
fca117fc75db5c963a4957fc1734635c4ca81921

SHA256
2cdfdb8d0e135423330b4937cab4c936542762917f562ec3083ea86b1359868f

SHA512
597656f19f24642c6c4ff345d7c80f2bc354445f3a632e1a6ce2c42853ff4960be50c8ee05f0f76ef44142c010b2979f11156648b5cbdf296a77d1e5943005c7

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
890KB

MD5
c74ab67d363d55d9abb64cf2423774ae

SHA1
a1b486e2b080b36ce5db15b442fa3b08a3f9fdbe

SHA256
a09c22f2b7f7c3ee3cee4ca80fb81e0d752ad892d94c236cddf017f4c3213a6c

SHA512
9147ab3049f857744f1a03115d5aaca01e07edb9dc17dc188a4c7e871f6b47f5aa094dd9911c8339e456aa9943394c3d110cb668faf13bbba9ce3c0f2a62a892

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
890KB

MD5
f3b62fcebf266fc212b7617ec458076b

SHA1
e4bb31b1f4761e88efb4501e99ec1664f71be2c5

SHA256
a060b7b719ed9adb6f88fe8deef29666f3b422b10065ee03a8a6364a763a744c

SHA512
f1175542f25b419e4ae5496cb6c5e3413b2eb264038cf49b2d15eba482a243d775982b396c00fe97260f2b405536a20798eae12f76fe8a2629e8edae5f52bf6d

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
890KB

MD5
4a361c08208c7cbd34066d67ddcaa079

SHA1
79a5e795e511b4032b9f10a6b4e381d0cc703e83

SHA256
46a6060c2c74441cbdc92ab5a399f1407bb9381c78f6d802deb183c01d630113

SHA512
26f116c2077062bb23302ca5d7cc5c41a8c0eeb2655d4e48891081b345abcb9490cc9d0711a3e53a3cd024352f5bdfc7debca50e6ba6dfa0d8461898e2370ac9

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
890KB

MD5
7d10d9abd420d2e8cef94330ef77b6c8

SHA1
2cb3edc6dfec68b07b095f9f1f420c5be55337b2

SHA256
a16ab3bbb7adf7d4359e63495d4a0c577bcfa1cf3410431931955dc931035f2f

SHA512
a6e0cda5240ba1b0d5f3eaa5d73d064f6ed63817b8511f2061d1ec72cf2df273a3b05adc4f89e5fe1bec2864a2b9b32a0613c2691f5621dda3f0314f75bcc0a4

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
890KB

MD5
0922e414a0546b9931a100289b1bc59c

SHA1
58af1f4b19fafa4a49bc8412b3e2d9dc838dfd84

SHA256
c9d6fc2b143deeaa2b5f1e054e9a595130aa325a31594c0c5e6f07c87cc3c130

SHA512
c9ef6d9fd4eb6308723199a4a83e2955c855c570a0d8402bf0ae91be5d508d65242d66e453b8edc91fa223b5134daf433fc8dd0725baef00c2550b7775e382bb

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
890KB

MD5
018b381945021328282a3cb71d9f27be

SHA1
8215080c7f65ad33fbec5c79d612dfbfbebdd02c

SHA256
50e84e4dac209dd3632b0f5342f38c4067e4ac53e83af13073d2f996aeaf9f97

SHA512
e7cf5ddb2f89a1600f7bf7e715422fb600e1473a3552967a8866c9ba19fe400f9bcf11fd4be7592d23826da959d6ed422478faefadad6a20314b8ff8d1166b4e

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
890KB

MD5
9948b3bfad6f6956476fbeb8810ae92c

SHA1
b1a3bbb886835d72fe0976682d39f674d402ec9c

SHA256
b77186a6f5eafcdec58b64836b15dd493aee8045854f4cb98d853c4b4503738b

SHA512
429ff50ec157742afb26b03c56fd5de53e3e4afcd552debe5ddd65fec581c976bc847929df5aa7eb2732e8b751d17085309aceca283e7062357336255b96c9fc

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
890KB

MD5
1788c8577537a6bd0850e2215b4fbd27

SHA1
435dd04c1e1374d84a5a4ff195df82831599e6ca

SHA256
bc3f885df07ac3e27aecee02b006d0abaaa01d2f537b7754080ca94672c16578

SHA512
8bb7cfaeb9cdc41d8a5c3504b49edec3bc93f6493bb7cd7c3773951daefaea842b04fd49cd929c7564ba2a29491c54103b8889010dfa7138421c2fff8ff314d0

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
890KB

MD5
022f04a091fa5292675836e1f4c62d91

SHA1
6748e6490b91628663b73280df9b2275367a4185

SHA256
2cded9a1abbfb5bb720f91543a964587bb7a51bb3817b2524774ebf5315ed96b

SHA512
940ef26db91b6bfbf6fc5350c9baeb9c9df619e754b0e23db74f83b66acc1aeb30c02a1b60d04126fa072cc933d45f37793e7d2df1fb2660ed184b4929d1a0f1

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
890KB

MD5
a249632cc751259bf79e63849b8a2f71

SHA1
0489d2f2e0e9b3da5be52197aed31194b0367bf8

SHA256
7b026781c7596f878cc2a74bba4ea9cfe0aec393b557d6d99ed76f6b77e52b69

SHA512
5aa1eef13ef041b7697196bcda25ed5fe0bfb272a9fad1e5db54bffb0a77497659c30bb7b01465face2b45a0790fe31930b0ae53d94c3b890c5810d1b120cbc8

Download Submit
\Windows\SysWOW64\Anogijnb.exe

Filesize
890KB

MD5
9f4659df6ce2ab487176b1677242df78

SHA1
ad5f7b19f5e5ffacc6e0cd6f956e3754301766a0

SHA256
e707a3e460d0db7be4c20a012287201d5a0b65c21542fe3491f36989e034a40b

SHA512
94dc52cb5da59af45dc3ce49226e8f116516f386e9f37109480a39688bdb3ca6e0f38b3f13b885f9792087be0e07a47883e4155b3dbf70e2dfdb5a7f8f47a556

Download Submit
\Windows\SysWOW64\Bgdkkc32.exe

Filesize
890KB

MD5
83dd408948ce41cad0c42a484f78f4bc

SHA1
a6b98f8de9447c4d81b1a5ed050c3b3799fd5e07

SHA256
536c4a0e9cd911e3cba734fa1b1a2b8a38523bec7f8c074b64630e227ffa9318

SHA512
23c1dc2afeaafda896b9d5aec787ac2e53c1db2591ee5ef97ccdfacf483dd65be38a9cc0f3efb9a0658b5c96124f89232de5a11c7cdc7e3d89bb5cd3b1ee78ff

Download Submit
\Windows\SysWOW64\Bknjfb32.exe

Filesize
890KB

MD5
95eafe4cb70555b4c1337b37f0923148

SHA1
7785e454ddaebf388f190288e8f89a5afd893bf6

SHA256
c1b17dfc28324a0057cc247a9a76c71460aee4177b47d25212a3018427c21fe0

SHA512
0bff0c7db7dc4fa2c084538b384463da65879582a5765de08ec03fc7c3971eb92b14608749468d6acc4717afca1f5b2383c05e942465c87c46d3404a9a9d3f88

Download Submit
\Windows\SysWOW64\Ccgklc32.exe

Filesize
890KB

MD5
284ffc8a4f382e4b4344691b18e57f9b

SHA1
3673ffe813296ff7bcf458157876fb14158ed077

SHA256
d0dc66d864f4bc54f2fe9515587558ee844789628f20a0aedad0d52894897e37

SHA512
2db50e36d02fb31ba32748549b69fdaa4cf2e945937a6bb2d5658737f08b3fdaa9ce3be546677685128947575e9d9d9c0176d9c94cd6b7435976a9eb31c82853

Download Submit
\Windows\SysWOW64\Cmhjdiap.exe

Filesize
890KB

MD5
3757e68ce0f02d09f9c606d53276faa1

SHA1
600a93ec9cc99bd9666b198d8a6ad841dcdd6d1c

SHA256
0cc8b743ed343ce519df844662c1c830972e5e8bcf8fa2497a81b8635317d774

SHA512
f57ac12d2c52268e0e848f0dfd0c5efcb80c5d47dc472a340a76d0458005b9ad499e9b3e132fe77541273d9a866dfc72a9bbf1c0631eb8f471b66f35c3a1665a

Download Submit
\Windows\SysWOW64\Ejcmmp32.exe

Filesize
890KB

MD5
350dabfb65658170713fb20d711b1ae4

SHA1
a60159e7256cc56ad1cfe9ee4e45a9f200a447fd

SHA256
3c24aad2b767a2e168045c67427478d5c4acb6e66fb36a6fd0f39d4597b91b81

SHA512
34b0f662beec8efd996acdc0b2191d163b7c0837859d9dc3d49729f4da79d31277a574fed08f220613f74c79284f30327d6f35e7ab401ddda2159cea01e223a4

Download Submit
\Windows\SysWOW64\Fbegbacp.exe

Filesize
890KB

MD5
0c47ac9c2666d8ad6d6e2c6099b9a962

SHA1
efd3dda3986f4fa2b335c6efa975fdc92473970c

SHA256
53af62fcf13873a268f585076c422433a9daafc874e9e88cfded0d494c4f8512

SHA512
7ad08ea6124fdc13cc90ee63dc0aaa5a76a00867946f6edc726acd5856074dc9a02aaaf4ece78b3fe5acffda8d37aef2a9435e17b9136af6b99080e467470f24

Download Submit
\Windows\SysWOW64\Fhgifgnb.exe

Filesize
890KB

MD5
bee6b17e890dc8cfdaadb1b7d8533743

SHA1
322bd1c86a0b4a2d52f561bf344bbbff6a04c96e

SHA256
ed4d7d8eb4842303d046853e4d391c95f3176665bc10a48da6254d42cdbc9e7d

SHA512
f060828929aad9aac1df4141c7327e5bbe842846d1f01edaec54b4c7f55f680bb2ce10bba384787469a3cd028cbb41c141db420097256d4e389ef27df02087b5

Download Submit
\Windows\SysWOW64\Gaagcpdl.exe

Filesize
890KB

MD5
122c89c1d88baa91b810e0327babb453

SHA1
a939d39d1fc0cef0671c47cb4b5801a4d7f9e8a5

SHA256
45967973578e351486dba12f7bf617f6737de841034f5cdf43bdb2e896189a90

SHA512
d30b82bfe99ea2900f307210fb26f6ac925e01dbfc4d5dd3b5bac43dbeb2f69e9cb80d226e0fdc54442e32e9684bf46b6021a6112e76696acf41cf184617ab53

Download Submit
\Windows\SysWOW64\Hgnokgcc.exe

Filesize
890KB

MD5
2bae3d3d305b5a72210c2a62d7b87c2f

SHA1
028de5691211a6ca7cf0fd697200be6c08a48e2a

SHA256
c9155670cba8601e76aee8c6c73a102de56e145bd39e7e231761d83690488676

SHA512
a3d75a37da026456beb4589da53f26ada49caeb5b826b35a7443c92e404f1a02723cd952fa65b9128bc61de51fee3b60037ff1aef6c6e36c7f33ca06a5b03530

Download Submit
memory/552-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-311-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/772-312-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/884-239-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/884-235-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/884-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-222-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1064-404-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1064-81-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1064-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-80-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1064-405-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1064-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-269-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1316-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-168-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1316-167-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1696-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-24-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1768-355-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1768-356-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1768-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-249-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1780-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1908-391-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1908-66-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1908-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-301-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1952-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-297-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1984-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-436-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1992-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-402-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2020-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-6-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2024-286-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/2024-290-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/2024-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-417-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2044-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-96-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2044-424-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2044-91-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2044-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-198-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2096-197-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2096-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-333-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2444-319-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2444-323-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2444-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-125-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2504-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-412-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2520-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-392-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2644-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-48-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2644-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-379-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2644-386-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2668-340-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2668-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-363-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2680-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-33-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2716-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-377-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2744-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-110-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2852-111-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2852-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-429-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2852-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-212-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2976-178-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2976-183-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2976-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-148-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3024-153-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3028-279-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3028-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads