berbew | 3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
Size

93KB
MD5

90d2d82522f537c4af0e626c39b0fa44
SHA1

1e32307d86ed51d8ec23aeedb69178258f629a6f
SHA256

3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec
SHA512

5f13bffa0bbbf218a1b6f2cf625a6dba4c3d68f95271e8d5d8026f446dfb5ca11111dcbc54890a19a1eb9293ad34f847a33c39c52b9b8caa5a1f3483d6876b38
SSDEEP

1536:mzMsGgLXi8e5hR/mLO89aMizWNIb4sOAZF90vyzWmYFRQaRRs3cO57OWxXPu4n61:mBchl2o1zWNIcjUFNSmYFeaE9pui6yYN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hklhae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igceej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhicbao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioeclg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkmmlgik.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2764	Hadcipbi.exe
2664	Hklhae32.exe
2772	Hmmdin32.exe
1584	Hffibceh.exe
1636	Hnmacpfj.exe
1040	Hcjilgdb.exe
2160	Hfhfhbce.exe
2844	Hifbdnbi.exe
332	Hoqjqhjf.exe
1976	Hiioin32.exe
1404	Hmdkjmip.exe
552	Ifmocb32.exe
2180	Iikkon32.exe
2340	Ioeclg32.exe
2164	Iebldo32.exe
916	Iogpag32.exe
3016	Ibfmmb32.exe
1648	Igceej32.exe
3008	Ijaaae32.exe
1764	Inmmbc32.exe
1724	Ibhicbao.exe
2436	Icifjk32.exe
2964	Ijcngenj.exe
1752	Iamfdo32.exe
1396	Iclbpj32.exe
1608	Jggoqimd.exe
2568	Jmdgipkk.exe
2556	Jfmkbebl.exe
2536	Jjhgbd32.exe
2144	Jmfcop32.exe
2912	Jfohgepi.exe
2124	Jfaeme32.exe
1672	Jmkmjoec.exe
2240	Jpjifjdg.exe
540	Jibnop32.exe
2592	Jplfkjbd.exe
2220	Keioca32.exe
2168	Kbmome32.exe
2336	Kdnkdmec.exe
2172	Khjgel32.exe
1284	Kocpbfei.exe
1384	Khldkllj.exe
716	Koflgf32.exe
2256	Koflgf32.exe
1640	Kadica32.exe
2856	Kkmmlgik.exe
2400	Kmkihbho.exe
1540	Kageia32.exe
2076	Kdeaelok.exe
2660	Kgcnahoo.exe
2348	Libjncnc.exe
2528	Lplbjm32.exe
2608	Ldgnklmi.exe
2384	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
2764	Hadcipbi.exe
2764	Hadcipbi.exe
2664	Hklhae32.exe
2664	Hklhae32.exe
2772	Hmmdin32.exe
2772	Hmmdin32.exe
1584	Hffibceh.exe
1584	Hffibceh.exe
1636	Hnmacpfj.exe
1636	Hnmacpfj.exe
1040	Hcjilgdb.exe
1040	Hcjilgdb.exe
2160	Hfhfhbce.exe
2160	Hfhfhbce.exe
2844	Hifbdnbi.exe
2844	Hifbdnbi.exe
332	Hoqjqhjf.exe
332	Hoqjqhjf.exe
1976	Hiioin32.exe
1976	Hiioin32.exe
1404	Hmdkjmip.exe
1404	Hmdkjmip.exe
552	Ifmocb32.exe
552	Ifmocb32.exe
2180	Iikkon32.exe
2180	Iikkon32.exe
2340	Ioeclg32.exe
2340	Ioeclg32.exe
2164	Iebldo32.exe
2164	Iebldo32.exe
916	Iogpag32.exe
916	Iogpag32.exe
3016	Ibfmmb32.exe
3016	Ibfmmb32.exe
1648	Igceej32.exe
1648	Igceej32.exe
3008	Ijaaae32.exe
3008	Ijaaae32.exe
1764	Inmmbc32.exe
1764	Inmmbc32.exe
1724	Ibhicbao.exe
1724	Ibhicbao.exe
2436	Icifjk32.exe
2436	Icifjk32.exe
2964	Ijcngenj.exe
2964	Ijcngenj.exe
1752	Iamfdo32.exe
1752	Iamfdo32.exe
1396	Iclbpj32.exe
1396	Iclbpj32.exe
1608	Jggoqimd.exe
1608	Jggoqimd.exe
2568	Jmdgipkk.exe
2568	Jmdgipkk.exe
2556	Jfmkbebl.exe
2556	Jfmkbebl.exe
2536	Jjhgbd32.exe
2536	Jjhgbd32.exe
2144	Jmfcop32.exe
2144	Jmfcop32.exe
2912	Jfohgepi.exe
2912	Jfohgepi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfhfhbce.exe	Hcjilgdb.exe
File created	C:\Windows\SysWOW64\Ijcngenj.exe	Icifjk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfmmb32.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkmjoec.exe	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kqacnpdp.dll	Hffibceh.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Icifjk32.exe	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Gkddco32.dll	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Aibijk32.dll	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	Hfhfhbce.exe
File created	C:\Windows\SysWOW64\Qhehaf32.dll	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Keppajog.dll	Iclbpj32.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Hmmdin32.exe	Hklhae32.exe
File created	C:\Windows\SysWOW64\Ifblipqh.dll	Iikkon32.exe
File created	C:\Windows\SysWOW64\Faphfl32.dll	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Hiioin32.exe	Hoqjqhjf.exe
File created	C:\Windows\SysWOW64\Lpfhdddb.dll	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Ibfmmb32.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Jmkmjoec.exe	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Hnmacpfj.exe	Hffibceh.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Inmmbc32.exe
File opened for modification	C:\Windows\SysWOW64\Iclbpj32.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Icifjk32.exe	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Jmdgipkk.exe	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Icifjk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jfaeme32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Bgcmiq32.dll	Ibfmmb32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Hcjilgdb.exe	Hnmacpfj.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	Hfhfhbce.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	2384	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioeclg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inmmbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhfhbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffibceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmacpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjilgdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadcipbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoqjqhjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklhae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqacnpdp.dll"	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhafee.dll"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hffibceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caejbmia.dll"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hklhae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Lplbjm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2764	2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe	30
PID 2636 wrote to memory of 2764	2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe	30
PID 2636 wrote to memory of 2764	2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe	30
PID 2636 wrote to memory of 2764	2636	3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe	30
PID 2764 wrote to memory of 2664	2764	Hadcipbi.exe	31
PID 2764 wrote to memory of 2664	2764	Hadcipbi.exe	31
PID 2764 wrote to memory of 2664	2764	Hadcipbi.exe	31
PID 2764 wrote to memory of 2664	2764	Hadcipbi.exe	31
PID 2664 wrote to memory of 2772	2664	Hklhae32.exe	32
PID 2664 wrote to memory of 2772	2664	Hklhae32.exe	32
PID 2664 wrote to memory of 2772	2664	Hklhae32.exe	32
PID 2664 wrote to memory of 2772	2664	Hklhae32.exe	32
PID 2772 wrote to memory of 1584	2772	Hmmdin32.exe	33
PID 2772 wrote to memory of 1584	2772	Hmmdin32.exe	33
PID 2772 wrote to memory of 1584	2772	Hmmdin32.exe	33
PID 2772 wrote to memory of 1584	2772	Hmmdin32.exe	33
PID 1584 wrote to memory of 1636	1584	Hffibceh.exe	34
PID 1584 wrote to memory of 1636	1584	Hffibceh.exe	34
PID 1584 wrote to memory of 1636	1584	Hffibceh.exe	34
PID 1584 wrote to memory of 1636	1584	Hffibceh.exe	34
PID 1636 wrote to memory of 1040	1636	Hnmacpfj.exe	35
PID 1636 wrote to memory of 1040	1636	Hnmacpfj.exe	35
PID 1636 wrote to memory of 1040	1636	Hnmacpfj.exe	35
PID 1636 wrote to memory of 1040	1636	Hnmacpfj.exe	35
PID 1040 wrote to memory of 2160	1040	Hcjilgdb.exe	36
PID 1040 wrote to memory of 2160	1040	Hcjilgdb.exe	36
PID 1040 wrote to memory of 2160	1040	Hcjilgdb.exe	36
PID 1040 wrote to memory of 2160	1040	Hcjilgdb.exe	36
PID 2160 wrote to memory of 2844	2160	Hfhfhbce.exe	37
PID 2160 wrote to memory of 2844	2160	Hfhfhbce.exe	37
PID 2160 wrote to memory of 2844	2160	Hfhfhbce.exe	37
PID 2160 wrote to memory of 2844	2160	Hfhfhbce.exe	37
PID 2844 wrote to memory of 332	2844	Hifbdnbi.exe	38
PID 2844 wrote to memory of 332	2844	Hifbdnbi.exe	38
PID 2844 wrote to memory of 332	2844	Hifbdnbi.exe	38
PID 2844 wrote to memory of 332	2844	Hifbdnbi.exe	38
PID 332 wrote to memory of 1976	332	Hoqjqhjf.exe	39
PID 332 wrote to memory of 1976	332	Hoqjqhjf.exe	39
PID 332 wrote to memory of 1976	332	Hoqjqhjf.exe	39
PID 332 wrote to memory of 1976	332	Hoqjqhjf.exe	39
PID 1976 wrote to memory of 1404	1976	Hiioin32.exe	40
PID 1976 wrote to memory of 1404	1976	Hiioin32.exe	40
PID 1976 wrote to memory of 1404	1976	Hiioin32.exe	40
PID 1976 wrote to memory of 1404	1976	Hiioin32.exe	40
PID 1404 wrote to memory of 552	1404	Hmdkjmip.exe	41
PID 1404 wrote to memory of 552	1404	Hmdkjmip.exe	41
PID 1404 wrote to memory of 552	1404	Hmdkjmip.exe	41
PID 1404 wrote to memory of 552	1404	Hmdkjmip.exe	41
PID 552 wrote to memory of 2180	552	Ifmocb32.exe	42
PID 552 wrote to memory of 2180	552	Ifmocb32.exe	42
PID 552 wrote to memory of 2180	552	Ifmocb32.exe	42
PID 552 wrote to memory of 2180	552	Ifmocb32.exe	42
PID 2180 wrote to memory of 2340	2180	Iikkon32.exe	43
PID 2180 wrote to memory of 2340	2180	Iikkon32.exe	43
PID 2180 wrote to memory of 2340	2180	Iikkon32.exe	43
PID 2180 wrote to memory of 2340	2180	Iikkon32.exe	43
PID 2340 wrote to memory of 2164	2340	Ioeclg32.exe	44
PID 2340 wrote to memory of 2164	2340	Ioeclg32.exe	44
PID 2340 wrote to memory of 2164	2340	Ioeclg32.exe	44
PID 2340 wrote to memory of 2164	2340	Ioeclg32.exe	44
PID 2164 wrote to memory of 916	2164	Iebldo32.exe	45
PID 2164 wrote to memory of 916	2164	Iebldo32.exe	45
PID 2164 wrote to memory of 916	2164	Iebldo32.exe	45
PID 2164 wrote to memory of 916	2164	Iebldo32.exe	45

C:\Users\Admin\AppData\Local\Temp\3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe
"C:\Users\Admin\AppData\Local\Temp\3c7855629f3aa289c4667c3f8d587550e339c6268c1065b43a7c6080631ff9ec.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\Hadcipbi.exe
  C:\Windows\system32\Hadcipbi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Hklhae32.exe
    C:\Windows\system32\Hklhae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\Hmmdin32.exe
      C:\Windows\system32\Hmmdin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Hffibceh.exe
        
        C:\Windows\system32\Hffibceh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\SysWOW64\Hnmacpfj.exe
        
        C:\Windows\system32\Hnmacpfj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Hcjilgdb.exe
        
        C:\Windows\system32\Hcjilgdb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Hfhfhbce.exe
        
        C:\Windows\system32\Hfhfhbce.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Hoqjqhjf.exe
        
        C:\Windows\system32\Hoqjqhjf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hmdkjmip.exe
        
        C:\Windows\system32\Hmdkjmip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ioeclg32.exe
        
        C:\Windows\system32\Ioeclg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Igceej32.exe
        
        C:\Windows\system32\Igceej32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Inmmbc32.exe
        
        C:\Windows\system32\Inmmbc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 140
        56⤵
        Program crash
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hmmdin32.exe

Filesize
93KB

MD5
0a6a456096eb7e4f0921e85fd2179366

SHA1
cd580ae09da321fca0d8c2541b5d38ee34cec521

SHA256
aac83f34b38d71408237736396f51f47ce451ed65536317c24c4fe8c8ac7f9be

SHA512
7c2255b6fc7b82a27941b2b18dfb6ae8818c48cea3fd244b6ed4f35a131faf135c68da2d97a1b29643fe99cb9499456c627ea0f2cf96146872f730633c80ecaf

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
93KB

MD5
277a57a1e7ca602c1ed036723d9486bf

SHA1
1f9b09ac8049a8f4dda169a387cda1be93c20f27

SHA256
cdef32678316eedf7a090a36a71294e0ef3e199bcb08d12e53f228dbea6e7034

SHA512
b80e6d76664a05ac9d1a0ecc967d0922986bd745d75d92099a62f5f2af87c0bd7eddee2195df25cd9172b839b3fe4603a236f6ef1f27689ee15619c0192a7fa5

Download Submit
C:\Windows\SysWOW64\Ibfmmb32.exe

Filesize
93KB

MD5
c1459a10188dfd2a56d640891026cb31

SHA1
157ad061b65ceb77715eae5840208e90c7bcae7a

SHA256
19bb87ecd10c0018f6ba1a4ce5e80e85f5fe013b5b805105f43733a33a286049

SHA512
0aef975ae4e69ca7d4633f7990e6d75ae651cd7a2b7e655b38df68ff8c221ee7b9770c4f90d39be6ef54880145ad07a2105e41054419e474877038b531b2b967

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
93KB

MD5
ede50ef17744c30586167d9e4308e23c

SHA1
224c750543b5eba54c2b1bca820dac52d0242954

SHA256
8b034636b5931c8e9c86f289cd485b8c62daca442b75bd381372a4c18918e26e

SHA512
cd29cd4eb7ce4e43438d261ac5178cc552495015b6b12d899dec96ead3897710d60135b25d8f67b75ea9db312fa41a33d07a23ebdb4e2e9817477fa789b10d05

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
93KB

MD5
f00d6319b81d1bc8a4988aa8645ee82b

SHA1
b8481801ca627a81eef1259d114765354234a04c

SHA256
7b16f4cff7735cb0ed94c2a85a13bf975f63884a01b2efc474ce300df6bf19b9

SHA512
eec69f15c7eea74cb081512255d80a8c095e84de14a29b587d255e211c78a74854f06ed32ee13bdce6b943079a2678295dcf41e2683e4ec1f805164ffc5d6d5c

Download Submit
C:\Windows\SysWOW64\Iclbpj32.exe

Filesize
93KB

MD5
76d6bfb296efc7f015129df138db1682

SHA1
ace928a84c997402c574e789a95f68e7dc4b16da

SHA256
7a365accc012c0f9f3be2794a644395e196bcb383075cd8628f18d1a919df58b

SHA512
b622ddf87bb0d1cc1cc6e34707cb7e40f175fb8eafa358f79a09da0ac58ef031db04fe8d472c8ea76e88db02f25cc5cd773b9ec5eff231f00394e449f213df59

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
93KB

MD5
4d557a81240da35a17f51926cea255b7

SHA1
6ab8ba33fc93701eb34ecf642b712955c96ca1e0

SHA256
fffac5c4a405af627d0f80eae69c4a390207f33181bca710087d18cf9121a7a2

SHA512
f1710867b7b844289b67e1c4032e0ecbec7c57c390c64393eb7ea38624722182df922a9eff36fbe70e821cd3263f065006248546ee2cad6f86b70e9a91cef53b

Download Submit
C:\Windows\SysWOW64\Igceej32.exe

Filesize
93KB

MD5
158895463e3bcbd844b737c701e392c9

SHA1
07d6535053d4f18fe2dcf860d7bb644d0d801701

SHA256
0032310f4735785a23904dc66a2cc21dbd11e2c73a7107bb0b0b210a1043db36

SHA512
de03f4e546c05e1bd0468c163dc31df6c4dfdd633b39cb496a61d8e205b0af552ee4b1133bb87c8de4993e73eb47efdd6739a5b6bb63a9912400c688a8fe9c17

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
93KB

MD5
c35fa96f6265fc4aaa3cdca0ebebb57b

SHA1
a98325359c10837cec63ffac0dc7dba38db62d3f

SHA256
d219e2fb20c6a4def2bcc1b1e295add70358cc5ffa01e48d8e33bd964f04c64c

SHA512
b39edd43d06196b8bbe68589645b37b8a41e3c92ce42635282546c83a125cbb85e816f4de18685af06a6b8ab19e16c7309aa6a3098a21944f1fb79a538d62915

Download Submit
C:\Windows\SysWOW64\Ijaaae32.exe

Filesize
93KB

MD5
3e3513f7ebc0b923452bd5190718eb49

SHA1
313b3583bfd5e94afe1120522cb1a096d9d0c11a

SHA256
c48cec6127582fbb626958add79de7d86769ff411da52f95137390d806621bd1

SHA512
a89680031a7375fd4aae1809d1172a8407a857d52a5a09d5195f672700bedbafc53c6e775f7df9e4b4fa26c94e657c1aafa6f5f3363e56985086f17da6e1bb01

Download Submit
C:\Windows\SysWOW64\Ijcngenj.exe

Filesize
93KB

MD5
ab533b0bc9cb4ee676aeeafa5e5e8057

SHA1
cf807ab4d1334184d562c4b5ffcdee94eb9c8573

SHA256
c8794786df9f98793a6816801377809b49d7e5d68e740ba7964eb5f5ded054fd

SHA512
65e8c9ba3bcecc1c731c8dbe0e91906fa931c0fc581ddbdaedea632a63e244f697ee4262e85cefbd495f4ba706d3a53e01b6b66acd8e3038cc8e5d9bde1d1f24

Download Submit
C:\Windows\SysWOW64\Inmmbc32.exe

Filesize
93KB

MD5
202547ba2704bd1d8969f76e1b902064

SHA1
c24df4eb7477fcc7632b4512090cc3f4a611fa16

SHA256
b7c091028cf87bbb80a49de73a17d5fa355994d17e1b15b2cac9153693694d91

SHA512
4858214fb9a1b188a54b2e39911f86e7bdd78c25535c65583f68b4645229c978ffb0adf0ec919b4827614cf5b555a6a6bec839fd518d305cf992ea37591a2b0e

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
93KB

MD5
19717a314843cd1aba15254c6b0da2e1

SHA1
4b000e5ca0fec3a6caecc98560641233daa4c96b

SHA256
825dc90c563252cd83ccc13f3adf0fd6a39376b1507d2cc9f0d4ab0e7544b3c2

SHA512
b40efa212705a22dd349daadc4bd5c822956f48d2c7f83931f2c911ca9c51807640ca0a9271bfb12671c5cc686d30a56ea274e2c32b2ee10012ac1659ba5e8d5

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
93KB

MD5
1cb074be0ba4d2606667066ca610b87e

SHA1
693152aa1d5ef93b5e79d73a6b82bf7174eca32b

SHA256
24512d34e72bafd1abf3dfce563fdcdfe3339eb9bb88a8e7a3d1ef238dc3b9d7

SHA512
34242f03c48bb48c50db17abede0050eb8368f3657804ba6bfe40c969fc51ef1889c274ada2ce5ad144d6b760b8364a7a71e449cd6c6c089fbd0df202b290e24

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
93KB

MD5
1da9b7cee49a0089f0130325b337c4d0

SHA1
7ed7a07154ec3cea00e93dab55889f2cb1885474

SHA256
afc27854ff24238ee25462b52f0e04fd916454a12c91026b0fcd46ff58a775ac

SHA512
99c74928c2d0536fa416a182e40cb0ff18e6f4112926f3ca2bce581cabc540afece408b3350d92e2fc2475ac82e9f2871ef8791eded19151c776dc114f953b5b

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
93KB

MD5
7517f648ec4399a6dce2ec3e16530172

SHA1
61cffd60d023851f110312e60e38fb3ce93cc71a

SHA256
d82793ad6328d30c46949f798fe81756bdc1fbe59fe3ee71dae0790786de762f

SHA512
2ef7b6854ffb4d543b74c554dc643f8a548f10973abd95e3a4e931849b3c6f6b85c105566ad9cdeb30d4f161f2743810c24f23990c5f907c7e274cc83778e0bd

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
93KB

MD5
f126ecc75150d7be385be05561ed60ab

SHA1
b0e658f7df8d305e251d167505c61ffc62af8ea7

SHA256
80290f7e84c932ff72d39a3486f09a66f2a1e35cb67984a8279c6797722450e6

SHA512
068773f9270b55fd14c84ca9d4e9779da6c0bf3bd7b4058e348642701042c1c09796eb9cf6ac3bc647a006a386bbd069c11c954e8c5c81b9fdc08d8a6a7732e7

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
93KB

MD5
18da9a47bdeea987fafc908ae596928e

SHA1
212842044f31549be661026dabb7d37e6b31d282

SHA256
ae1c526488356f624a9f6d1cc4c3da665b83fe4a723402baca6161aab063ee11

SHA512
c5e4c28971fea3c12445e2b8c67595d2073e11a2a1be531acae8d0ca2b67a7b76295c306457b1ffc9e845692912e36bd87695fccde2b16b47ba229b76709720d

Download Submit
C:\Windows\SysWOW64\Jmdgipkk.exe

Filesize
93KB

MD5
986c287cd19bc9595b2d2c370126ca0c

SHA1
24d3628b874d4abfbe948a54c946b0cbe6f7b097

SHA256
620effd888a7b3391ff1807a2807c7f64543f7e0d9ee0459f6b19e236d8a5400

SHA512
08bf4e437f478e96dbbefb89f9b68851a560a157ff6e905c93ba8e9355107ad276165afe47bb52adc738b0ee699d8fbc40202aa7d77959124893e4611a99ac36

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
93KB

MD5
d5aa3cc60631cca6bb20527763a5ac52

SHA1
0642f77f4671e50e7ecd15b64740ce9c71def6f2

SHA256
4b5644ed674a2cb242d5f7b549c1543bed6a279aa3afabbb0e3cb84ce265ff60

SHA512
a39000648b77addeb2adb179ca5c914cbcab89be9c3cc5782bc9108c0b3e26c7f060ef4b4f21b4d0a89893869ef87c26a3b62bf99f7f62bd22e3b429bed16d3f

Download Submit
C:\Windows\SysWOW64\Jmkmjoec.exe

Filesize
93KB

MD5
0e533dfebd2186344d754ed6794b25de

SHA1
b6218db58482c1f4db4daa97882a9ecdc36a6821

SHA256
0a671a342aa36ab03f8dfe4d000d42ac2c52b7b16a1ede7f50a357eefdf3a480

SHA512
2a14fff38a99fc19820846522103cca91a3a8c250153919d772c0e441438931c32925806ecdc067e25b754f86bb2ee4e601c0b28348e05a1c0e906005f16d1d8

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
93KB

MD5
fe5cf4de6fcb89c7aa4574c7f78b1055

SHA1
bb86d0045eba21f52c9ce2422a628b930a83a4ce

SHA256
4e902af8380677c95b000314c1182251f9fa4556e26735d5248d13cea5690eb6

SHA512
a39b60f9aed0669b301ae1d1be9aefa3b461cc87705d843a2ad543097a244d43c33d5e693ef4a4ad43d6a69cd31e77cc3fe0de2161e2b2fa11f19b348457f75f

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
93KB

MD5
51461ce99d2b2e9ae62f6b15173ae723

SHA1
0ec6afe59e04e3d03133d2e9db13ca799b5b057f

SHA256
5e4dd6d70e3afa0909ee15f50d9502478d933d91b72f96484dc57e0fdde014c8

SHA512
81c0d984470524a1e42006aa76da842e1e10d81f8006b25645855ca164e62034b52c8d4821d877131b07b5ffe09035a71557c4fd239939145f0f4ee1e05bb0d2

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
93KB

MD5
e777deb598b21ce8a5bfa6de5479b2eb

SHA1
6de2f92e79ec1b853856b543f7941186bddd581a

SHA256
bfd7dd2ba00e6ae1f1f5baa0a72aeee0c212441be4390e50ed112cd3463c402d

SHA512
2b9dfd2a786c363b32954e0aacd1538926206197238bbdbce3de49f7bfe3468074e7701e8f9694861cdabd556cf1d43da76728fc4a160a1093fcebeb14c42151

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
93KB

MD5
d45065e6b6cf5742e539586733ed79c0

SHA1
ada9eea4fe1da02cfb9609f123c6056b199f6b2a

SHA256
fc463213cba230228360fcaae113146ebb3649801ef2223ffe5b52903ae664bc

SHA512
f5f2db2102fbcc512295fe1533779b1093a80a43894e50e8e527b01d1ab58e2c97449fd06b2d706395867a1ef1800d5fb626503ec68a206ed1d680361c5f8f55

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
93KB

MD5
fba03d03076a12f81837bb15ad2483ff

SHA1
c0722463cb4d52525025f3069e4f8db3cac8b3f0

SHA256
3eba4ca10bbff8093429f92284f567f351e670ee4250811c58ee9ce9c2d9af1c

SHA512
bde9cece25f0d9bb76d71a4e077fa0cdaf3f51475688ca0427ba504e0c1d4e37f499e6e4084d7d98206ac11338fe346f4ce3409ddf2537900f63c005df6c9d79

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
93KB

MD5
e14da1437ef625a23c13f3bf52fcb116

SHA1
50cebd7439a9c8120a1d08298aa1a2f240244219

SHA256
d55a7a00b4b6d784fbbac17ff4d1f387060ab4feee827f374f5f73eb2d651e07

SHA512
b08befb37a472ac63b1b24342715fdccaa86cb1f0dc97444abb6ee645dc373bda8a3be6cb61ca979f7cc8c0906ede33ce5ca22141b1985d5ff1a14264c1c0838

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
93KB

MD5
31ded565c0a02e9eab85267923c6e72c

SHA1
f17636d5f22531a2e4ba4447951e34aebe81779c

SHA256
de113016c50484b9349b7ded46431f063be8b764943c83b6274091fb8cf1f99a

SHA512
f839734676cfbde207d9f656dcf4efd8db8dfef95679cbf7811d645d28fc10233ce7d63bf14d4c516fa9a0bffb129c5b8acf5d8f39757a4fa014eff732ed52b8

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
93KB

MD5
1a504d4acc7d3ed3d0fbdb4dac149701

SHA1
f005a2229fb3bcd089bd4210df1bb13b1169e62b

SHA256
94cba70c0cc4560f5fec82807f37ca625383c7a48f4947306a648c8da95ea4fc

SHA512
694fdc9965b145f335532ba6ce1075a60610f5feb8daeb7669dfff8f2e41949f4e2c7baeb84d1139b40d14f889bd71d894c91cc3eb3dec124e174a863fa43231

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
93KB

MD5
642d7fa58b146c1f32e28f812d057fe1

SHA1
803166c3e34ca1f7e84dac2eb89ecc9aa37a7214

SHA256
24ca4103ceb29044b108266a2ef5ebb8df1d408bd772fa22e2f8add8e9b254b8

SHA512
9e36ba3bc9589b40b3519c37eced945d42a2bf06e4fcf24305250dc5e60c4f0e70aaac51027e0dc24a809c40a84ff32f859013e6c03e9223d4d97b12941b107a

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
93KB

MD5
132898196ba8824487f43336cb29f618

SHA1
310ef2217b5bcb8f76b55289c335cbdff6468942

SHA256
f704f43c39e197999da05e8d8cc79d13a347be3848d9854efd42a314bbfaba0f

SHA512
fc2c977269e5fe7b3d20e40f54ade1e589572f51b43e3529dae46c6ce963bf0f696923ae5b7a793dca0b5087b8e92c85a565117562700926cd00530597fb661b

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
93KB

MD5
3a1276242af9e890b62b2c838af356fc

SHA1
4cd67b16f77bebff23a0575e15e545acca68a76c

SHA256
2d2c051dacf472b8fb2f19c465b95e5f117f014d1f8693515c8446eaf5b31ed4

SHA512
1723ac6016d306ef1df9ece6233a4e1ac42df70dfc841d96cb04bca92b3f46263be76f010b5394a1952640b0baf7f7565ef77406cc7bc4c8c09c06fc6328b41a

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
93KB

MD5
ea5f360b7ded830def3945bd0f7d9847

SHA1
e11bcc572b57202b82d0a4cf2cfcf105735ddb25

SHA256
3c620f1e83721fcb0a10d84ee061ef55eef8b3763e830cf78a51beb04ed6222b

SHA512
15660fe16d862e3acb4477ba0ebfaff2d60e71062d26326cf6b2a3045dcdd1b315fe365f63ba0d61334859040b2aed5f824a480748d475939cd4bb92c23aaffe

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
93KB

MD5
90987fe4f8f0cb69c2adf9a4e2ddb3c1

SHA1
ae1e9cf85e3e84d26e9cc0bbafd21153bfbb9b05

SHA256
a967f8593458e95b5bd6c2cca2e2b547b13a01c513d123301374d6d1f6385f17

SHA512
46d8d4fcfc9ec463f89e680ac8cbf7ebfb2fd66631245cf05267244f3bfcd2c46375545d046d130bd6b22384d88cbcc4aa7837f7dc42e04797a8411668a5bf60

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
93KB

MD5
c46551294db3317a49a0c040dff53548

SHA1
3a9277a4cba2bae1df2a62702ecd07e6709e69d2

SHA256
81aeaaa9e8203b4eeb4bdbfc2d40374f4760b6768621e44b68589450d22d4ad5

SHA512
8174942c0ccaaea28c0aca0c53b36f934dc93755117921cf4190758b035a6f35957ec10b76fa5d2d68267fab8bf30d353ca15dfba13cfb841fcf6d5210937af5

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
93KB

MD5
4c2e6142b2b84aea88d6100fc2c6a8ae

SHA1
47e19eb763fbeb1c5433b6804019ebb0fb7cb292

SHA256
796fbc21f9c6938243a4b976d72bd10202b01035d2bdaae56da5813b3567640c

SHA512
bad5d931a520964584dff88b2f2c52060255c1329018af8420f516d4edd2b2e8e6d0b17366e7c6069816f142eead4ad5a7bb5d8d828e4ea002b9f5cc84197280

Download Submit
C:\Windows\SysWOW64\Kqacnpdp.dll

Filesize
7KB

MD5
32adcf7533701122e289e5301d9b1014

SHA1
9819a60d08f4377b1fe4c56da3a27e38bb0fb3ea

SHA256
f7496228196c5e39dee6a98c016cb3d3df8cce3ae166a434890bb8a4916879c1

SHA512
52567ee559ada4476a961e3b83bdff896197d91e5656c7149af751fb2e674344f9eda8c2412a58e6cf44afb92c4c48e3bce84376536a2a63210c2d063cd6808b

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
93KB

MD5
d900a1f8d32b1286f96ea9aed6c5f9cb

SHA1
223f75b0106bdb9eaaf37c2d158e26d601d57a59

SHA256
3cd79c9051e38bfe15e54f930b250df6a6de7634970e2b4509738d2beb2f32d1

SHA512
4f9f63ce7ed0574868e0c6d6493163f3961c3d18a419c2395e7395fb2e34d23af7d79eb7331e0b82c5804842762b869b2504f8ae23e1a73606dfae47017ca144

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
93KB

MD5
598ae20abd91caf6883be63cabda7025

SHA1
4cc1f356240ac5b8bc0cce478801923000a9abb9

SHA256
658aa43d5075a0f2515e191ba9791591b681949f42c069a59e449efda82d910f

SHA512
9a6056e14295b4b8e17fa9c6ab79e5d701fe6202f52504e0b5ccc5ff76c55544513b93afff90a675137d37318619cfc435b8cb185cc86fd7317bb6493094bf5c

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
93KB

MD5
8941b487700a30f84ed70ff2dc2c51b6

SHA1
e1d89c936c38e5842a3ff3426a38a79c45edc37a

SHA256
ffbcec2ba388b925d7fed9b7ea93c3f3705a4c0a8fb8c3e13f7750bf38be38d4

SHA512
942523661b3a369450291aaabc6bcd0c98435918c81f3b945de3e003ce490248df6e1d046973744fe96d68e22f2d3292eb331855643ae61022e56bd84b326a05

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
93KB

MD5
e867c9d7cb830366d00e3ae8dbee4779

SHA1
6e3e57e49ce40f45bd7a2df2c9719079b0a2faef

SHA256
fdd3bbe16af15c7b9524f4e347ab1748f1a42a3b6afbb00dd4157d25f8f5de7c

SHA512
f0aa9ec7864c852b64c0c62eca4e7195f70b4647dd43acd2932e171a18b377411102276c2cb058f301a0f6ab5bc9ac28ecd7839d5ad3f2c1f8337d876a8b01cf

Download Submit
\Windows\SysWOW64\Hadcipbi.exe

Filesize
93KB

MD5
b5ff29ef1711ee928616b07d47685414

SHA1
20d519d6cc870f98da3d6c1d91f4787afb552b50

SHA256
17714972cd531ae667135bb9553986cee71e2970371332ad8aeb499864c2c128

SHA512
d27d46d4f0ffb0afea868cb14a46c6ce7beb882b52bfcd07db5570a07c2e72b519a9836b97c2d46be685a747b2743fe015fc369059d2f00330349aef39f722e2

Download Submit
\Windows\SysWOW64\Hcjilgdb.exe

Filesize
93KB

MD5
6852cd6f94d9313cc5e1fe5135803765

SHA1
93ff62da171213e766c246bbb2299e2689df0bff

SHA256
a476f05e4efd280f7032e812f6903e6e83b0b2d1478f4221f1ef3465fd212d66

SHA512
7d7309ebfa4d58b64d7fafab3f9ff1bc62d396f551adb9ba6cb662fb3fe9186f727e5e7038e608bbb9ca7eaf0b328113a87d7628740779e709b892cc6f3558c2

Download Submit
\Windows\SysWOW64\Hffibceh.exe

Filesize
93KB

MD5
9c4dc6636dea6420898d054f6adb0ea8

SHA1
da47506310b2dd4fe0467b345cde37b78b8ce7c1

SHA256
4894f7bad55a6e9a19cff6c8306d24617aedbc03a7cce9a3d8e7748d6e1d2678

SHA512
c4b385f561c2526fce008bde5a653208c91a25bfe4c70aea801ffd2a157493c6211542476f0a53f2e9211cd1db3cc8c8543e01960139175f8bc54db2fd8120d0

Download Submit
\Windows\SysWOW64\Hfhfhbce.exe

Filesize
93KB

MD5
50bd9c4a1d0cf6b954d225c39fea8cd2

SHA1
69d6aa971ff1b86df7c7bd3582788750cec01be7

SHA256
a34802900817b7508f1d9a9d29fdf5ce7f420f307ed79036a22b9f0498c76cd8

SHA512
9c8760d7237d25683c13647530c76090f70135e58dbd2bf2ca9d6bd76b8687f2a1dbc5492d8dcbda12d8ef03f27b45e918523823cdbde6f1bb0987681b27c543

Download Submit
\Windows\SysWOW64\Hifbdnbi.exe

Filesize
93KB

MD5
c8b3148ddae3a337949a2049fed60279

SHA1
c8ce80f666c1921e467deb3d626761bb8cf20acc

SHA256
c0c82df93986d3daf6f060bbaf966cfb0ded16987b9587b3947a102ff80affe8

SHA512
9c7cc725913d461cd9929b0c5ece20760ebab11540fedf21b06ef411c3014683608b9f0c0bcd02a3963fd60daac27b2a99e0ac6c0ba90ee919310b6d74bafaaa

Download Submit
\Windows\SysWOW64\Hiioin32.exe

Filesize
93KB

MD5
21c359cf89a581bc2058017db86b1af4

SHA1
b3634fac7dcd8717d95b0c1977cb0338c2e8ea6c

SHA256
1b69e7ad8656069b4212a29ee46ff9b6424785d7696f4677d4e7a2e909df479f

SHA512
ab3d973f0c2f6fbdbd841eb016412777b3eff502b5030cf6c3bbc69ad3a7c5a418c93ecaf4fad151b83b21ed6ba8b079874342520d135300837ee44083cbf5ca

Download Submit
\Windows\SysWOW64\Hklhae32.exe

Filesize
93KB

MD5
a0922e7726f2cd4621b7bfdf545e6338

SHA1
985baef92fb3933085ff46623510bee9644fb5d8

SHA256
8eb9bbd93ccb1d562ea72be60487a227147fa0c82290ffed95a86e76f47c3ede

SHA512
48e41f16237f3a850314f82b67f316ca996c9403317cedbd6e86017142899e0310f9eef9107f51e131fccb1c4f4efe653ea97609e8c46f48cf906c83701352b3

Download Submit
\Windows\SysWOW64\Hmdkjmip.exe

Filesize
93KB

MD5
a96aa29393afa96956f2726ed1b83f1c

SHA1
495fe83f0dc076dc6e6e2b7039b54b639a1b879c

SHA256
4889a13effdbb5e7a3753d34bad606df56e036ce624c8820cd5b5480bff9f9d2

SHA512
e78cf6f64621ad027754bd500ec98483ba5cde51463af2cf738b08807959e0ab9c550f40fc5accb9d58d3c865d4501d38aff38136fe796291a2daac484927646

Download Submit
\Windows\SysWOW64\Hnmacpfj.exe

Filesize
93KB

MD5
44b3351d55e35d6cdea9705d786f150e

SHA1
f378d375f3dcb29fe2762c0b986d33fdb33c8463

SHA256
bf7e3bf4f91ab92404416508d87bbcb8e70ae6a659b52467893e11b7fc0de5c9

SHA512
adf6562163acedf658b0174d0df711d2ed80e13fb88d7cb6dbe22df09492cedd42098a527c785883ffbef775752ef7699fe512e1d495f4e82b186a6792880c77

Download Submit
\Windows\SysWOW64\Hoqjqhjf.exe

Filesize
93KB

MD5
97a48b0e0e3aa129ce5f944fd5fe3102

SHA1
22508b62b3dbba37f7bc153253a8ecb55b5593cb

SHA256
38235a92df17f3d8546a350568111d83f4b84296e8302da1e91b4acbfa7fa95d

SHA512
50746e0642ee4395ce00c20e74f762ced5a881c34a5e4bf5b2633df712ba3b88f3b1c84738c4e93ae8a78eb71fa54c5b27433110331456c72d840a05434b1c2d

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
93KB

MD5
5b709ec75821102896356cc8a8789a1d

SHA1
b95d9fa5533ba9612761d5d4c89f3da7a15e7b31

SHA256
d62c5f76dd5430b0a9798501cf4a97ecc904ae9df145e5ea387322adcfb867ce

SHA512
c3fdade3eb1b4047d2d8626d37b3bc02382d27c0e69670080fe97fb16341b41dfa53ef233ead4cb89743642d0232c1b9e61742fa5ad17c149e3497957fcf7381

Download Submit
\Windows\SysWOW64\Ioeclg32.exe

Filesize
93KB

MD5
43c7e727a57227ff7347a4f5041c7694

SHA1
c0dc9dd8514015d4af0710bf51577dd833f1588c

SHA256
b2039f6fae933e5cc18b14a1e2ba061a9ed126565f090fc57a319335df0588f5

SHA512
f003cc8cae6e9a4f0d907790ef36ac3963b8ef4db1c76bd359c4305daf55725fa249f766310501ae750a6217f03c3c931c51c8f6c1427c24d130c05487d9df0c

Download Submit
\Windows\SysWOW64\Iogpag32.exe

Filesize
93KB

MD5
eb94ddfb65c8292248fe68139e817e45

SHA1
79aa812dbe188e7f602a6da8a184c8d7a0e1cd61

SHA256
8da6510d5c27d9c5a7e706564dc65051a23bfffbbfb3b897bac14124715ca4c9

SHA512
64b4f3a7a894d92459ef00636e1c4fedd7344821788c699ee0f0769f15977a8cf039db8e49a2e52a2956228c4e1474ae3b610be8815ec85ece8fce8801960b8b

Download Submit
memory/332-135-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/332-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-428-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/540-429-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/552-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-94-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1040-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-488-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1384-498-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1384-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-318-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1396-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-317-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1404-162-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1404-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-66-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1584-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-326-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1608-321-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1636-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-76-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1648-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-274-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1752-303-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1752-304-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1764-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-389-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2124-390-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2124-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-368-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2160-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-107-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2160-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-216-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2164-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-477-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2172-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-184-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2180-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-446-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2220-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-413-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2240-412-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2240-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-512-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2256-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-474-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2336-475-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2340-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-362-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2536-361-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2556-347-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2556-346-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2556-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-344-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2568-343-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2592-435-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2592-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2636-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-401-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2636-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2636-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-414-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2764-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-26-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2764-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-49-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2844-122-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2844-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-378-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2912-379-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2912-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-293-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/2964-294-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/2964-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-255-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/3016-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads