berbew | 334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Size

352KB
MD5

808e310a971007781627d0dc31f6595c
SHA1

7b4f88029bb44176d4890ffc79f1270422b4a29e
SHA256

334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40
SHA512

429429050a9aa61160f5f89d8f6db3e571a765ff74cbe893c694bbf197c3ad5e3fce3e6d44a037269a6ceb037bfdaa3b284604d13963cded3d72b734aee20b1d
SSDEEP

6144:Y+MLd47gVO3pr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFf5N:prCZYE6YYBHpd0uD319ZvSntnhp352S7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfhfmhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdplmflg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfbaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifkmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flphccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipimic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcendc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbepplkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egljjmkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehbcnajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flphccbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbibli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcbjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaajfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnqbhdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfhfmhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egljjmkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggbljogc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaajfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggbljogc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Incgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcendc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Incgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdplmflg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hefibg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbepplkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hefibg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipimic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbibli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khnqbhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehbcnajn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2524	Ehbcnajn.exe
2784	Egljjmkp.exe
2916	Fcbjon32.exe
2972	Flphccbp.exe
2860	Gaajfi32.exe
2752	Ggbljogc.exe
2176	Hjfbaj32.exe
3016	Hbepplkh.exe
2588	Hefibg32.exe
1472	Incgfl32.exe
3036	Ipimic32.exe
1640	Jifkmh32.exe
1908	Jdplmflg.exe
2584	Kbjbibli.exe
2136	Kifgllbc.exe
1468	Kihcakpa.exe
2212	Khnqbhdi.exe
2652	Lcnhcdkp.exe
1536	Mnfhfmhc.exe
1096	Mcendc32.exe
1084	Moloidjl.exe
588	Nbodpo32.exe
2384	Nkhhie32.exe
2520	Ngoinfao.exe
2344	Nqijmkfm.exe
2088	Nmpkal32.exe
2880	Ofklpa32.exe
2424	Ohnemidj.exe

Loads dropped DLL 60 IoCs

pid	Process
108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
2524	Ehbcnajn.exe
2524	Ehbcnajn.exe
2784	Egljjmkp.exe
2784	Egljjmkp.exe
2916	Fcbjon32.exe
2916	Fcbjon32.exe
2972	Flphccbp.exe
2972	Flphccbp.exe
2860	Gaajfi32.exe
2860	Gaajfi32.exe
2752	Ggbljogc.exe
2752	Ggbljogc.exe
2176	Hjfbaj32.exe
2176	Hjfbaj32.exe
3016	Hbepplkh.exe
3016	Hbepplkh.exe
2588	Hefibg32.exe
2588	Hefibg32.exe
1472	Incgfl32.exe
1472	Incgfl32.exe
3036	Ipimic32.exe
3036	Ipimic32.exe
1640	Jifkmh32.exe
1640	Jifkmh32.exe
1908	Jdplmflg.exe
1908	Jdplmflg.exe
2584	Kbjbibli.exe
2584	Kbjbibli.exe
2136	Kifgllbc.exe
2136	Kifgllbc.exe
1468	Kihcakpa.exe
1468	Kihcakpa.exe
2212	Khnqbhdi.exe
2212	Khnqbhdi.exe
2652	Lcnhcdkp.exe
2652	Lcnhcdkp.exe
1536	Mnfhfmhc.exe
1536	Mnfhfmhc.exe
1096	Mcendc32.exe
1096	Mcendc32.exe
1084	Moloidjl.exe
1084	Moloidjl.exe
588	Nbodpo32.exe
588	Nbodpo32.exe
2384	Nkhhie32.exe
2384	Nkhhie32.exe
2520	Ngoinfao.exe
2520	Ngoinfao.exe
2344	Nqijmkfm.exe
2344	Nqijmkfm.exe
2088	Nmpkal32.exe
2088	Nmpkal32.exe
2880	Ofklpa32.exe
2880	Ofklpa32.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Khnqbhdi.exe	Kihcakpa.exe
File opened for modification	C:\Windows\SysWOW64\Lcnhcdkp.exe	Khnqbhdi.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Flphccbp.exe	Fcbjon32.exe
File created	C:\Windows\SysWOW64\Gaajfi32.exe	Flphccbp.exe
File created	C:\Windows\SysWOW64\Ckkmkh32.dll	Ggbljogc.exe
File created	C:\Windows\SysWOW64\Ipimic32.exe	Incgfl32.exe
File created	C:\Windows\SysWOW64\Khnqbhdi.exe	Kihcakpa.exe
File opened for modification	C:\Windows\SysWOW64\Nbodpo32.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Gdfpegkn.dll	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Dpolmb32.dll	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
File created	C:\Windows\SysWOW64\Hcdoefdh.dll	Egljjmkp.exe
File opened for modification	C:\Windows\SysWOW64\Ggbljogc.exe	Gaajfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfbaj32.exe	Ggbljogc.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	Mcendc32.exe
File created	C:\Windows\SysWOW64\Moloidjl.exe	Mcendc32.exe
File opened for modification	C:\Windows\SysWOW64\Moloidjl.exe	Mcendc32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Egljjmkp.exe	Ehbcnajn.exe
File opened for modification	C:\Windows\SysWOW64\Egljjmkp.exe	Ehbcnajn.exe
File created	C:\Windows\SysWOW64\Ggbljogc.exe	Gaajfi32.exe
File opened for modification	C:\Windows\SysWOW64\Incgfl32.exe	Hefibg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdplmflg.exe	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Ehbcnajn.exe	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
File created	C:\Windows\SysWOW64\Hoakai32.dll	Jdplmflg.exe
File created	C:\Windows\SysWOW64\Kifgllbc.exe	Kbjbibli.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Allben32.dll	Hbepplkh.exe
File created	C:\Windows\SysWOW64\Incgfl32.exe	Hefibg32.exe
File opened for modification	C:\Windows\SysWOW64\Nkhhie32.exe	Nbodpo32.exe
File created	C:\Windows\SysWOW64\Ngoinfao.exe	Nkhhie32.exe
File opened for modification	C:\Windows\SysWOW64\Ehbcnajn.exe	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
File created	C:\Windows\SysWOW64\Hefibg32.exe	Hbepplkh.exe
File created	C:\Windows\SysWOW64\Nbodpo32.exe	Moloidjl.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Ngoinfao.exe	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Fcbjon32.exe	Egljjmkp.exe
File opened for modification	C:\Windows\SysWOW64\Kihcakpa.exe	Kifgllbc.exe
File created	C:\Windows\SysWOW64\Lhjcendg.dll	Kifgllbc.exe
File created	C:\Windows\SysWOW64\Mcendc32.exe	Mnfhfmhc.exe
File created	C:\Windows\SysWOW64\Klilah32.dll	Mnfhfmhc.exe
File created	C:\Windows\SysWOW64\Jifkmh32.exe	Ipimic32.exe
File created	C:\Windows\SysWOW64\Jdplmflg.exe	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Fnnnoaop.dll	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Bhoqqojp.dll	Lcnhcdkp.exe
File opened for modification	C:\Windows\SysWOW64\Fcbjon32.exe	Egljjmkp.exe
File created	C:\Windows\SysWOW64\Niqcoabo.dll	Fcbjon32.exe
File opened for modification	C:\Windows\SysWOW64\Gaajfi32.exe	Flphccbp.exe
File created	C:\Windows\SysWOW64\Dqnkig32.dll	Hefibg32.exe
File opened for modification	C:\Windows\SysWOW64\Jifkmh32.exe	Ipimic32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfhfmhc.exe	Lcnhcdkp.exe
File created	C:\Windows\SysWOW64\Hjfbaj32.exe	Ggbljogc.exe
File created	C:\Windows\SysWOW64\Hbpccf32.dll	Hjfbaj32.exe
File created	C:\Windows\SysWOW64\Idpademd.dll	Incgfl32.exe
File created	C:\Windows\SysWOW64\Imhgkp32.dll	Ipimic32.exe
File created	C:\Windows\SysWOW64\Nnoaan32.dll	Kihcakpa.exe
File created	C:\Windows\SysWOW64\Hjcnol32.dll	Ehbcnajn.exe
File created	C:\Windows\SysWOW64\Kbjbibli.exe	Jdplmflg.exe
File created	C:\Windows\SysWOW64\Cdkklgcn.dll	Kbjbibli.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Ngoinfao.exe
File created	C:\Windows\SysWOW64\Nmpkal32.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Depojmnb.dll	Moloidjl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	2424	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehbcnajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbibli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbodpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcendc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhhie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Incgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipimic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnhcdkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flphccbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdplmflg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnqbhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifkmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihcakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfhfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egljjmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbjon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaajfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hefibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifgllbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngoinfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggbljogc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbepplkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpademd.dll"	Incgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnnoaop.dll"	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khnqbhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoqqojp.dll"	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfpegkn.dll"	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khnqbhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flphccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclmgema.dll"	Flphccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flphccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkmkh32.dll"	Ggbljogc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcendc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egljjmkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Incgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moloidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcendc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpolmb32.dll"	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffgqn32.dll"	Gaajfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpccf32.dll"	Hjfbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipimic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkklgcn.dll"	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhgkp32.dll"	Ipimic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfhfmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcnol32.dll"	Ehbcnajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaajfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Incgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll"	Jdplmflg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll"	Khnqbhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaajfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqnkig32.dll"	Hefibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdplmflg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	Mcendc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niqcoabo.dll"	Fcbjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbjon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipimic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcendg.dll"	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klilah32.dll"	Mnfhfmhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggbljogc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbepplkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll"	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2524	108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	29
PID 108 wrote to memory of 2524	108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	29
PID 108 wrote to memory of 2524	108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	29
PID 108 wrote to memory of 2524	108	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	29
PID 2524 wrote to memory of 2784	2524	Ehbcnajn.exe	30
PID 2524 wrote to memory of 2784	2524	Ehbcnajn.exe	30
PID 2524 wrote to memory of 2784	2524	Ehbcnajn.exe	30
PID 2524 wrote to memory of 2784	2524	Ehbcnajn.exe	30
PID 2784 wrote to memory of 2916	2784	Egljjmkp.exe	31
PID 2784 wrote to memory of 2916	2784	Egljjmkp.exe	31
PID 2784 wrote to memory of 2916	2784	Egljjmkp.exe	31
PID 2784 wrote to memory of 2916	2784	Egljjmkp.exe	31
PID 2916 wrote to memory of 2972	2916	Fcbjon32.exe	32
PID 2916 wrote to memory of 2972	2916	Fcbjon32.exe	32
PID 2916 wrote to memory of 2972	2916	Fcbjon32.exe	32
PID 2916 wrote to memory of 2972	2916	Fcbjon32.exe	32
PID 2972 wrote to memory of 2860	2972	Flphccbp.exe	33
PID 2972 wrote to memory of 2860	2972	Flphccbp.exe	33
PID 2972 wrote to memory of 2860	2972	Flphccbp.exe	33
PID 2972 wrote to memory of 2860	2972	Flphccbp.exe	33
PID 2860 wrote to memory of 2752	2860	Gaajfi32.exe	34
PID 2860 wrote to memory of 2752	2860	Gaajfi32.exe	34
PID 2860 wrote to memory of 2752	2860	Gaajfi32.exe	34
PID 2860 wrote to memory of 2752	2860	Gaajfi32.exe	34
PID 2752 wrote to memory of 2176	2752	Ggbljogc.exe	35
PID 2752 wrote to memory of 2176	2752	Ggbljogc.exe	35
PID 2752 wrote to memory of 2176	2752	Ggbljogc.exe	35
PID 2752 wrote to memory of 2176	2752	Ggbljogc.exe	35
PID 2176 wrote to memory of 3016	2176	Hjfbaj32.exe	36
PID 2176 wrote to memory of 3016	2176	Hjfbaj32.exe	36
PID 2176 wrote to memory of 3016	2176	Hjfbaj32.exe	36
PID 2176 wrote to memory of 3016	2176	Hjfbaj32.exe	36
PID 3016 wrote to memory of 2588	3016	Hbepplkh.exe	37
PID 3016 wrote to memory of 2588	3016	Hbepplkh.exe	37
PID 3016 wrote to memory of 2588	3016	Hbepplkh.exe	37
PID 3016 wrote to memory of 2588	3016	Hbepplkh.exe	37
PID 2588 wrote to memory of 1472	2588	Hefibg32.exe	38
PID 2588 wrote to memory of 1472	2588	Hefibg32.exe	38
PID 2588 wrote to memory of 1472	2588	Hefibg32.exe	38
PID 2588 wrote to memory of 1472	2588	Hefibg32.exe	38
PID 1472 wrote to memory of 3036	1472	Incgfl32.exe	39
PID 1472 wrote to memory of 3036	1472	Incgfl32.exe	39
PID 1472 wrote to memory of 3036	1472	Incgfl32.exe	39
PID 1472 wrote to memory of 3036	1472	Incgfl32.exe	39
PID 3036 wrote to memory of 1640	3036	Ipimic32.exe	40
PID 3036 wrote to memory of 1640	3036	Ipimic32.exe	40
PID 3036 wrote to memory of 1640	3036	Ipimic32.exe	40
PID 3036 wrote to memory of 1640	3036	Ipimic32.exe	40
PID 1640 wrote to memory of 1908	1640	Jifkmh32.exe	41
PID 1640 wrote to memory of 1908	1640	Jifkmh32.exe	41
PID 1640 wrote to memory of 1908	1640	Jifkmh32.exe	41
PID 1640 wrote to memory of 1908	1640	Jifkmh32.exe	41
PID 1908 wrote to memory of 2584	1908	Jdplmflg.exe	42
PID 1908 wrote to memory of 2584	1908	Jdplmflg.exe	42
PID 1908 wrote to memory of 2584	1908	Jdplmflg.exe	42
PID 1908 wrote to memory of 2584	1908	Jdplmflg.exe	42
PID 2584 wrote to memory of 2136	2584	Kbjbibli.exe	43
PID 2584 wrote to memory of 2136	2584	Kbjbibli.exe	43
PID 2584 wrote to memory of 2136	2584	Kbjbibli.exe	43
PID 2584 wrote to memory of 2136	2584	Kbjbibli.exe	43
PID 2136 wrote to memory of 1468	2136	Kifgllbc.exe	44
PID 2136 wrote to memory of 1468	2136	Kifgllbc.exe	44
PID 2136 wrote to memory of 1468	2136	Kifgllbc.exe	44
PID 2136 wrote to memory of 1468	2136	Kifgllbc.exe	44

C:\Users\Admin\AppData\Local\Temp\334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
"C:\Users\Admin\AppData\Local\Temp\334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\SysWOW64\Ehbcnajn.exe
  C:\Windows\system32\Ehbcnajn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Egljjmkp.exe
    C:\Windows\system32\Egljjmkp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\Fcbjon32.exe
      C:\Windows\system32\Fcbjon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Flphccbp.exe
        
        C:\Windows\system32\Flphccbp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\SysWOW64\Gaajfi32.exe
        
        C:\Windows\system32\Gaajfi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ggbljogc.exe
        
        C:\Windows\system32\Ggbljogc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hjfbaj32.exe
        
        C:\Windows\system32\Hjfbaj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Hbepplkh.exe
        
        C:\Windows\system32\Hbepplkh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Hefibg32.exe
        
        C:\Windows\system32\Hefibg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Incgfl32.exe
        
        C:\Windows\system32\Incgfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ipimic32.exe
        
        C:\Windows\system32\Ipimic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Jifkmh32.exe
        
        C:\Windows\system32\Jifkmh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Jdplmflg.exe
        
        C:\Windows\system32\Jdplmflg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Kbjbibli.exe
        
        C:\Windows\system32\Kbjbibli.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Kifgllbc.exe
        
        C:\Windows\system32\Kifgllbc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kihcakpa.exe
        
        C:\Windows\system32\Kihcakpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Khnqbhdi.exe
        
        C:\Windows\system32\Khnqbhdi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Lcnhcdkp.exe
        
        C:\Windows\system32\Lcnhcdkp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mnfhfmhc.exe
        
        C:\Windows\system32\Mnfhfmhc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Mcendc32.exe
        
        C:\Windows\system32\Mcendc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Moloidjl.exe
        
        C:\Windows\system32\Moloidjl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Nbodpo32.exe
        
        C:\Windows\system32\Nbodpo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\Nkhhie32.exe
        
        C:\Windows\system32\Nkhhie32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ngoinfao.exe
        
        C:\Windows\system32\Ngoinfao.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehbcnajn.exe

Filesize
352KB

MD5
bf93e1d8ccdde573473516343706a41d

SHA1
ac05bf6b5376d1d2bb3ab8cd205a189d4da619ed

SHA256
d5f54a5a3d508da86d5af6d813c0cbd9ccca33efcba7cc3c248cfe6c3839bb73

SHA512
3aee98fb3f54821b0fc2a294caf78ddd44e98d03086a80a822cbb73457d65fc62ec92d3478c8549dae40b0127ef354821ca6421033bd358b4819126de00d8047

Download Submit
C:\Windows\SysWOW64\Jdplmflg.exe

Filesize
352KB

MD5
37d70bf15c67402ff7aa458b4a0288b7

SHA1
fc5e4a0ee63e1e9c11b8765c3a1f0bfea77c9b20

SHA256
d44d402024529d094aacdf01b050173de1e93d681c459cdc6e69169a73210472

SHA512
474449886405a5cdeb10c4d3158ea6aa2e4501aa6d757361606ca119f5274200d1004fb2ce14aa8c0c33c73efe1ad9d193d5ecd7785f7d5bf4295d2b6300a0cf

Download Submit
C:\Windows\SysWOW64\Khnqbhdi.exe

Filesize
352KB

MD5
8f038ae23018338cca85a439124910a5

SHA1
9eb351cf9dda1803efebc0c3a65804be6fd37149

SHA256
9b0e0463dabf9125bb35315469d7d1209b84e4e53a814ff8623a9d258b38a6dc

SHA512
4c26927ab0292eee89e5d1930dc5898dc0d2a03953d561d44a4193d85719dce565dfeec529333df3ec2b7a6754ee451842e9261991622f52fd66397dc4f2c471

Download Submit
C:\Windows\SysWOW64\Kifgllbc.exe

Filesize
352KB

MD5
e32b37b5885c0314025ce4607e5fe232

SHA1
dfb5485f30406e67d76d5c1bad22eec3fedfdf99

SHA256
e6938ecfd4101f59d959476c2b024ffbf61ac30cb4c1175683ecc26371f0fce1

SHA512
64210670527d133bfc0b2baea8f47105282bb255415e4a64b7f73dd30edb965f9beb6fd84441848dd7dc1ba83b429ea4d4f9328daf381171706cd04784e495c6

Download Submit
C:\Windows\SysWOW64\Kihcakpa.exe

Filesize
352KB

MD5
1237b0a42c125c64ec1616816f4ea34f

SHA1
05f0bd5b03e41e5492f6e281bd1c9989a01f877d

SHA256
613041fbf81ef3864c127f6aab402687756d0bd14e6ef601515a08ae18791d6a

SHA512
f9660cfeee976cda83869b5430ac12a6d5ec63a46b9ef814d1cdf830030b37db2ddecfd12a9dce5b0ece20412f0640b1c57cbf7dc407061ad24af943d4297034

Download Submit
C:\Windows\SysWOW64\Lcnhcdkp.exe

Filesize
352KB

MD5
174308daaa8c0397c4289292f74c1d86

SHA1
f54c628778afbfa24405f7ae9cbf135433b4d5fb

SHA256
202597850f2a5101939da0bc257de70c617dbccdf70c3e03010a8722438305f0

SHA512
8c1d3666012a4deeb0727b3e4141561b39a030775a2ca3f2029dbb994696e51bf6c332b03f019e0f72e7137255a8ca67549de5cc12d61b42c5b75d872032f026

Download Submit
C:\Windows\SysWOW64\Mcendc32.exe

Filesize
352KB

MD5
447c17363f168d0d171a20158824c026

SHA1
e0fd98b3b72f32ce773211b0a6f376360cfe8c82

SHA256
fc841e15da8c8d0b65885f0ee16068386b822a9e1773a759ba1bfff97c9190bf

SHA512
6247fcb8ac4d1e01fae08ed760368eb4853a3585d2942d1c2b5929df059c22956c615a65740c2e6a171dc9ab2e198e5fbd25fa664702a5fa79a5841699471868

Download Submit
C:\Windows\SysWOW64\Mclmgema.dll

Filesize
7KB

MD5
f35878f42e418c41dca9e5c34e9ab3b9

SHA1
222afb30efa235ea91d33c71fdc4b3c1b835dca3

SHA256
a76a0cae6a1f160878b5afb24db9fee27e82510ac1dbe4456116fb3d8d8200f8

SHA512
7b7df72c37919be38ba33479b496dc6482885e80a6937e35b5b7e7a67e9c9b1283630b8fe08218bcc239c0a4619271972982f10e248c3987573a94d4858d7da9

Download Submit
C:\Windows\SysWOW64\Mnfhfmhc.exe

Filesize
352KB

MD5
013603782603d52b0ede4c9983526e78

SHA1
57e442312c13bb5cf49eb56a836c59d4b6dbf9ae

SHA256
5753019daa0cc9cada53b40d08caec7b403ee3c1a860d73670cabaed5ac8ad5b

SHA512
4868f6d3116c4b014b3a326d1cd915bfe36378322cc59a2473eea00b9e76e792dd1efa1c7709099e79ff136dc3252c6e35ee39b15abe0740e9c0c5185e739439

Download Submit
C:\Windows\SysWOW64\Moloidjl.exe

Filesize
352KB

MD5
20581417bb16eb4ed051788683942f6b

SHA1
03139e2d088293f9623920c8ed163fb06915e124

SHA256
96617ec9e4fd17e10cf6f2c49cd84c3985dfe27830110d03a9d9c49c520dca40

SHA512
811e849b1d5daf1169507b5d66b36b3c9817880dd1471c98ef231ce2f94cb27f495ed94cb819a7365aad8de52afc480135baa65ea79f566397e0fef30334ca92

Download Submit
C:\Windows\SysWOW64\Nbodpo32.exe

Filesize
352KB

MD5
f861e16a2e6cc0dcd198b87e25ed4623

SHA1
857157e467042819338c98b59938746eed3b1594

SHA256
56fe4c1be2e260dc49f6f17b6b55b11461f67fe181b81233970b05dd0085acd3

SHA512
5b7878657d29755332e185272fc04d7a68224abc7b471ac580cdfba6024625c1ae8be1b3fb3f88c7afd266867cfacf1d84631ea847389274fded4efac6a3ea35

Download Submit
C:\Windows\SysWOW64\Ngoinfao.exe

Filesize
352KB

MD5
629beaea3b2a4e02dd29d255a3444514

SHA1
a2a257a4a48880730e8f734bf91f218c69f7eea8

SHA256
e6b6237267c63083a1deffd5d93d226811ecdac58db8e62614e9cc06348d8b89

SHA512
7a3bd759c90860ebe7a8ee725d612e46eb1e90b5e57db8bdc85cd472e6727c19b230df70bf73d6a408a396981a67c227b13726a93dea119a6ef2d58f516a8843

Download Submit
C:\Windows\SysWOW64\Nkhhie32.exe

Filesize
352KB

MD5
8ccca48e959f40ebd6d4138aac6b9fec

SHA1
81634a610271dbcf685d99d1e6786c32bd846ed7

SHA256
d4370986db965c7a03b259d9004b972ca50fc0dd2eb9ffd1e4eca7026e79d97b

SHA512
2329f85bff7cda4c6de4f8b5a55454df7877e9c69324dc30c30f5ac16b1330dbf6302e5996bde036921e6943a0e285956cde4836791d5abbdbc670b45a5a45dd

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
352KB

MD5
eb7b4ee4744d5f88e4438cd7fd8b4cd6

SHA1
be8a65d631e0540202c9850ac50c37ec71be9dc7

SHA256
52e3bf8683c01a3e5c7707c72d31ff36b37220fc34f5ee4cc930dc6bcc9bc003

SHA512
2becf0ee111b12eb46667213e968ef65aebe84cc501eac312350bd1d4864f8902c5ec626415768f16d80bee6b29158bcd33eb003bd95979d1f65a6dad8bcd45f

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
352KB

MD5
6a4eee5be7c64181cbc578495d7a49fe

SHA1
825173b0b76360c543bda0c4326817980df5bbf6

SHA256
31ebc3db414a09bd551dc37b10656508751d1cdf8630263c0db578cb9b5633ef

SHA512
0769ff44e16e627c7a096685077fb592dcdfd2261c5af9553b0824a41535be084175b186f20c5744516774938ff2acdb73195ac0ab6ebeff66e203849ebb8ad0

Download Submit
C:\Windows\SysWOW64\Ofklpa32.exe

Filesize
352KB

MD5
378d5e4488da8b233e176ac1025c5aaf

SHA1
6b5511e18f777febbec001b98383bff3eff54a1b

SHA256
48b331233583c7de51508a515c68f7baa4eb8c006d10a8ec41a8f1c8c87f3d16

SHA512
cec7e649ce798ab79e5b62d7ff15bd7728915c7f9169d54cf4ffd0fee35196b3c80e408d2dfb4ef582812a7d4b61e314cb958af983a4d35d15b6da7c54a31a7f

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
352KB

MD5
ff32762cea9b823a45895974f1cc2228

SHA1
e2fe71924ba554f3efedeceea02ac0bbe95a11d5

SHA256
d3d1cd23ce1fb7782fa9a42e5fd2c6c75b4e182d8ac20df7765e24f546b397ea

SHA512
9c5c91d52b959e7c206f8afac3a41925ac304732a5ef64d7514af27e5b0a8b1f2a5bcaa8f26a6ed9ceb3452fde28e69693f2e5583e76b6c0b5089728707b0b3e

Download Submit
\Windows\SysWOW64\Egljjmkp.exe

Filesize
352KB

MD5
ffba2bedbf1e7ea6f2b6e3eee3293050

SHA1
501fbaf676a8be00e6868f15f5e609109ab46469

SHA256
acf7372c4a9c879a4a3e1f750cf8dab333b6691782398c9939ce7fc29ba649e9

SHA512
a65fa4935ea1d2bd292ddb5d8612b720fa675d5cdc44aae2cc4422fa7f8c217052f7de8006778e794b7db85ed870f3c2d0dbe9c09ecc98629328882aec896bd6

Download Submit
\Windows\SysWOW64\Fcbjon32.exe

Filesize
352KB

MD5
29e93f013ba21f84d1841186950bf4b8

SHA1
34b1204c3dbfc898846c649cebbc65bc06b7764b

SHA256
720f103736607a378196525ae133013207d10742f48c7c7fe09007a2228fee0a

SHA512
0d6fcbe417080782f4d80587d6e5996b11e3bc54108993f93eb249dabffc4f947cbb6aa7aac2050b8885386a712ca6e173a23172fcb72ea08afb201b717e00a5

Download Submit
\Windows\SysWOW64\Flphccbp.exe

Filesize
352KB

MD5
84a2413cf70db2c987f32377d5f41e53

SHA1
c86f75018fa646a8457005fc1ec45c50b9c81271

SHA256
44de6e4322487f51fab820d458ca5277f9e53308e22e36afb314f5f3a04e8738

SHA512
1cbe497160b3f67ac881d934c32405c68d2cdac82448d25e1dff2fd0fbafc9a4abc39a5ba8d65317955b370c4ac162820c24d1f6e0b73b9bdc3d8ee68bb82556

Download Submit
\Windows\SysWOW64\Gaajfi32.exe

Filesize
352KB

MD5
2e77e09a58122212efc40966ad26a9b1

SHA1
d07bb73d07c4e1878c8afe5f256866af1d78561e

SHA256
1dc2d421014d3665fa2b0c225e3015a147bae7efcc3cd528c0519fc46f14f6d9

SHA512
e2dc6fcc256c78f9bfabfc474b446ab27d38821d3ab8f49a52dfa899edf8a948c6ab328ed01ebdbb362e410a41f10b5871cb03f0d042d803288436d36c3d1697

Download Submit
\Windows\SysWOW64\Ggbljogc.exe

Filesize
352KB

MD5
7310d906a28b1d571e1c493d2f357a37

SHA1
ff5e3128a8cca4b5eb07315af414951687f76dde

SHA256
16c3afa431b87ac0407b2c0000c841405d8a96a60a63dec3b9e3725d4eea3075

SHA512
aad442985e81466c780fe15660b569704526c9c5e615468a79a37848b8efae3f81f2ed0f6714de84d922391eb0228d9bf1d65b15ad45b261c85964f014e221f9

Download Submit
\Windows\SysWOW64\Hbepplkh.exe

Filesize
352KB

MD5
83758492da90cb8430f8f72a643802b1

SHA1
ae34c70b0369dc8001ccbb73f50010af0420c07f

SHA256
d11310e15e87bae5f0fed13082d6ff148b8a41e1a1d0e1d658625797dbc5175c

SHA512
3529a8be0ca5157b4a017393af2a1dea0b81b635a3c46d21be779569ff16eb8c8582f076f97796536fefe302ac99b55878180a09db4643469b5a8d9ee7670d2b

Download Submit
\Windows\SysWOW64\Hefibg32.exe

Filesize
352KB

MD5
997bcf17a0dcd69baeea091fa673d770

SHA1
857d1f47feb0a82ec69d1022b1aea290c04a2da9

SHA256
5192698f29595e8edb70d057a7fcadd254e2e2e694ae7f9699f3174bc22d2390

SHA512
6c020ccff934a599f759fb579e921bd9f7423822af401f4ab14e37ad604b2b107f52167f5951e2ed5f611f14e18ec6704256bf7548835774bd2e1d7adc57ef62

Download Submit
\Windows\SysWOW64\Hjfbaj32.exe

Filesize
352KB

MD5
7b91699a28b19aac3abc4ca031478164

SHA1
b3eeb37caacdd088bbef1c62b87b557c4b8e7434

SHA256
96b315f0916e07e4bf070c46b5a0f06c1040c9fdc24cdcd5d108d0ab69047ffe

SHA512
0383742592580b67c2ee59871a2aa8c0af765c593ec8c09c3cab477343265d873556d3948ce6b254d3a5f632b2db0353bf2df7f92395c0e3cdbe8ea82ab0fe9f

Download Submit
\Windows\SysWOW64\Incgfl32.exe

Filesize
352KB

MD5
fb1093da267566ccdd9ce34fcdcc025e

SHA1
ca41d63e09f44eb87b6d4d2f80a4de4d9d02a4e6

SHA256
8e459c39515e0e6b4bc2fff0fc8e16f8038ff73febdfc67fd5781f0202211410

SHA512
de0b2567949c9f34805c483e565c2d57cab2abd5a4fbaaad03de191621b8911735cff162e140d32496fc277b9000e5dc14b5b09f966818f8c1386a5a2c878833

Download Submit
\Windows\SysWOW64\Ipimic32.exe

Filesize
352KB

MD5
43a9a955c45fe77db7a6ec98063c0d7d

SHA1
093af8ee5fa1f0bbdd93849d392f543fc6dfa529

SHA256
d08898c91f9f528c41b3f97cbcf8ff6ee76d6005b9e12464ce33d74f6daa30b7

SHA512
3c87c592528c71357729b444b05fce04fca85f4acb70205057e7a77b541e0ad5d43a46f544b4f9fc0b455d9bb4f9e1f09746201b662b251a02edbd64ba54c6d1

Download Submit
\Windows\SysWOW64\Jifkmh32.exe

Filesize
352KB

MD5
8b3f589281d3311e32a748bd5aebc690

SHA1
9948ea825a01d042084965a29423a47255b5aaac

SHA256
480e904b68955de293f4e89836fced3768bd7df8ba317c24b8df6ef9436cee64

SHA512
402e900d75d79345a7d18879f41421f2bce50f37218042d19ff21215640cea97896a0ddbf4bcd301b6eaf033f90db856659076211614d5764f510763cf214b7b

Download Submit
\Windows\SysWOW64\Kbjbibli.exe

Filesize
352KB

MD5
1b93020958772fdc68240884c0a4019d

SHA1
289e2f8e8adfaf9aae0a0632c12a6c4096339182

SHA256
2fb7da82ceec7d32c8cb6bc248d2303dd6a34eb1023aa175cf85b34f9b983c63

SHA512
90d9d53db6eed1cb85357ab8cd62415c871e3f61409a0eed9235ab877d225dbc512210bb134d1828fd17c9bc15d8e57749d2ab6fb2889b210f4f60c4b4b315ee

Download Submit
memory/108-354-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/108-13-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/108-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/108-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/108-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/588-296-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/588-295-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/588-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/588-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-285-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1096-275-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1096-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-271-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1468-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-235-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1472-153-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1472-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-261-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/1640-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1640-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1640-182-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1908-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-190-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1908-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2088-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2088-339-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2088-340-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2088-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-224-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2176-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-107-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2176-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-242-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2344-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-328-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2344-329-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2344-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-303-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2384-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-307-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2384-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-318-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2520-317-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2520-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-26-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2524-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-211-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2584-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-140-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2652-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-97-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2752-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-36-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2860-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-350-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2880-351-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2916-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-56-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2916-50-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2972-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-65-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2972-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-70-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/3016-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-121-0x0000000000600000-0x0000000000636000-memory.dmp

Filesize
216KB

Download
memory/3036-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-163-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads