berbew | 5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Size

217KB
MD5

487fee5b19b0874c23afc3bfc750cafe
SHA1

602ad5801400a88e63b81f3832e0f34085fc4dc4
SHA256

5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f
SHA512

3996beb3dc127e3e3412d4f2ef3c9f551b1e76acec8a0159624f7886809e8b34a496c06638c8ee64186ab7b3720244130a09933ebbe05a596cb4bd62dc6ae139
SSDEEP

3072:IDC1MGepAgSuOarFAd0srUjgjGkeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQX:I21nxgtO2AdTrXCkdZMGXF5ahdt3Z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmpaom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Honnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoqjqhjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hddmjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Honnki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmklh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2796	Hkjkle32.exe
2540	Hnhgha32.exe
2620	Hddmjk32.exe
2532	Hmpaom32.exe
2584	Honnki32.exe
2940	Hoqjqhjf.exe
2628	Hjfnnajl.exe
2504	Icncgf32.exe
1720	Iikkon32.exe
1144	Ibcphc32.exe
2768	Ikldqile.exe
2036	Iediin32.exe
1780	Ijaaae32.exe
1524	Ikqnlh32.exe
1092	Imbjcpnn.exe
2052	Jfjolf32.exe
2500	Jmdgipkk.exe
1968	Jikhnaao.exe
1788	Jabponba.exe
1632	Jbclgf32.exe
2924	Jjjdhc32.exe
1656	Jmipdo32.exe
2292	Jpgmpk32.exe
2756	Jbfilffm.exe
2684	Jipaip32.exe
2656	Jnmiag32.exe
2560	Jbhebfck.exe
2580	Jibnop32.exe
2552	Jnofgg32.exe
648	Kidjdpie.exe
2160	Klcgpkhh.exe
1680	Klecfkff.exe
1684	Kmfpmc32.exe
1000	Kenhopmf.exe
2916	Kkjpggkn.exe
2236	Kdbepm32.exe
2328	Kkmmlgik.exe
1688	Kgcnahoo.exe
2176	Libjncnc.exe
2064	Lplbjm32.exe
2256	Lgfjggll.exe
1728	Leikbd32.exe
2460	Llbconkd.exe
2816	Lcmklh32.exe
1396	Lekghdad.exe
2200	Llepen32.exe
2612	Lpqlemaj.exe
2788	Lcohahpn.exe
2416	Laahme32.exe
2840	Lemdncoa.exe
1636	Llgljn32.exe
1300	Lkjmfjmi.exe
2380	Lcadghnk.exe
2852	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
2796	Hkjkle32.exe
2796	Hkjkle32.exe
2540	Hnhgha32.exe
2540	Hnhgha32.exe
2620	Hddmjk32.exe
2620	Hddmjk32.exe
2532	Hmpaom32.exe
2532	Hmpaom32.exe
2584	Honnki32.exe
2584	Honnki32.exe
2940	Hoqjqhjf.exe
2940	Hoqjqhjf.exe
2628	Hjfnnajl.exe
2628	Hjfnnajl.exe
2504	Icncgf32.exe
2504	Icncgf32.exe
1720	Iikkon32.exe
1720	Iikkon32.exe
1144	Ibcphc32.exe
1144	Ibcphc32.exe
2768	Ikldqile.exe
2768	Ikldqile.exe
2036	Iediin32.exe
2036	Iediin32.exe
1780	Ijaaae32.exe
1780	Ijaaae32.exe
1524	Ikqnlh32.exe
1524	Ikqnlh32.exe
1092	Imbjcpnn.exe
1092	Imbjcpnn.exe
2052	Jfjolf32.exe
2052	Jfjolf32.exe
2500	Jmdgipkk.exe
2500	Jmdgipkk.exe
1968	Jikhnaao.exe
1968	Jikhnaao.exe
1788	Jabponba.exe
1788	Jabponba.exe
1632	Jbclgf32.exe
1632	Jbclgf32.exe
2924	Jjjdhc32.exe
2924	Jjjdhc32.exe
1656	Jmipdo32.exe
1656	Jmipdo32.exe
2292	Jpgmpk32.exe
2292	Jpgmpk32.exe
2756	Jbfilffm.exe
2756	Jbfilffm.exe
2684	Jipaip32.exe
2684	Jipaip32.exe
2656	Jnmiag32.exe
2656	Jnmiag32.exe
2560	Jbhebfck.exe
2560	Jbhebfck.exe
2580	Jibnop32.exe
2580	Jibnop32.exe
2552	Jnofgg32.exe
2552	Jnofgg32.exe
648	Kidjdpie.exe
648	Kidjdpie.exe
2160	Klcgpkhh.exe
2160	Klcgpkhh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hddmjk32.exe	Hnhgha32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Iediin32.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Honnki32.exe	Hmpaom32.exe
File created	C:\Windows\SysWOW64\Ikldqile.exe	Ibcphc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Hmpaom32.exe	Hddmjk32.exe
File created	C:\Windows\SysWOW64\Jmdgipkk.exe	Jfjolf32.exe
File created	C:\Windows\SysWOW64\Jbclgf32.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Ibcphc32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Jbclgf32.exe	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Hoqjqhjf.exe	Honnki32.exe
File created	C:\Windows\SysWOW64\Icncgf32.exe	Hjfnnajl.exe
File created	C:\Windows\SysWOW64\Miqnbfnp.dll	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Hnhgha32.exe	Hkjkle32.exe
File created	C:\Windows\SysWOW64\Bbdofg32.dll	Hkjkle32.exe
File opened for modification	C:\Windows\SysWOW64\Jfjolf32.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Gkaobghp.dll	Iediin32.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Ikqnlh32.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Ikqnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Laahme32.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Laahme32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Ppdbln32.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Hkjkle32.exe	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
File opened for modification	C:\Windows\SysWOW64\Hjfnnajl.exe	Hoqjqhjf.exe
File created	C:\Windows\SysWOW64\Lgjdnbkd.dll	Jfjolf32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hjfnnajl.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Leikbd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	2852	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpaom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqnlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hddmjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoqjqhjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjkle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbln32.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll"	Honnki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Honnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll"	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoqjqhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iediin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkmmlgik.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2796	2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe	30
PID 2496 wrote to memory of 2796	2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe	30
PID 2496 wrote to memory of 2796	2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe	30
PID 2496 wrote to memory of 2796	2496	5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe	30
PID 2796 wrote to memory of 2540	2796	Hkjkle32.exe	31
PID 2796 wrote to memory of 2540	2796	Hkjkle32.exe	31
PID 2796 wrote to memory of 2540	2796	Hkjkle32.exe	31
PID 2796 wrote to memory of 2540	2796	Hkjkle32.exe	31
PID 2540 wrote to memory of 2620	2540	Hnhgha32.exe	32
PID 2540 wrote to memory of 2620	2540	Hnhgha32.exe	32
PID 2540 wrote to memory of 2620	2540	Hnhgha32.exe	32
PID 2540 wrote to memory of 2620	2540	Hnhgha32.exe	32
PID 2620 wrote to memory of 2532	2620	Hddmjk32.exe	33
PID 2620 wrote to memory of 2532	2620	Hddmjk32.exe	33
PID 2620 wrote to memory of 2532	2620	Hddmjk32.exe	33
PID 2620 wrote to memory of 2532	2620	Hddmjk32.exe	33
PID 2532 wrote to memory of 2584	2532	Hmpaom32.exe	34
PID 2532 wrote to memory of 2584	2532	Hmpaom32.exe	34
PID 2532 wrote to memory of 2584	2532	Hmpaom32.exe	34
PID 2532 wrote to memory of 2584	2532	Hmpaom32.exe	34
PID 2584 wrote to memory of 2940	2584	Honnki32.exe	35
PID 2584 wrote to memory of 2940	2584	Honnki32.exe	35
PID 2584 wrote to memory of 2940	2584	Honnki32.exe	35
PID 2584 wrote to memory of 2940	2584	Honnki32.exe	35
PID 2940 wrote to memory of 2628	2940	Hoqjqhjf.exe	36
PID 2940 wrote to memory of 2628	2940	Hoqjqhjf.exe	36
PID 2940 wrote to memory of 2628	2940	Hoqjqhjf.exe	36
PID 2940 wrote to memory of 2628	2940	Hoqjqhjf.exe	36
PID 2628 wrote to memory of 2504	2628	Hjfnnajl.exe	37
PID 2628 wrote to memory of 2504	2628	Hjfnnajl.exe	37
PID 2628 wrote to memory of 2504	2628	Hjfnnajl.exe	37
PID 2628 wrote to memory of 2504	2628	Hjfnnajl.exe	37
PID 2504 wrote to memory of 1720	2504	Icncgf32.exe	38
PID 2504 wrote to memory of 1720	2504	Icncgf32.exe	38
PID 2504 wrote to memory of 1720	2504	Icncgf32.exe	38
PID 2504 wrote to memory of 1720	2504	Icncgf32.exe	38
PID 1720 wrote to memory of 1144	1720	Iikkon32.exe	39
PID 1720 wrote to memory of 1144	1720	Iikkon32.exe	39
PID 1720 wrote to memory of 1144	1720	Iikkon32.exe	39
PID 1720 wrote to memory of 1144	1720	Iikkon32.exe	39
PID 1144 wrote to memory of 2768	1144	Ibcphc32.exe	40
PID 1144 wrote to memory of 2768	1144	Ibcphc32.exe	40
PID 1144 wrote to memory of 2768	1144	Ibcphc32.exe	40
PID 1144 wrote to memory of 2768	1144	Ibcphc32.exe	40
PID 2768 wrote to memory of 2036	2768	Ikldqile.exe	41
PID 2768 wrote to memory of 2036	2768	Ikldqile.exe	41
PID 2768 wrote to memory of 2036	2768	Ikldqile.exe	41
PID 2768 wrote to memory of 2036	2768	Ikldqile.exe	41
PID 2036 wrote to memory of 1780	2036	Iediin32.exe	42
PID 2036 wrote to memory of 1780	2036	Iediin32.exe	42
PID 2036 wrote to memory of 1780	2036	Iediin32.exe	42
PID 2036 wrote to memory of 1780	2036	Iediin32.exe	42
PID 1780 wrote to memory of 1524	1780	Ijaaae32.exe	43
PID 1780 wrote to memory of 1524	1780	Ijaaae32.exe	43
PID 1780 wrote to memory of 1524	1780	Ijaaae32.exe	43
PID 1780 wrote to memory of 1524	1780	Ijaaae32.exe	43
PID 1524 wrote to memory of 1092	1524	Ikqnlh32.exe	44
PID 1524 wrote to memory of 1092	1524	Ikqnlh32.exe	44
PID 1524 wrote to memory of 1092	1524	Ikqnlh32.exe	44
PID 1524 wrote to memory of 1092	1524	Ikqnlh32.exe	44
PID 1092 wrote to memory of 2052	1092	Imbjcpnn.exe	45
PID 1092 wrote to memory of 2052	1092	Imbjcpnn.exe	45
PID 1092 wrote to memory of 2052	1092	Imbjcpnn.exe	45
PID 1092 wrote to memory of 2052	1092	Imbjcpnn.exe	45

C:\Users\Admin\AppData\Local\Temp\5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe
"C:\Users\Admin\AppData\Local\Temp\5186a4b2463398efa2e21b39a7aa4811a93ce1cd557b51fc940725ca1b33058f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\Hkjkle32.exe
  C:\Windows\system32\Hkjkle32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Hnhgha32.exe
    C:\Windows\system32\Hnhgha32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\Hddmjk32.exe
      C:\Windows\system32\Hddmjk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Hmpaom32.exe
        
        C:\Windows\system32\Hmpaom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Honnki32.exe
        
        C:\Windows\system32\Honnki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Hoqjqhjf.exe
        
        C:\Windows\system32\Hoqjqhjf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ikqnlh32.exe
        
        C:\Windows\system32\Ikqnlh32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Jbclgf32.exe
        
        C:\Windows\system32\Jbclgf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 140
        56⤵
        Program crash
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
217KB

MD5
e27ecea1d9de291b42bbca0c8f03c329

SHA1
1196b4f40d4814f4e053f25c52767c7271025bf0

SHA256
4e852de1b7eba9a10b2b38a9add405cab181ccfd40962fca1ae47d066c40ce73

SHA512
97311c4713bc711bb5f433305145a3818da39d9f8c17ee908826a2cf9c13a67f9efdc4b7a168d40b3981da6370065cf2d0615e463ce34d8080d7fed2bbba593d

Download Submit
C:\Windows\SysWOW64\Honnki32.exe

Filesize
217KB

MD5
d2febc16dca5b9b9359ed3427d6c25e5

SHA1
a07e415a54d3e8fc8466b0855fb3fdd47dc129ae

SHA256
cb7551458afe50ce2bd04e45d198a0ff973ae7cbc154cbca1cfcc6bbae5d1655

SHA512
20dc55950605e83087c3f418161265bfc2e88e7698be546096465ee75fa6187547af7835e6c51c50e15b6059e2194b6c683583f271579bb003a8dce28471f4d6

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
217KB

MD5
0986e48eabf56aca1bbd5a70cc02eeab

SHA1
b1cd8ddfdcab8fc66bd6781792d43799a1005d79

SHA256
62ababd1d4464972394d34f268aa8fcfba32306ca97bbc6f5d4c0ccc71cc2c0f

SHA512
a07bbd7ff2201ec9518be3d2442989a12a180af35616662224ca6e21ade48157ddc3da09a6fdcac82fe28e4360eb2450ecc39f0c469b36abdbe073af165d576a

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
217KB

MD5
a19cde71f56d9ce79a8220341254d866

SHA1
c49bc854b338611863438280a5989c8ebfd520e2

SHA256
3d2113df697cdb8f45f56c0af1ea8741a4c86c3dd35a2e71b235d568c5a175a3

SHA512
390c425fcbb3656b83a2c15c318780335569731dc67bc83c51fddaea8d572d2fdcaa19eacd9c915b7883f81147b8d2f3c9ad0cb8f4042ccc3a88f9b2d94a03f0

Download Submit
C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
217KB

MD5
b0215f595a04ca27e3253aaa0842da6e

SHA1
3304585131252c80a16772382460a665f2aaf814

SHA256
177f7374f6cad44040e991a5b79b7511faedf5e351bb8ddf4f29fa200a0504ab

SHA512
a4a8412a498cbc960151ef3653964993b3f4e5863e034ea04c126639cbcba3b5e3f617d035969e2645084f6e694b5817b58a410e58d9cc923d388564eadf5f5e

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
217KB

MD5
d27754fb1e47462e65d52ca483f08ee6

SHA1
09bda67d480e71ac435222b928d5ad43cba995ab

SHA256
5ec1be2ac54292fad0aa1b713d7e0532ffea834f4ba92675947251c28b96c7b8

SHA512
f21cdf2640449605c7f54d77c5b64cbf5008a6401819d670d4aaefb384c931bc78518a6bef05666a8769b375ca7ac85cf6e175257290b07c6fd1ddb698351c93

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
217KB

MD5
0426889fa32814ccdbb16789cd953d53

SHA1
0e87c76fd137e8714337eccea4bdb7bc0eb88f9d

SHA256
9d14c23caaace93261c6b197d3710e7abc2e71f7f1366f6087aca0caa5acdd1f

SHA512
dc2bcfc215772d99987891c8e7dc211c008cfdb740c5939656ac19207e3b6e2a20cb002817c47b09d7d541f1f399db9d035b43557a65e007fe4716ff722745cd

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
217KB

MD5
91d01c40f261c3a0f0f2bc60de5cd96f

SHA1
3904b91eeea9278c043aca6d15aa2b683947c1f0

SHA256
4c0b83d75d5d1e8af424c4b04cb4a57dea5fd6cc88be53d0c9a99d2d2ae48ab3

SHA512
47aaeaee89f298328327c47d322f283ce07c00359e5314b1530f43f45f93d86705d08704e55e8266eeab53671039769a6764c5e1d4f044b77234b744e0ede46f

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
217KB

MD5
2a88d645f7fc04245952f810085a142f

SHA1
ca9fde0c52435587ff9c7f26ca67aeea9759b708

SHA256
c82825fe9b28fe4f0b864d55e12215c4f61fd49863840368598daab78855e7b4

SHA512
080ba74771ced43fbba8ac2df529e31ec84b81ed62766dc74124c1db079fe4b123c28d467a4ce840cc1373322be1ef55da1f14bfb2d713acee0294791e18949f

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
217KB

MD5
27943b3a16f1c17830d8cec23c55b74e

SHA1
bbe2710e9737fff3011f48d7515bdf48b6f9478e

SHA256
bf89e91e3e0192be1196039bcddbfc7bf906fe541526620679e5a7afe1a5b73f

SHA512
705f9694a3f910a8b918ca51aa5804a6d307b5c52b7c819f624ccdbf981f630b79e809e091f8f351f8a62371518292accceca11a1f97439a343e0618545668ea

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
217KB

MD5
d701d2f97a5833ff4c5d43f578a3cbf2

SHA1
5dd97d6dc2b5a8b1b1f3ae1361355dfea3d9a4e2

SHA256
4e776f9e0351322530bdf70afee5e335467773ec8e3c5d1587bae847adddd1f4

SHA512
b8b2057ae742f10ce0ce72d0fc55cb5315cddd414985e82212a09def6b3441f075d0a87262d90132550168c5be46a59521b8ab761366cc8832fb5f6390b5c97f

Download Submit
C:\Windows\SysWOW64\Jmdgipkk.exe

Filesize
217KB

MD5
cc2484816a06dbe03c24af569da03ca2

SHA1
2d89c917ebc58c71eb615464974444edef21f622

SHA256
d37aed14861752205ed4c5e1e6b105f20aebbc008232d68094f05c073169dbad

SHA512
f959af7784cc8b491e58cbe0dacbfe1c7eec25ac261522fdb2fbc92dee0bd894d34fbfd1c11afcf205747ef509458b0a423b27d334b9755fa47676ed70e58934

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
217KB

MD5
6fcc88b99014493b6c2c936c9b0f6232

SHA1
e3ef77a8a5d7a65b2510abddcd8afef17ce7693c

SHA256
576ae2d6ea2bbcb1c4d7b9e029420f0630c14e31d28ea2984aff0ff3f6728bc6

SHA512
60b5d710ac5f89af028f4609cf314c56bdaf900494f8c5862ea3b34fa6a1360c3f716c48472a5fa6c957452328609364a051e6e47be5c10730bd07734d94d3ea

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
217KB

MD5
1cbeb515ede250c09ac4257490e279db

SHA1
a45812f3139ea3a11ff8dca0630f7a7561db8358

SHA256
c954fe60fdd4611fdc0f9b4d2026e342830acd412a762decbfc6ca165ce4d035

SHA512
94c87d85bf8e50cec23e536f918a5cc923ee488e4686d9de4d9fac48698a2b0404902a07f2e8e7927508e9ca022db91f03cd4fab429ed4c614341c852ffeb7cc

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
217KB

MD5
867a4c761d43d0718428e6bf94012e5b

SHA1
42404f018a890241f1e3478e5645a8fd3dd2eaf8

SHA256
ca28bbe180a690ac642eda3a427870fd54e786e1bb171ef9693626c8af2da1bf

SHA512
a9d04a8ae0fdd59d77f100299317ecd66ae9192967c38e57e8d8df1d64ff3123cd8a0f8ffb1c0ab8869952525393766fd9f9e1674e551736be36e04a9117c203

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
217KB

MD5
419f4cacee500f070c1cef980e290b6c

SHA1
cbd2e1b7030bae1ee7c7ba5add04a7765277fce0

SHA256
9067cc46313ed88c8401fd9637c65937b90d4c57cceca7e9374601ba22014388

SHA512
7c76e74cea2f33ae02de8602f98093258f6bb949402032d03154c1f88b5161b57b68923e2cba1e0f64824d1eb05336757d65d9f4dcfe15abb9ac7c98afd19f93

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
217KB

MD5
e0335fccd76a5f97662ed7c6684781c7

SHA1
97ee9ef2dd16b616737a0dcbb1fc1b8b3785f185

SHA256
fa352b7ce72aec492833b6bce67d758d24633e0393dfd01aea3ce87836ccb770

SHA512
15c0475252b4ce15df876cbfa41b3d5fb788c6385587bdcbe0d87de7c055448df892eb791e572bc480ff0a476c78c33a609019e9a4aadba0e094656e086f486f

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
217KB

MD5
73300b3d770e9cde191fb554447ed364

SHA1
539b0793c8c4199102fac55d166dfd6bb21a609c

SHA256
0125914b68069ca15ad1a10ba5f39501fbbfc470487cc2c8eea7590ceb0cd493

SHA512
804cb913e1d8efc38ffad8c10e761b7b2cb5522c64cc2015170e17c1766b69e94eca6d0770a96c136de6bc47e699a14730412b469d78a8a47ff36072fdda6a39

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
217KB

MD5
b871f49c45aa3cde688a55685971e914

SHA1
d698b5a8d4be1117fdcc25105d7b8cc5ab825d98

SHA256
da0074bc630bf770a492cbd4bcebf880f9cefeda9224a5cfdd737d1b1263113e

SHA512
1d7c47efdbcf73e05a6e3b08d376d1a49435f958e53499402569a1068e074bed8855282ec2254d7db5e7544077df2360e6282be980570353c87d105515c35f6e

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
217KB

MD5
5c3c2d9799cd531a5a45c70320c2a118

SHA1
d94718ad925765926d84522236b6ba2cfe2d459a

SHA256
5c4b45e8d554c92f27c8749827264cd9604993f7539e36e073deea56804f37a1

SHA512
735194eda10aa71d43987a3bf9a2f0819c2282fd08cf9f34ba7ecbaedfdfb6cc22093a28d16cd958a9c80d8cf3b100124ac1d2b86e1cee4dddbb19e3cabdc857

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
217KB

MD5
6b05a24b8c6fba397dc138d374ffbf3e

SHA1
e0dc197432498ff611f8b3ee87c0520987c6431d

SHA256
66c35d5766a8fc1c19f1ab0b6a71806f708e7a31257d1e4e41e77acb5cad9cb0

SHA512
9905111180abde7fd9fffdd56cd31672d4cc9f53a7888b01607acb9c9fc4d12118cdcb234aa15f2a50b5549d2dac03e8bf2c0327ef69d14d05275ba8b6eac05f

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
217KB

MD5
e889642e47b1ad4808ac185fb11e6533

SHA1
e9cbdc152f011ed86162145d9639828d46adbbaa

SHA256
0a5a12bafc1e891991f4f0443602124d15f6a2c04e2a4df0e4fe17422d2806b7

SHA512
7e1d3586c1fa39e532e7e93c1cf98b1268c145be96916fcab5793bbf742b7e229815df574bda4938254324ccbed66c9527f16750f6ac52ba33abd35a66ac6592

Download Submit
C:\Windows\SysWOW64\Klcgpkhh.exe

Filesize
217KB

MD5
2e314f0dd299ae64544f609f22a610e0

SHA1
742e9b65d47aa0802a725faf6be8b6d6ccfeaf3d

SHA256
e7b24ad9f0f02253c817f181baa37715f70af8605790bfd255d2d905db665ce2

SHA512
a050b45aa938c562ccdafdced8f227ea44508962eb8d18a68447081b85d2ec77625425cc8dd7df68b6b9f43b0018ab8cefc05a8ce6bf561fd161b0c118146679

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
217KB

MD5
44e7ce9b843a767807bf8e8ccc415754

SHA1
52d0fe1c95f02f67388f5fa6b37cd885c7143a02

SHA256
e950554edaaaae1a01f9e711aa2bc05d6302b5477a19c9fb6a82efcd6adda645

SHA512
a0da82a0b5c0c95bbde3d3c102463ce991e9027ba61bef1003e2708e69ca5c46c147a27af0b7818bf68d25de780662668f53b9dd615872640e631de824470b26

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
217KB

MD5
ce6fb53a28e672e8cdc51606026e5425

SHA1
bb2ae5b66cf3d0970159c142a7118cc701c11cb5

SHA256
adfc46e5313976e949be5f1843426d07af7b4e9629c1ad5087c50b0a71916d18

SHA512
5b72d75d8404c0437cbaf947ab7b00ecc1a808e2229fcff5a62893ed2e534cc12b36f6444d024de628be37475b95e60518b4aee5af1c3ee45e9089dfbfbe1a88

Download Submit
C:\Windows\SysWOW64\Laahme32.exe

Filesize
217KB

MD5
56a0ede9d77aefccdbb0994fa8aa4755

SHA1
01f0c176d3c26367637c7d880b51608491140fea

SHA256
ee30c09c679f7bc838097bd16bef3edf0e913674166239c8dc797bc3557654be

SHA512
68e7988ecb6036abf35a4edbe82473e6eb47ee7e19e0019e8ce77193dbdc5fbde4e2c189e9c5a01f9ddb336234fefd62c0ff9694d7d67f33f79ed40679412244

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
217KB

MD5
f6564969f338d0260c7822d612160375

SHA1
d45038c583f38b123b5152ae1a95de054c600aeb

SHA256
486127ce8c12cdb5eb9088f2a0d0beb01fc875e2b899c739f5e616712ae27618

SHA512
676651f44b73ab3914d28242f8520306278d6ebc9402466b7f4cc104d74f608475df0fb80d1bcbc978fd423f827e917a8f30c337ef5d3d57abcfc1233630b356

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
217KB

MD5
a576ece19efb8e55ee134848026d9b42

SHA1
faa1124cab7dd0fc336cb6fa464f2baa8f9aef0b

SHA256
1bb159e9b145901e2463614f7fd8fc7a4c5df579b7ff7e63ef169c277138979f

SHA512
642df9178af64cc963bdaddc366bf6f8ed0b13713f15d94731c241a98c6535e52fe202e727e23a67577d593860d9350d344d8d94bbf96e44a2f3dbad0b563161

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
217KB

MD5
a7d13079c8df22eaa6120e3c4f58dfaf

SHA1
4e023b0e3070c8b971ef2091140727adb9c1e491

SHA256
00b72100530590efd39c5adf277f56bff68eb5821a8cfe37cd1af8b8a1c8df09

SHA512
d82650990dbd68ae24c63ded1e625ad45a301c224c5a86ea0598222dcfa9c3a1320051bd85bcb174ef99c3765b580939467e4d021f012cc223c774df05f3dc64

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
217KB

MD5
6ff7462de0d0e213f89a7f28a05fbfc3

SHA1
6aec8d96f02face8ea1d07e7c8a1517207b5f71a

SHA256
58ecb19bcd6118c18527064291003c28933e1df7def9fd72e69d5ac72537e98b

SHA512
f3fd529ecdf6d1de725955d3fd9e869692dcd03391ffaae5296fc340eb69734b98bd6a5395b77050ee488f86f88a92dd82015c5c6c275564cf2ba3097f06cdb4

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
217KB

MD5
02c0fcb80c2aba039bfb9ce6b1525fcb

SHA1
552e4e9f683f4dcb243dbc71da96228e9066898d

SHA256
4048a41f2b87708ba579ba67c4ab25887148c317df8f89b7102b5bb13899afd7

SHA512
c1125ac5b63faca8f5d87ca76aa3be74a84c8b74b3c90226f2b02697992e7e93b9580f4ee3074e06e7d04e906c65e0a1bcc938a59595b2ae2b3dc3f3b1e6565e

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
217KB

MD5
25c659680984108ba21cb244e339684b

SHA1
e303796908f93424d730efa0ef69a4e75db1acba

SHA256
bbc9b3b2863ff3e55d90073f92865f9c1b17705551e2612f1dcfd44a71bd68a2

SHA512
6cfa6918cf282cbd064f4a6d6b43c92bcb99a4457ae0551c7db19a67a6fe94aee8b3d9ced2344b7b269d790db0cc21eee158af41a2805e7ae8efe75904ca0f1e

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
217KB

MD5
e22f3fd9693af523d0c342d681656a39

SHA1
be92507ca2b59cda3e5aca745b1824c5649c9630

SHA256
af055134548fa235baf9873fdca1aaa55415446543c914747b109fba06fc4a8c

SHA512
130ab631d925973c102f9436cd40f3355e36b209612d43810366318bb3caeccd306dee7f10809c52e0693882ab13e4d3fc3f58146d953b727c3d9009f6d536df

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
217KB

MD5
c92634f2c43c0c9c359b78b557c35ad2

SHA1
912318d54b885d8e3f47fd97b68d602c6226b599

SHA256
df4a17b7f115f04f5e65121479ef2e1f274452fdc21a32d848062086336a8081

SHA512
816d1ee8ca23c30aa65a55b5f2ad5d209284002cbde0f792e93ef3267e197ca4cc3abeef03bb19393dd1b52a6ee12eb6defa8122d7ff60b4957eab42512b7b20

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
217KB

MD5
6441a564693d8fee40cb2588b0a917c8

SHA1
ea501e6e26b027ea904623173ef73b6e9a8dac0a

SHA256
73d59303992e462bf0d9f41119dd3f13671f3b06fdad2ae7c460bd494b51cac8

SHA512
dedea7c659815288a6afd6fa9cac66c1452592ddf0972f6fb700850f88f108247d0b234c386ab6545032df3916cea88ff9c75ddfe8f39e6abeab1eb374453aba

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
217KB

MD5
c9e4acb146a9de20470d8afcdb624687

SHA1
af91e985f82c6aa7ac4d3293a94d3cde4a8c89ec

SHA256
1b441dd0c8abef2be9d08151b80b5e03de4783dd48e70d1baf29e24e9a7acfa5

SHA512
fd37c88af213e5f019463bf2fcfb5646f94efa2a39b680a2d21c69f8c036c096316f2e6461de2a41c8c08c0710eebaa28c2963d6c186f92f66122b2f0d2d4dcc

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
217KB

MD5
13eb9e14c4beb932823ac4fbeefe84fa

SHA1
746526e581c4451820cc660c62daf3c868f39ae1

SHA256
3639c23ed43ccf28319c7576ecb4e63c0d24e425993c36ea0d3d392506c85ec2

SHA512
9b59ea20e9bba16b9c2689494b8e9f1a6a5a25bf390a1d7fe57d77bead9350f4ce808141f9f155a1e4c8f602f5e3ec7fc03fb6ad3bb4703dc295b81f89314ddd

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
217KB

MD5
020354a974d2ee6dbda11dcc73bba0e4

SHA1
3ea6f1e83a532316adcf93aa8f248151bd050ef8

SHA256
8526d5c64cbdcbecce36cc89ac7a5d8ff7bfcd4acb393c6217e1060fe2189e06

SHA512
54bb04736588bf1a28bddc1fa0a111b27ee78cf1277f78980fb4649ac6d2832b6c29d96970deb33d21258f31960697d0c92572a70490ba1a182315188864fd51

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
217KB

MD5
d58496da128fe4c88c1e69173e6ef2ee

SHA1
587ab268f676f0661c383ffc3048fb384b386e11

SHA256
dda534355825e5e3b69673efa7b3476e2d9f8d204d4bf070888f03106e6cb65f

SHA512
7edcae7988c9a5a692a676df1c4d5205c5a3eed3bc00e0faf6414fb804bd429c77ec823371862ab359eba0646df85db3f494406d57778cd9b659cdb966c1567f

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
217KB

MD5
368b18c9572d40dba05eaf4ea7fbcd6c

SHA1
4cfbdea2f21cb9b9d21d774d4702c3ae3940e6c0

SHA256
5c531e6f0da545984b8e8e0a3e8d329bb0e5cf61d946d03f805f52096dc6951c

SHA512
5ee04c2ee0973f87af8d09e3db1a40eb4a089561fb32b2a162c592b7c302370c6a792e28c187780bb96b571cbf133a900563675d29c45868af10b78238aad1bc

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
217KB

MD5
4d4ccfcc5e06bb94e2130c67f1edb941

SHA1
657f67511e9c23f527aa5bc5913b4c14152c867c

SHA256
f315468476fac1529ffe05e52cdd8b6b780b663de899e0c8db93e312cfa0a2b9

SHA512
9823f95ed6e0bdd6c395ae3f2bae02f0050a6a1c8cf3489da678a10afbaeb86c34f1b849117219f445da4b97eb2308cc28f97e10e609ecf21c9f22b1a2af58e1

Download Submit
C:\Windows\SysWOW64\Pbonaedo.dll

Filesize
7KB

MD5
0737eed2a0e330ff139a4801fa483715

SHA1
1e42f6aa44020d98c82203cf85cd41ac4ad5d44e

SHA256
710761b6d479ea37985aa0220f6e7d6956febd213fcb59a1b6e04ac5de4af1b9

SHA512
a6fbd8d5087ef9d67a41c7c62b7d13185cbe2d90ee2d4795fdb9819cd39b5469f94f61d0a8b7a29e6831276fe5ab0503b05a60ad72d227c9618654dfcee8bd50

Download Submit
\Windows\SysWOW64\Hddmjk32.exe

Filesize
217KB

MD5
d919291a644a0d2b109e3c352d5016b3

SHA1
5b77815dded32c8ff6c523c9a8ce13f51ed9bc48

SHA256
cfd9812fe69fde55b7c6cc61c019bb5ed2133fc0d673af10f28b019e03189139

SHA512
706cd2cfc401ca6503efc459669a56c616becc20b0e9da5e2f47619520703c99dd2afb1c3852b57e3fa01116b74f9c28eecd4921f88f040b8ff246f18a4d0916

Download Submit
\Windows\SysWOW64\Hjfnnajl.exe

Filesize
217KB

MD5
4efd8808cb1c6846c61956262d755b76

SHA1
dc51518b7e279dbd1474ba2d9d00a5455e3b4787

SHA256
a3fcd30efd16da05d93c7dcd19c4c299c5baae5883d4022ce9d85bd7a68a4e06

SHA512
cd722e468492cd886d60dfe367e572ed68ba354aa0d89321f6b120d542fd6ef638265c246437c60dc0e6c67488155dab76f92110ab6b829906226477321db950

Download Submit
\Windows\SysWOW64\Hkjkle32.exe

Filesize
217KB

MD5
2ffd2ca185449253e8276ded010761d7

SHA1
366a8946901f9e0d8871655ef9dc2137781c83c6

SHA256
b6b00b4a58b0a798d9b69ad707a228b7589ff67a8be07a701825a4c74289bf10

SHA512
7b43d94e2386401c786a6caf306c18ae573d9e1536414d96eda2913cf2609c8b93f19781e8bd075b70c1e559feaa0b670db75a6ccca64074450d9b08a3b3c8d0

Download Submit
\Windows\SysWOW64\Hmpaom32.exe

Filesize
217KB

MD5
1c180e2c29f71ac0a815061c966c6ebe

SHA1
7a336f2bee18fee3ea3feb7c224363eaaaacdd6e

SHA256
46e1daa28db9eb92e3f141a6a585c62149425ba6283cc0be08bf83ccfb14a091

SHA512
c8e30a78278f5204e95887fbc5c5a441a7c1dd9486eb3dea95e8a482b49ddade03d8c3d2d382189f20b7fe428677329a38266601d1410dca4f04a6da9edf447f

Download Submit
\Windows\SysWOW64\Hoqjqhjf.exe

Filesize
217KB

MD5
1e13fd6caca1f48b73cbe65517531db0

SHA1
504d27b48d94a55aa81cce9bf9048a2687959d14

SHA256
6cff33437f5f112683686c79156bc0f2df7ef78e8d3662a1c4240654f628b8f4

SHA512
eafd6403a235e35861836d250c64fca0064cda45ca21ab387d3316e74fc2e62deaa1f2ea7f58aed987df4e4e2036b4558ed81cb7f4342eb1cd78cb746651edc0

Download Submit
\Windows\SysWOW64\Ibcphc32.exe

Filesize
217KB

MD5
ce5939efed3b9a5bff0ca973ca3e159a

SHA1
46e271b7c26d910412388e394389bab77bd1bc40

SHA256
1fb1dde781c4289347ab188984b4a10ab675dc718b36d566327b7535a6efdaae

SHA512
1426a4a289e7f2e6b7e3c60df379ed5a5378a9d30619feeabbfc0bdda43e30528dab98c0c96cc27ff06f1f81498682895fe85b4b5dc0936cd424397a652d1e3f

Download Submit
\Windows\SysWOW64\Icncgf32.exe

Filesize
217KB

MD5
85d42202d9903cdcde709fab6a08dd00

SHA1
4fffd78ec6203b9db90c076895f065a5e7a36315

SHA256
b0ea6f80be32207afbbf53574abf656e0c9693f46026ec5e833783bce97ed998

SHA512
5910f3ef32d959cbb1cf6b050370588fcd6bd26edcfeabf1a2938d51b5b27c0f2c62f6616f4f65bcab3d1954ec71e9c155e7fd3adc90c4bbe570a98193352d46

Download Submit
\Windows\SysWOW64\Iediin32.exe

Filesize
217KB

MD5
9743ed3e839e4c8694f60c3e336a7cd8

SHA1
0b59b97c4a30229d4f85d2520a3d52b6898fa215

SHA256
79bb11b8675aad9ec07cfd1e8c2a4e6fb069009b363e52f51ea8ad51d255c961

SHA512
62188098a225d32674a18fca4e9172e7dcd1b10c1aad5297fe97a6fd418be7808891fb875b508c58668a61954e27d84fb50437b4da30ffc7cbc456f90d88a27a

Download Submit
\Windows\SysWOW64\Ijaaae32.exe

Filesize
217KB

MD5
fdf36f24736a407261c4e9ab61e2489e

SHA1
a10e76a1d4ad58e1dc3380bc230564195476b6fb

SHA256
3c6b27ee291297d1923979e603e8372d7261bc0531a0b804c6d7719da2c7e555

SHA512
c48432e91b9bc31f99ec259c60c7f51473cda32983bcad680a62b89e110fb6336c769e3892415ae015deee0dabf38e006da1d893960a54b29d200f4353bae533

Download Submit
\Windows\SysWOW64\Ikldqile.exe

Filesize
217KB

MD5
b58175502e9ee9879a1ae0ffe58ca1c5

SHA1
01faeacbb7dd16cee05aa15d10bdb1dbd83bef93

SHA256
b511a7d0e950120f39eff76851fcefaa90ef3192e705173b1b76227035007bb1

SHA512
4ec8e173018f6b8bb21e611db6e17da7c7a94d52f218af3e5c17e947d86eb840bd37f99e0ff9702322ed30defe985ad1c4a4bc88d086908130e0a3250ddca383

Download Submit
\Windows\SysWOW64\Ikqnlh32.exe

Filesize
217KB

MD5
e3192dfbbb042f5d0adfe77076863a2c

SHA1
7945e238b5c393e4f21082675e380ee5ca379c98

SHA256
d990ef6e9ea8152ea5ce359b038740c29d6e9595d08c0c089134433493b61914

SHA512
ee738a3f4cb6b5d86670be1893e3c585d11f12611a587e2842015127a21a52657f30972a352c0dd00d072c6deb26c4098770a5974a6e732680aaf7b8901f6e9b

Download Submit
\Windows\SysWOW64\Imbjcpnn.exe

Filesize
217KB

MD5
e62e9c86a095e3d956513742a06bf14a

SHA1
eb775fd947a05dc3c35c6c3bc68807ae501e1013

SHA256
7e4587ccae6dc082b2dfd188406c70d3cb5082a989c1eeaeb8edd58e55808ad9

SHA512
04cb592b2549a675f52b384797cb35857e355f38693c4e63c0517f1f3c0cceb83afcc88ea27aee1f28f532599b5f084acb96ec28a060b76a68314d9f49aeee96

Download Submit
\Windows\SysWOW64\Jfjolf32.exe

Filesize
217KB

MD5
137cc3f092a67996f9f0920025a5f285

SHA1
4b3961c6d81e0f53bbfc1316944463ea43794a47

SHA256
297f6679e5bb3cb6107abcf3620dab7dd9147a7248795ce3b6caf825048f6dd2

SHA512
07bc28bd67cd053ca37eb1aee26b99b5bc4cbac1647608dfac91d29218e7adc3cb4aa31b4599470ff4fe62b4a6edc227da22226187e240e595c685681d71b114

Download Submit
memory/648-374-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/648-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-378-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1000-425-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1000-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-424-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1092-221-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/1092-213-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/1092-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-149-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1144-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-657-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-205-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1524-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-269-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1632-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1656-290-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1656-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-402-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1684-702-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-412-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1684-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-681-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-130-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1720-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-185-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1788-259-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1788-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-249-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2036-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-227-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2160-390-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2160-699-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-662-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-652-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-445-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2256-661-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-301-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-459-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2328-461-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2328-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-701-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-658-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-656-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-12-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2496-399-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2496-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-13-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2500-237-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/2504-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-437-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2532-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-67-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2540-418-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2540-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-366-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2552-367-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2552-672-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-345-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2560-673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-344-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2580-356-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2580-355-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2580-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-75-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2584-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-47-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2620-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-102-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2628-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-333-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2656-334-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2656-678-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-322-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2684-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-323-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2756-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-311-0x0000000000370000-0x00000000003A4000-memory.dmp

Filesize
208KB

Download
memory/2756-312-0x0000000000370000-0x00000000003A4000-memory.dmp

Filesize
208KB

Download
memory/2768-164-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2768-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-157-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2788-653-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-654-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-695-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-436-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2924-279-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2924-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-460-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2940-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-93-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads