berbew | 4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Size

88KB
MD5

4a49577c33f65d898bf4c8d6a7e76376
SHA1

e16986c4c8fa0b370811a880a9ca105984c50afd
SHA256

4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b
SHA512

da1c48cd2dceda62e10c67460cb3f57bcb0597f54acdb11e8728c6cca0bc37de9b66e695e3c8a981f7c4dfc4412af434814ff861fe970403165a9157923c286d
SSDEEP

1536:z+TcHXJYWEQXrzlkANsd6C2ivPF/xLtneReyHf6oA/DbO+xn:CaXJYWEQb2AM7NrMGDbO+1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llqjbhdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3148	Ilkoim32.exe
2476	Iojkeh32.exe
4988	Iahgad32.exe
1312	Ilnlom32.exe
4660	Iolhkh32.exe
924	Ihdldn32.exe
3048	Iondqhpl.exe
840	Iamamcop.exe
4192	Jhgiim32.exe
4276	Jpnakk32.exe
2256	Jekjcaef.exe
864	Jhifomdj.exe
2700	Jocnlg32.exe
1344	Jemfhacc.exe
4388	Jhkbdmbg.exe
216	Jpbjfjci.exe
3760	Jadgnb32.exe
5108	Jlikkkhn.exe
1104	Jafdcbge.exe
4996	Jhplpl32.exe
4872	Jpgdai32.exe
2428	Jbepme32.exe
2268	Kiphjo32.exe
4944	Kpiqfima.exe
2144	Kibeoo32.exe
3716	Klpakj32.exe
1276	Kamjda32.exe
3596	Khgbqkhj.exe
2872	Kcmfnd32.exe
4604	Kekbjo32.exe
4304	Klekfinp.exe
4892	Kcoccc32.exe
5104	Kiikpnmj.exe
1308	Klggli32.exe
1208	Kcapicdj.exe
3608	Lepleocn.exe
696	Lhnhajba.exe
4708	Lljdai32.exe
3180	Lohqnd32.exe
2160	Lafmjp32.exe
4072	Lindkm32.exe
232	Lhqefjpo.exe
4188	Laiipofp.exe
3208	Ledepn32.exe
1724	Lpjjmg32.exe
2116	Lchfib32.exe
400	Ljbnfleo.exe
4912	Llqjbhdc.exe
1472	Lckboblp.exe
2588	Ljdkll32.exe
3248	Lhgkgijg.exe
3632	Lcmodajm.exe
3136	Mjggal32.exe
4540	Modpib32.exe
596	Mjidgkog.exe
1948	Mpclce32.exe
2724	Mfpell32.exe
4624	Mohidbkl.exe
4048	Mqhfoebo.exe
4732	Mbibfm32.exe
4572	Mhckcgpj.exe
1708	Mqjbddpl.exe
1988	Nblolm32.exe
4492	Nhegig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pmhbqbae.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Jhgiim32.exe	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Kiikpnmj.exe	Kcoccc32.exe
File created	C:\Windows\SysWOW64\Lhnhajba.exe	Lepleocn.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Mfpell32.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ofegni32.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Oflmnh32.exe
File created	C:\Windows\SysWOW64\Ojgljk32.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Apjfbb32.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Imqpnq32.dll	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Cnokmj32.dll	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Hcmhel32.dll	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Inmdohhp.dll	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Fpenlneh.dll	Nfldgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ilnlom32.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Ipdbmgdb.dll	Lckboblp.exe
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Pblajhje.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Mjidgkog.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Hcoejf32.dll	Mjidgkog.exe
File opened for modification	C:\Windows\SysWOW64\Oflmnh32.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jpgdai32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Noblkqca.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Kamjda32.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Kcapicdj.exe	Klggli32.exe
File created	C:\Windows\SysWOW64\Fegbnohh.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Nqaiecjd.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Hpoejj32.dll	Ojemig32.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Ocnabm32.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Deaiemli.dll	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Jpnakk32.exe	Jhgiim32.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lohqnd32.exe
File created	C:\Windows\SysWOW64\Mpclce32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Mohidbkl.exe	Mfpell32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5244	6140	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iolhkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhifomdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljdkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgiim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmfnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooibkpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhplpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhajba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbnlaldg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqaiecjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgdai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnlom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadgnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klggli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledepn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocnlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiikpnmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqoefand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljdai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbeml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgkan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojcpdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamamcop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcapicdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lindkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padnaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iojkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnakk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhijd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll"	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll"	Llqjbhdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klggli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphpicg.dll"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejqcdo.dll"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpakj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3148	4380	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe	85
PID 4380 wrote to memory of 3148	4380	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe	85
PID 4380 wrote to memory of 3148	4380	4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe	85
PID 3148 wrote to memory of 2476	3148	Ilkoim32.exe	86
PID 3148 wrote to memory of 2476	3148	Ilkoim32.exe	86
PID 3148 wrote to memory of 2476	3148	Ilkoim32.exe	86
PID 2476 wrote to memory of 4988	2476	Iojkeh32.exe	87
PID 2476 wrote to memory of 4988	2476	Iojkeh32.exe	87
PID 2476 wrote to memory of 4988	2476	Iojkeh32.exe	87
PID 4988 wrote to memory of 1312	4988	Iahgad32.exe	89
PID 4988 wrote to memory of 1312	4988	Iahgad32.exe	89
PID 4988 wrote to memory of 1312	4988	Iahgad32.exe	89
PID 1312 wrote to memory of 4660	1312	Ilnlom32.exe	90
PID 1312 wrote to memory of 4660	1312	Ilnlom32.exe	90
PID 1312 wrote to memory of 4660	1312	Ilnlom32.exe	90
PID 4660 wrote to memory of 924	4660	Iolhkh32.exe	91
PID 4660 wrote to memory of 924	4660	Iolhkh32.exe	91
PID 4660 wrote to memory of 924	4660	Iolhkh32.exe	91
PID 924 wrote to memory of 3048	924	Ihdldn32.exe	92
PID 924 wrote to memory of 3048	924	Ihdldn32.exe	92
PID 924 wrote to memory of 3048	924	Ihdldn32.exe	92
PID 3048 wrote to memory of 840	3048	Iondqhpl.exe	93
PID 3048 wrote to memory of 840	3048	Iondqhpl.exe	93
PID 3048 wrote to memory of 840	3048	Iondqhpl.exe	93
PID 840 wrote to memory of 4192	840	Iamamcop.exe	94
PID 840 wrote to memory of 4192	840	Iamamcop.exe	94
PID 840 wrote to memory of 4192	840	Iamamcop.exe	94
PID 4192 wrote to memory of 4276	4192	Jhgiim32.exe	95
PID 4192 wrote to memory of 4276	4192	Jhgiim32.exe	95
PID 4192 wrote to memory of 4276	4192	Jhgiim32.exe	95
PID 4276 wrote to memory of 2256	4276	Jpnakk32.exe	96
PID 4276 wrote to memory of 2256	4276	Jpnakk32.exe	96
PID 4276 wrote to memory of 2256	4276	Jpnakk32.exe	96
PID 2256 wrote to memory of 864	2256	Jekjcaef.exe	97
PID 2256 wrote to memory of 864	2256	Jekjcaef.exe	97
PID 2256 wrote to memory of 864	2256	Jekjcaef.exe	97
PID 864 wrote to memory of 2700	864	Jhifomdj.exe	98
PID 864 wrote to memory of 2700	864	Jhifomdj.exe	98
PID 864 wrote to memory of 2700	864	Jhifomdj.exe	98
PID 2700 wrote to memory of 1344	2700	Jocnlg32.exe	99
PID 2700 wrote to memory of 1344	2700	Jocnlg32.exe	99
PID 2700 wrote to memory of 1344	2700	Jocnlg32.exe	99
PID 1344 wrote to memory of 4388	1344	Jemfhacc.exe	100
PID 1344 wrote to memory of 4388	1344	Jemfhacc.exe	100
PID 1344 wrote to memory of 4388	1344	Jemfhacc.exe	100
PID 4388 wrote to memory of 216	4388	Jhkbdmbg.exe	101
PID 4388 wrote to memory of 216	4388	Jhkbdmbg.exe	101
PID 4388 wrote to memory of 216	4388	Jhkbdmbg.exe	101
PID 216 wrote to memory of 3760	216	Jpbjfjci.exe	102
PID 216 wrote to memory of 3760	216	Jpbjfjci.exe	102
PID 216 wrote to memory of 3760	216	Jpbjfjci.exe	102
PID 3760 wrote to memory of 5108	3760	Jadgnb32.exe	103
PID 3760 wrote to memory of 5108	3760	Jadgnb32.exe	103
PID 3760 wrote to memory of 5108	3760	Jadgnb32.exe	103
PID 5108 wrote to memory of 1104	5108	Jlikkkhn.exe	104
PID 5108 wrote to memory of 1104	5108	Jlikkkhn.exe	104
PID 5108 wrote to memory of 1104	5108	Jlikkkhn.exe	104
PID 1104 wrote to memory of 4996	1104	Jafdcbge.exe	105
PID 1104 wrote to memory of 4996	1104	Jafdcbge.exe	105
PID 1104 wrote to memory of 4996	1104	Jafdcbge.exe	105
PID 4996 wrote to memory of 4872	4996	Jhplpl32.exe	106
PID 4996 wrote to memory of 4872	4996	Jhplpl32.exe	106
PID 4996 wrote to memory of 4872	4996	Jhplpl32.exe	106
PID 4872 wrote to memory of 2428	4872	Jpgdai32.exe	108

C:\Users\Admin\AppData\Local\Temp\4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe
"C:\Users\Admin\AppData\Local\Temp\4186a9bd1c81e334981da9206ca78b7e706f5dcfcce5e7bb79e627d1a856911b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\Ilkoim32.exe
  C:\Windows\system32\Ilkoim32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\Iojkeh32.exe
    C:\Windows\system32\Iojkeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Iahgad32.exe
      C:\Windows\system32\Iahgad32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        26⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        54⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        65⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2960
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3952
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        87⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        98⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        99⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        104⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        112⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 412
        113⤵
        Program crash
        
        PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6140 -ip 6140
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iahgad32.exe

Filesize
88KB

MD5
f45e5efb57ad47aee135a32214fd1fe6

SHA1
f69ada42d70f7928223e1bb9c32f22c416973881

SHA256
32fa945d02ed580ed5337c7a8aeacae85adc56dd1f861a1765fd920b55a785ff

SHA512
8848b81c60ee26ba8b21d5167ed6ce432a99ee11dea23ccdee12d36835957dd53f1c07695c4fe48d56d636880977dd7df2cade87e51b0f1b351c55f069ac59d0

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
88KB

MD5
add1ee3f6803a76780e20adc551f89da

SHA1
4c4fafab9a5d0b64b76d7985d513c809ff2af38a

SHA256
b13ac2f8ec5d8c09aef99a030d307af14a2cadf7d10091abdd6cc487e193e87c

SHA512
bcd62e65a32bb145a71cd6fa22a6685cbd3ac6af294ed4ea220cc8acecae7f6daed201dddd7c56c3bc8974f3055797029b3b41474f1872bb7fa75532eaf1005d

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
88KB

MD5
ba72a7719a99df1610cbbad4c225ac24

SHA1
6f9b37543e607fe0876a968637fa612c18b7c13e

SHA256
0a87d308303f54e6e1f2aa13427bedd36305bc442cc841823fc20b220b07bebf

SHA512
c67da9eb18cf98d35ff9a0712430b5a00dfbc6b4140cfe3f5990d2ce20690a52a66822fc364ce064e8e37ef6fbcc7b16b2577288e30090de8d3a48d23c3e405d

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
88KB

MD5
3ad29dbdd275da88fd57330221864eae

SHA1
b52e041b025702d9e8676a4736d8533de22a038d

SHA256
52078c4f14fa8bde77d5106b373c207454e63e3c9b74f8c8f9b844301e1faf03

SHA512
932c4ca6e099da66629a52d7f9c61c2f18099f456f65c7434ba8bbdbaf5c5090438501f1b879e79acd53aa5df296ac70777707d6e22d89a9a49fa397adc4a365

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
88KB

MD5
9835551756fa17dc0bd4f83bbfee4217

SHA1
a013aa36cec47cd49bd7ea6b5483845912271a7b

SHA256
d3a1a6da0feb0cde23577fdeceb8814483208594f8fb4f4aac22190fde090e0e

SHA512
dbd8e6f75556f5028ad4959b536aa28aa99eecdfb0e15ea4be4a96823e0a4927543bfe805ad863d322b48acf8b10a14a80b225d5fed96f7a5a6646a0d9c4acd0

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
88KB

MD5
58a9d6a16eef04b20f92d05a5382a14f

SHA1
9d3862d9ed59a13c951c77f18656ab14b8ad62aa

SHA256
b4468885fd55131593b4731638db4ac9e24069e0d21a20101ae3f8d9eee1627a

SHA512
902835fd499d8436377d85959f7953fb40f3053a57be4340ebbecf35aa25ff5faba486f21f9c73011a5aedfd04618cee647ea01fafe1c8261efcb0084f233630

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
88KB

MD5
9ee62c3ec480177617a909b89453f8d8

SHA1
aff308b06d5040e042ddf528d8648401ebf7ae8e

SHA256
c3cc5d4687abdb6eba6cf11e83d75740e6e6ddd21befe355e86c7e0c3f77c420

SHA512
99058439db5095b107e91e59d100fe626cdffe982c2d7b98b89ffa7e4094a917136535bad484828ef62c4d0cf951e74197d931d16b93f191bb06430405991a33

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
88KB

MD5
2d97fbaa439cb31be1722a53605cd119

SHA1
676cbe8fc71df6ebbf82f3215831033927062cb9

SHA256
06b8a61d11ad0a6b4192c0b6a3bbf025d3a9a3c491716ecde3bb47cb3401ea13

SHA512
7fdbb8140c1098cebfeb0950c6a564a95d6b3bfe7442af332e528fe5b33b972bb796eb79134059c50c55dcd09e02dadc23dfaebdd886f484f4d2d9bcc0f3ee75

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
88KB

MD5
a0dd883d07f6da8913393f75f65fc6b7

SHA1
fa04404d72b314cd18945d0c5ce635ec8061739e

SHA256
6d31d29addb86177c0805517a99329758877397becf63a82b1a32832fd6bd4aa

SHA512
525892f6f9bf5e7cdc223558bb0163f4f66a8ba16485598ff06ba6951bf84ecf01a149e78af65ca46ae7ffbebd3fd88445ca1c90e78e57aaf60ecbbfb6a9db2c

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
88KB

MD5
1a41444131975a49f4c3a6007d1cd2a4

SHA1
5e3483000530224bfc88830cc966f82dfcd55398

SHA256
a93c698b6fc90a92ff8174ae7ac6b40a4b8defe7b1e8c9386be2a0935a1d42b3

SHA512
609e9d888c058b693675536e68035a636b095ca427ff73b5b1afe4e491cfccfdb8277f82a01cd4b5c3d4a694dad776e6f1ce17b44a5b3c4749d27bfb9451c073

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
88KB

MD5
e8ded0cc0fa175c4035661e0628bd9d1

SHA1
f12613a7dbff886f13fcc0622b15f53f705a6d6b

SHA256
ba0f6d80c8bca31539570a1cecc0dbe9987fa271fb19021fb162165d529ce1b8

SHA512
c78b2476f77eb37df6646f4db11f20a547228e172d92e137e1d8a8f41e80ecd463961a4e539d0fb5a5ae36af85f8de13e6b6c4642e776710b2f640fa935077c3

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
88KB

MD5
1732549599a73dffb09f665dda0f9212

SHA1
746eadf7b2e2c13be5196da609501b1241656f6c

SHA256
6b5a133f5fdb5f6eb70ef007dbe6b13b5fa2fd51e40768f926599e6094a1d103

SHA512
9e57266c06895cfc4f18bef0209485f23b3d3e850b6fd280514aca264a076e012adec7a22096eee66b9fd8d4c36a9803d5c0a7a7da058ccc3843155ea46d509d

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
88KB

MD5
1396f5431081c7a8141b8ddec7fd0e4e

SHA1
9d625ebf49f28a8a288d030c56ec4d892d3d8bd2

SHA256
ab09ac469f3a2304a880acf6c2725d25e21f3b7840b7411d08d73515fbc0ee3a

SHA512
1efc38217b671278fab1aa3e671826cf7c1340b1b76e54d592845bacdeeddced7b9cc24a25cdaab64ba1797e17219282baad231e186c623b957464c4385e98d7

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
88KB

MD5
4cee1f51e9414bbd3157ccf805bba256

SHA1
6c27d475dcdaae6b909643cc479191d77c53539f

SHA256
c24ed91676c22bb6b3b351b52528372c1757e19f6c1461ae9dbc3afae3ed7659

SHA512
a020d341dc0905b0aa30fc9c145c79a812e2cfb7d3b62285bff4a367af56c70d6fe357966e70a400636be85fe00d5e69abac1b28e1e9c11644936c76316b15e9

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
88KB

MD5
73dd86f459e2a7ed5e215d5d3874d2f7

SHA1
10decd9a946134344c4eb5e73707c33a65ab0b53

SHA256
2f5829b7fcddcf0edb9b1a5cfeb310c8a770653d99e4405bdb4f8e17ea8b4e69

SHA512
e8abda0bdbaad5b65b5ed94cdbc385cd8a8d28ee1fa7e7f53ca59c335ca5996bba8fb01bc7ab6d560673713fc3b4c45fa4d5996e3d5dfa4bba28389f74f939fc

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
88KB

MD5
1fb9152a25afcb20e6a9e775486dc8b5

SHA1
d979126d733915157ae23bf5b2414ae81ae4f4e1

SHA256
2a8cda2c7cc85bfc252b33474e3394c47d0eec809b54bf96e4be6d0d9b140b4e

SHA512
dc4a60265e701875d508bab19e8e450fc15e3b2656a5b58c9bc0b8125a526a9626cd924e00086c75e74bd78996fcfdbcb2057ef1a6601f92a4de14e28f26d3a3

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
88KB

MD5
b02041bea0ba49149416bf4a0f2e177d

SHA1
9187942127e3d945a5129cba86a4fea7c5b66963

SHA256
1a00ee3c5ff8119be6325e9a8c47246b7668535270e1fcd56576acad821a3531

SHA512
70e2d40cbeb34b6b3ace531ef102d6019356845ddd1f75e8d82d6a3c14dc70f28c1b46270b85bb63124f696e8411658ba949451f1f72ea4ada75390b3374775d

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
88KB

MD5
7fe84bf70ce4b8b128bce15bab9f6833

SHA1
0092b16d4eb4b7bf485dbd4648725d54fcfa9650

SHA256
a89e3eba3982eef14f5dc73e9589b2fcd5d3c15073b23c20e5a7b78406e670b4

SHA512
e5ae8454370c1e9570a53e538e4a2973e61549ab6da9b2d8983e370e9cc807e3ecd666dc28afca8486291b7f22425e39ae147a0c718321d3e2337d40fb4d270c

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
88KB

MD5
45754f60e45ff16cdaf3726e04660584

SHA1
1048372f2b393d74e44e22a398f00e4a250f684f

SHA256
c15845f7f392173daa9e41749805f4de3de58119ade68a28a4f5a04c02eb91c8

SHA512
28973283b64d9fa34da98a2c30c6a9f97274c2177b796a12984867ab6cf2f3875183951905196d8dee4ed0adb72e0bb4a4595cf7cb2b70ce74261c630a492f0f

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
88KB

MD5
a5a90619fc74a59039b41775894667e6

SHA1
7d654a59213895734610a533a60f94e46f2efdb4

SHA256
15114f72978dfa4a5147d89e8d609660e98b6f9b828906af43e440edaa3a1650

SHA512
e3205fff334a340dc0c8779068f4ee59ea4aa8d14065b60906d7fe7dc7a953ef0c45c6c5f1b98f5505389df88cabd1fc0f33e9e38da01453187b70f404959157

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
88KB

MD5
1f5f86ce1119c32a7cb38407539d9c2a

SHA1
02dc4fd7245be78b408204c74a6d4d3dc5ab4706

SHA256
eff9ef2d67f41e7c240774fb451588ca7c54bd4f154c0bf09f75009a032f199c

SHA512
e87fc1c6886f5acc3e441ab918eee1a201d8220d15b1f025f86e2a571d124dca9d2a9c62441729c24d1fadf06d28a2d3301e7a77564293ed67374997748c8019

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
88KB

MD5
0dcdaa2d9583508c2cc268ab302d84a5

SHA1
9cc10f0d5c24f73a5c616163e6b7748dd7e111db

SHA256
b99b1a67635080efc608ffd5da52d7f7f2e9ad036012084fd77e8cd471688b17

SHA512
22e8b94709f19494642cf278dc07b3a692619f544880e5f3cbc07a76dfffd4ae91fb4ab5cf16b1ed90d3abf2e1e968d98e95024e73348343c10ec6fc339aeb63

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
88KB

MD5
5e1686c8559c8d99a4203b5a71bdbcc0

SHA1
6db63bf4758e1c053eb9968a2d19ef7b148c4a4e

SHA256
75b4e952b5fce872f3b8fa7a3bdbdd8cea2a46f1009e7b9d9df27430b02b30f7

SHA512
f6fdffacc37056cf88712b8f1b94f9cb4d9697f12d27c308629735085ac915b2623694f4d168886eb681584dbd9a64062083e6d6437cfdbc70b1df8f53ceff13

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
88KB

MD5
11986791dbce4684829b786b116d96e2

SHA1
5c17dbe284cff67fa6badcaa17c8b5b49d4a4d7f

SHA256
5dbaa944f0c634c955c15f11edd915cfe5f83b4f1f0a49945f8a2c0a336d95ce

SHA512
e0958d710cef0a9aeb0e5135e1ba6fc0be24a3fdc7acc2f66d9db86085b920fa778c682f1fcd24240d47674c29ce086aaa079b9f0dd3b74e27cd4bb6fb00de91

Download Submit
C:\Windows\SysWOW64\Kcmfnd32.exe

Filesize
88KB

MD5
c6cee1293c466dcec778a94220fdee13

SHA1
2337f75f3d37b1a13b5aea01e0eeaff33c9d398b

SHA256
d2f1da69aeddb896331bfa9b95ac006dcec1139532821f8e6b63f6485a186e18

SHA512
3be977d6219f3a2402601986e8055a89e5a452779bdfb060fe60f86b4933bda1163ebe4a58f671cde21385fc48968c744bdce8c67ee043719b78977aca07b12d

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
88KB

MD5
8615e72908558764c3e3a32f21f39d38

SHA1
ea7eb37d93c1895141de3425a6e5e15704ff50a1

SHA256
b5762e51c841df28145de14144628d65cc13706b18c417dd921a6cc56a03412e

SHA512
bad851c17f0b06dff9d63c3cfc6b5fea1db82835ef359f0e3052cc93475903eccceb5ee89b8f22a97891d6f7281d9773c62d4a5f37dd7c7aeeb4f44be8c5f110

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
88KB

MD5
e64123eec7617b17fdfbad04b9a18fd6

SHA1
f415adfbf936b2ff55c6ab9719b2864ee6b054aa

SHA256
0a26ea650091f60d7d76d4aa6b6659fa7212ae9bf84c299493caf98b2b5e326b

SHA512
96ee71655635d6338af97900d335c46735acb31fe33a7ccc7b3e2653b7f74b63e01f330352564fb89284a8af5bf171f46a5ca39d790e18c7123f579743a549f0

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
88KB

MD5
5962e7bd90827f4f747f377eba81459f

SHA1
5d26d24a54a7c4bd00a18373ef62eb0ff0299455

SHA256
55e97c54aefec9f4a128ab956fca6086bb5da5aa0f74652f1c85312e7200d3fc

SHA512
aad2f8915924e1dbb8a48a0a55eed87104abe7a9daf5a3a2ab341c1a52433275e18ae4b34c30bfa9928e06782301f2a9e6692e87d6f23df29d22d4104695e56f

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
88KB

MD5
7a2b152188c47d14756bab9818b16043

SHA1
1dfe67a24a17cde966ee1b937609cbd877551b62

SHA256
930da286072433206449e929dc7bb921b93931790bd83ab54f894e309618ed81

SHA512
cba562cd4b86aea05e8485e77b846db53666979242cf09ed1c6f2cbfa032d54f12223416333cf2e808b0d8cdae4982a367f9cccae97344bc842e7bcd97a6894b

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
88KB

MD5
3ecf75087e0567247a21c0153e71a9b9

SHA1
2d232a6c42264635899f1d52dfba72909002749d

SHA256
1d3c29d73b29524491c2833e9aeb11bd8538f4a080e4b3802878399657d021b5

SHA512
35d2e071fc2af0e9ef4ed1f07d8e136a4759c65820dde8dbdf045bc4a899a35b2d30989c9849543892f2e370f0d4dd51af2115877f5ba7783916659bcba0c8f2

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
88KB

MD5
fe9abdcea2c0ed0f7b948d36c6a33bd6

SHA1
afb24b5af552f8adcb1c047bbfc0bfb114d7dde9

SHA256
e1a5b6a1a89970bd8fc512a9b7288ad20b43a325ce35f5dacb78d6a3c480e0bd

SHA512
f2a9287ca7b3759c78d2977d70fa02ec8aa7f94d231f74cb75aa6a72083794fc5727a42f6efd9373e2e8fe7a3bb149b0dac96a989741ed24364d1bcf16e29b49

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
88KB

MD5
a8306bb912c990bb80c3698ae71e8c5a

SHA1
c998ff01697e785555002d453ab7efdd50226335

SHA256
41475defe95076db210b7e4cde47e3523dcc31bec696a2886e8e244a7314919c

SHA512
ff4c12deaac9fa95caea78223eed0a8dbe0f7f117a8a5e9524003ac7b5ee085adbb37be259e6e40a8916992c58b223208fe660d7fcb50f1df2fa31a32fc912d2

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
88KB

MD5
abf2670ac14765b64006b1d1c1d6afd1

SHA1
f5afb294085a1f2180902d57badbe02f1960ec08

SHA256
54846b9e3586225f51c58331746afb908782b1a444caf1318e51664c136539ee

SHA512
90c682fffec493abb5d94434368e132f3c2b58adf02e933541c1119ddacc9378ca0b25f9a71773ccd769da49875899de15d0d5052e7f90655fa6c2981472ff57

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
88KB

MD5
567529c03d87379cd31986097ca08078

SHA1
ef82feb18a5347901f1da93aefbac7852290bedd

SHA256
401c6eb601ba4350cf632a09f5e86d0140c20cea8e1155c6c581b151767ca86f

SHA512
b1eeb2839684ef68918dd8cb0e0abbb8b2f175fd4671044f9be512c4440af9ea6e06461a00ea243d755495857748fc62659e140e14ef69176c29988b7479b7c2

Download Submit
C:\Windows\SysWOW64\Pblajhje.exe

Filesize
88KB

MD5
7d2986ba3b9e192f8947b825b1c4bcba

SHA1
c5f06992b44c50709f7e39f4167b932c00673a93

SHA256
5cd16eaa7caf4e5da93a2f1440a0f78ffd6fcb2895ae364be382cdde1e1e914c

SHA512
73222ef59fc1f39141709328bd9cced36f8fc54e18483d1b01351f898a7b99058d2735dada1e3598a6e57393cea9f6863896c74c174cb94d888346bf87b75588

Download Submit
C:\Windows\SysWOW64\Qgiiak32.dll

Filesize
7KB

MD5
601211874d36493e162ba3bf24b3e9b1

SHA1
cbec888296c5bbec164e73743a5042de9288cede

SHA256
4a8b0c04366fbbf9fe4f32779e772cbada0d509619a14c51d47499d72f6afb9f

SHA512
4de5334d744b6c22fea1a6c20758c868c2144a3ca5ac6ee66c2bc9c887e5f992cb75b67610f1298fb888493b7717a2759f0407e8bc5e88ae0a31cf620673f44c

Download Submit
memory/216-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/220-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/232-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/596-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-599-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/924-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/924-585-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1276-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1308-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1312-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1312-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1724-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1988-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2116-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2428-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2476-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2724-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-592-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3180-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3248-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3448-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3548-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3608-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3652-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3716-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3760-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4152-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4188-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4192-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4200-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4388-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4492-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4540-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4708-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4732-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4872-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5084-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5104-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads