berbew | 61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Size

704KB
MD5

1513148074c14bae4004cc3cf45996ab
SHA1

21165a43f657ea9ca7860980888748d083b452f6
SHA256

61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d
SHA512

47884ea8729175865650aeb1c4423dbc0ef1edef195245fae89068d7d16823110314bdbd739633004da2a1b69657e653c3d1db40b945d2c132d14d5f8dd235ed
SSDEEP

12288:CqLOrkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6Ir:8gsaDZgQjGkwlksd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggapbcne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Honnki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbdleol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoebgcol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglbfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbofmcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Colpld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoebgcol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpcehcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdkjdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdkef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimoiopk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggapbcne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Colpld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgiaefgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcdkef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gglbfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Honnki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooembgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihfnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnfkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdkjdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dboeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 53 IoCs

pid	Process
2752	Colpld32.exe
3040	Dgiaefgg.exe
2408	Dboeco32.exe
2552	Dcdkef32.exe
2972	Dhbdleol.exe
2180	Emaijk32.exe
2188	Eoebgcol.exe
2008	Ebckmaec.exe
2836	Ehpcehcj.exe
1624	Fooembgb.exe
1424	Fihfnp32.exe
2172	Fimoiopk.exe
3064	Ggapbcne.exe
2912	Gdkjdl32.exe
1592	Gglbfg32.exe
2896	Gnfkba32.exe
1804	Hnhgha32.exe
2032	Honnki32.exe
2392	Hgeelf32.exe
2920	Hifbdnbi.exe
1716	Hbofmcij.exe
1184	Hjfnnajl.exe
2828	Icncgf32.exe
1464	Ibcphc32.exe
1732	Iebldo32.exe
2880	Ikldqile.exe
2792	Iaimipjl.exe
2144	Iipejmko.exe
2596	Ijcngenj.exe
2588	Imbjcpnn.exe
1828	Jggoqimd.exe
1976	Jgjkfi32.exe
1936	Jfmkbebl.exe
1396	Jjjdhc32.exe
1744	Jbfilffm.exe
624	Jlnmel32.exe
2252	Jnmiag32.exe
3016	Jnofgg32.exe
3012	Kbjbge32.exe
444	Klcgpkhh.exe
2928	Koaclfgl.exe
1672	Khjgel32.exe
2508	Kjhcag32.exe
2016	Kocpbfei.exe
564	Kenhopmf.exe
2060	Koflgf32.exe
3024	Kadica32.exe
876	Kkmmlgik.exe
308	Kmkihbho.exe
2332	Kdeaelok.exe
2788	Libjncnc.exe
2592	Lplbjm32.exe
2152	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
2752	Colpld32.exe
2752	Colpld32.exe
3040	Dgiaefgg.exe
3040	Dgiaefgg.exe
2408	Dboeco32.exe
2408	Dboeco32.exe
2552	Dcdkef32.exe
2552	Dcdkef32.exe
2972	Dhbdleol.exe
2972	Dhbdleol.exe
2180	Emaijk32.exe
2180	Emaijk32.exe
2188	Eoebgcol.exe
2188	Eoebgcol.exe
2008	Ebckmaec.exe
2008	Ebckmaec.exe
2836	Ehpcehcj.exe
2836	Ehpcehcj.exe
1624	Fooembgb.exe
1624	Fooembgb.exe
1424	Fihfnp32.exe
1424	Fihfnp32.exe
2172	Fimoiopk.exe
2172	Fimoiopk.exe
3064	Ggapbcne.exe
3064	Ggapbcne.exe
2912	Gdkjdl32.exe
2912	Gdkjdl32.exe
1592	Gglbfg32.exe
1592	Gglbfg32.exe
2896	Gnfkba32.exe
2896	Gnfkba32.exe
1804	Hnhgha32.exe
1804	Hnhgha32.exe
2032	Honnki32.exe
2032	Honnki32.exe
2392	Hgeelf32.exe
2392	Hgeelf32.exe
2920	Hifbdnbi.exe
2920	Hifbdnbi.exe
1716	Hbofmcij.exe
1716	Hbofmcij.exe
1184	Hjfnnajl.exe
1184	Hjfnnajl.exe
2828	Icncgf32.exe
2828	Icncgf32.exe
1464	Ibcphc32.exe
1464	Ibcphc32.exe
1732	Iebldo32.exe
1732	Iebldo32.exe
2880	Ikldqile.exe
2880	Ikldqile.exe
2792	Iaimipjl.exe
2792	Iaimipjl.exe
2144	Iipejmko.exe
2144	Iipejmko.exe
2596	Ijcngenj.exe
2596	Ijcngenj.exe
2588	Imbjcpnn.exe
2588	Imbjcpnn.exe
1828	Jggoqimd.exe
1828	Jggoqimd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbonaedo.dll	Hnhgha32.exe
File created	C:\Windows\SysWOW64\Chpmbe32.dll	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Jggoqimd.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Dboeco32.exe	Dgiaefgg.exe
File created	C:\Windows\SysWOW64\Fooembgb.exe	Ehpcehcj.exe
File created	C:\Windows\SysWOW64\Mpbclcja.dll	Ehpcehcj.exe
File created	C:\Windows\SysWOW64\Plcpehgf.dll	Fihfnp32.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Pbkboega.dll	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Dcdkef32.exe	Dboeco32.exe
File created	C:\Windows\SysWOW64\Blghgj32.dll	Ebckmaec.exe
File created	C:\Windows\SysWOW64\Fihfnp32.exe	Fooembgb.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lhkbmo32.dll	Dboeco32.exe
File created	C:\Windows\SysWOW64\Eoebgcol.exe	Emaijk32.exe
File created	C:\Windows\SysWOW64\Diodocki.dll	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Dgiaefgg.exe	Colpld32.exe
File opened for modification	C:\Windows\SysWOW64\Dgiaefgg.exe	Colpld32.exe
File created	C:\Windows\SysWOW64\Bnnjlmid.dll	Dgiaefgg.exe
File opened for modification	C:\Windows\SysWOW64\Fihfnp32.exe	Fooembgb.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hjfnnajl.exe
File opened for modification	C:\Windows\SysWOW64\Iaimipjl.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Jlnmel32.exe	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Fooembgb.exe	Ehpcehcj.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jjmfenoo.dll	Fimoiopk.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	Hgeelf32.exe
File created	C:\Windows\SysWOW64\Hjfnnajl.exe	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Ibcphc32.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Gglbfg32.exe	Gdkjdl32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfnnajl.exe	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Iaimipjl.exe
File created	C:\Windows\SysWOW64\Keppajog.dll	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Klcgpkhh.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Gdkjdl32.exe	Ggapbcne.exe
File opened for modification	C:\Windows\SysWOW64\Hifbdnbi.exe	Hgeelf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Pkbnjifp.dll	Gglbfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hgeelf32.exe	Honnki32.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Dboeco32.exe	Dgiaefgg.exe
File created	C:\Windows\SysWOW64\Glcgij32.dll	Dhbdleol.exe
File created	C:\Windows\SysWOW64\Ebckmaec.exe	Eoebgcol.exe
File created	C:\Windows\SysWOW64\Ggapbcne.exe	Fimoiopk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	2152	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimoiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaimipjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboeco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbdleol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebckmaec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Colpld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehpcehcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggapbcne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emaijk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdkjdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooembgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcdkef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fihfnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglbfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgiaefgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoebgcol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbdleol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gglbfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Colpld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll"	Fimoiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Honnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll"	Fooembgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll"	Fihfnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgacn32.dll"	Colpld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll"	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgiaefgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhbdleol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggapbcne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehpcehcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll"	Gglbfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Colpld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdkjdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kadica32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2752	2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	30
PID 2156 wrote to memory of 2752	2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	30
PID 2156 wrote to memory of 2752	2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	30
PID 2156 wrote to memory of 2752	2156	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	30
PID 2752 wrote to memory of 3040	2752	Colpld32.exe	31
PID 2752 wrote to memory of 3040	2752	Colpld32.exe	31
PID 2752 wrote to memory of 3040	2752	Colpld32.exe	31
PID 2752 wrote to memory of 3040	2752	Colpld32.exe	31
PID 3040 wrote to memory of 2408	3040	Dgiaefgg.exe	32
PID 3040 wrote to memory of 2408	3040	Dgiaefgg.exe	32
PID 3040 wrote to memory of 2408	3040	Dgiaefgg.exe	32
PID 3040 wrote to memory of 2408	3040	Dgiaefgg.exe	32
PID 2408 wrote to memory of 2552	2408	Dboeco32.exe	33
PID 2408 wrote to memory of 2552	2408	Dboeco32.exe	33
PID 2408 wrote to memory of 2552	2408	Dboeco32.exe	33
PID 2408 wrote to memory of 2552	2408	Dboeco32.exe	33
PID 2552 wrote to memory of 2972	2552	Dcdkef32.exe	34
PID 2552 wrote to memory of 2972	2552	Dcdkef32.exe	34
PID 2552 wrote to memory of 2972	2552	Dcdkef32.exe	34
PID 2552 wrote to memory of 2972	2552	Dcdkef32.exe	34
PID 2972 wrote to memory of 2180	2972	Dhbdleol.exe	35
PID 2972 wrote to memory of 2180	2972	Dhbdleol.exe	35
PID 2972 wrote to memory of 2180	2972	Dhbdleol.exe	35
PID 2972 wrote to memory of 2180	2972	Dhbdleol.exe	35
PID 2180 wrote to memory of 2188	2180	Emaijk32.exe	36
PID 2180 wrote to memory of 2188	2180	Emaijk32.exe	36
PID 2180 wrote to memory of 2188	2180	Emaijk32.exe	36
PID 2180 wrote to memory of 2188	2180	Emaijk32.exe	36
PID 2188 wrote to memory of 2008	2188	Eoebgcol.exe	37
PID 2188 wrote to memory of 2008	2188	Eoebgcol.exe	37
PID 2188 wrote to memory of 2008	2188	Eoebgcol.exe	37
PID 2188 wrote to memory of 2008	2188	Eoebgcol.exe	37
PID 2008 wrote to memory of 2836	2008	Ebckmaec.exe	38
PID 2008 wrote to memory of 2836	2008	Ebckmaec.exe	38
PID 2008 wrote to memory of 2836	2008	Ebckmaec.exe	38
PID 2008 wrote to memory of 2836	2008	Ebckmaec.exe	38
PID 2836 wrote to memory of 1624	2836	Ehpcehcj.exe	39
PID 2836 wrote to memory of 1624	2836	Ehpcehcj.exe	39
PID 2836 wrote to memory of 1624	2836	Ehpcehcj.exe	39
PID 2836 wrote to memory of 1624	2836	Ehpcehcj.exe	39
PID 1624 wrote to memory of 1424	1624	Fooembgb.exe	40
PID 1624 wrote to memory of 1424	1624	Fooembgb.exe	40
PID 1624 wrote to memory of 1424	1624	Fooembgb.exe	40
PID 1624 wrote to memory of 1424	1624	Fooembgb.exe	40
PID 1424 wrote to memory of 2172	1424	Fihfnp32.exe	41
PID 1424 wrote to memory of 2172	1424	Fihfnp32.exe	41
PID 1424 wrote to memory of 2172	1424	Fihfnp32.exe	41
PID 1424 wrote to memory of 2172	1424	Fihfnp32.exe	41
PID 2172 wrote to memory of 3064	2172	Fimoiopk.exe	42
PID 2172 wrote to memory of 3064	2172	Fimoiopk.exe	42
PID 2172 wrote to memory of 3064	2172	Fimoiopk.exe	42
PID 2172 wrote to memory of 3064	2172	Fimoiopk.exe	42
PID 3064 wrote to memory of 2912	3064	Ggapbcne.exe	43
PID 3064 wrote to memory of 2912	3064	Ggapbcne.exe	43
PID 3064 wrote to memory of 2912	3064	Ggapbcne.exe	43
PID 3064 wrote to memory of 2912	3064	Ggapbcne.exe	43
PID 2912 wrote to memory of 1592	2912	Gdkjdl32.exe	44
PID 2912 wrote to memory of 1592	2912	Gdkjdl32.exe	44
PID 2912 wrote to memory of 1592	2912	Gdkjdl32.exe	44
PID 2912 wrote to memory of 1592	2912	Gdkjdl32.exe	44
PID 1592 wrote to memory of 2896	1592	Gglbfg32.exe	45
PID 1592 wrote to memory of 2896	1592	Gglbfg32.exe	45
PID 1592 wrote to memory of 2896	1592	Gglbfg32.exe	45
PID 1592 wrote to memory of 2896	1592	Gglbfg32.exe	45

C:\Users\Admin\AppData\Local\Temp\61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
"C:\Users\Admin\AppData\Local\Temp\61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Colpld32.exe
  C:\Windows\system32\Colpld32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Dgiaefgg.exe
    C:\Windows\system32\Dgiaefgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\Dboeco32.exe
      C:\Windows\system32\Dboeco32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\Dcdkef32.exe
        
        C:\Windows\system32\Dcdkef32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\Dhbdleol.exe
        
        C:\Windows\system32\Dhbdleol.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Emaijk32.exe
        
        C:\Windows\system32\Emaijk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Eoebgcol.exe
        
        C:\Windows\system32\Eoebgcol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ebckmaec.exe
        
        C:\Windows\system32\Ebckmaec.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ehpcehcj.exe
        
        C:\Windows\system32\Ehpcehcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Fooembgb.exe
        
        C:\Windows\system32\Fooembgb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Fihfnp32.exe
        
        C:\Windows\system32\Fihfnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Fimoiopk.exe
        
        C:\Windows\system32\Fimoiopk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ggapbcne.exe
        
        C:\Windows\system32\Ggapbcne.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Gdkjdl32.exe
        
        C:\Windows\system32\Gdkjdl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gglbfg32.exe
        
        C:\Windows\system32\Gglbfg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Gnfkba32.exe
        
        C:\Windows\system32\Gnfkba32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Hnhgha32.exe
        
        C:\Windows\system32\Hnhgha32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Honnki32.exe
        
        C:\Windows\system32\Honnki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Iaimipjl.exe
        
        C:\Windows\system32\Iaimipjl.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 140
        55⤵
        Program crash
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dboeco32.exe

Filesize
704KB

MD5
30a7549fb5ffb92f5b6d395bedc8e217

SHA1
11a66c2a42113499ccb4187041784c59095692b1

SHA256
351b562a0886f9a5dcf6a5821dd11265780433e0114fc1e4c04b07ab9d8f6014

SHA512
45c537df33d46d7ac2c436f5abaf5cc459fa877b2e32ef5a3ca858dfa3c6fcd73d4a67aa8fccf456346025f5e3b6764acacda34202e5bf30cc0bd6e852652d14

Download Submit
C:\Windows\SysWOW64\Ehpcehcj.exe

Filesize
704KB

MD5
25c017c9e5665e4390997c17e0816446

SHA1
eda68b1e5bb37b692e276f1984be9dbf234c759a

SHA256
57f07a9e227de30658b55fe1b46a3933036cf25e29c72d6e9362c55d018e8b7a

SHA512
439d3a952071f7920df07cbba0c02ce9bfaf10f4f30b90d5bf6ecf8bcb7f60f6a9ed7f369afb6fc1613723924f8f6a3b19fc4130517bde7b6d34929dcbf69cb8

Download Submit
C:\Windows\SysWOW64\Ggapbcne.exe

Filesize
704KB

MD5
549131b6bf6750d4e25a166fb619c8ee

SHA1
0b6ee127cd733a8652fd2c7bbd40abf8e8a7089a

SHA256
0aa56763044ead3f6ad47e97f16b34654e3890e983d5bb28e37ab76402b18dcd

SHA512
6f0578632c2676e1972fae2fc05b69707368567cc558c552287ab654303158ab9db7898415da67f6f6bb8c61e7463dc7fc5b140d82c6d54a08d2b1e90bf6ba95

Download Submit
C:\Windows\SysWOW64\Gnfkba32.exe

Filesize
704KB

MD5
a080212949171b925e10cb85a44bdbe8

SHA1
42db02fa8a04e8d5535b216598ace32c9ae7f734

SHA256
d7f83c7a8577b5a77f6d258abcfb9b4b23d9358bb2c7537da15629f113f0b97d

SHA512
f9062495db1c86806a725efff75b0812ea4b9c696d5a7127cc9b915a3745c6af144aa06909f34d5a5cac48d9d8128536fbb5a700249a4e430e472a27a6ea1acb

Download Submit
C:\Windows\SysWOW64\Hbofmcij.exe

Filesize
704KB

MD5
b759bccd2bff823b6bcef4bc1555a553

SHA1
82cb07fb55a8dbdc1e214922af0834e405c484f3

SHA256
c9aa580c78e1973b6094439ac7033a1fcca7a15ef2095e442168acd3f779728c

SHA512
93f0f7299368b1b1248d387cad1b399b6bc82dc78c5716b87ec57cd7d63db1e1ad96a49b1fdb00dd8273d589eabc81317e55c4b25b8ac164b6045418f868f11d

Download Submit
C:\Windows\SysWOW64\Hgeelf32.exe

Filesize
704KB

MD5
452288d0feb94d3961da1d31495ab483

SHA1
ee5c4e5750f8a28f0e93d6bd5fe9ad085b49a364

SHA256
f908360b99b5116a7af3fd067d067f2ff275ef8fd272e341098a9200eb836078

SHA512
f8ca5e6a5f2699273c5d4f597d1a7be44bececa540c7de3fb69de31e518eea1f738e36f4dacfc1d888a4b0ca889a8c7d4c5d51f44a28624a6acc4a0a3f7fe407

Download Submit
C:\Windows\SysWOW64\Hifbdnbi.exe

Filesize
704KB

MD5
632f68bbbed3dcbfa7d4f4b5de305bcc

SHA1
b4bc135edc9e206597a406d9ebe9759d10f9e6a8

SHA256
52bdeaf9a8cd50145ac0dfb43e9c6ad02d2d5f1b1ec06cac0da3faae8f8f5ed8

SHA512
3ea837e11b0c059f71c7ecb674ebbfc77278cf4b36684dce1f1a5d8233647f9bf7f5055b9277bba8ebdc16ece691c2f975d57a7e3588a1a277f94277b3c0ae6d

Download Submit
C:\Windows\SysWOW64\Hjfnnajl.exe

Filesize
704KB

MD5
d163cb0e3538814ad7b124c3f73957da

SHA1
d55b9fdad675d66655344261b94c4e3fd807958a

SHA256
3f67dfc740e539c664ec78f1ce88e909ef919a68f594bff4d228907c27177cd7

SHA512
dc7d8217a4579cdaf4ed6b639ec82b9f0ab3013eb236b5ce6fe1dd9d57eac011d75bad31a4c6da5bda210055c93bf9ffbfaf2c2dcd67314e1361092f62ce522c

Download Submit
C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
704KB

MD5
006649c49624049d927f0ce49770415d

SHA1
4686276dc43729bcb1413d4090cff6cbbbb46dd2

SHA256
729f4e270cd955915bc34ffc552de8762379d3c83a64d4cae0ddfa4a4d2d5e46

SHA512
d761144159efe60a7b1d7575355fcccecb9387b5abfbd778e8127883c2edbb6174d3ec7774346e43d8558e2a6869d9a7ddf93cac2a21914af49814a9218e85ac

Download Submit
C:\Windows\SysWOW64\Honnki32.exe

Filesize
704KB

MD5
11bf18257836efaca3e7a1bd3cc1a4d2

SHA1
7ae6cbd2561174ac3dbbd8e000afecc3bfaacfd1

SHA256
8300555f5857807916dfeeec88486b2d90bdafd3b04d6a5430b939f1eccd556a

SHA512
1a394558f46aa4e87b09610830f5f0da4685c012b34ec0b1709b3b821a2addd816152349053952246f8d44706ddb18cd01423962b57e652fba73a241b071c892

Download Submit
C:\Windows\SysWOW64\Iaimipjl.exe

Filesize
704KB

MD5
753a3957a35eb0cb9aa4755c79800025

SHA1
6428e1721f5da03dcbc93cd338157d934e7ae41f

SHA256
a2f50f0c682c6e54e47e126c4b43f8337b08a0d6b5cb5d75f72386d86a8dd661

SHA512
64727e70bcb4967ab904e8da65e7f3e8a17c233a9b7ce838937b445812d38cd893c41aa19618e1df529b6771122344a04fad06ee02f991f76bb5f22c4cde7833

Download Submit
C:\Windows\SysWOW64\Ibcphc32.exe

Filesize
704KB

MD5
87e202038c8bb82f00f72dff1e38931f

SHA1
85654ce855352def5cc715d6a6f5fd68bf3a0b82

SHA256
305b43337f5ecf3f8aefb7c83140187cdcb21bd76a71fd26cb840684a731244b

SHA512
4aece4c76de5124370bc442654c2073467ed8364f208eb40398cc724aab8a60f0ed4354640724b30ebf329cbf6d35329b1a9654bfa60637e9000ace80a198bcf

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
704KB

MD5
2c0c24ba6d141f67c1546e2f8500e9df

SHA1
76a48cb08c51384d2f2e74c963009326e7593461

SHA256
7f98af886f1ce6b1c7c5d61cbd408a8e21d1f936a2f5fdc3d453280fbde4c6bd

SHA512
4c08154b6d99ebef276854ce64df40cc064ef95bd047cdd5bd8ede907e538918a8be2af9c76bf4c1cae1b154684c94d3edf5fe3325be8bf00111ff24517d43e6

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
704KB

MD5
8a20137df623845da46d651d126449d0

SHA1
d8f0788a3b9b34e365061037793667157a2ed9f6

SHA256
52d97803c672fc5d94c23649391829e28fda0c1f5d428889e42cf9cc5b0a22f5

SHA512
d58296310336ac3b927b75c7365275679412ee6236dcfb9ee5844d7437f3bcef7328a9e6e42e67b776a259e268645046501caac4c3a06f4a4eff31cc98400701

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
704KB

MD5
4d1c5c66518ed88239067557e7ca62b4

SHA1
279d7b08689d255607c0e4c00af0e000852e9e9d

SHA256
daa72c9d1484ebf5b0d637713cd458bc32ecf9a27712b8b530bcb199b620c71c

SHA512
6d5d2ade4101e8a1175808b6225406071cd0f8eca994ece6fd90be666d09836468e35d86f436decf53787fc155839ec9ad15716f49c00eddd6a4316c36b7cf1f

Download Submit
C:\Windows\SysWOW64\Ijcngenj.exe

Filesize
704KB

MD5
493810d6e49360e1bca9bb844764ed3f

SHA1
f63b5569c7b576d8e595bcbc13bf1f24288a267f

SHA256
1e8da1c8794bd1c5c498534f346fe4a29fdb17cd6fe52dd35e22ef4f22f83cb6

SHA512
c746b4e46ed03215632e7dc07fabccb079d8895415be399f5809547f83b113713aad99cfd79ce217813f4c2efdd1e729af502b7bc60e1e4f9404b6dddc147df6

Download Submit
C:\Windows\SysWOW64\Ikldqile.exe

Filesize
704KB

MD5
c24c0b8423d7750bed137956b69950d1

SHA1
5c11364391be76ce159fd111e49c01e5f2af416a

SHA256
54e0a320a51369002ea920a6a8495087f59c627a90f088fdd47a1103d4d68dcc

SHA512
0ff31ef943cc6c206f6757c3357bc51364b103522064f4021e1f34076384f638f495e88c8e9c54899246b4c23e089ad213724adf3b766ae9bf5c13cfc1138ed9

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
704KB

MD5
640b641a3308fdb3b53ad5341b944f1a

SHA1
099c7c47c51860d9612a9d709fc7fb95f0d7e7a6

SHA256
7c0123897d57671a0a10b137f36d8c36ad1954da2a553bc5c3996dab66238934

SHA512
fd01951151392b096af69dbd883c4bc4c060971bc0fdd47e7513ccd0b95516983580746a1274fe758eca4a167e7a039b3cd0b0a54117e66c0a8cef1781818f4c

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
704KB

MD5
374213fa362aa9ad6c65dc16b4a8b47a

SHA1
3ee49bdc7084a0f2820e1a93546e92cdd7a2da23

SHA256
c85e95829b3c3b1da44520874055e5b7d446d6772ba4f284df8f36d5848ef94e

SHA512
1d58b25a291ee5e191644ce4c9430f7430a45f43b6f1e0545f4b5452b3af034b8ea4d611c660d1ca225485c278ac512390cd8628f887ae54c66e1b471b1ec10e

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
704KB

MD5
7e5fc7561c87baf53013b48c0ac9f38d

SHA1
8e2fdae232d01b265d39b6766578c23aa447eb4d

SHA256
fc851c949e950a6dfafc150182871a755c2874184706ef4d72621243f771f822

SHA512
a4fbaabe1c4d96b6d4dc9fdada8ec7eabcd4423b11ba82810d4b8831dffc3bfb503287704199f38854ea7a7c2c2bdc0d7d912b33a03486c213dae0f13a0414dd

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
704KB

MD5
eaf938191885ee8dd0683f1fcf0b512c

SHA1
116dae01fe452a7442c723e7771d19e435754cd4

SHA256
06fbed9be4b2ee5410904d5c20172c6c109ed902a6d3b633012b7a1679b6820e

SHA512
21eaccd8ed933593d65e8a07b18573f8926e9c08212709757a7fd932996fd778244f45d6a480d1e5b3d312c8a84fd17e1209e22599d5ed230e3993ad0cb0b21d

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
704KB

MD5
f04d17f8663e1caed1b33d383535309c

SHA1
e33a43c382e73c24850b8185b10eaa2edb616486

SHA256
cde151051bcc33e3b49f4a25497235492b6f1f09d848814d296d49a9e21f090d

SHA512
32fbae08a637a13202b443cd57837ecfb1280feadaac82a21f0c4451d6c5c311490e6c1317103336b8b1180a40f3479123868a7ab811352be6c71c6be5794956

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
704KB

MD5
9c01e57fec3c656e500b6c88a5c4ee3b

SHA1
2d9e7e586ab67b173ef05be90c5ff01348466a3f

SHA256
4e58ffc6b98602d5d8cc335b3fc9f6bff818a82ddadce12d0141a0b0d499c6fb

SHA512
243bcf1bd17c61b521b9c9fd04f709e971d5240a55803e995fe1223c6fe83dac2863f869fd1c9044ee3cd7ee17d9cb9f1728185fc554af787412e6fa2631a04c

Download Submit
C:\Windows\SysWOW64\Jlnmel32.exe

Filesize
704KB

MD5
9e9160ac3686672a5503dac25f582be8

SHA1
745afa562558088bf8eb463b3cfd3587b0422357

SHA256
039dae31e4e43ef73c8ab663ea3c1e5382eaf73bc074e5944a4ba27608c6c01a

SHA512
5ec09620777fedf85578367b544d0f49dcff4f3a2999de9bcef329c2eee9c15ceb94902ea085815cb94b99dc277d4143aec143c5028a16a171b0d7c0a458a7ea

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
704KB

MD5
2385b936a2da9d66ba39732f1ec174d0

SHA1
d965e2182b656627364794c63ae2f33563e3be28

SHA256
c78015df26da2561a05084e011b5dad3e261a0f1509abb132b7011771c14ace8

SHA512
c49a8b6c81630528d9d7deaf70245faca0cc8bfa1680e7ae736136ea55efacb92ef0aba3d137e025768eae32bf2022f77196776e9415c6edcfd8b9f645917597

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
704KB

MD5
679f8d6614159365c4c73e1232573216

SHA1
028d36672ad62ab8b4f72479a94afef7dc98f4af

SHA256
66c0a5f01065c33ae8fcec3d5ce81b70f893d686fd99e827bd23f2f5c30b5057

SHA512
40da7609c18b315fb8d84fa7a7be93e5ff087d6965e7d039a373d598234637a91462ca7e6209490069239c3d2d007592c69712023706ecdd6ef4f4bbb58ef29f

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
704KB

MD5
0f2b1419b9e13018f4757839eabc9c98

SHA1
db0bfa3cd6f36c6d91f604fc972f20ce05581cd3

SHA256
1e594a6ae8d2be99a34e19f69eaca7e6f6facfb4a7a0c20119be6de0403965da

SHA512
cff33b756949b84e001516629842f4e26b4b7f1c523dac4493d36737b0c7cd06127d3b1220294f899e2833ded094450e369ba15d2f3e65ffad11cace9e1b86a2

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
704KB

MD5
0b4293c244344746fd01fdcf9b1f4ebc

SHA1
a0234b6212811246341bf6610824369963226f1e

SHA256
b86b099ec00e3d25dc9eb0bdfdfaf353964e3366bf0bb8352533e1eb2e8e9f0f

SHA512
ac9f64c72cfd33c7b99c1a571a60badf4138b0a16fa8180e8435b79460d8f1cd9b00781550070c1f267cee4efc2dc2b1914880eb3bb164828b56bd1508dba73e

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
704KB

MD5
e4c0cbe1e4aa25874780db200e2c09a1

SHA1
6eee8a933cf077ceb1ac72d137c30e04b7041cdb

SHA256
787d2b7a03b0df1d5eba9b921cc97214ae39ede2a2ec7cf1eb0603e1dffd3208

SHA512
520a780aaed60d8e4f258a8ef84ddc994c6355323a1c3dacfc901a1dbb452b9658754258bd4917c5d43d58eef6eec492d7330951ed2123f8ea9cf5d55b1434e3

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
704KB

MD5
e4dff073965f0f7d04f179408e28a67e

SHA1
58370a8aaf6842bcb028959c7ecec3b30f8d8971

SHA256
6a786ae41f5edf0c6b3cd9f7c195785ee141a8a580c856ffef7c578fdf43c802

SHA512
e97d569bdb68c2ace3a5a4b3c9e13e06e2508af87179e005e742313d94c709415ed5c62c4987ddd41e4e5ec37a35908c4928a954568a52839af3ee7861bc5998

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
704KB

MD5
330b2bf62a372ba8ff000295a0509904

SHA1
84eb6a715bac662f8c0d6734381618825e359d13

SHA256
6174d6ed8dd46f87530c306b0965fe95317f5998ba2047f86674abe004bb5224

SHA512
ed814a8cb566364c588daa59f2a47033eb6f99d4065bf871128ad0288807e6325566962b45976c2d967ff38f466a172048e36ae56e520589aee3bca9319e0d7d

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
704KB

MD5
bb97b9af0fc5721eae92dbb433455d84

SHA1
89bb353b475a2315e29a1cca7d142a9ce3c56abc

SHA256
a2028e5e7da7edccbbf51e32c981feea53a1595cac6ed7420bc2f2e12fba0919

SHA512
c0ab5e3a87a2b4c4ed0fbd8926fad6a0543c329e21b95dc7d6b68acb964c11b1df04a580e2d1fd720daeaace62a24116ce33b5526c05d57617636f5ea0cf61cc

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
704KB

MD5
62f2f8039e71d23725b96d1e69469110

SHA1
5fba1e8c92dd1a747a2238a0bbb9225f18f1a9a2

SHA256
89c9604a8e833ad8ecbcd27c4d130646f12da8402569e49bb3daa960a3774d97

SHA512
b78d533f6e2cf6df0a3add558a94682782a738aee85bc107b18b83bb825d5f9d63149dc75e7f31b66f10789b00516b51f4d5ff17c77a3bf2bd6252e3e00b291e

Download Submit
C:\Windows\SysWOW64\Klcgpkhh.exe

Filesize
704KB

MD5
7bdff5705effb4b46c1b087ac0faa36f

SHA1
dac9bf73fe590b3dfdc7503621df06616cd9fe63

SHA256
5a2c21b8112c2cdafb1fdcce7481bfd7aa50c79d9215f8fe227d37b1058e6991

SHA512
7a815c5cf08cab6296e4d57760ff892ad966a3a0759349e7da7a63b84ea4f5d157a6039bff25a26b657bb8ad886344992a0eed2faf250bf14bce3768b4157f37

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
704KB

MD5
c38d9e7a008f58b56609b559c2aa9e4e

SHA1
ef17d45f6138b6febdf4b07562eaf0b78d56c8d0

SHA256
7b1a8779ae9b019894f58f44df6d5d393ac11499d9ce025405bb952292bc3dab

SHA512
d653e60e8098718f817caf23036fa7c0e5194ee9b5c9523cbcbf8605fe5bc0418fef70e0b3d172b26fc70fbb3e8e7aa27f23cedbeb5b0321f241e0d4a21b5b9d

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
704KB

MD5
7930dd272b00ce4194dd2883bc124ab7

SHA1
5d8f21b440e32b3d60baea4574c09073edbca03d

SHA256
3f7b064caa60b5e8b768624cb3e3472844fb265bb16b022720813e3979074955

SHA512
670919e8d3248ba6b8387bd1265c2cf52ec3e68ef11cd86f36c7ed4c16c26aabe90f723048fb923053e948f58c6b4d7cf3e513a1cbf87b63cb381522076f789b

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
704KB

MD5
af62464c439663f47a5c6de9ea83a323

SHA1
94047f6613deec55507352c8e29e7517e5017611

SHA256
4528386e1105030b4789db95fcc8e34bfe13b176ec9b160002c4fd0f8cde0b17

SHA512
168ce09ca1ef205c2dab3f1ae997896e4c4293b8ca79a7518724619c7bdf2db494217dec0e004dbe31bc147eaccf774d4c00cdbc2222c5202639b5e887ace13c

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
704KB

MD5
5e8ef318b8151cc41cd991aa02d9f20f

SHA1
2a86b285612d5f81fbbb8622acceae2ae9437cc4

SHA256
61ad7e4424bdb45f41622bd8ad26d02c9ca95ef009f72b23cd8477666a3be926

SHA512
a55331375641bd81e662f69a499646609e7e99e2e92a76d1e6926018566cb7aefd47e1f878a91980f843870c6a3cdca4951b89e0fee94323be21ffdf2a2f0ad5

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
704KB

MD5
f65c538bc4e326f9a4840cfe8734a649

SHA1
cbed9a1a76d1e1ad44894d54a9b3ea4932be32c5

SHA256
073cf26d13f32802080a4cd65c139dcae9df616d40b0febe1e08c580856ee23a

SHA512
303f65a02cc05271ddbeb4c43b3d463e4ec2b537e225a3b718211fe510b2a6312ee2a04a446ae2803559026bedde12ab84e5c7463840ab966e212daa06c9efb3

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
704KB

MD5
0bef55dd58549a7f78a35744c5170d2b

SHA1
556a4777498b4d6d4133173cb21ae4296f9f3d7b

SHA256
4074d111f67e7661724e07d95ec787920306868a60f2996dca8838c357f15c6c

SHA512
3ef6a880efafe0efe49bb917890ce7405dc9bd94cddf2ac7956c8bcf743c526e323d81b300b772d2ff75c40372fe92625ef3e8edf3728014046e1c77a86b552a

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
704KB

MD5
337c84fbdf412cfd76950b6ed69294d3

SHA1
080398fb85da38037b4dfedb1c2f42129c959ba2

SHA256
c359d08f5a1eff8547b1193702ebeedce12d16ca0e2d4c54176dee091c969895

SHA512
eb2e645a9adc954586a5de7d1941b624a0c85f231ddacb774c54a87d8c5d0c5fd54362e47495bdd690736043be428bafe3acb2e09349956d81ce6fdaf006f6d4

Download Submit
C:\Windows\SysWOW64\Onepbd32.dll

Filesize
7KB

MD5
830b8df077783fe6702d915cfee6639f

SHA1
25861211e088f284a2a59fc06d1456f08cbafb07

SHA256
d50f574ad203f67bd71d2998d2f965d696a81b8281e2e01e5c6bc928e64f3fa4

SHA512
f21010d2472e37b999da8fb8b928f58feefe67abc1af7ee29a38ba099e004af375ecf3224d01e0296190a708db88c9205e2fd0bc361068921281b249d2327ff2

Download Submit
\Windows\SysWOW64\Colpld32.exe

Filesize
704KB

MD5
26725ede36bccab08961e6f9a6429971

SHA1
4f34e72702bcce350adefd046729fa9757973ea1

SHA256
325f2f539e98a904a0f25a7efbc5f697135e668ba7f84bf801ea4f4a35451a44

SHA512
502510055f1b9f3999d951bbfaf3a10de1a145dc7b7753be6087d885e5d572c835437cf9fa514a8aad70d117d7c53a2cc4c0fe3c93328f62cdb590a4e0d8849d

Download Submit
\Windows\SysWOW64\Dcdkef32.exe

Filesize
704KB

MD5
b75cc8ebc6145a94ee85261efbd739ae

SHA1
cb8645697a3b54b7d76f0823729273a9417042ab

SHA256
5805891bb1a2c9fd710f453f8441273ff0c07cff6665fd67805367ae35fab753

SHA512
9356f6ef58fa8e61c4e634b21468feea74c20feb8287adb79693d088aa98ccaaf60c1874086d3a8cbcbe33dfeb15e291662207573f6d5c95d8b438cce099accd

Download Submit
\Windows\SysWOW64\Dgiaefgg.exe

Filesize
704KB

MD5
fe745def7ca90d156c4b0707bc61a69a

SHA1
64d0f65dc81645c8746b768eba604a23268675d4

SHA256
90a6b858f2519f2e17e9b8e7b503ee270cf7eb442febcaf3bebbabaaf26b03a3

SHA512
f44b6cf3035e5eef15dd64f032a2d2ad963ee5c5ae67395c1defa46a7738e52e24ff20c0cba5476de18bc3d1651ec728bafbf4536357036c33a7c4aa284c1a51

Download Submit
\Windows\SysWOW64\Dhbdleol.exe

Filesize
704KB

MD5
e38a6d3c9a2d937c3de67ef95985f6ae

SHA1
8982c09e1afdd4c5661e32dfd1e030b85c7d14a6

SHA256
d2d0ce6baf5792216d965f514dedd1dd5ddcc76c514fb01e45b742e591e5d6c5

SHA512
cd3e1f6f45df8af971d87b3df8fb8a9ff32b2dc084dcc036677500aed0eb7a2822c0303d8b0ff4df08dc2eb8445e7bed652a31cd3a5eac5467ae8b4b2a06d253

Download Submit
\Windows\SysWOW64\Ebckmaec.exe

Filesize
704KB

MD5
f3126a56484574a0bbb0448f8e54e8da

SHA1
66c9f7048385ea452bc8295d1d21e797ac2fcdeb

SHA256
c7749570a6a9a6fff217dab3e541d03d84b9c1c48ba9863c54e8d4738c8dc7b1

SHA512
403491c2bc4e145425fdc69b6071ac7a14f84ffa83535129ccc2285b683b5cea56fc31d8bd99e040873adbb00e79f1b95f37f1650ec0b6b80285682e7ee2e68b

Download Submit
\Windows\SysWOW64\Emaijk32.exe

Filesize
704KB

MD5
04a385648e2166ce2b7ab1fb7903c14d

SHA1
8b4e1ef53f13cf693c85d7057a95fdff503de480

SHA256
35b9dbd3f7cd4c461d184fbfa2a0a3632f2644730beda9d339e83df8856bc923

SHA512
054890ae55adb1959977872f6d40059d1ba62a4e4060c8c53cb9300956e8a5e6536982d096c556e870a798d175ff5e482d21863e371bf0798b9b8658aceee7eb

Download Submit
\Windows\SysWOW64\Eoebgcol.exe

Filesize
704KB

MD5
c420ab0c1dd018d8c6c1c39431495a1e

SHA1
fb8e9b74b3768a90831d3de7515fceaf475b53e1

SHA256
23161c19ee250630eeda8594608a37bc19a5c5bc84889205ee5e03f78139a00e

SHA512
db49fe9bcaead901bbc56e228634e6a20b80c1eef91134e31f6db4825885afacc6df815203900ed49857296726e44c08f23398112a62cd786d3dbfd0a1c163cc

Download Submit
\Windows\SysWOW64\Fihfnp32.exe

Filesize
704KB

MD5
eff69e0f35b82e6c5061e827d497f79e

SHA1
c3f4270ec7475733cefdc39f110a209fe59e8a49

SHA256
6e4f285409109239c3f1761fcfd955f8035de1b56415a6e991856da6f983d932

SHA512
59e7bce6a6aaf583643b66bf3b0f332783fdf644da71e2ea99552cb70ca809c1cba924bc6b7740ccd0e8bf60e5c08ac1bbcf6c4dc62d364fecf7ffa5e91a47a1

Download Submit
\Windows\SysWOW64\Fimoiopk.exe

Filesize
704KB

MD5
2eb2d392b1f682b659bd4fe091c1b782

SHA1
fc800fd0c52991e5dd4b3f0ff69bf3440a78b2e7

SHA256
07c64c9fa13cef1dbd7e2fda7185c68c95d91c75d5a35e64e88106a5e370cb06

SHA512
486b01b8c4f10a0e697126edb22bdfa148576142b72a0a873745fb7764bb110d2f209959c0a45648f44fe7f9e55429a3ffd01977e1146e3d7a0a48e26032771d

Download Submit
\Windows\SysWOW64\Fooembgb.exe

Filesize
704KB

MD5
056951140ef41a83a4e41366185b81c6

SHA1
8ecc243f44cb2d4c32955c5d4c5c73b0c951c9eb

SHA256
458a4d4bcff7a30980378d9539855e9cf9e906bc0dd76a10af5981daac676486

SHA512
130348a7686e5dfaec27a0d41a86534378b30e3efc5e028a556681d54b9bafb6f1917050605aa2893b1f3bfbc135fb886bad3f56b90ad59148607087aa94dbff

Download Submit
\Windows\SysWOW64\Gdkjdl32.exe

Filesize
704KB

MD5
5c429de47b7762886c36fb169b4020bc

SHA1
49a2662b10aca40f26ec59f1c20283b0727c6a5d

SHA256
1470bb5caa9d1e5db8ee14dda8384bef19f0eda8bc8b837ec32bed6de7f0b8b1

SHA512
316fb8d0b88c4f45656085697bbf271b55f6a965b9d3d59dcdca6923a99b42145d2fc0aa91b2adc6a50760fc48192d5b25554635672e62c4b8e1e4dfd0e78270

Download Submit
\Windows\SysWOW64\Gglbfg32.exe

Filesize
704KB

MD5
1beb187c5871b96c34c42a28bb08c376

SHA1
9cd3bcd80533ca7fbeccff8dbb6a99689964c90a

SHA256
dcf359ba9e26ed097e5200eb51fffead1666603a9b56f63c8080b07059a0372f

SHA512
097dae1e5caeddac086f2fe86b019d08ef60e4e563d7700ec758b78839452b3e67d9bcb9f028cdb1aa6a5763e3717558c61f0a52775ad459f5a8e3a86ad56bfa

Download Submit
memory/308-659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-299-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1184-300-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1396-431-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1396-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-166-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1424-163-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1424-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-686-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-320-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1464-321-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1592-232-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1592-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-149-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1624-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-293-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1716-671-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-285-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1732-335-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/1732-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-336-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/1744-653-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-246-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1804-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-641-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-405-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1828-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-400-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1936-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-416-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1936-651-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-407-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1976-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-125-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2008-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-642-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-363-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2144-364-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2144-638-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-417-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2156-12-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2156-13-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2156-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-184-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2172-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-183-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2180-95-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2180-96-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2188-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-109-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2188-110-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2252-643-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-463-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2332-637-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-265-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2408-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-49-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2552-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-63-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2588-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-386-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2588-385-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2592-661-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-374-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2596-375-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2596-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-639-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-430-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2752-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-22-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2752-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-432-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2788-636-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-354-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-350-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-655-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-687-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-307-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2828-311-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2828-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-134-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2836-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-136-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2880-342-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2880-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-343-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2896-235-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2896-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-239-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2912-213-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2912-212-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2912-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-278-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2928-645-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-77-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2972-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-657-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-41-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3040-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-442-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3064-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-193-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads