berbew | 8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Size

352KB
MD5

e37e54c6ff30ebe730ba131a3abb7acd
SHA1

5db05ca97f5fcc88dfb4ee001980c8dbf9fc7de9
SHA256

8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae
SHA512

c0e0db40f023865794a9d41bfb3899e3535edee4599c79a522318645ac4cefba324e7dbd4d5fb3c77f1f9d2af2101c27286636c07950cf6b42180e90e838b8db
SSDEEP

6144:xvy6ZvytnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:fAtJCXqP77D7FB24lwR45FB24lqM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khabke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iencmm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 27 IoCs

pid	Process
3056	Hepgkohh.exe
3060	Hkjohi32.exe
684	Hqghqpnl.exe
776	Hcedmkmp.exe
1876	Hbiapb32.exe
976	Hannao32.exe
1944	Hkcbnh32.exe
2648	Ilfodgeg.exe
2272	Iencmm32.exe
1920	Ilkhog32.exe
2948	Inkaqb32.exe
3244	Ihceigec.exe
1564	Jehfcl32.exe
1140	Jnbgaa32.exe
3280	Jnedgq32.exe
4328	Jacpcl32.exe
3432	Jjkdlall.exe
3452	Koimbpbc.exe
868	Khabke32.exe
4168	Kkbkmqed.exe
3676	Kejloi32.exe
2184	Kdpiqehp.exe
1248	Lbqinm32.exe
1560	Lklnconj.exe
1136	Leabphmp.exe
3704	Ledoegkm.exe
3672	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hkjohi32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfodgeg.exe	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hannao32.exe
File created	C:\Windows\SysWOW64\Ncapfeoc.dll	Ilkhog32.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Lbqinm32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Hepgkohh.exe	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Hbiapb32.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Ihceigec.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jacpcl32.exe	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Hkcbnh32.exe	Hannao32.exe
File created	C:\Windows\SysWOW64\Ilkhog32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Hlcfmhdo.dll	Hbiapb32.exe
File opened for modification	C:\Windows\SysWOW64\Ihceigec.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jnedgq32.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Gccebdmn.dll	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Dbmoak32.dll	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Hepgkohh.exe	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
File created	C:\Windows\SysWOW64\Ggghajap.dll	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
File created	C:\Windows\SysWOW64\Oflimp32.dll	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Jhbejblj.dll	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Ompbfo32.dll	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Ilkhog32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Khecje32.dll	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Ihceigec.exe	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Khabke32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Kkbkmqed.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Hkjohi32.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Hbiapb32.exe	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Ilfodgeg.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkmqed.exe	Khabke32.exe
File created	C:\Windows\SysWOW64\Kqcdne32.dll	Hepgkohh.exe
File opened for modification	C:\Windows\SysWOW64\Hbiapb32.exe	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Iencmm32.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Iencmm32.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Kkbkmqed.exe	Khabke32.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Kdpiqehp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	3672	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcedmkmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbiapb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hepgkohh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfodgeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbejblj.dll"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggghajap.dll"	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hepgkohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmoak32.dll"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkjohi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jehfcl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3056	4804	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe	89
PID 4804 wrote to memory of 3056	4804	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe	89
PID 4804 wrote to memory of 3056	4804	8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe	89
PID 3056 wrote to memory of 3060	3056	Hepgkohh.exe	90
PID 3056 wrote to memory of 3060	3056	Hepgkohh.exe	90
PID 3056 wrote to memory of 3060	3056	Hepgkohh.exe	90
PID 3060 wrote to memory of 684	3060	Hkjohi32.exe	91
PID 3060 wrote to memory of 684	3060	Hkjohi32.exe	91
PID 3060 wrote to memory of 684	3060	Hkjohi32.exe	91
PID 684 wrote to memory of 776	684	Hqghqpnl.exe	92
PID 684 wrote to memory of 776	684	Hqghqpnl.exe	92
PID 684 wrote to memory of 776	684	Hqghqpnl.exe	92
PID 776 wrote to memory of 1876	776	Hcedmkmp.exe	93
PID 776 wrote to memory of 1876	776	Hcedmkmp.exe	93
PID 776 wrote to memory of 1876	776	Hcedmkmp.exe	93
PID 1876 wrote to memory of 976	1876	Hbiapb32.exe	94
PID 1876 wrote to memory of 976	1876	Hbiapb32.exe	94
PID 1876 wrote to memory of 976	1876	Hbiapb32.exe	94
PID 976 wrote to memory of 1944	976	Hannao32.exe	95
PID 976 wrote to memory of 1944	976	Hannao32.exe	95
PID 976 wrote to memory of 1944	976	Hannao32.exe	95
PID 1944 wrote to memory of 2648	1944	Hkcbnh32.exe	96
PID 1944 wrote to memory of 2648	1944	Hkcbnh32.exe	96
PID 1944 wrote to memory of 2648	1944	Hkcbnh32.exe	96
PID 2648 wrote to memory of 2272	2648	Ilfodgeg.exe	97
PID 2648 wrote to memory of 2272	2648	Ilfodgeg.exe	97
PID 2648 wrote to memory of 2272	2648	Ilfodgeg.exe	97
PID 2272 wrote to memory of 1920	2272	Iencmm32.exe	98
PID 2272 wrote to memory of 1920	2272	Iencmm32.exe	98
PID 2272 wrote to memory of 1920	2272	Iencmm32.exe	98
PID 1920 wrote to memory of 2948	1920	Ilkhog32.exe	99
PID 1920 wrote to memory of 2948	1920	Ilkhog32.exe	99
PID 1920 wrote to memory of 2948	1920	Ilkhog32.exe	99
PID 2948 wrote to memory of 3244	2948	Inkaqb32.exe	100
PID 2948 wrote to memory of 3244	2948	Inkaqb32.exe	100
PID 2948 wrote to memory of 3244	2948	Inkaqb32.exe	100
PID 3244 wrote to memory of 1564	3244	Ihceigec.exe	101
PID 3244 wrote to memory of 1564	3244	Ihceigec.exe	101
PID 3244 wrote to memory of 1564	3244	Ihceigec.exe	101
PID 1564 wrote to memory of 1140	1564	Jehfcl32.exe	102
PID 1564 wrote to memory of 1140	1564	Jehfcl32.exe	102
PID 1564 wrote to memory of 1140	1564	Jehfcl32.exe	102
PID 1140 wrote to memory of 3280	1140	Jnbgaa32.exe	103
PID 1140 wrote to memory of 3280	1140	Jnbgaa32.exe	103
PID 1140 wrote to memory of 3280	1140	Jnbgaa32.exe	103
PID 3280 wrote to memory of 4328	3280	Jnedgq32.exe	104
PID 3280 wrote to memory of 4328	3280	Jnedgq32.exe	104
PID 3280 wrote to memory of 4328	3280	Jnedgq32.exe	104
PID 4328 wrote to memory of 3432	4328	Jacpcl32.exe	105
PID 4328 wrote to memory of 3432	4328	Jacpcl32.exe	105
PID 4328 wrote to memory of 3432	4328	Jacpcl32.exe	105
PID 3432 wrote to memory of 3452	3432	Jjkdlall.exe	106
PID 3432 wrote to memory of 3452	3432	Jjkdlall.exe	106
PID 3432 wrote to memory of 3452	3432	Jjkdlall.exe	106
PID 3452 wrote to memory of 868	3452	Koimbpbc.exe	107
PID 3452 wrote to memory of 868	3452	Koimbpbc.exe	107
PID 3452 wrote to memory of 868	3452	Koimbpbc.exe	107
PID 868 wrote to memory of 4168	868	Khabke32.exe	108
PID 868 wrote to memory of 4168	868	Khabke32.exe	108
PID 868 wrote to memory of 4168	868	Khabke32.exe	108
PID 4168 wrote to memory of 3676	4168	Kkbkmqed.exe	109
PID 4168 wrote to memory of 3676	4168	Kkbkmqed.exe	109
PID 4168 wrote to memory of 3676	4168	Kkbkmqed.exe	109
PID 3676 wrote to memory of 2184	3676	Kejloi32.exe	110

C:\Users\Admin\AppData\Local\Temp\8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe
"C:\Users\Admin\AppData\Local\Temp\8e14753fbdab252048330a5032cf23747d5c8aed4f4225ef6b74d05eaeefefae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Hepgkohh.exe
  C:\Windows\system32\Hepgkohh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\Hkjohi32.exe
    C:\Windows\system32\Hkjohi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Hqghqpnl.exe
      C:\Windows\system32\Hqghqpnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 420
        30⤵
        Program crash
        
        PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3672 -ip 3672
1⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hannao32.exe

Filesize
352KB

MD5
04da28ee02bc0c39fd8519eec4bb064a

SHA1
7bb7937eddb007487974474bbb15e0ef3a2523bb

SHA256
c7217494a9b517d9f538949635a30ea876de285b868436f335fe6bb0dbf841eb

SHA512
705d559760d16dfac9f1c7df0b787ef5fe647854f0febc4cdbe6620f07f07664784babd079ac78785e2145db2e0f2f488ee8c4f42cf1989148f3e843ffefdae8

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
352KB

MD5
4b9f54817cb4c703b41b6c37421be0ee

SHA1
ba7dbf42068a95f1e1f5a0e410dc2f6f4ed4268c

SHA256
88e267a1481297bd71c69053b8506c909fac899f48022d8c9dd65c6422cbfee7

SHA512
692b95d63c70f92d8ab6076030ddd5429e2baf342716c2692221603441423fd39364a5d39ac8372b4a9fbd7731acf46f5caa2084c372d4e2b6d3031ffaefc3d2

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
352KB

MD5
3a8319222fad3224fdbf66335257f851

SHA1
d804c584cbfd32ca444590f44cc0f9912d9dbedf

SHA256
ea60b47392c7e1d967432a33ed80b216a8298f5c57a3aa1739105d3293ade171

SHA512
e2eadd99110d9119c5e0bab09f4897bc8578b156e82e57938d33d1693abf28599bdb3f76fdb4315c81a8474959c527fbb0e79014345bf0c7959fcbd415e36db5

Download Submit
C:\Windows\SysWOW64\Hepgkohh.exe

Filesize
352KB

MD5
2317554af14fa60bcda1b399f16cb1ac

SHA1
a5fe45c6f587a678151156493814b8d666035db8

SHA256
139797487897a31e86ec15728c6f096ab2e87d925515ef986acdc1a1989158e1

SHA512
23984ed336e96a205510a1a1be3e095b9b51ece86649dbbe64e37bdf28aa930f0b30927e0caecc4bbcbc254a8fcee46482cedd90229306af2fbf4a82754dca73

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
352KB

MD5
b17cd4944ca0ae0bff778b4d4bcddb67

SHA1
6ee1c3fbbca1cce33d8512049263fe21c1ec553d

SHA256
31dc650630d4919cfeddb69c9571be97dda2d6b3bb8bd39bf69faf768743f0d3

SHA512
aab39c46864afb7cfe0084d2ac4a17e4389acb093cfc76a0f21ad297f4c96c359991326f61a25b615c8dbf12b31c75cc4d6dd9d9f85ecb8a6f1195fd055683b7

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
352KB

MD5
980f900c377cc2805c49bc1c57ae1d51

SHA1
19661136d51e0a325a90080220ad70a42939bdee

SHA256
b102d594c2d7a5429e63d6236d5524d2c236dc534c661f343dcdc5299b0c7b6e

SHA512
32ff29c3c1bd746e784049db60d4ffd098a95af94c1a25a841c958cf14f306aeb949d13396429e7aad22ea908592640ca40c8b959de7942574c191bd228f463f

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
352KB

MD5
991315ea3b25b9829ae5c35e40a5ac33

SHA1
2cd4947fda6b836d08bde9d46c0c8b1296103287

SHA256
1f551c26f26acf07c2fb250ffc938869b94153e5b045275fa1a713fb83e13d09

SHA512
d3d8557140a4569792215cff797dac71cb53d32351fd0bd7a18c1c603b956157bc7bd41e0f0d0159c2cffd0b6e3b3c64a97cb06898d24bf0cfdee7f62e222a20

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
352KB

MD5
02e28942fd24fd08a111157ce352498a

SHA1
d3459841bdee16e591eb4ac5e21b8de1a97e3b0e

SHA256
2cdfb339f55201f6f23db892ff906d6c30323b809ef53fe69130b68fc1e877d7

SHA512
65f5bb2a2139a9da595a15f78a696df191a354eda564a81c3b13eb8339dad61b5425d344120e102d772ec761c781baa6b3d933610b31225f00c9fd6523f3d14d

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
352KB

MD5
e127c2763a948cb4165707f2a82609e8

SHA1
71727eaffa9f1a1d74e5728023b4e80f21473895

SHA256
73248e02ebe54c1b30681af8b6c0a670bc8730992db8232c2622bf8b445535d1

SHA512
5cb8678e7020cc65468fc6820cd64c52d63e4fcbbca26fee86f492e2842d0ffc2da59cf347a205bc7a87f4b572cdc4c9e41cf74774d7e64ccac511d82f3fc9cb

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
352KB

MD5
a9a87d10eac09c5e1e9f08f2bf52e333

SHA1
f3313ff7533778f14faa05138463f6d62926ebbf

SHA256
5123ee24cfa813a61c7557d3d2abb034c407c9de374822aa32c80e6ca3f63b28

SHA512
8df6a4cf4f9a967b78c3d47da0d9783aaf2b429aa9229854845888bde662cb60ad8d34c54c151faff2fe3411b11cfbdb733d648f457f0e3b37cbd09ed42e7a9e

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
352KB

MD5
a03b8b8af3545e61db605f23e029896b

SHA1
fdca1ab6c868f7671fca6e667526ef589e291101

SHA256
2c4bdab0b76693c4a2ab9743e934f46af16e6f2a44702c94640a5c3800640f64

SHA512
43fd648a2772175661b48f205da8241d785ea88381cd3a3fb4043b5887afd6fce28be20ef9c96457dc334276445aae379eb5d9b070e74f369301978dbb29f2f2

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
352KB

MD5
06a7f91cadc84b21f1fb752e9ba27863

SHA1
b81aea3c594a419b01dabf7589e3015f72e0a158

SHA256
a9f76cc7e64478462344a8218241c125c03e7b79d2e8844b85abf6e48018ff79

SHA512
48a90e80b766894b3e68e692093c9bc6757a5ba19e18d28b2cd9bbe1baee5e863c1d71019b6fede56d4ddf7bc914b122fa2c43abc02dabdcbdd17221e2b2cf4e

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
352KB

MD5
6ee614c4238180113fc06cb9e64b460d

SHA1
5259209d18a8a6da8c1ae935492377a1aa40fed2

SHA256
5d8490fb2dca74d24e9704b7bb1213aaa8723c5733864e6c14ac681141e10100

SHA512
431f5c6aff323900074bb3e4e8c46b545026a87699acc6396e18eae13daa666d0199546bca8500d4a0cbee09575e8d86f0e45bdbffc5b4f4090c705f77afcc4e

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
352KB

MD5
4685a1cbd0379d5dd1086b036f0a1103

SHA1
13ec2d79b653c4c5444f8a043f28cea5cac73d78

SHA256
0da1b3c9152665d1d8dfa8a0b0a9faacbbbc314a409b17fa10c1e7a640fc2853

SHA512
f5c0e8eee0c695b9de68dfbd4527d034e1f1375d01049c5ec55771371ea7e0ff82fc218846853bbae5a8dabc9e1d8c90af43549783f4fe4f60e3923a90ec1134

Download Submit
C:\Windows\SysWOW64\Jhbejblj.dll

Filesize
7KB

MD5
80f251d7d232078fb7c121c44011a2b7

SHA1
a14fc33ed728f0f245911c3788709c9c9dff326c

SHA256
4b27d1963a7e389ec04a8c1b77eddf8aa78d79a13d8a42fb0ca7ade0bcd398b3

SHA512
f746f7493ba756829342d9f09aff9bfcaca7afd97fa6e13b6bf36898e7ae13a706a1c076f75b1272e83260adffd234e614f8ca4f3c0548120a0c51592e56028a

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
352KB

MD5
47bf83e3a0fcb56be57e0fd94787fb33

SHA1
08b7ef07f75bd4d18a6c2ad0707359ac6f8aa16f

SHA256
ecd0c3309c9545562a6df8e4081794d91b741732810036612dee9e124391574c

SHA512
3a78c0a4a564466c94d5319a436703c488106124d09d63fbc1d3dadef3134437e4c319c80909072b32e5ed915622579e8c065a0ccbf11355461bfcfff9e6e5ec

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
352KB

MD5
039a38f77edbe77872d412b60c1f082e

SHA1
b3bad4075210da34625a8d39da7276bcfac270f0

SHA256
672f45ec75f1b81a388491d9ce25d6442212880fd929cf2dc2ba3f31e44a0e7f

SHA512
2848cf15452626d48b122383d2bda847dd71515e4719f08ab3eebb1fbbb601547c27e69714c24b817348c73ca43d88ba2d4cf258a766a125f39149c6e10d6a80

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
352KB

MD5
5ce132acf7f89f51ae66da218553fb3f

SHA1
21e1920cebfdc560cff746169742936918988d2f

SHA256
0eff69dccdb0b89737e4e7b7342529dcad59de5bfe99b13a3caa86b59c44d9ec

SHA512
2cbbac86f2ad2c1e3f443062f80e403b2448b9e933c9896b988ae4ffa71c899d0ae839a9554ee10d884d154abf8a6aaf16d337224ead8cbfb0a94cf62e42ad82

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
352KB

MD5
3668eaee72943f0a76d9498ad41ca547

SHA1
e0a0a4a5969b9398edc7f462afc4274061da518e

SHA256
ef4036bc84e4cd90451ad64cd9e6c259c1edaac610e8dc0bcbc487d404e11f50

SHA512
a642fc165ebe5a7b0b92625f3b9c52025b4678a628f42c3b016567d6b3dc2ac774092af593ca4bd30d2308917f6b9e2ef776694cb412da496f920792ecc386e4

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
352KB

MD5
cda92192b349aec795a5b67311c0c766

SHA1
680f9cfff4e357599b8195109b6579b54c5476e6

SHA256
48ce4f131564bb1aa16478c09560423fe8ab720d41b465d10d17d80ec6db6901

SHA512
104cdb0933cfa1900f26938cba7cf3ef1cfd001d14de612c00c88a36e654530b3d351639a10d090ac528824942c79cd5596a0764157ad1afaee158b1cbdb37d2

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
352KB

MD5
1d68274e959f586f7e18524e658f20d4

SHA1
c7c07075027bd0ec11045706b0fd02695ebccc70

SHA256
1e9f2a3e22ef8e10fa5309f792c56b20a87abcd386bc3e7f89924b008f8cf2db

SHA512
26a4f90cd4c105b29e65a8029f28154cbf02b588a2baa27b91feec7bee1416f3aa82113900493c9a9c9937608533026135640451bf04737f042a9f33ce27456b

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
352KB

MD5
e91aba2fbf89af3fe7e4baa960797e77

SHA1
72ea518d5b033555f95bfddd392cc3e1119d3d93

SHA256
389c07ff361b3b6b67c9da2e79dcb022535556bd99063d6d88aeca1ed792e45a

SHA512
5cc0f95ec7efa62e1a0056786398bfd15363b0a702c086a72f80a8e861a2e47e5249d5b6ab6a7a8c9267d0fbdeccbdc911f28ec55fb5db06f1bda35c38db2512

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
352KB

MD5
e3c692cc23510f6bdd5d93ab0c88d057

SHA1
54e814cff6f3738cb711c212580526b4af0e1228

SHA256
5c2b991b5b4ce1b367ea7da42e46df9c956948068d6fccb90940714352aca6ff

SHA512
b1d1d960ae36467bb7e6993b1369dd26012e62b773b5fe27fbb7d3a8c8a27a05dd70e0618a5f141c1a0f3ec1d3976627ad2dc4a1190e86d9058c52688bafe407

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
352KB

MD5
bf0eafec900115dcb3c99003c3bc158e

SHA1
cafd28f7ed71b52167adc5f3c8410c06199c33ea

SHA256
b582046ed6700bb00998fc20ae4ba1b2cbaaba2088ccc2b2e3fb97918a37b51f

SHA512
2ab3c2f09159978798e48827287636a12a3ac184c4a307b75694c81c783b0b2b94ac0c9e684b20e237b38ff0d742ad4cdbb67ce54e4fa4a578f46e5299a72744

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
352KB

MD5
0942a8f9dd8a740315e032836052c437

SHA1
06394d68bd268208482565e46d467e14c674c0c3

SHA256
3f1652546a528d736cca5b347022cfd19797fd923ae1b4a078a6a48a6785b3d7

SHA512
e65902bde73f01797c81b919f854a82b17a6035abc81e45905e11e03038eaa2e0cba32a8196bcd13db500a4fb7a9feeba95c0532f36b3cf06a2d8d630fe6fe61

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
352KB

MD5
de076325ca6f92e000a8438bd8394f65

SHA1
bf57472ba9ca9395aa365a934752dfd2db9fd04f

SHA256
fd8f05b60f91373a951c080c3fd7436c4ce7acd0e76e36197947401d361f5def

SHA512
626a5799e120cd43e6fd3f9488b45136eec51a2cce9dec3d28be2ed01b9bd891db10f8fc99894d8b5b8f7a413007fd0e702bf03125ec753bc67e6641bb5552a9

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
352KB

MD5
160c6b49491aa844fe77af4e5edceceb

SHA1
12bdf4f2abc9e9df003f3ebe3f4cbf8398ec7417

SHA256
d41c6f39d309219ac9a4128993ab3716f9ce5af6df30eb5f117d9b65fdf0eea7

SHA512
721e1db0da3a44ba1fa4a9b23d6de9e40bfd5c3bb38c94f3ca31382b30ba088197686a93e77d1baddb683edfab7b962ee8d943a2d6f4f710829e2273f8bc470d

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
352KB

MD5
a8880e031857e4204e64c813e8ea0296

SHA1
2900df8ce9d966a92a78d99731faf21851e477f9

SHA256
885d990ed374f90815bc86a035e8d56c1ce2887efa2b65c4c4060351ecaf23ed

SHA512
8438c2ef63a980f5966c90d6c77a639ad95f468ac7bdbf5794060c25347c44076426407c2661fe236721c71a754722a8d0f05118106a7f7bdede3e33c787c305

Download Submit
memory/684-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads