berbew | 6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Size

64KB
MD5

5b2ba8c17752fe9da82af8bdffc05330
SHA1

5c0c5e0afa3d9c4a6c4570f989798b94869ad952
SHA256

6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01
SHA512

c2a796f3683ba4d06214de510b73464484535b7fd4e2c28bcf161563a1f4d330023f8d47830508e2467fe9777d0d802625002028c29a41e3571152287f128f03
SSDEEP

1536:9SBkrQLajN98u+p9iPiYsTFKPI32LUrDWBi:YhLajD8uBiwU2Bi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iholohii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icogcjde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 37 IoCs

pid	Process
1800	Hegmlnbp.exe
664	Hjdedepg.exe
408	Hbknebqi.exe
720	Hghfnioq.exe
4244	Ibnjkbog.exe
540	Icogcjde.exe
2436	Indkpcdk.exe
5076	Icachjbb.exe
1412	Ijkled32.exe
1628	Ieqpbm32.exe
4656	Iholohii.exe
2324	Iagqgn32.exe
4156	Ilmedf32.exe
4792	Iajmmm32.exe
4748	Idhiii32.exe
3368	Jnnnfalp.exe
4072	Jdjfohjg.exe
1868	Jldkeeig.exe
384	Jaqcnl32.exe
1920	Jnedgq32.exe
3088	Jdalog32.exe
2944	Jjkdlall.exe
3568	Jaemilci.exe
5072	Jddiegbm.exe
2488	Keceoj32.exe
4320	Kkpnga32.exe
2216	Kefbdjgm.exe
4232	Kbjbnnfg.exe
1148	Kdkoef32.exe
1312	Kaopoj32.exe
1804	Kbnlim32.exe
3800	Lkiamp32.exe
4768	Ldbefe32.exe
1604	Lddble32.exe
896	Lhpnlclc.exe
448	Ldfoad32.exe
1528	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Ibnjkbog.exe	Hghfnioq.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Qhomgchl.dll	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Kdkoef32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Hjdedepg.exe	Hegmlnbp.exe
File created	C:\Windows\SysWOW64\Iajmmm32.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Cpmheahf.dll	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jdalog32.exe
File opened for modification	C:\Windows\SysWOW64\Iholohii.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Iholohii.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Jdjfohjg.exe
File opened for modification	C:\Windows\SysWOW64\Ijkled32.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Ofbmdj32.dll	Ijkled32.exe
File created	C:\Windows\SysWOW64\Hbhgkfkg.dll	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Ijkled32.exe
File created	C:\Windows\SysWOW64\Pkbpfi32.dll	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Ojglddfj.dll	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Bmapeg32.dll	Jaemilci.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Celipg32.dll	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Jaqcnl32.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Lddble32.exe
File opened for modification	C:\Windows\SysWOW64\Hegmlnbp.exe	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Iagqgn32.exe	Iholohii.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Ilmedf32.exe	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Hbknebqi.exe	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Iagqgn32.exe	Iholohii.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Jddiegbm.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hghfnioq.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File created	C:\Windows\SysWOW64\Icogcjde.exe	Ibnjkbog.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Indkpcdk.exe	Icogcjde.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Bdelednc.dll	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Ijkled32.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Cobnge32.dll	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Icogcjde.exe	Ibnjkbog.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4932	1528	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknebqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfood32.dll"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmapeg32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojnef32.dll"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaaihpg.dll"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll"	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdelednc.dll"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpchag32.dll"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hghfnioq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijaaij32.dll"	Jjkdlall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1800	1104	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	89
PID 1104 wrote to memory of 1800	1104	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	89
PID 1104 wrote to memory of 1800	1104	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	89
PID 1800 wrote to memory of 664	1800	Hegmlnbp.exe	90
PID 1800 wrote to memory of 664	1800	Hegmlnbp.exe	90
PID 1800 wrote to memory of 664	1800	Hegmlnbp.exe	90
PID 664 wrote to memory of 408	664	Hjdedepg.exe	91
PID 664 wrote to memory of 408	664	Hjdedepg.exe	91
PID 664 wrote to memory of 408	664	Hjdedepg.exe	91
PID 408 wrote to memory of 720	408	Hbknebqi.exe	92
PID 408 wrote to memory of 720	408	Hbknebqi.exe	92
PID 408 wrote to memory of 720	408	Hbknebqi.exe	92
PID 720 wrote to memory of 4244	720	Hghfnioq.exe	93
PID 720 wrote to memory of 4244	720	Hghfnioq.exe	93
PID 720 wrote to memory of 4244	720	Hghfnioq.exe	93
PID 4244 wrote to memory of 540	4244	Ibnjkbog.exe	94
PID 4244 wrote to memory of 540	4244	Ibnjkbog.exe	94
PID 4244 wrote to memory of 540	4244	Ibnjkbog.exe	94
PID 540 wrote to memory of 2436	540	Icogcjde.exe	95
PID 540 wrote to memory of 2436	540	Icogcjde.exe	95
PID 540 wrote to memory of 2436	540	Icogcjde.exe	95
PID 2436 wrote to memory of 5076	2436	Indkpcdk.exe	96
PID 2436 wrote to memory of 5076	2436	Indkpcdk.exe	96
PID 2436 wrote to memory of 5076	2436	Indkpcdk.exe	96
PID 5076 wrote to memory of 1412	5076	Icachjbb.exe	97
PID 5076 wrote to memory of 1412	5076	Icachjbb.exe	97
PID 5076 wrote to memory of 1412	5076	Icachjbb.exe	97
PID 1412 wrote to memory of 1628	1412	Ijkled32.exe	98
PID 1412 wrote to memory of 1628	1412	Ijkled32.exe	98
PID 1412 wrote to memory of 1628	1412	Ijkled32.exe	98
PID 1628 wrote to memory of 4656	1628	Ieqpbm32.exe	99
PID 1628 wrote to memory of 4656	1628	Ieqpbm32.exe	99
PID 1628 wrote to memory of 4656	1628	Ieqpbm32.exe	99
PID 4656 wrote to memory of 2324	4656	Iholohii.exe	100
PID 4656 wrote to memory of 2324	4656	Iholohii.exe	100
PID 4656 wrote to memory of 2324	4656	Iholohii.exe	100
PID 2324 wrote to memory of 4156	2324	Iagqgn32.exe	101
PID 2324 wrote to memory of 4156	2324	Iagqgn32.exe	101
PID 2324 wrote to memory of 4156	2324	Iagqgn32.exe	101
PID 4156 wrote to memory of 4792	4156	Ilmedf32.exe	102
PID 4156 wrote to memory of 4792	4156	Ilmedf32.exe	102
PID 4156 wrote to memory of 4792	4156	Ilmedf32.exe	102
PID 4792 wrote to memory of 4748	4792	Iajmmm32.exe	103
PID 4792 wrote to memory of 4748	4792	Iajmmm32.exe	103
PID 4792 wrote to memory of 4748	4792	Iajmmm32.exe	103
PID 4748 wrote to memory of 3368	4748	Idhiii32.exe	104
PID 4748 wrote to memory of 3368	4748	Idhiii32.exe	104
PID 4748 wrote to memory of 3368	4748	Idhiii32.exe	104
PID 3368 wrote to memory of 4072	3368	Jnnnfalp.exe	105
PID 3368 wrote to memory of 4072	3368	Jnnnfalp.exe	105
PID 3368 wrote to memory of 4072	3368	Jnnnfalp.exe	105
PID 4072 wrote to memory of 1868	4072	Jdjfohjg.exe	106
PID 4072 wrote to memory of 1868	4072	Jdjfohjg.exe	106
PID 4072 wrote to memory of 1868	4072	Jdjfohjg.exe	106
PID 1868 wrote to memory of 384	1868	Jldkeeig.exe	107
PID 1868 wrote to memory of 384	1868	Jldkeeig.exe	107
PID 1868 wrote to memory of 384	1868	Jldkeeig.exe	107
PID 384 wrote to memory of 1920	384	Jaqcnl32.exe	108
PID 384 wrote to memory of 1920	384	Jaqcnl32.exe	108
PID 384 wrote to memory of 1920	384	Jaqcnl32.exe	108
PID 1920 wrote to memory of 3088	1920	Jnedgq32.exe	109
PID 1920 wrote to memory of 3088	1920	Jnedgq32.exe	109
PID 1920 wrote to memory of 3088	1920	Jnedgq32.exe	109
PID 3088 wrote to memory of 2944	3088	Jdalog32.exe	110

C:\Users\Admin\AppData\Local\Temp\6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
"C:\Users\Admin\AppData\Local\Temp\6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\Hegmlnbp.exe
  C:\Windows\system32\Hegmlnbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\Hjdedepg.exe
    C:\Windows\system32\Hjdedepg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Hbknebqi.exe
      C:\Windows\system32\Hbknebqi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 400
        39⤵
        Program crash
        
        PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
1⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4468,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
64KB

MD5
1e238e0db5ed66a727e4d568ad3ba03b

SHA1
e8c30795783a78f168695656ea341d4d9ce02217

SHA256
a24359bac1b86a48e0e5dc61057e862ab6ece1d67dfc169eec71669e1fd30bd6

SHA512
95c1213c93e24a289e8295ccd32d098bcdfb988b97cdc072229aac0f32593a3ea98b1631ebea9bd5f3eb1e40187b0b2a77f47ec8da37cf0121669fec853d8818

Download Submit
C:\Windows\SysWOW64\Hegmlnbp.exe

Filesize
64KB

MD5
9121adb99783e922d06cc9674df4160e

SHA1
4d0c554ac991c193cd62090e565f67443399d69f

SHA256
a02d7562e471d6a6676d24298ea2228140f2067808e3352162c806a21a5a9b98

SHA512
12df53ee93ffeca706be1fba68d90537780f245b4e3f7eb2098728adcc7e55b6af7b4a71c5861be325491fc61ce826776556660b93bff5eff37361c3f66d3ae4

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
64KB

MD5
2a01ee1f0897e4d8ca05355b97fa3c9c

SHA1
ac62e620e0190b26f421581c07ab8397a30efc86

SHA256
d259f1fbc8e3471c6b37b64b6be48b72b6ebcd41fe9c029247ed3426bfa0a671

SHA512
dbb28159384a8b33643ae473daa280ebe8b59aace1b51dd0635e8246ea0d278394050dfd1d51a60a23fdb8b4a42890798354d99e631fc660f4962359a6304f92

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
64KB

MD5
e97f176c3178670c00713cf5a9e5b5e6

SHA1
afeb4bed9e3dd74b1aaf94181478264ccb6e2021

SHA256
fb8cbc2aa793c5dbe4300ed1f18fc0b72cb472ad6764bd8b62f4e4676cde2970

SHA512
8ca0c4576099aada34e856e7ac9ac04ceb53c03bc569c11488761936bf61d0011ef7b55678db0a4dae7f4befaec5a7227f0d622b27efb13c368f0b9d19831116

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
64KB

MD5
33af19334f99440c77b550edc1c8fb0c

SHA1
7210b3dad1a3e414825a44f81e8b81ac58c8ef5b

SHA256
7c1bcbf0624447bc696c9840e97e43614e94f59e070686690834c6e71aeb3540

SHA512
e7186fa2655b5e4ff6a833889f22098b830fea80a0ac7269eef482e78f74617afca37ca43ea7e0772176b2eb82cce3466195ce645074914d6220b556dd873747

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
64KB

MD5
12d1293ea8657a2e9709db3bd11313d8

SHA1
74a5228f98e8c844939aba31fffe46f4d3a1a607

SHA256
cc92404bae7026a5eef358b71ecf6b51d228cda44778e96164a5ed65341d1e2b

SHA512
8051f623acf242552ba052055905cf464c70d827f6c52e8a7bff5869808c15bc29fc02531c4a2cac8ce684bc28accc1baeb63a1aa6328662f0599f5e7ba2613d

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
64KB

MD5
a595fb171d6d51c52830030592fff975

SHA1
0c7fb20a74fd70d42fdc1cdaf65a5faf3b2d1ab2

SHA256
2cec8615203baee75daa7bd27bcae34671a1746bf2c64d05df8827c3b3359e1a

SHA512
5fc77cc0af7dc50a91952e29201ee1a1d982bd1f85cab87fa8b2beb3e78ecb57f0bf80322edbca49fb58452d9c7569e2168582faed7d4f689bca88dc548ce39a

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
64KB

MD5
75b5f120b6208e7fd5e8e962cbb5d5ef

SHA1
7d2f82885d57ec174f8573f8de2e017c8f9e4b8d

SHA256
95a9314ee0ca497464f7c544ac4ed7178bf43613faea6700f4f190bca3e8892a

SHA512
6ccba8f0d8aa04d3c028205eabd3db2bf66d9e6403238d45a2233411352fa22ec05b7b134825769923f781c60421b995e4c3f29bb22f04c03c8e5b15404aabd9

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
64KB

MD5
1517306d849c43e955a75fb995aeac1a

SHA1
9741443a4b8b3a68475c65d0bffeaee128971a15

SHA256
984a3132be780359c0301bb9baa5094946b2f32e42de60b9076c0fc4b02cb170

SHA512
33b3aa0faaae6f914933246ac50342953d419ad6a10d8ab2d37c1b20a3a088185f602ed25e25ddee34ac6856dac48c434ce285ac458a408b5fc1dfd5b5b4a94f

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
64KB

MD5
adc9f7d2b6bdcd5325970e4e48007186

SHA1
d5fc3094b6bd5c60075da8c86512d2d0a60178e5

SHA256
61d93f537b7020bb0a126c0bc295c1fdf5bffd4d9fe18b647a365b5d6e7bef59

SHA512
9e3f7c7e9ae38cec50777075a11fac8f7846164df0c610f558ce25f28c9d1bd6fc25b5ee5a60fa435a562b4e2c4441baf83fc306390fb97a72da43a1476fb698

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
64KB

MD5
54dc3a21cf627f84c54c47200c7a4a1a

SHA1
61f09d39de4e8f5d718f863d845ea5e7d24a2860

SHA256
c8009c8ddbc39bd56be0e885019e78c998adc1fca66dcda3d2df63456ec4cc6d

SHA512
759d3652340747a28ac6d61a89afaa1b5c6ecf1b915bbf490353f71f6134ad3ca16affb5018e8ea14f6965f208a6af372d6a286e89258f5173559ef8c77ff39d

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
64KB

MD5
7a8e50be2a017ffef825374882ba2889

SHA1
f89d69286c19c63240c8ce660bc3a611470ff433

SHA256
191925787d4489be0354aa80909ce989c74e46539a7059d4390d8eccb70d6bfb

SHA512
a263cbe80be9c24013258f05378c4ec7a2ef9a77550659bcd9312a95b58c1ec4c1c34e03b41c2e95dcb1430df579f6a4531dda43300284b0fabf6146259b7328

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
64KB

MD5
955ccb944d079156dccacc63a3f87d89

SHA1
1d0f64fcd8b8d3cd1461dcc60ccc63269927b80e

SHA256
4544867eb8718f4d9e6a9899aa1cce871b4f8395c74acc4f0382b5f0d92c02c0

SHA512
98551983b624bafa01204e92dd33ea6a1b7dd9ee655457f83e83c6f646f897de2fc598fff37a0c0ccb6875e529aaad9578bd283e876e7a507d17ab9e62756e70

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
64KB

MD5
b46c6a88e571ad9d97158e486084a032

SHA1
51a1b1a0d1697b46a9701b1cdd81be703942906f

SHA256
c78034d38e57f459c8f1e878a17c02fc070589595c9068df17633ab54e71cdd6

SHA512
2bcb3bd5ca1461898677e7e213161977025ca8e17a45e7b09509fc73ea968748bdcf0cbdfd48ebe1b04db864fb464916418fa49fd5824e7a7760842a308132a4

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
64KB

MD5
39946fbb581435bac97b6b5cedf986cd

SHA1
3b03eb501d5bcbcceeec8cf9a3a03cc8ec2575b2

SHA256
06dabc46042129c7d79a59ca9a75573ec059465f4a1bd5ec4e2c702ed8e11783

SHA512
6980ddeb7cb00dcb6d91f05c24e499117e8ad27c8c203010d3b66553a2ce01b6ef98975b35befe47ef813376fe5d10154a55cbbcc448d042ec626fd79419e1dd

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
64KB

MD5
de9ecc5235c4b2080c57d9ed795c110f

SHA1
249311c534fb8f5ba90e3defd9bb1478edfbe26c

SHA256
8573feae66bc2c47023866531a29f3344f9e38aa18f7efb9838bbd1270b0c43f

SHA512
9bf9a3045b7776021f1fbbe94a22df32bc09605eb6832d8ee19020a6f682df3b4db625298f8c54d22b54e8148b2590bb31d581ca0c5463366abddedd1fd0cf97

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
64KB

MD5
f4a567b0826fbbe8a61e11372bb862c8

SHA1
d021bbbbc980a7d9a04b75580d35746847bdf61e

SHA256
cdb1ac18a4daf06e96cc76555fd7af0d649911ba017a6ca1c1de21ef2a3a7481

SHA512
97518bd2c6fd9439ad3ef0c0a625f19e1a923c9f1b7d413fe72cb24fd4a2c34f97b22ae4604400f3e0d26fb27dd75e59ad3e001d77602d148a4d2161bf23a963

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
64KB

MD5
fb6bec98c7fe27f54940720e49abd4f2

SHA1
c003e4bceb7762b298713d395cacc0010c2e1b68

SHA256
fd88d2f62422d0b47a0a7d37953df3bf402895154053037da0060cef9f3b0168

SHA512
ec4d8a21ac64ae747546d0b7906f8634829107a53068402e350fa2725e94b5105994e02aa29cf5d2cd59907e47b1bf7d28fdb86463b09cb7dd616c5b30a0e551

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
64KB

MD5
f6beee584b811e100522ad428fc74cfd

SHA1
0d39081fb85e91659040ba16db6e2d755522fb0b

SHA256
96a64b906be4a3436aaa4a9448cc825f6d1839de4872f45de3ed852ab10e5fa7

SHA512
f0b0684a4c3d8957d1d236686baa5de529de4db848c87d37d5cfcda1cae853a11e34e9a68d5c6d9b733e5f53dfe46f7cb7153dcb8777c4d43d0510d329246668

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
64KB

MD5
23cbec1589cfcb40a6eb4a55c3096f30

SHA1
f89cc6e78edae8fdbfddc9131975a6537638a06c

SHA256
5233f38cb12f6f60ed04f869e9010c456c8f1d3a51576fd4fa442e846a98c5d0

SHA512
320da00108195764dbb65e948b92934b263e630a96f496cf8ec14d952e7d5b402c87efca4b94195a68c17e559dded370d8f07f5c8a49dbe5724d6e6050af25f6

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
64KB

MD5
fc6b52b9d127157c4f6a9f1e56d79ba6

SHA1
a88f9eeee40121e81023143bc3881b2f88598c54

SHA256
3d39d24aa1c4d2c6a7a177927c3423f4cee3ad337c730c24a3af9d7bfafa3e1e

SHA512
bbc06dd7e836abcfc71c8c4f0b1cf1481ebb64fc03e3cae531562c3e814183c263fc8145ff75abad07d1ffbb5f4a6918af6db170579150446d821f003898fd57

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
64KB

MD5
221bafaf93144380bbf9b4e71ae86b40

SHA1
f3be90e3579f29597fdaa560c34735b9ad99beaa

SHA256
321da48054de6088ab51fee7a075c31408b2931f92236e53eac04c6efb3316cc

SHA512
1d2ee723bf43f4146c6f11c8c82db2b8bee19ca4a649ddb3fa38ea3367ed29ef467df66f5d032bcdac8600fe4f3eb598e3e9127ed4448e4af7fe9fc015e38ef7

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
64KB

MD5
f1ebe0d610734332451a5b412c42f74a

SHA1
6b8a208b22ddbbd7b971469e12241201be860ad5

SHA256
6c0efee84fa3eeceed1a6075e05823ac95c3f48e2dea518407fa5052a364f29d

SHA512
1bdcc9c41fcc9c24c371671ace7ac25c983a4c17985058987f6beea669d0924bef4ba6d40f4ea88a76b256f6c9b7621bc4182a620120a792c80bf4c949aa4a86

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
64KB

MD5
1ddac5f0790b342014c291b9eb5ce4f2

SHA1
1d83aff1712f51860a76239ab235ca7b363211b9

SHA256
63b67127602a8bb05c01e4fe411ea672b0f17f10f44cea2fc99260443a5260a6

SHA512
09cc14c4a3f062ff95737ff0a3662faadec7cdaa45d1775cb08ad5f87cd99a28707a441d590171b811ef3726857399d9bf0cdcbfee5ac7de937b68b7539531f6

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
64KB

MD5
d200778cfc03bec398c3c9a3e19a15f7

SHA1
a66b204a5fcdc6ddce664064c9b938cc36f07319

SHA256
56ded23941a66e7178f856ac96bd7d20b4c2518154d3b6296ed6a7518fc83395

SHA512
f5c7e7e9703ed0f0c652c7cf1315d780f3964a9e392e9e3fb39733e7b14164f3ff8b262e5ca2b8a2c78493d93c395624c05a1466f2c8d500b52acc6d629f545d

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
64KB

MD5
9e5a869d7b669b266e26edb8803d6209

SHA1
6d8404f55e2492c190005bca961b7d491ca16edd

SHA256
81ddeccb99cafe1b2b88c1c40f84c6695fe6e60e85d1a069615584a300d90d51

SHA512
fba2577b903feabb2e392ad365998bb0430019a1cd5e868f5d0629ff10d77f66a72bbd0195002033c9a8a00276bd13c500aede7f6cd2255f8357a0698d996d20

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
64KB

MD5
5d18515ab43c4a536c05ac0d0d2c9082

SHA1
50062818ba693e3aeb0a0649195a7901603b44b9

SHA256
3b6223913803b9e6d1a4e7a4f16d697d8efc35d3c30b9e77a87cc1d383bfb4c3

SHA512
f3797863c9e55e4b5be889d63a14169ecd34bf48ce137e7813ae5affecb4152224febf628315747c19f21afcd2d72781b630df9860b19b5680bdc560987c5084

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
64KB

MD5
60b9f7c0e3356af98759f950420dfa3c

SHA1
c375275eec20d235fdf4c10b3955628a5087fc42

SHA256
9721d6e593fc8b3e6f139d301c156444c85989fa43cb207f7f94c4ab1326238d

SHA512
1350c56416657d7a911248674d3d3ca885526e675f26a747629cc702952e5dbdaff7ad9f5d88db0d98c18de28d0e46032d1f93b59bb878189f3a0ac520819c11

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
64KB

MD5
a505ea80a8f7c3b20a14cbea1e536e14

SHA1
c7266215a5eccf54953fd551b5040dd49cc1d7bd

SHA256
e67fc79bf33b44c2a37b466fefa5868e21b96cb4356c90888159449dabbcff76

SHA512
2cd124bb298ee536eae02d91601bd40309e46f3782594f530ba1a43f5ea8d1135ce8de7778472a44ecb5d62389dab5f16f52f912aa49332aa65a71f9e7702de6

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
64KB

MD5
e16636d3fbd7616d359379b172ea84b5

SHA1
d015759460c16b6ebe9931564a7dea272669b678

SHA256
2583ca1b54f78e4d3099f716f84fd39be8604f3c7de951a7cdedde31ee2e1448

SHA512
265cbcb8cf531c89c741bc0c280e1934ada6a05f2cbfb6d95dbd045522403458c9fad33439c08f3d76480823f6b5735a4522bd7c3b10808a42c00b91d162474a

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
64KB

MD5
e3c88f05cfea0f73b2562addd37da5ee

SHA1
520a5f5e037653be8a7925ad8a1aa0022b21f9df

SHA256
1d073accad06ed56fe62d71af455f43fc58c01955361a10e14c876ae93cd1196

SHA512
b3518065eb9c20e3e6ee1e22f8501174ce44266213a528e7b0db917205c0e37fe3ece81128b6f99112e444b3a7e7caf9c128f1e9c64c34b6a7cf4ff168e6ccca

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
64KB

MD5
a5605fb03bdeeb66845ba8532328ae88

SHA1
592c12727aced798a65e8bdef81df4712d31a9ac

SHA256
e549e211817fffff873300a46b0bc15a43fa5c0cb56cac1f7f6faa88a84ed588

SHA512
e5a0c65e47570756bbe36476a3a62e276b065ad2575ef72b8d86a6ef3d533308a1452eae37d027117cd49628324aebca7079d98a913c129c88f2262723c6280c

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
64KB

MD5
afa298716c6111fcf9f07575f15bb350

SHA1
ce9386b122e47eba8274f6e3c16e42e5017f11c0

SHA256
5139e3daef9924e481a9a90a4bbc11b54e1748f0a5824cbff665e7ddba90353e

SHA512
9d990ba8d97ee0ff845676a19e078602d95561b6b0377c3da0d43a5c7964b4868863c275b77db2f215f425b6927f64ff78952e9fa3e680248567a0551ffe90cb

Download Submit
memory/384-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1104-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads