berbew | 6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ce

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Size

448KB
MD5

daff84472d0384b9574c87eafda63810
SHA1

b98cfd73324151209d951f2398e3320288114d4d
SHA256

6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ce
SHA512

aac2751651e6ad002b1bf5fc084655cea95a3499f56a4bf7628781e72ba7dd694cbecba8200cd09a848ac77fa510988fc789cb7404082aef956da7c8304364ef
SSDEEP

6144:SaPDejaD5coTS7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:SCLO7aOlxzr3cOK3TajRfXFMKNxC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdgahag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 44 IoCs

pid	Process
1340	Jjgkab32.exe
4528	Jlfhke32.exe
3516	Jlidpe32.exe
408	Jjkdlall.exe
4560	Jbbmmo32.exe
1808	Kbgfhnhi.exe
4480	Khdoqefq.exe
656	Kbjbnnfg.exe
3844	Kdkoef32.exe
2208	Klddlckd.exe
2768	Kkgdhp32.exe
3088	Ldbefe32.exe
4920	Llkjmb32.exe
1652	Lhbkac32.exe
4380	Lkqgno32.exe
4400	Lcjldk32.exe
1828	Ldkhlcnb.exe
4056	Mkgmoncl.exe
4048	Mcoepkdo.exe
2960	Mdbnmbhj.exe
2776	Mojopk32.exe
2156	Nefdbekh.exe
2184	Nkeipk32.exe
4080	Nocbfjmc.exe
3368	Nfpghccm.exe
4176	Ocdgahag.exe
1492	Obidcdfo.exe
2484	Ochamg32.exe
4104	Okceaikl.exe
2076	Ooangh32.exe
4360	Pbbgicnd.exe
3696	Pecpknke.exe
3220	Pbgqdb32.exe
2420	Piaiqlak.exe
752	Pkoemhao.exe
4416	Pehjfm32.exe
2180	Pcijce32.exe
4436	Qejfkmem.exe
2684	Qfjcep32.exe
4576	Qkfkng32.exe
5028	Aflpkpjm.exe
3776	Akihcfid.exe
3240	Afnlpohj.exe
644	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Obidcdfo.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	Ldkhlcnb.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Aflpkpjm.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Jbbmmo32.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Mcoepkdo.exe	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Nefdbekh.exe	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Khdoqefq.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Coffcf32.dll	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Kkgdhp32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Jbbmmo32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lcjldk32.exe
File opened for modification	C:\Windows\SysWOW64\Obidcdfo.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pcijce32.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Jbbmmo32.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mcoepkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Bebggf32.dll	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
File created	C:\Windows\SysWOW64\Gpejnp32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Kkgdhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lcjldk32.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Jmgdeb32.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Pecpknke.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Okceaikl.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ocdgahag.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Cqgkidki.dll	Nfpghccm.exe

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll"	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkidki.dll"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdgahag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpejnp32.dll"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1340	1728	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe	89
PID 1728 wrote to memory of 1340	1728	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe	89
PID 1728 wrote to memory of 1340	1728	6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe	89
PID 1340 wrote to memory of 4528	1340	Jjgkab32.exe	90
PID 1340 wrote to memory of 4528	1340	Jjgkab32.exe	90
PID 1340 wrote to memory of 4528	1340	Jjgkab32.exe	90
PID 4528 wrote to memory of 3516	4528	Jlfhke32.exe	91
PID 4528 wrote to memory of 3516	4528	Jlfhke32.exe	91
PID 4528 wrote to memory of 3516	4528	Jlfhke32.exe	91
PID 3516 wrote to memory of 408	3516	Jlidpe32.exe	92
PID 3516 wrote to memory of 408	3516	Jlidpe32.exe	92
PID 3516 wrote to memory of 408	3516	Jlidpe32.exe	92
PID 408 wrote to memory of 4560	408	Jjkdlall.exe	93
PID 408 wrote to memory of 4560	408	Jjkdlall.exe	93
PID 408 wrote to memory of 4560	408	Jjkdlall.exe	93
PID 4560 wrote to memory of 1808	4560	Jbbmmo32.exe	94
PID 4560 wrote to memory of 1808	4560	Jbbmmo32.exe	94
PID 4560 wrote to memory of 1808	4560	Jbbmmo32.exe	94
PID 1808 wrote to memory of 4480	1808	Kbgfhnhi.exe	95
PID 1808 wrote to memory of 4480	1808	Kbgfhnhi.exe	95
PID 1808 wrote to memory of 4480	1808	Kbgfhnhi.exe	95
PID 4480 wrote to memory of 656	4480	Khdoqefq.exe	96
PID 4480 wrote to memory of 656	4480	Khdoqefq.exe	96
PID 4480 wrote to memory of 656	4480	Khdoqefq.exe	96
PID 656 wrote to memory of 3844	656	Kbjbnnfg.exe	97
PID 656 wrote to memory of 3844	656	Kbjbnnfg.exe	97
PID 656 wrote to memory of 3844	656	Kbjbnnfg.exe	97
PID 3844 wrote to memory of 2208	3844	Kdkoef32.exe	98
PID 3844 wrote to memory of 2208	3844	Kdkoef32.exe	98
PID 3844 wrote to memory of 2208	3844	Kdkoef32.exe	98
PID 2208 wrote to memory of 2768	2208	Klddlckd.exe	99
PID 2208 wrote to memory of 2768	2208	Klddlckd.exe	99
PID 2208 wrote to memory of 2768	2208	Klddlckd.exe	99
PID 2768 wrote to memory of 3088	2768	Kkgdhp32.exe	100
PID 2768 wrote to memory of 3088	2768	Kkgdhp32.exe	100
PID 2768 wrote to memory of 3088	2768	Kkgdhp32.exe	100
PID 3088 wrote to memory of 4920	3088	Ldbefe32.exe	101
PID 3088 wrote to memory of 4920	3088	Ldbefe32.exe	101
PID 3088 wrote to memory of 4920	3088	Ldbefe32.exe	101
PID 4920 wrote to memory of 1652	4920	Llkjmb32.exe	102
PID 4920 wrote to memory of 1652	4920	Llkjmb32.exe	102
PID 4920 wrote to memory of 1652	4920	Llkjmb32.exe	102
PID 1652 wrote to memory of 4380	1652	Lhbkac32.exe	103
PID 1652 wrote to memory of 4380	1652	Lhbkac32.exe	103
PID 1652 wrote to memory of 4380	1652	Lhbkac32.exe	103
PID 4380 wrote to memory of 4400	4380	Lkqgno32.exe	104
PID 4380 wrote to memory of 4400	4380	Lkqgno32.exe	104
PID 4380 wrote to memory of 4400	4380	Lkqgno32.exe	104
PID 4400 wrote to memory of 1828	4400	Lcjldk32.exe	105
PID 4400 wrote to memory of 1828	4400	Lcjldk32.exe	105
PID 4400 wrote to memory of 1828	4400	Lcjldk32.exe	105
PID 1828 wrote to memory of 4056	1828	Ldkhlcnb.exe	106
PID 1828 wrote to memory of 4056	1828	Ldkhlcnb.exe	106
PID 1828 wrote to memory of 4056	1828	Ldkhlcnb.exe	106
PID 4056 wrote to memory of 4048	4056	Mkgmoncl.exe	107
PID 4056 wrote to memory of 4048	4056	Mkgmoncl.exe	107
PID 4056 wrote to memory of 4048	4056	Mkgmoncl.exe	107
PID 4048 wrote to memory of 2960	4048	Mcoepkdo.exe	108
PID 4048 wrote to memory of 2960	4048	Mcoepkdo.exe	108
PID 4048 wrote to memory of 2960	4048	Mcoepkdo.exe	108
PID 2960 wrote to memory of 2776	2960	Mdbnmbhj.exe	109
PID 2960 wrote to memory of 2776	2960	Mdbnmbhj.exe	109
PID 2960 wrote to memory of 2776	2960	Mdbnmbhj.exe	109
PID 2776 wrote to memory of 2156	2776	Mojopk32.exe	110

C:\Users\Admin\AppData\Local\Temp\6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe
"C:\Users\Admin\AppData\Local\Temp\6879ab447fcca7a792e7eddec4d51022ba5804f7c331f5b760e48711a939f2ceN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\Jjgkab32.exe
  C:\Windows\system32\Jjgkab32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\Jlfhke32.exe
    C:\Windows\system32\Jlfhke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\Jlidpe32.exe
      C:\Windows\system32\Jlidpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gpejnp32.dll

Filesize
7KB

MD5
67a69319445a8ba91945b449f012c78d

SHA1
20793ae5f9e53afbac88e5900bfe8cd199461eb5

SHA256
95286727eb4b0838c84e120b7a094e68fe49d5f7ef3711a54ff0746dd10514c7

SHA512
3f6301719ca0409910b6d5cb1c0c2c44e68d324fb007b0ac9d15a919d49293e4c0c30a3469fa93d9669b0ddadc81e525c06b061bffbf27ab1cee744449150686

Download Submit
C:\Windows\SysWOW64\Jbbmmo32.exe

Filesize
448KB

MD5
00c9b4dcf2d042a74a91de4ab753af5f

SHA1
7c5ad7ede387bfb91ddc3a94e329b909d174fac6

SHA256
ca2b558e222b972b2be17d556e7fc73723a8eb56389650f9d343d00cfc50f1b0

SHA512
d881106a913c9d3053af3fa9fea9f11ee6bbfa7e2f0e9e3b8230274c5de1f579a4836ee6b33ae5d931323b8eedcd3f9821ba40a8777a760983d48fb6bf161b36

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
448KB

MD5
25ce671120e2399381be423d7f2481b1

SHA1
13f4077bbd8294b2d10fd9556e9288a35644159c

SHA256
80a2f5d9b2345dd95cba822dfb24e9dcf655dd78b9feb845bc56a7776dd89900

SHA512
6fb6138ef405086d669de4866dfb08c0bda7102260f3a2e1480d3fcccdccda1ed647b12f35d344d004f39cffcc2dad8305db20cca4cce814e93f369150b08c34

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
448KB

MD5
413558af78c147913b5e2e0ae1a4d455

SHA1
676c570f2bc8fa49a9fc6ab0c0e617920576f6a7

SHA256
fcdd025eb9740d69e5117a2ada72521aa318c83abdcc882e8a99a7e3a181bcfb

SHA512
d0ab9dda8bc09129df05bde4e845eac726152aae6e7f7cf9b572b71a58a48f13942a3f4d7558c2fcf76a192b183cd8eb01bd4c2cff9ba18878e07b5d656cee4e

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
448KB

MD5
22260242387761466ea8689cdb81c704

SHA1
01446c2ea8dcd7efce2bcf6afb02a74bbc531e31

SHA256
5a6553814bb76743ac557d68eba490a1bf0a5edd12f27afac45e2ec3961613ef

SHA512
5e402e96bd078eedbf2009397c94d9e321ca5e3bdfdcdbb75e05a8cae890b316d2fe63c154fa1748ee3580bb53b80df6e725340c0ebec19bff8b49a03a8fdc3c

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
448KB

MD5
85dceece887ffe6b527a063df34b5f51

SHA1
99fbddc17a3e5d4eacf2783eeb343d504509d433

SHA256
a9157762d9e228ce69dea5aa256bbb7d15e655a77730abda81d737acdedd7c48

SHA512
078f3b8177fffc44e905a734444e20d2b5d101d67d24e34711738b4dff632c554df0811c2ae46cdad41f4ed54559b3e1eacc435f094f9fe90acbc0071ff4f4f4

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
448KB

MD5
08e659c982bb62439d4d5045c03b27db

SHA1
710938b6c6763c84e4d6268d51eb6827cd7e2665

SHA256
6dc561640cd2b7bb13abf0787f5e10371f247934e903ab07986c2c75e10df007

SHA512
1e61d25c55b93baf4dae2fdb7451c123e2c0afb51fa723e84ddcac109f702ca8814a9194b160948762b36556af15d0a559744be694835f90836638896477801e

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
448KB

MD5
a6338169b4868a725935a01634c41687

SHA1
440f23d5b1196c5d226a5ddb24bbe10469d33165

SHA256
af0e1d1500e8237cc50431a15290ed6d1d8b14a16c252c74550b9df93f341d4c

SHA512
77f769463fcbb81237ee338c41ee057bf8beab0510bcc3d1c1e527d9b07774c6203959cb09d799c910c4ba09f89000a752d5a4fb86c55a94e0a2eaeaf1a562e5

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
448KB

MD5
c8318771b482bb78aa254cbcb43c743a

SHA1
2cdc3ec1e720281fcf4712ce6a26dde14171a368

SHA256
742b801449b94635736403966d2eea093e6624f285fb777c18645552cd339492

SHA512
511aefd1e5af7f43e0088b0613247e25cd2bb5843bde5bd1bfb2b4ac60751e791168009892d02b5390cb193d723a590b6a6d4b79d0e676d74e436a1f257729bd

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
448KB

MD5
e6e0680deae0de2accb163a50fdc49ba

SHA1
b647f4f02be396e0ff9a494485487e1d895418b7

SHA256
e006037120a2259b339928064409ef19b01b3a03e8fa7bd82c915499e6cb11fa

SHA512
05276ab716592c53217699cd81c33eff83b417e1195ccb42f20b0bc224860127b437c27fe5c8330623664e2a1823e66b502c72608e88e4022f37d2ced7a29efe

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
448KB

MD5
28a82d069c2f566f7e14a34f69b956e2

SHA1
c90d4b2549622258551d0a767be53351d1e0f546

SHA256
1c171d1c9b7f5140206565da0703d4f29bb6e5bd19ebc69c3dc39dbf9a17eb55

SHA512
3eb86ad21893e5a2d2d4cdad741c68517e7ef4892103aad6af50782d8bc47b4c1f589332555ca67f733a0bc231b58daeee10d2cf89bfe0e8babcbb4983797ba0

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
448KB

MD5
504785c270e20f6e8897a5fd69165f87

SHA1
b8fc706ef5ee9a35d9f3217029373deecfa77cd2

SHA256
d7b96360f827766e3c9f30418d78c8f881647d5602ccd8ad3de68e7b0ab1bcda

SHA512
462b886d6e1eb27a97865c38f081291a90460e85eb3aa981630ed058316a7d8e25ee60e2484f3871d6bd5f323fc2054bb192be1b5527f48277178168af1044bc

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
448KB

MD5
99904ec3ea2c7a186aebb15a8e92373e

SHA1
2092a2e829d56394cdf9dc6e8cf7f05b3e8fe2d5

SHA256
fa6aad0e1a4de6b210e8d0af3532bd081540941b63b07e62a32f2878cf3f247f

SHA512
95880d8744e9c2f855be9b738bd96d41f717ec6d6faddcc84618fdb6b1689202ce74ae3c6bceb816ff71ebb75b02c9b20dc48ddbb8cbefbe3b18ac90e5c7830b

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
448KB

MD5
c3d14f7b245967d39c156f4cda11f564

SHA1
b6240da77115b89dce98c6ca82e37bf6505b273a

SHA256
9d0a381c8e426e433cb8f012e66f91bbf6f557dcf43af6584e880fd39d0668b6

SHA512
09aa6628e4bae6855a182500898f8c658d9227f026fa5cb732212bb5b8a5e3cce0f9b0264dc98b993a2d4ec427864c7c3b05791c10705762552aedfc58c1b4f2

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
448KB

MD5
1e80965870a41f1018a45c1c4ae33129

SHA1
45622cce1a1559d4fe0e26506fc123c17b37b387

SHA256
5a7fcd2cf9525cf37c258325d62f33f796e845bf8d52e57464469eca1e0fa028

SHA512
edf340faf98358e1ea2c9e89a8d3cf87f6f3821b2d44b5d3a223896311a3c1e340c438cb0b7c2fccf344f534cf8cfa37bbbbf37a6265fe411ab68f915bad62ca

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
448KB

MD5
c988e353841ece86341783dad56e65f2

SHA1
ba29b5c8bad5004d746fa15814833a0025d8c1cb

SHA256
b797be9af0bf9d608667f30dc3b276c3f432f722a596eb0909d60e126c06c27f

SHA512
2280a614bbd593b3aa3e6f5db51cd43d81fbd6408212487f83830fdae0fd7f72c28e98879350d45ddeea01ee7aa5bef5697a90eaacc227371eb8eb2a65e09791

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
448KB

MD5
00e7fe959f3948f98a0e84af7610360b

SHA1
834d47c8fd7107ad88e2733068ebdd4b1dbeab2b

SHA256
7b3f139fc6c00d7baa571481752fd8a1d4a7c499ae2ae130afeb941f9fadde5f

SHA512
97c36a8392dd266297b6a8c3c49837a12febe91540cd5852da128a412d33d7698640fc0bf59129c3011bb2487c35a785106eddba22389f1803d6cf5d83526d38

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
448KB

MD5
6c4afb573a6658ccde657a2a920327ea

SHA1
29a793492a3200b765a47dbb64112b10869fbf07

SHA256
c56da70f845354ee253a9a691fd6b0f90c5cb74f02d3346c7a7668fdecd49997

SHA512
129c40d7d27f4f0adf0401a11dac1438adb9dc6a0ae976fc5c2f7ec8da1dbfaef982207249071b3ee094410d59aad1f97b24e8171fcea081c0dfa945ae6467e2

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
448KB

MD5
e72cc1c30db98815211ebc301870b37e

SHA1
b502ed32597da127e107601a1650602b57a4f1f0

SHA256
136bf2e19e93d2254f4f32581e6fb8452350319e1ca9b69bb6e46294c63a16e1

SHA512
77ff001cce6b6e3801ab95cf14e0aab7b6c7b2e35a6a62996c86055a8c423af7349f5f2479425e5eb950d8147004f9fca9e0bbc474f79c79007f15640d754140

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
448KB

MD5
497643b19907b260f45541a4887b4d0b

SHA1
29f8621a5631ae117982ae152c44971649a743dd

SHA256
2c50acc8d16eb5e10ab8e90eef1000679ca9df0f72c316b3121ddf4c5a347327

SHA512
86b5f24071bb629f70a5476eb2970ee6734698bb7ced5226f4821ac57098695cae3b6d4cb1da66c9318a6b528e1880d46a3580cb2c6f70169a8311e4e7dea849

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
448KB

MD5
4a894d60277fbdd71d94550663d3f18c

SHA1
ac6cbb51573b68db38495418e903a40f36253f3b

SHA256
88ba691f5908ff2e02d37fb004a3e06faeb86708c5c8a0b19e0b6a8fb602edff

SHA512
aa899ad5d94cd1d31e09ac3caf03572ab1491701cbc3116214330d9a60d3cbb32e56940382b596bd49ab6a83374e1ea1b562606ee92cf62d78108aa50e7647f0

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
448KB

MD5
b530852aeee14a5ee0fe294cb256cd2a

SHA1
e1bb068ad5217913e0123ccc2a45aa4956af469d

SHA256
408e7c3dfdb3835eb2ed64c75e13c722cf614700d5ea2f11a4556df1af5f48ed

SHA512
6a52710277a74869a721126bad5d52c1124ba8946b5910c1a2afe1412675cd491d73e156c487b160ea395e0f0b4ccabdb3ccd0ae044818979da45df3a75bb807

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
448KB

MD5
c196b51c57129bd3f65b7d29dee322b0

SHA1
912d28157d7fd54c1d3184ad303ec3c0c190d64c

SHA256
7d90c18411da1601b14fd1ebd18b8a1170cc139c38f5d30ee41058011445ef8c

SHA512
027a82c6b978641fdc06a588dc0495a9f821adada1dd60368f51cd9341df221eeac33d30b7675b8a313aff11ad3a8df6c6a56fc0a66f7c697cfad5f9ebce8fac

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
448KB

MD5
77597125f6556c9699c91fd8473d1ab3

SHA1
aa52c942f48ccf5baa6659229db806ed722c7da5

SHA256
e2f87ec014f8885796cb54cf713765c043b88c2f6179881b7229c3bce4a8671e

SHA512
16ab9c1729b5019efb121d90be7db0410a667c1b9a4071365086c29adbd909908162c10eeb7c485da0d3126db954e3244e1fc9fb357e24582903c87544a23ad9

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
448KB

MD5
649d5efa6f60fc24540a2422a1721127

SHA1
2e218b8bd7cbaa117abc8f8d33af6b2d55a59af3

SHA256
f912f6c1d111798f3ce47ff2c9dd5f5b51ca0cc0fe646fce7781a97b85a4aebc

SHA512
88758ea982e0937298e62a8457692ef66a789be593c59a095e89e6ba3aec5f4b373c5ccee59d9fd1aeaabf902451551709c53368ab36ef8d3ac8e7b6c5bdefbd

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
448KB

MD5
d36ee0b028420cf831f451bfe1e60ddb

SHA1
f2367c55835b1f14dac2f70b316b489e46247af4

SHA256
06f0f02f677687794068eea7842edc7792961bceaf003cc56d2d9a4f5e974f8c

SHA512
2deb82188f482f829e5ccb0995b10423a8027a5ad4bc45f5052ed89e341e7adc4e24be0f2364b2ca24080416629864df22db9e93ca56d9fcfa0891aa4ef4495a

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
448KB

MD5
deb05cb47a6097e0492ee3d6ac5b0f34

SHA1
bfa9f43168f55715b0ea1942d56e88439df4d532

SHA256
1aa296124c49c09838feb51846808d83d9f3ffff4c9fd48da2b59f1fcf145004

SHA512
31da5405a9b4a8e9c454047bcedfcd1a991c2385a30ba41015cfaf23bf9f72dd50c56eeb9281cfc73db513ab830256919c655c01d7454b329f563be3b163619e

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
448KB

MD5
7ec1ce358beb513ee19160b20a52dc30

SHA1
285a2ab24b1e3b294aefc328420c3207937aa86f

SHA256
8f76a1ca15db868b9a809f09dbdff1b2709ddb8fb1d9745f3dcbbaab86f5bae1

SHA512
2b9f6d4dfa6e55ef2e34c42154c01e6e6955557d47ce0d23c22341a4ba1f468b254bb7f99421f5ee44c51f092d6a6d1e55e2b5eaeff454e4682ed74758760896

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
448KB

MD5
2a0aae5a9b67658ed022c939eb29cec5

SHA1
a832208b98fc00005a10a18472ac2d3594a05ff5

SHA256
c94911eaa8b60c32ff62c2ba33d2f9d72d9e2cd3605ac1da7425c147e305117a

SHA512
feb12d76c2b58e9804adf902256c324b74048254d9682652b0118325f82a424bfe12c59cde9c648ba8b1ec9c8598d27c2a19413fc22e4dd2545c1f071aaa0f8d

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
448KB

MD5
fc11c02d2120c8e3b68529020f695905

SHA1
b35b35954bdda06b3ce597ad735c342900a23905

SHA256
fc279309dbdafcdc66b3a811f074c8f4e58f0582ac953ed2f4561a1a5cf8a614

SHA512
da75a20341cc8d27af8a63501d0b65eadecfb5d44073b953f6724c8da03bd7bab61a2eb4017740d8c9d6964e1cff6e988cd9fdea1f4aa2d82cf3926a897cc602

Download Submit
C:\Windows\SysWOW64\Ooangh32.exe

Filesize
448KB

MD5
c17f7b585d64fdcb09c4b97e8ac91898

SHA1
a9499b62eed6127d86f9cf4d631792f836559e83

SHA256
7f6eb613cdedf418070e112ef180c108792e2c88065acea6c7ff76fddbd2a3b6

SHA512
5f8e3b8e9efbc43ef8c4c21423fbc91f84c0bce94461def6473b5399c3388978fd6f0e3876fdcb91c420ce23c8fc1b24951266dc005d99810271a9d44ff1e3a6

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
448KB

MD5
b2b9158a785fe6cf0dfa90ab9674f99b

SHA1
a3b57b46b6f67dedb339102e15a56b99666c12b5

SHA256
a8f76a23474e367b269d8d04d1798e82470400875b2b8febf35520e16b67a842

SHA512
042463a1601597b4bd6fa3ff19810c946e2fa12a8216cb3ea1dc5e100424195e80ba6506e1a2f3fba7ca54109462ae51c38230f08e70f564c57f12b16b45548d

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
448KB

MD5
4e84c25c3f04aa48a4687c7b239374a0

SHA1
a4b226ec5237b52613c8ee048cede6dd60ddaf85

SHA256
1abdcb84ad67e66f4e2dc11a0bb2dd40f9851960a950c1fcf05973ef489ed04a

SHA512
b638735e0cbcf1bab7749c9b10f1a5e4853773aa18b33fb7f41f61a0664b31a0bd738283b9125065766018e140b023aaff80f1bc0a35ccc7bed129ceb01972dc

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
448KB

MD5
27bdeef028856c9e9b452752c8196676

SHA1
102c517f5b3e7fab4bca91267dc803a91663c3fb

SHA256
42178a8ebeb41a4cc2875ffd113f7c44ab912fb51af9ef79b3efb85b6fa85b1d

SHA512
5ccb5ba17a48a8b3df5f3d730e875cf0f57448c716f6141985f237e4633026fd21635d373ad694818033b99408890bb37f8646136d49139250e79b1468e765b4

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
448KB

MD5
bc7ac91fa8d81f95140fc53f9fc5fe04

SHA1
55c4b1fbfb386a8f8bf75b0d6a13b2b9446572a5

SHA256
42ab57fb997bcd9ea157dada4d5dc010e364e89a79303ea422c67f8bc8ab22de

SHA512
87013ef6d08615f603effb0a45a5afa8bfc19abaf2583aa663905c48e105181ee4290f338e1f24fdac79f2386016e6ec71d755262bd837ecaaaf021019d04b32

Download Submit
memory/408-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/644-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/644-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/656-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/656-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3368-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3368-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3844-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3844-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads