berbew | ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 00:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Size

91KB
MD5

c488c45a1c56510de38b580f51048960
SHA1

515befe9b89b1b6ae28bc95b2601b16e8aff2b65
SHA256

ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1
SHA512

382adbaa228bed35c2e9847d8c1dafee58d2f6f5fa056687d1f9543c4dd89fa728141fcd8d1c7790c9d31f16db673795f2b1b7993b48b50ef74e29e89c29847e
SSDEEP

1536:dE8XIwXaydgeDBV47Ws0eCxq5euUn1dMbEGyRVfeDQtob1xS15UJy/vSGw:drVKydnDY0eCxq5euUn1dMbEGyBGMV/g

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjmfjmi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 21 IoCs

pid	Process
2668	Klecfkff.exe
2708	Kocpbfei.exe
2952	Kfodfh32.exe
2820	Kpgionie.exe
3068	Khnapkjg.exe
316	Kmkihbho.exe
2528	Kdeaelok.exe
2888	Kkojbf32.exe
852	Lmmfnb32.exe
1296	Ldgnklmi.exe
108	Leikbd32.exe
1820	Lidgcclp.exe
584	Lpnopm32.exe
1964	Lcmklh32.exe
1448	Lifcib32.exe
2240	Lcohahpn.exe
2512	Liipnb32.exe
916	Lhlqjone.exe
1752	Lkjmfjmi.exe
1340	Lcadghnk.exe
2660	Lepaccmo.exe

Loads dropped DLL 46 IoCs

pid	Process
2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
2668	Klecfkff.exe
2668	Klecfkff.exe
2708	Kocpbfei.exe
2708	Kocpbfei.exe
2952	Kfodfh32.exe
2952	Kfodfh32.exe
2820	Kpgionie.exe
2820	Kpgionie.exe
3068	Khnapkjg.exe
3068	Khnapkjg.exe
316	Kmkihbho.exe
316	Kmkihbho.exe
2528	Kdeaelok.exe
2528	Kdeaelok.exe
2888	Kkojbf32.exe
2888	Kkojbf32.exe
852	Lmmfnb32.exe
852	Lmmfnb32.exe
1296	Ldgnklmi.exe
1296	Ldgnklmi.exe
108	Leikbd32.exe
108	Leikbd32.exe
1820	Lidgcclp.exe
1820	Lidgcclp.exe
584	Lpnopm32.exe
584	Lpnopm32.exe
1964	Lcmklh32.exe
1964	Lcmklh32.exe
1448	Lifcib32.exe
1448	Lifcib32.exe
2240	Lcohahpn.exe
2240	Lcohahpn.exe
2512	Liipnb32.exe
2512	Liipnb32.exe
916	Lhlqjone.exe
916	Lhlqjone.exe
1752	Lkjmfjmi.exe
1752	Lkjmfjmi.exe
1340	Lcadghnk.exe
1340	Lcadghnk.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Lpnopm32.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lpnopm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lifcib32.exe
File opened for modification	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Gkeeihpg.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lkjmfjmi.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Dllqqh32.dll	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Iekhhnol.dll	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lifcib32.exe
File created	C:\Windows\SysWOW64\Lpnopm32.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Lmmfnb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2660	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekhhnol.dll"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leikbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2668	2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe	30
PID 2080 wrote to memory of 2668	2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe	30
PID 2080 wrote to memory of 2668	2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe	30
PID 2080 wrote to memory of 2668	2080	ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe	30
PID 2668 wrote to memory of 2708	2668	Klecfkff.exe	31
PID 2668 wrote to memory of 2708	2668	Klecfkff.exe	31
PID 2668 wrote to memory of 2708	2668	Klecfkff.exe	31
PID 2668 wrote to memory of 2708	2668	Klecfkff.exe	31
PID 2708 wrote to memory of 2952	2708	Kocpbfei.exe	32
PID 2708 wrote to memory of 2952	2708	Kocpbfei.exe	32
PID 2708 wrote to memory of 2952	2708	Kocpbfei.exe	32
PID 2708 wrote to memory of 2952	2708	Kocpbfei.exe	32
PID 2952 wrote to memory of 2820	2952	Kfodfh32.exe	33
PID 2952 wrote to memory of 2820	2952	Kfodfh32.exe	33
PID 2952 wrote to memory of 2820	2952	Kfodfh32.exe	33
PID 2952 wrote to memory of 2820	2952	Kfodfh32.exe	33
PID 2820 wrote to memory of 3068	2820	Kpgionie.exe	34
PID 2820 wrote to memory of 3068	2820	Kpgionie.exe	34
PID 2820 wrote to memory of 3068	2820	Kpgionie.exe	34
PID 2820 wrote to memory of 3068	2820	Kpgionie.exe	34
PID 3068 wrote to memory of 316	3068	Khnapkjg.exe	35
PID 3068 wrote to memory of 316	3068	Khnapkjg.exe	35
PID 3068 wrote to memory of 316	3068	Khnapkjg.exe	35
PID 3068 wrote to memory of 316	3068	Khnapkjg.exe	35
PID 316 wrote to memory of 2528	316	Kmkihbho.exe	36
PID 316 wrote to memory of 2528	316	Kmkihbho.exe	36
PID 316 wrote to memory of 2528	316	Kmkihbho.exe	36
PID 316 wrote to memory of 2528	316	Kmkihbho.exe	36
PID 2528 wrote to memory of 2888	2528	Kdeaelok.exe	37
PID 2528 wrote to memory of 2888	2528	Kdeaelok.exe	37
PID 2528 wrote to memory of 2888	2528	Kdeaelok.exe	37
PID 2528 wrote to memory of 2888	2528	Kdeaelok.exe	37
PID 2888 wrote to memory of 852	2888	Kkojbf32.exe	38
PID 2888 wrote to memory of 852	2888	Kkojbf32.exe	38
PID 2888 wrote to memory of 852	2888	Kkojbf32.exe	38
PID 2888 wrote to memory of 852	2888	Kkojbf32.exe	38
PID 852 wrote to memory of 1296	852	Lmmfnb32.exe	39
PID 852 wrote to memory of 1296	852	Lmmfnb32.exe	39
PID 852 wrote to memory of 1296	852	Lmmfnb32.exe	39
PID 852 wrote to memory of 1296	852	Lmmfnb32.exe	39
PID 1296 wrote to memory of 108	1296	Ldgnklmi.exe	40
PID 1296 wrote to memory of 108	1296	Ldgnklmi.exe	40
PID 1296 wrote to memory of 108	1296	Ldgnklmi.exe	40
PID 1296 wrote to memory of 108	1296	Ldgnklmi.exe	40
PID 108 wrote to memory of 1820	108	Leikbd32.exe	41
PID 108 wrote to memory of 1820	108	Leikbd32.exe	41
PID 108 wrote to memory of 1820	108	Leikbd32.exe	41
PID 108 wrote to memory of 1820	108	Leikbd32.exe	41
PID 1820 wrote to memory of 584	1820	Lidgcclp.exe	42
PID 1820 wrote to memory of 584	1820	Lidgcclp.exe	42
PID 1820 wrote to memory of 584	1820	Lidgcclp.exe	42
PID 1820 wrote to memory of 584	1820	Lidgcclp.exe	42
PID 584 wrote to memory of 1964	584	Lpnopm32.exe	43
PID 584 wrote to memory of 1964	584	Lpnopm32.exe	43
PID 584 wrote to memory of 1964	584	Lpnopm32.exe	43
PID 584 wrote to memory of 1964	584	Lpnopm32.exe	43
PID 1964 wrote to memory of 1448	1964	Lcmklh32.exe	44
PID 1964 wrote to memory of 1448	1964	Lcmklh32.exe	44
PID 1964 wrote to memory of 1448	1964	Lcmklh32.exe	44
PID 1964 wrote to memory of 1448	1964	Lcmklh32.exe	44
PID 1448 wrote to memory of 2240	1448	Lifcib32.exe	45
PID 1448 wrote to memory of 2240	1448	Lifcib32.exe	45
PID 1448 wrote to memory of 2240	1448	Lifcib32.exe	45
PID 1448 wrote to memory of 2240	1448	Lifcib32.exe	45

C:\Users\Admin\AppData\Local\Temp\ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe
"C:\Users\Admin\AppData\Local\Temp\ec37d6c07de842869ede4d2be376cbe53b369567e11f4398e6fe028b58cab2b1N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Klecfkff.exe
  C:\Windows\system32\Klecfkff.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\Kocpbfei.exe
    C:\Windows\system32\Kocpbfei.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Kfodfh32.exe
      C:\Windows\system32\Kfodfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Lpnopm32.exe
        
        C:\Windows\system32\Lpnopm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
91KB

MD5
1e2481d1cb853eb67c2eea24694da38f

SHA1
3cfa357d93aac4f4dc3f638392e98a62e733d3c1

SHA256
085beb9fa5fba11d84812572b034fbdc57ba50bf738ce2e97d5e86a84101d901

SHA512
d4c96803f9428a71b600efad81990c3457d0549d06b7a36871f71ecb304304799672735afce4aaaded26ca9263918b647a01045a6cf7ee67287bc62bc0be726a

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
91KB

MD5
d284d4822b25c48b77f8b1461e199ce6

SHA1
328a877d8b2dee12c9fdd9ba571f648bbca8b52b

SHA256
8255267a3007511c91907b74bacfd067f62900585f269903f794012daf6786ac

SHA512
1298c54fdcce78652956bd0fe0fd9851a3b3385f98a5556dd3199d1c1b6340c95143d3a581b90ec638a9826824206930397b1662ba4576392863266ae2efd81a

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
91KB

MD5
a76df3d762b5ea9668b723c380108fd1

SHA1
8ce442c441cdacbc7d46cf9bd6031178b5097f48

SHA256
08b966edf4a97bb95c231cdcce354750c6252e6a52b590e892f1e0ab630d4d82

SHA512
d0cd0d53c6920218fc93a2c4f763a3fb40abaee06d760562bfbcad94bfe879bbb7677ab72d122794bdee5488668847b68c1b57555be8775c1c471f76b2b83488

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
91KB

MD5
3d0b4b4d3f505d6cd4838fa366b18b24

SHA1
43bddb1265b37487fca97ff771c2d9d0b6b59130

SHA256
3c1df399a68bfb3f6fe0a913257b5be2eb9cc1afc13124a5a64d963b85736896

SHA512
7152062ce780e5b580a1d67eaf820ad89ba313b18d4fc2363cb01e82cec6c874db790f82b502222ff16a5c3d2f2301d4890072a7404f2f542c7b5b51d561e210

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
91KB

MD5
8f9eb5b34d8595a46d313d7a557702b7

SHA1
76ae87d911e2c4c8ae3e8e7529cb15277ea60d1c

SHA256
8a432d4b5f112d64f6005b76ca727ebf777ac3b913c9558180cd994847ca53f2

SHA512
5bde6b5f39bb4dc2322a95cfe64b6a1df0f4c9701afd13523b7710a149764ea4b31cf8efe478d177ea9a84747bc53babdda6c3c6e4c8e22dfed9dfcb961ce827

Download Submit
C:\Windows\SysWOW64\Lhlqjone.exe

Filesize
91KB

MD5
9762cf669814e74101c4a2f070bd6492

SHA1
3528b31f7a5a7005da335552671e01f2998706b1

SHA256
9bdd1060dbb376829e796b1f0b006d4e5602362f8bde9cca1228c902ec779b4e

SHA512
5de538d03102259804b47441e14d2ebac0aceee9a5c21ca3c9675661db081c195c581d5f79bc63d2ed9b3fa0bd875baf8a482e03a3d4c3d90d7b95172d7f5ea0

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
91KB

MD5
bcb4d8604a785405540e8b5aef715a8b

SHA1
9b59c96a8f4c101be51db1af228552bf59c5fa5f

SHA256
b7fb9b20bf865484042c973f926fde4c29f25ed1ef3b07cf7a1aa9694aaafdf0

SHA512
ac70911e484e6937aca6a3578e27e8d361e102e8348b6e9b72fe6d47eecfe18f00ed76e9c38b10822cbcd5fc855435c482b4694c7524660978256d94c96f9a47

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
91KB

MD5
ec6818b3e10a547c0d2fbee768263fb1

SHA1
dc8b9b5318f5ff59a41b4c44baba10478fd6831b

SHA256
35b0632261eaf3ab5b657ed8a419b108beb6061c74016b74068f0e197292030a

SHA512
bde4df8ba20afe844d8a422849f23cb9ea361b30974bb11817f3ecfdc2d4c89e5d0c00bf21f0fea101b5d160b30a23b27573e403f64451199c3be9efd6102d0d

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
91KB

MD5
3c386700be25089e0da2376bda66239d

SHA1
e4fa432cb64a448967101a191703393808ed88f2

SHA256
cf4126c13c10a9651ce2a03eefd8a54691bde7e5edea3882833392264b361341

SHA512
37765e31544e90abf1a8670c6b2e7458e79530262599b631338c3448cb4620fbd7804bcb0ebba3f35043674a5341ecb588f5030ee8144b9fd31b5d7df9b4865f

Download Submit
C:\Windows\SysWOW64\Lpnopm32.exe

Filesize
91KB

MD5
c7c538b85d1f3c2d8f84604af6d1aa15

SHA1
18b0f684879c0707d38f27ae32698e795d0e29a7

SHA256
2d695f14a6dd064268c09d03536086eaa01c9a3fccec1f9ccbd379833edeb0b7

SHA512
7ff1d1b1315081a7db1d61d833dddea57d2489f887127d6278510292cb934bba086777fe313c966333f8cb67df0a582c9c966e3c44a8f2619d383450c8e12051

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
91KB

MD5
9fed9e435a38e5a4d91b0c4e1c7d44e4

SHA1
28799a7c52aba7237b4c6867a67a6a4b9d222633

SHA256
92894f343fadc1127d05192e3eb4a4af069402a278bacdecfcdc05e813b781e0

SHA512
5805d2a40a3ec30aedf723622f4b0af98c2cacd2d3bb39a25aa8c24dbed7da5e2b5d7d6cdcbf92d982f9672f5060118741a5496a37e47ca420ed873025238c9c

Download Submit
\Windows\SysWOW64\Khnapkjg.exe

Filesize
91KB

MD5
5a06639a85b07a79482ab76523aa2b6b

SHA1
190938b61bb3af27379379e9eb63dbb997dc5202

SHA256
c55b47d16a47c467a5249a349dd661040912e2c22e07a5fc8c87fd54b794fcda

SHA512
5a71ecc9fa3ead469a06754c8ec2d2ddf58c65ac23bcffa5332026dd52e633036faa5f2f662bc231a02e398d307ac6bd6409a1f6e652ef978d3f24a234e0fde3

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
91KB

MD5
d7423051dca8dad028dabfe0c4696c71

SHA1
fbc4e7c445266c0044cb7d3d13b54109e77406f8

SHA256
7cdf007c1b5128f6df4fe5410c620dbfb768fe9faa87339190211d239cb13645

SHA512
0881a1e003be80be5e7254d3cb00303cecc62fccf285aedba09ff64caecf7c41366b25f5a0ee4594e20ee019c884f3bc169f94d56f7925e0ddcdaf57a9202751

Download Submit
\Windows\SysWOW64\Kmkihbho.exe

Filesize
91KB

MD5
19790a8cc76d50ba48f5394dacf5b9f2

SHA1
a4684710e942f5b38318effc8460a932af2e2bfe

SHA256
f303af7618b51bed9145a685c2522abfc3215d6be4c01d4cd485f19b7fd4e31b

SHA512
a53a414cc5239876b70fb2ca63b087472c2e2b759713100e54c2805429f99ef6a8dd91677ed973b4c2dcf49cf779f457c4adbf46399b48d8bf94dbe232733001

Download Submit
\Windows\SysWOW64\Kpgionie.exe

Filesize
91KB

MD5
27e98e8b9f18d1d5711867bef1b4ec1c

SHA1
16b22c5ad8d9a6370eb3120cacc8fbfa8a7c0638

SHA256
1c4ac4245d0dbaa9895dde41c5377a84b2ce7d39ab34a22f77f889694af5c6b4

SHA512
a6853b3a34adee6f610f46af00a3522b64761702dbb95821e0b2f5c79a69e6b132c924c181ca0cc6b3f43239645b0ac7faff54d6935858faa0cdbf092a6ea070

Download Submit
\Windows\SysWOW64\Lcmklh32.exe

Filesize
91KB

MD5
ea0c9c2e46d83d59995b585f0bed680b

SHA1
e8a99fb8b8cb194888bdbe4399a0d9e57c46b6b7

SHA256
6ea9ce8dbc7a457830579c4cdfa37c34a8314e8bd3827ab0d4963b6ce012e862

SHA512
1721d182d3b05d77bc431a34077e49812387f1079e725418129c00e79120e89f953150a6a5973628a6de0e4d4f9292ad63613a532309dcf6a58d5d39d5cf212e

Download Submit
\Windows\SysWOW64\Lcohahpn.exe

Filesize
91KB

MD5
2e8c87d36ceb9154ff55be05814ecce7

SHA1
ef4f7d4c7562c0e83a5327ee19870a5c2c7b79db

SHA256
fef6c5fa7c59de3d1a4d6ff8a24eed1865e6612058906dfc141a32366ec0fc74

SHA512
912b71bfd1e4a1d265d2ba1e8f438b0e7097f98a2bc66ee43987d7f21c6a4d456d24516e9bcdc9561ce185d9c44a77bd40773f6176b251a03c137690837c1090

Download Submit
\Windows\SysWOW64\Ldgnklmi.exe

Filesize
91KB

MD5
23d277e740ded32c5d9846f4e38b956b

SHA1
99e9be8b5d52b333d12e9a19e848fe2946dd7c1c

SHA256
bdb5a8223f3c3f921fcf680eb8098adcbe89fe0c1e94854f707ad0d773a33ad4

SHA512
28f96770f9c2b5f0bf8aef10cea7415131322854960b64449d4803f212c7c0d4e7d3765caf30b023c1128492e18be076ae38f8604e005d80473b5edf75038aa5

Download Submit
\Windows\SysWOW64\Leikbd32.exe

Filesize
91KB

MD5
f00bd56dc21345c84e1e3f8ab0440320

SHA1
cbe71818595c72cf4b1f612313806b0443cc840d

SHA256
00a72eed40edc6d33fb7b0504eaf98598ba5307baf812ca1fa858b827cc64c2f

SHA512
f4c5b635a88c551e8801aba8c9e26342fbe8f01509f105f2541df9ecb3b9ce4106483c5b5cb956df1cd52f3df467c8b8efceb4772f1bb72ae1e1bafb3c3a12c0

Download Submit
\Windows\SysWOW64\Lidgcclp.exe

Filesize
91KB

MD5
11037090ef079e23a72fc936320f2f31

SHA1
178d57a03f296f2e1cbbcc60898cc49b280c25f0

SHA256
c74cce4ad034bbd6248add038e894bed336bf158691ff97cf0692b4230c54fe4

SHA512
dde953590a98dd1cc8696120e0130ecc3fb0bb5357c7739637de51549ee30c69be57ef86db25ca65c90f30bdf8c226ecd50e77b3bcdf0e703988913fe1bbae1c

Download Submit
\Windows\SysWOW64\Lifcib32.exe

Filesize
91KB

MD5
1163d197cbe7d2348eca18fe1d35eb7e

SHA1
f5896203c14e57132d0b5a0a0d6ee499eb7c09c9

SHA256
5736ec4f9e3b20aa1ca499424051dc5aaa19bb78e2d25a4e4e3ca9b24d7e8e4f

SHA512
70c72baa47b2599636e1d33297f4b459e16a528f1db8bebc587bb2525d99b07fe5d5061aab4d01ab0267e374f50d6619f582edfe223c0d72456e6eaa51d84480

Download Submit
memory/108-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-130-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/916-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-209-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1752-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-199-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1964-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2080-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2080-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-102-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2528-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-28-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2668-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-27-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2708-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-41-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2820-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-50-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3068-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-76-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads