berbew | 208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Size

64KB
MD5

c0c04c76b4c7f2881ee91c20663f5d88
SHA1

d178f54573ea6ba83588cd721ffb28595becec97
SHA256

208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e
SHA512

6101b995a331a81ffff5dfc7a2f500432ab4d95c4d594931e85d64b2bc815e58aa5baa6be239c1edd4aae8ea6cb1b5b7aaa5a7abd0b2e5e2b369446dc25f9271
SSDEEP

1536:XpbBQSUgNNco3o2HgJHAvaQHn2LIAMCeW:Xpe2Nmo3oiLqIpW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 27 IoCs

pid	Process
2668	Kablnadm.exe
2136	Kenhopmf.exe
2832	Kfodfh32.exe
2608	Kadica32.exe
2636	Kfaalh32.exe
1484	Kipmhc32.exe
2148	Kageia32.exe
2984	Kdeaelok.exe
2008	Kbhbai32.exe
2244	Kkojbf32.exe
900	Lmmfnb32.exe
2076	Lplbjm32.exe
2040	Ldgnklmi.exe
2388	Leikbd32.exe
1796	Lmpcca32.exe
2336	Llbconkd.exe
708	Loaokjjg.exe
1768	Lghgmg32.exe
1836	Lekghdad.exe
1524	Lhiddoph.exe
2660	Llepen32.exe
1592	Loclai32.exe
2456	Laahme32.exe
2472	Liipnb32.exe
2344	Lhlqjone.exe
2748	Llgljn32.exe
2980	Lepaccmo.exe

Loads dropped DLL 58 IoCs

pid	Process
2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
2668	Kablnadm.exe
2668	Kablnadm.exe
2136	Kenhopmf.exe
2136	Kenhopmf.exe
2832	Kfodfh32.exe
2832	Kfodfh32.exe
2608	Kadica32.exe
2608	Kadica32.exe
2636	Kfaalh32.exe
2636	Kfaalh32.exe
1484	Kipmhc32.exe
1484	Kipmhc32.exe
2148	Kageia32.exe
2148	Kageia32.exe
2984	Kdeaelok.exe
2984	Kdeaelok.exe
2008	Kbhbai32.exe
2008	Kbhbai32.exe
2244	Kkojbf32.exe
2244	Kkojbf32.exe
900	Lmmfnb32.exe
900	Lmmfnb32.exe
2076	Lplbjm32.exe
2076	Lplbjm32.exe
2040	Ldgnklmi.exe
2040	Ldgnklmi.exe
2388	Leikbd32.exe
2388	Leikbd32.exe
1796	Lmpcca32.exe
1796	Lmpcca32.exe
2336	Llbconkd.exe
2336	Llbconkd.exe
708	Loaokjjg.exe
708	Loaokjjg.exe
1768	Lghgmg32.exe
1768	Lghgmg32.exe
1836	Lekghdad.exe
1836	Lekghdad.exe
1524	Lhiddoph.exe
1524	Lhiddoph.exe
2660	Llepen32.exe
2660	Llepen32.exe
1592	Loclai32.exe
1592	Loclai32.exe
2456	Laahme32.exe
2456	Laahme32.exe
2472	Liipnb32.exe
2472	Liipnb32.exe
2344	Lhlqjone.exe
2344	Lhlqjone.exe
2748	Llgljn32.exe
2748	Llgljn32.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lmpcca32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Ppdbln32.dll	Loclai32.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Jingpl32.dll	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Lmpcca32.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Loaokjjg.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Laahme32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Loaokjjg.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lmpcca32.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Loaokjjg.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Mcbniafn.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Agpdah32.dll	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Loaokjjg.exe

Program crash 1 IoCs

pid	pid_target	Process
1680	2980	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loclai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Liipnb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2668	2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe	30
PID 2080 wrote to memory of 2668	2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe	30
PID 2080 wrote to memory of 2668	2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe	30
PID 2080 wrote to memory of 2668	2080	208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe	30
PID 2668 wrote to memory of 2136	2668	Kablnadm.exe	31
PID 2668 wrote to memory of 2136	2668	Kablnadm.exe	31
PID 2668 wrote to memory of 2136	2668	Kablnadm.exe	31
PID 2668 wrote to memory of 2136	2668	Kablnadm.exe	31
PID 2136 wrote to memory of 2832	2136	Kenhopmf.exe	32
PID 2136 wrote to memory of 2832	2136	Kenhopmf.exe	32
PID 2136 wrote to memory of 2832	2136	Kenhopmf.exe	32
PID 2136 wrote to memory of 2832	2136	Kenhopmf.exe	32
PID 2832 wrote to memory of 2608	2832	Kfodfh32.exe	33
PID 2832 wrote to memory of 2608	2832	Kfodfh32.exe	33
PID 2832 wrote to memory of 2608	2832	Kfodfh32.exe	33
PID 2832 wrote to memory of 2608	2832	Kfodfh32.exe	33
PID 2608 wrote to memory of 2636	2608	Kadica32.exe	34
PID 2608 wrote to memory of 2636	2608	Kadica32.exe	34
PID 2608 wrote to memory of 2636	2608	Kadica32.exe	34
PID 2608 wrote to memory of 2636	2608	Kadica32.exe	34
PID 2636 wrote to memory of 1484	2636	Kfaalh32.exe	35
PID 2636 wrote to memory of 1484	2636	Kfaalh32.exe	35
PID 2636 wrote to memory of 1484	2636	Kfaalh32.exe	35
PID 2636 wrote to memory of 1484	2636	Kfaalh32.exe	35
PID 1484 wrote to memory of 2148	1484	Kipmhc32.exe	36
PID 1484 wrote to memory of 2148	1484	Kipmhc32.exe	36
PID 1484 wrote to memory of 2148	1484	Kipmhc32.exe	36
PID 1484 wrote to memory of 2148	1484	Kipmhc32.exe	36
PID 2148 wrote to memory of 2984	2148	Kageia32.exe	37
PID 2148 wrote to memory of 2984	2148	Kageia32.exe	37
PID 2148 wrote to memory of 2984	2148	Kageia32.exe	37
PID 2148 wrote to memory of 2984	2148	Kageia32.exe	37
PID 2984 wrote to memory of 2008	2984	Kdeaelok.exe	38
PID 2984 wrote to memory of 2008	2984	Kdeaelok.exe	38
PID 2984 wrote to memory of 2008	2984	Kdeaelok.exe	38
PID 2984 wrote to memory of 2008	2984	Kdeaelok.exe	38
PID 2008 wrote to memory of 2244	2008	Kbhbai32.exe	39
PID 2008 wrote to memory of 2244	2008	Kbhbai32.exe	39
PID 2008 wrote to memory of 2244	2008	Kbhbai32.exe	39
PID 2008 wrote to memory of 2244	2008	Kbhbai32.exe	39
PID 2244 wrote to memory of 900	2244	Kkojbf32.exe	40
PID 2244 wrote to memory of 900	2244	Kkojbf32.exe	40
PID 2244 wrote to memory of 900	2244	Kkojbf32.exe	40
PID 2244 wrote to memory of 900	2244	Kkojbf32.exe	40
PID 900 wrote to memory of 2076	900	Lmmfnb32.exe	41
PID 900 wrote to memory of 2076	900	Lmmfnb32.exe	41
PID 900 wrote to memory of 2076	900	Lmmfnb32.exe	41
PID 900 wrote to memory of 2076	900	Lmmfnb32.exe	41
PID 2076 wrote to memory of 2040	2076	Lplbjm32.exe	42
PID 2076 wrote to memory of 2040	2076	Lplbjm32.exe	42
PID 2076 wrote to memory of 2040	2076	Lplbjm32.exe	42
PID 2076 wrote to memory of 2040	2076	Lplbjm32.exe	42
PID 2040 wrote to memory of 2388	2040	Ldgnklmi.exe	43
PID 2040 wrote to memory of 2388	2040	Ldgnklmi.exe	43
PID 2040 wrote to memory of 2388	2040	Ldgnklmi.exe	43
PID 2040 wrote to memory of 2388	2040	Ldgnklmi.exe	43
PID 2388 wrote to memory of 1796	2388	Leikbd32.exe	44
PID 2388 wrote to memory of 1796	2388	Leikbd32.exe	44
PID 2388 wrote to memory of 1796	2388	Leikbd32.exe	44
PID 2388 wrote to memory of 1796	2388	Leikbd32.exe	44
PID 1796 wrote to memory of 2336	1796	Lmpcca32.exe	45
PID 1796 wrote to memory of 2336	1796	Lmpcca32.exe	45
PID 1796 wrote to memory of 2336	1796	Lmpcca32.exe	45
PID 1796 wrote to memory of 2336	1796	Lmpcca32.exe	45

C:\Users\Admin\AppData\Local\Temp\208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe
"C:\Users\Admin\AppData\Local\Temp\208e005ee74f0ff3975f10ea05aa6458ef8282af8de3c5ff7fb7c7e385e82f5e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Kablnadm.exe
  C:\Windows\system32\Kablnadm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\Kenhopmf.exe
    C:\Windows\system32\Kenhopmf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\Kfodfh32.exe
      C:\Windows\system32\Kfodfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lmpcca32.exe
        
        C:\Windows\system32\Lmpcca32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Loaokjjg.exe
        
        C:\Windows\system32\Loaokjjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kageia32.exe

Filesize
64KB

MD5
e8d624a1cdef75ca6e4fe09d318c220e

SHA1
8a84b1283978fe784d93554a1b27ad9e1e5df789

SHA256
5e44a0f2a7e973f30ad86b4126b78318a8c8c6b9bcc4fadb50b35a6e160f0593

SHA512
1021c15744f345c10b329d5121bc7de6cdc855349d940ce3c92e5cb3d75ec34609d4ee0967e3d6dc550599307192f75f8b9c3838403d054983926f7c3d91db51

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
64KB

MD5
5ece8874ae058f2c52634e752cc965f7

SHA1
151fc2e74cf678960892b9eaf66c4de2e8cbc04e

SHA256
8d69c55f028a3a5f9855214549c56a822f8a8a6248eb31de3d4f6b784110b63a

SHA512
c66f3ee2924f4f7f2a2010e45792d9cf47bc8cba107c13b025f502b1b6e6563d5ac9b203ed794811eb2c7181165beb583af2c8462e213b845146b99e69284365

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
64KB

MD5
96160998058b2cc3d6b45ad7a63fefdb

SHA1
679c78f70f5687fe8107242168c3adc69b6428ec

SHA256
679198a14862c4b2d837ccf90de939e9c9ec6fb2d71cbeb420c483649907716e

SHA512
2f1f273f84d5327e497bf65111b0aaac7a57a9751389503a7350267aebbfb1e25b202ea756852d82ef879f6e8004a1a8e0924f89d88169909887dfaecb155a3a

Download Submit
C:\Windows\SysWOW64\Laahme32.exe

Filesize
64KB

MD5
b0718d0eefc74607f6f453793f5ddf00

SHA1
58e1fa2ae08bf2f2d8df4f08b39c44d2cc139e41

SHA256
3db1f8d889da685f6bcc56e5df378a52cc28e3e9a0154184faf52099c2415801

SHA512
5624f05240ed2d9a773cacbfa6025a3f07cb0432fc33f07d84fd8729b03c61ae88d78c66d9fc935e1e7e8969f6546f4e8f9b8e49770caa7b6709b3edbc1bc341

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
64KB

MD5
c6196a1b49556f800ca67c2f5d4086cd

SHA1
aa1b907275c610cd6ee3feb571910691dab099e0

SHA256
7b8c41a684442be18c8f0bf8c8b50829bfb4df98e79a37a031d6670d7b4f3088

SHA512
0b595d2452a655ac85cfdc44bdca4e7f1260ad2bd873b4e329b28f136af71408c062f3615cfec9065df5128d1d5651a3dead289fde42ecf0bbc51def090a4617

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
64KB

MD5
8cca41427d3c9fa961c58bbbb5ca4575

SHA1
4d21aa52c1c39cc31c10dc42fb1433ae58adbb71

SHA256
0e84b6c451eaff4e725d4362c7d70948de76d5837ed9a186f476e882fa8a1251

SHA512
2df988f0a9e912ac6565a7d841989041cc0577f4f8ce45e518e5f9b1bff228631e46d2ef5d275472eefb8c4942a6a87f76bc966e00db6ba9dfd7fbfadd7a94fd

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
64KB

MD5
054782d594c0015df2c24f8b413cd2e3

SHA1
42b59d6954a955d7fb12a68cae2f3128bb264f12

SHA256
e771d45e1770e03fa5c16a62645a2ca20d9903b251b23ff2c14b1d5f13db25b2

SHA512
48e51a2d99ba59d6291871ad7965260114b984218efc904347094d00f40a7c3c4cbc0ddad299be8a4e7f7664c3571de350caf8436a203eed96cedc0cdce161ee

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
64KB

MD5
ae8f3d80f31fc7fa1049a389b42ea560

SHA1
580cc17bcd7eac90bb2d40b1467c9b67aaaf7696

SHA256
e85598caa70605d1e0b394c8c63c84fa8b6d1a628474cc9f986717001191d250

SHA512
2e1435096a765c542beb300998bcb06e207bbf62268053df766003e0b370845db92e8c78a44775acb305b7eefc27a3b127f5b826e7259695cb02688307785838

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
64KB

MD5
95ebf64439572c4edd4f9ec3f77cb5f6

SHA1
77ce79c37c9d9e1174edd31ed5a3a295d7dc46ea

SHA256
416e89a43f2be9c4b16175cf1727ddfdd89576ebcdf6195f638703b779427d4a

SHA512
50790711dc1e61d2ed5fba8d93442372c78a9c4896cafc246300a790a45155fada747205d94f89683355aec68ae6a1d6955e1407664f1ca8dd2ace094a2d8b5f

Download Submit
C:\Windows\SysWOW64\Lhlqjone.exe

Filesize
64KB

MD5
1b77eabe428e1564b7362265858ff3e7

SHA1
9919f77a1d8a05401eabad4576e8eea25ef5faa9

SHA256
aab407a2a1ca8aa70c8dc6e6be8acd67a7d15c9c8ca319531e109597a1fe4add

SHA512
11e4e9be5b6326e02d4c214695c4d284395117db360ac7d87648e2703dc1b7592debf8e129af2a833f732454c0861ba99f8c6d6b53fdc389783c4756198cc524

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
64KB

MD5
b82fc151df807778479c641f497eb28d

SHA1
b2a9ebfd2665aeb6e7753750fd4977d1fa693704

SHA256
f07fd783b89be07f1e102e9f7cef5ef2d1262e2f0f473ce7ebda6d3b10e4c40c

SHA512
d398cc6f1f4e2c4e5b742fc55158c89636374190b6251205340d98d29df3d742ee2a32ffa87007b01c0f3c76956da74d84c5594451ff8b7d49fdd2ff70034dfc

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
64KB

MD5
5e896976a5c980005ce03d321cae0a35

SHA1
281e45f235e4b321a70d0230041eb96134958c39

SHA256
9814161a2a3c154cee8449bcd96a06cccbe0c3166d58e8ee95381bb68149e8b0

SHA512
c53a98ebead528071685ee8a985d0b8ccbfe79846e17755bb4cb7b1a14bd91bc5a1e8da8bb1846b97830894eaf9ae1ce074ba61ace4020dabbe117bbcb529ad0

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
64KB

MD5
81283bbb286b6b463da93569669788a8

SHA1
77c046286603337cd2645dd7cda96018fee5132b

SHA256
710a91b34cdab5e9ffdc5e0db70c2c34e6244a20b986d6d9ce97f6b239503b09

SHA512
0acb8d9f070c31ca76532dc9f6e6a7041af35992b927728ab970db075bdcca0863edc9079d216c99964770c6b13799b91bc4516da351889ed18272d6d6613d4b

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
64KB

MD5
424b551d410d22462cf80d07f5d9e034

SHA1
bd6335be271d452b1d9475c00d62967b61ccac4a

SHA256
9036b8710625e842a171ed1d674d82dbea27dcc914d81a579bbe05e3744f69df

SHA512
70d85e66bcf77ac16f5074fb0c03e1efcaf6d18af089203543c36fe85295131349751cafab009510ab71289ab5481358ee5de4ad5409844d0f18af03eb644abb

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
64KB

MD5
32168bbcf757ac3252f92e7e26c6e38e

SHA1
7d36fd04c50e88e91a6c645786081e8f5b92d00c

SHA256
b76acc89b042bbab9b07c3fbee2731f6a29f8860eb6f5ce82f5f68af720e0822

SHA512
0f39256cefb46de4b3e571c4f6c47ca56883c9596e344f3974b13989ddbf4d33419ff5281a1f87014f932f0965461a0b33f9fe8234357aff5c4f57111efec5aa

Download Submit
C:\Windows\SysWOW64\Loaokjjg.exe

Filesize
64KB

MD5
a43de421ef522e1a2b6ef9c0d933c249

SHA1
13a0f8c09be0057da298d72d5ad6df1cf074f093

SHA256
6d433af0922da782dd4098504cd6614e3924edc585237e9a050466ff9e357800

SHA512
08a7f0eab304b42fd42261690980448268ef4c52d2ae94d12fc241f63c673b574171cd3d36a4c84a2bbedb0f71d78b2b933c8c39e1c292e8cc44e3a397f4c3f1

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
64KB

MD5
aeca23678f52d0d0b117fbca1c00f8db

SHA1
01a8b790d8859a3867e5d263e42bc073ff6c16b0

SHA256
17e7024547ddd607e1744cb8b4b09912613875016d7e6ba578b66ee287106e6f

SHA512
caad3e89dd500820a829b7f8ba420e0fc1fef7bc6a3f40164ec037edcb0fa21ae7744d0d160f86cb0ea6d117b87c775a404f997869472e33debafb26f41753c0

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
64KB

MD5
2d2721bf59ff91cf67ccef9e61e0c604

SHA1
ae226936c2ad16e688f7a4fd9fae80ef8bfb2c0a

SHA256
77109dfa5a59154f47d63999f005c3612edb9e88fe709415ee0576fd14083ca9

SHA512
d4e593a02468bb43e1fb1b8c011df6e0e9a500548d46bfa139ea2db6d02aa468f584cf89536c5c8a7a01e3594da8982c69f483d96183d8263d639dbfcfab66d0

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
64KB

MD5
49d43dd25b71de67e2615db0512b5640

SHA1
f7f9493f9cbcf892d49c2878ad293667a920d904

SHA256
0e16e9a98d3cd6ec508344fcfe8f6e6e2772131fffe19946fe02621aafb8d10b

SHA512
8fab4c021b0ac7c286e3ea34ce2fa86f5dba46fda28f14289ddf1d302e917416839b9f070b9f9f484978d14b53d7d822871bcba17a0579bf0c0306659e358a98

Download Submit
\Windows\SysWOW64\Kbhbai32.exe

Filesize
64KB

MD5
13fa80c4c2fdf98ad688da10c47c476b

SHA1
04db450a3dac29b48593ba61249d095b97349d72

SHA256
0602d05d21e396fb1eca52da0ce737ac104177adea98463e466ce5b2f8de30a5

SHA512
8ff0f056e647812463edbeb5c3b65e25ab4615778976290ee8d9492ff82089a0ce9bce3079a1bf169297079c574114470707ceca42ee84d462f508a382fac178

Download Submit
\Windows\SysWOW64\Kdeaelok.exe

Filesize
64KB

MD5
6bea7b052c0b25325323ea753a5d5fe8

SHA1
9364509fe330358eb9ac49ef4a1a32f368441351

SHA256
5698cbff22519a2d3bf30a7bc5eb6c590eb4a23334b3cac93ab40d8dc37d665d

SHA512
820234f7bd5a304b3481fcf1394322ea218c221016820e9fdbcf6ef24407541abd710629c2d30044f99a9ebfc932af006f2885d46a60c08e1d8de238fbb76d0f

Download Submit
\Windows\SysWOW64\Kfaalh32.exe

Filesize
64KB

MD5
4306857b48df43db4f3a543c579bb9bf

SHA1
f5acd5ad7ac34fc1a99f985d355d53dad5d145df

SHA256
3e8ae06837007e696068ed8323a29dea8fcc1a6500c987ca2334185830ee886c

SHA512
dcd6aef1535edc41a6cfc8438a9c68d04794a3454f2876acd17eb9614823d2b22293489416e5d6e6ecfd69168259bbcfcdb1b0f1044f7da873753d223d888073

Download Submit
\Windows\SysWOW64\Kipmhc32.exe

Filesize
64KB

MD5
b1aa4afc23240c4947edd448323496ac

SHA1
37e48a0051fff1508023f781974f18722242e4e6

SHA256
f5a9cf3f8acf3de11a2a98f3738a817d6edfdf93b65d1a76f42b0d6aa81a0e36

SHA512
7ddbd97562560e47c8d69282425f4749a7bb15ab1a3fa2fa6abeef4596e4c6fb9bad97587ddc40cc74fd83f4013282caf14e166ff20f8483eccaf1bb2c49f039

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
64KB

MD5
d2cfe41df958fafc357be4994bbc6609

SHA1
c14cf64e3c0dfd92d41510abad029bd8ee12fd80

SHA256
4260e2b7a504b7d1327b7e4b159a4cbaf0c1238213fec0643200071866c22a44

SHA512
47462e2a78154ac8c8fdf4994a01108c4c59c48cdc7c8cfdc1d7da7ba62959c251b40bff35bf0a900dd1781580181f921aa39c8579860c3af82f711f7ba46e95

Download Submit
\Windows\SysWOW64\Leikbd32.exe

Filesize
64KB

MD5
52c2c709755aa54f0221ed79e98bbf79

SHA1
f718ff7240bb9b5de150da5c2018c13a01c196d4

SHA256
b436acfc4077c912d7ac8871594d9fbe68e8ac8191e834953b09098d211ba8de

SHA512
af9eb4395cc9b4e557cf6a83e781342da922826832493a10fe7ffbf95ec423b509ba2333eb93c90a20e44e39545a5c8f058ec7d0a038697ab3ae562545404d49

Download Submit
\Windows\SysWOW64\Lmpcca32.exe

Filesize
64KB

MD5
c09985b606ed2f683d024b4c8b375bb8

SHA1
42f06ee3b2bc7f6e07d7a68ceec25eeee215b207

SHA256
ffa7cea5057ba8f174e8ef384ec734472f02820ebbedfa3f445790ee6f7c94f1

SHA512
c2032ebb4915b6bfc4b73e18e6963e27875ca5056738ff8baadf28eb7df671cacba85209cc9a9fafebcb2cdbdb5c94384857629b0a993e215292fa4dd7a43acf

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
64KB

MD5
1e2a9e555b7023dd32c10956bd09ddea

SHA1
b27fdf0fb8d50349c55446733e0e1b67ab657909

SHA256
6ebf39fafa283f712600f9c8966fe23827a8741423b82e109ad4eec8d1a3d33f

SHA512
db2db3d8418266b43705a5fb7124b833ec832f8e2856f26e5a3aa4085e60eec0e50b4c33db8b736e27a91cc801b1d9840973dd1e54a20cddc62bd3f647323b02

Download Submit
memory/708-230-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/708-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-152-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1484-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-87-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1524-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1524-261-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1524-257-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1592-281-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1592-280-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1592-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1768-240-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1768-239-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1768-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-205-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1796-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-247-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1836-251-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1836-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-126-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2008-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-179-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/2076-170-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2076-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-12-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2080-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2148-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2244-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2244-144-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2336-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-211-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-218-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2344-313-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2344-308-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2344-325-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2344-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-292-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2456-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-288-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2456-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-301-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2472-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-302-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2608-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-267-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2660-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-271-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2668-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-25-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2668-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2748-322-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2748-323-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2748-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2832-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2832-47-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2832-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2980-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2980-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-118-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads