berbew | d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Size

96KB
MD5

5f11209d66311af1addab25c47b417a0
SHA1

956c5c893866b2c351834694c8a50c184eeeb6b1
SHA256

d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228
SHA512

48badf4a0b316a21b6d983c6ba027dcd7894b59dda3d1ed771dfafaa8344269bc47de5bee7a39786c41d0cb84919468c5b0d3f6693c8fd93ff421008a5b533e2
SSDEEP

1536:yGInWRscoqXBta7cY9CJwM2Ln7RZObZUUWaegPYAm:3Inmsczzdc7nClUUWaet

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lofifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000194da-40.dat	family_bruteratel

Executes dropped EXE 17 IoCs

pid	Process
2760	Kapohbfp.exe
2896	Kekkiq32.exe
2768	Klecfkff.exe
2820	Kdphjm32.exe
2672	Kfodfh32.exe
1440	Kpgionie.exe
1960	Kipmhc32.exe
2080	Kdeaelok.exe
2748	Kgcnahoo.exe
2976	Ldgnklmi.exe
2284	Lidgcclp.exe
2980	Loaokjjg.exe
684	Lekghdad.exe
580	Lcohahpn.exe
2224	Liipnb32.exe
2000	Lofifi32.exe
2228	Lepaccmo.exe

Loads dropped DLL 38 IoCs

pid	Process
2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
2760	Kapohbfp.exe
2760	Kapohbfp.exe
2896	Kekkiq32.exe
2896	Kekkiq32.exe
2768	Klecfkff.exe
2768	Klecfkff.exe
2820	Kdphjm32.exe
2820	Kdphjm32.exe
2672	Kfodfh32.exe
2672	Kfodfh32.exe
1440	Kpgionie.exe
1440	Kpgionie.exe
1960	Kipmhc32.exe
1960	Kipmhc32.exe
2080	Kdeaelok.exe
2080	Kdeaelok.exe
2748	Kgcnahoo.exe
2748	Kgcnahoo.exe
2976	Ldgnklmi.exe
2976	Ldgnklmi.exe
2284	Lidgcclp.exe
2284	Lidgcclp.exe
2980	Loaokjjg.exe
2980	Loaokjjg.exe
684	Lekghdad.exe
684	Lekghdad.exe
580	Lcohahpn.exe
580	Lcohahpn.exe
2224	Liipnb32.exe
2224	Liipnb32.exe
2000	Lofifi32.exe
2000	Lofifi32.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Jmegnj32.dll	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lekghdad.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Jingpl32.dll	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Loaokjjg.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Lofifi32.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Lofifi32.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lofifi32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Loaokjjg.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Kapohbfp.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Oopqjabc.dll	Liipnb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	2228	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2760	2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe	30
PID 2164 wrote to memory of 2760	2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe	30
PID 2164 wrote to memory of 2760	2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe	30
PID 2164 wrote to memory of 2760	2164	d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe	30
PID 2760 wrote to memory of 2896	2760	Kapohbfp.exe	31
PID 2760 wrote to memory of 2896	2760	Kapohbfp.exe	31
PID 2760 wrote to memory of 2896	2760	Kapohbfp.exe	31
PID 2760 wrote to memory of 2896	2760	Kapohbfp.exe	31
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2768 wrote to memory of 2820	2768	Klecfkff.exe	33
PID 2768 wrote to memory of 2820	2768	Klecfkff.exe	33
PID 2768 wrote to memory of 2820	2768	Klecfkff.exe	33
PID 2768 wrote to memory of 2820	2768	Klecfkff.exe	33
PID 2820 wrote to memory of 2672	2820	Kdphjm32.exe	34
PID 2820 wrote to memory of 2672	2820	Kdphjm32.exe	34
PID 2820 wrote to memory of 2672	2820	Kdphjm32.exe	34
PID 2820 wrote to memory of 2672	2820	Kdphjm32.exe	34
PID 2672 wrote to memory of 1440	2672	Kfodfh32.exe	35
PID 2672 wrote to memory of 1440	2672	Kfodfh32.exe	35
PID 2672 wrote to memory of 1440	2672	Kfodfh32.exe	35
PID 2672 wrote to memory of 1440	2672	Kfodfh32.exe	35
PID 1440 wrote to memory of 1960	1440	Kpgionie.exe	36
PID 1440 wrote to memory of 1960	1440	Kpgionie.exe	36
PID 1440 wrote to memory of 1960	1440	Kpgionie.exe	36
PID 1440 wrote to memory of 1960	1440	Kpgionie.exe	36
PID 1960 wrote to memory of 2080	1960	Kipmhc32.exe	37
PID 1960 wrote to memory of 2080	1960	Kipmhc32.exe	37
PID 1960 wrote to memory of 2080	1960	Kipmhc32.exe	37
PID 1960 wrote to memory of 2080	1960	Kipmhc32.exe	37
PID 2080 wrote to memory of 2748	2080	Kdeaelok.exe	38
PID 2080 wrote to memory of 2748	2080	Kdeaelok.exe	38
PID 2080 wrote to memory of 2748	2080	Kdeaelok.exe	38
PID 2080 wrote to memory of 2748	2080	Kdeaelok.exe	38
PID 2748 wrote to memory of 2976	2748	Kgcnahoo.exe	39
PID 2748 wrote to memory of 2976	2748	Kgcnahoo.exe	39
PID 2748 wrote to memory of 2976	2748	Kgcnahoo.exe	39
PID 2748 wrote to memory of 2976	2748	Kgcnahoo.exe	39
PID 2976 wrote to memory of 2284	2976	Ldgnklmi.exe	40
PID 2976 wrote to memory of 2284	2976	Ldgnklmi.exe	40
PID 2976 wrote to memory of 2284	2976	Ldgnklmi.exe	40
PID 2976 wrote to memory of 2284	2976	Ldgnklmi.exe	40
PID 2284 wrote to memory of 2980	2284	Lidgcclp.exe	41
PID 2284 wrote to memory of 2980	2284	Lidgcclp.exe	41
PID 2284 wrote to memory of 2980	2284	Lidgcclp.exe	41
PID 2284 wrote to memory of 2980	2284	Lidgcclp.exe	41
PID 2980 wrote to memory of 684	2980	Loaokjjg.exe	42
PID 2980 wrote to memory of 684	2980	Loaokjjg.exe	42
PID 2980 wrote to memory of 684	2980	Loaokjjg.exe	42
PID 2980 wrote to memory of 684	2980	Loaokjjg.exe	42
PID 684 wrote to memory of 580	684	Lekghdad.exe	43
PID 684 wrote to memory of 580	684	Lekghdad.exe	43
PID 684 wrote to memory of 580	684	Lekghdad.exe	43
PID 684 wrote to memory of 580	684	Lekghdad.exe	43
PID 580 wrote to memory of 2224	580	Lcohahpn.exe	44
PID 580 wrote to memory of 2224	580	Lcohahpn.exe	44
PID 580 wrote to memory of 2224	580	Lcohahpn.exe	44
PID 580 wrote to memory of 2224	580	Lcohahpn.exe	44
PID 2224 wrote to memory of 2000	2224	Liipnb32.exe	45
PID 2224 wrote to memory of 2000	2224	Liipnb32.exe	45
PID 2224 wrote to memory of 2000	2224	Liipnb32.exe	45
PID 2224 wrote to memory of 2000	2224	Liipnb32.exe	45

C:\Users\Admin\AppData\Local\Temp\d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe
"C:\Users\Admin\AppData\Local\Temp\d487aff39708f1c26bd2eed952a67e1fecba203478553d2ad5aac90b63a93228N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\Kapohbfp.exe
  C:\Windows\system32\Kapohbfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Kekkiq32.exe
    C:\Windows\system32\Kekkiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Klecfkff.exe
      C:\Windows\system32\Klecfkff.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Loaokjjg.exe
        
        C:\Windows\system32\Loaokjjg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
96KB

MD5
86484a17ccce7be947397aca35754624

SHA1
9fed3bc319b8e8c96100c8d712672581be5d7502

SHA256
6308b976326f0be6f664106917f0cd925cdf75d250506d825d058ca435318d3f

SHA512
ecbf9494465698da930d1a6754b6dce139f93232fc98a9f81d8015850f9dc83c1ec67d8ba0b3d99a619621693bae503bd37eaf24a1b0b82533e96deabc4a89d9

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
96KB

MD5
25a1286cb4f4ac2f7582c31803fed45d

SHA1
904521e0756d2c38f138528fb52f7c36ccc59b38

SHA256
d6d49e7176795ddba58f0ed416baae3323cabb0084b0c046d18e83049c8dbbda

SHA512
a425096c1971bf14f0546f1d8362402e4736053556644a1668e473a9718e8018e5eb3d7e2dfa6628b25a1d9f018361d4160c8c24ed18592d6b565db8235d80ff

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
96KB

MD5
0e5921797a65274aa55fed3f8c9dd84a

SHA1
585fd3a5eb4b2e6c507722004ff687cac2062d48

SHA256
842eeb1df44eff6da12a154cd98283b33da4644afc99a1641508f328f61c0aa3

SHA512
05c5a9b56d6382a47083dd9cd9a639a8047ee69e81092667cc3538b9b41fb6ab74578175a18e0672e1f03dfe4549ffdbb21cd728edb3b1153f4131041b6c62f2

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
96KB

MD5
7ce4c3d868f13d063dd1878ee7ac244b

SHA1
557f1c28c5bd7de5f1f1d52588527e10380b5bb7

SHA256
14b9bf6103fabb59ff2a26c6f2035d89a46ab8752d1a637cef329e51dd06a45d

SHA512
a14eaa8f6292eb07194475346033e1349cc8619434e3b0f95a887e51ba97c85632530a876be3356f47a8a836a379d52ead52b6f4d5c64f375a802827d8ea4b6b

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
96KB

MD5
26b9b933b74bd9c2308e35b774d167a7

SHA1
de65b9c915798f4cb80f640ee0da60fe6b19c591

SHA256
9fd417bfbb88d3f986fb1e56697a9de005c46a8dbe1f79f2c4f32970ebc1fa4a

SHA512
69fdffc32d37ec07f79b3426d96c7f8ae38f8b8c95a5c87c4a42f18fbef5e6233800e40ed204bb43dd953543d43c219e8884d0d937955a9042f3d9f6cbc35c1a

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
96KB

MD5
38064a9fcc9e0b5f46c0b729837cd966

SHA1
05802ce8543459817dece64a932187cabad57484

SHA256
bae0cfcd583e1e4e3310d1789796c3f5201f5bdaa31c707feb43a3315593e04f

SHA512
25b5ab37ffd90ce476cae304b85bd3b5d52c942985be82db61b3dfc895e0ccd0ad5235ef7d568d6ea4c83a603c155aea07309e06288345bd7d934aefc326f48b

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
96KB

MD5
503b547db35da9bc769ffbf0df8e063e

SHA1
2774a22e616e2acf7ad68e795667219fbd3e622e

SHA256
15e30bfd89c93cfdb228c6054f874691183bd8c73c1c92f44976c4fc49b5360f

SHA512
d4e3224dcfeb0114f0e1c1c57e04bb0d9070f69dceb1464ab5e29c6973fd77df17ad3d07571b8bc4f75e8ade68983c884f196146db91444a5ca8a4e55eca2003

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
96KB

MD5
6491b4cb5800a5f883bcef90be4e844e

SHA1
951eb627dd9b1dbe1839fbfb0a2d039b2755abf8

SHA256
3eb3cc34b1ab50585aead2ddec7137c1f60e0bb9ad32d8c8c495dc58e94046ea

SHA512
187ed001a7e6d0050e8be36a57668b75c6a0e79f0514137f9e3f76e21207ab05002b69627060aaf3db5c8720871b0cb5daaf8784b62aea9a030e9083b1464701

Download Submit
C:\Windows\SysWOW64\Loaokjjg.exe

Filesize
96KB

MD5
1a6398793e625ea53fb89c8ce52a24d1

SHA1
492fd3ee50877d33ba6fb8dd4dc373f7ab535ed1

SHA256
59f4b7ba6ea1b753d02e423cbcd875992dba329913796b2803ee1cbfbdbb0091

SHA512
c7b5d33f5f025850cb1a396e9faba863bada55fac960f91a09cc1f8b987fbaba0a6ae20962aa5d95990d5b26a73b4442788fb602b010173d712d79e3cf5664d5

Download Submit
\Windows\SysWOW64\Kapohbfp.exe

Filesize
96KB

MD5
b0d04759aa85ba0dc0a9f6c3ba6aef5c

SHA1
cb525e91ec04fa1d2d4c33a1f8b123501b4dbe3c

SHA256
ad944f1ffee3ad693fef7b4ac3a34d28947d113926e213ed0295369cd79172ac

SHA512
1a32b4dc388f31c17f12fc05d195cf3ab938fbe86533f1b62baec7e6e5227f5fe127e753192da015facefe63cc9d017f94edf0801c96ac4cf378b81e3c3937d5

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
96KB

MD5
3a3147b49a690b6c936d1082df9de290

SHA1
dceb6f34e81bec03bb81a19a2e6bd3a37728f784

SHA256
b971b731fcac5baa7f9f8fcfacb7f223444463762b1694a9069e778b9553ebee

SHA512
e75dffab83bcbd5d078bd68373bf0af2ae495eb34e4d8a102e61afd6638c93a3082f0b38334ec9886faaf34ce23e5a7e5a2dfbbb55abf8cda774ba9c59f9c595

Download Submit
\Windows\SysWOW64\Kipmhc32.exe

Filesize
96KB

MD5
b56f6c7c759b4e9d69d059ee41384986

SHA1
a7493f4adaed16d166d9040ecd90a7535df1262d

SHA256
4915bae5d160e4b179341d4e8ace302ba265bb000469a0fbc8fa18cbaa4e5f3a

SHA512
8436a351eecc0c7a8852e32837baf6f57dedf9c96aaa1aa118c53b098a9adf967d51911a1c8c3aad85c3e8dfaeba06694c83b3af51a90f6f4193c4deeae6b99f

Download Submit
\Windows\SysWOW64\Lcohahpn.exe

Filesize
96KB

MD5
8c374cac030592b738f73da18dd66b7f

SHA1
6b1d74bddc9a1d281bbc715cfe5ba7f29b6727e0

SHA256
3e987174b35244835cf6be9af68f3600cef3df3de52f044117528802b8496733

SHA512
ef083f22a5bec58aa43ba0a255776ebab910d0abf1b6ce1c914701e9d3048980d0f335620bd285c89bc7c3efcf8386ceef506f4be562b05212335634eae3edb2

Download Submit
\Windows\SysWOW64\Ldgnklmi.exe

Filesize
96KB

MD5
e2c860d7aa3f06cd02f3b762a2cd8b3f

SHA1
25e374e20ebcce8dcb06e2a03c730a12ce863b9a

SHA256
852327bc2d6d886afaa77adb1245e0da77138ffcf4b6e205073b43da1552d818

SHA512
a94bed1677c1c87eef0c83f7d73d49e4e6500fc50c2adcdda1c1c53c5d64148588d068ca47d60706822e093da06e5786ba3e7f839ec7665025b045947f2664f0

Download Submit
\Windows\SysWOW64\Lidgcclp.exe

Filesize
96KB

MD5
47a20b5a36401ea3ff2626c8c61f891c

SHA1
38ecf52b974e42634db0a42de7ae05e8e62c098e

SHA256
2bca53f602e660d04416ce484e8d0bb6a71852b4c801f69eec9b92787c4d9a42

SHA512
e0bbb8a7d62d0e36d59802bfa7e9cdd0975103e2fa5478ef06fe5860a2650866c1b1ef6496032f1b9cf106c963e3af647144f57025fd6903a413cc3d68b77c5b

Download Submit
\Windows\SysWOW64\Liipnb32.exe

Filesize
96KB

MD5
27e1a2c5d79f613e8dbf874f4757d5f4

SHA1
f21057b7559100829a224d3382fad0ca8a50c65c

SHA256
32ca37d3f82d5dc889fc46896ff76f9a16f8037b0e8430338dc5f08be9c480e7

SHA512
cecc433ef12df5f733dd133484a215917ed69ca08bf8d5536de249a7a11274766442e27d7c073b0c93d648dc516743f81b811a22799ee7d79bf324863bfcb5f5

Download Submit
\Windows\SysWOW64\Lofifi32.exe

Filesize
96KB

MD5
b9251b69a9e7a83aa28778d109ea9e36

SHA1
90ae4b3301d1f87a51e06b87cf19c5d3f6bd3e18

SHA256
21f8a5c9d7740d0857a72a22441d2c88984d2d2228db9c4d3fb88d45439d73d7

SHA512
169cd228eda48169abed35bca2504cd8c781cd5df7f6b9f04aca4db07d30bb5ae7c40c7029f5b9f29e2675ab579324895368f477de0123040d3ec61fea00cf45

Download Submit
memory/580-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-180-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/684-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-89-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1960-107-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1960-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-221-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2000-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2164-11-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2224-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-206-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2228-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-154-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2284-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-78-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-128-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2748-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-27-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2768-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-54-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2820-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads