berbew | d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Size

93KB
MD5

6319c733be4900930ad3334d877bc2b0
SHA1

e7ea435375217d6d722d6f5143db33d7d1a52d57
SHA256

d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58
SHA512

429253fa2c2a5ae911fd6c0f54e492ccdad186b7832a17f55c500143fe7dd816508e504cdc3bfaeae35ba0062a6b0fde7fcb62be0344ba660620e45116c041da
SSDEEP

1536:sJ+PRW2QFb5tAuCi+9LrlotywsfFXO0ANpwdasP0LVksInd8Ron8vp4MqPa/:sJ+PRWPFUpxFoywsfxO0QO9KVksIdvnU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbbngf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbbngf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2272	Kjfjbdle.exe
2632	Kocbkk32.exe
2728	Kbbngf32.exe
2556	Kebgia32.exe
2460	Keednado.exe
2000	Kbidgeci.exe
872	Kbkameaf.exe
2684	Llcefjgf.exe
2816	Lgjfkk32.exe
1924	Labkdack.exe
1936	Lmikibio.exe
800	Lfbpag32.exe
2688	Lcfqkl32.exe
1880	Libicbma.exe
3004	Mooaljkh.exe
2108	Mhhfdo32.exe
1772	Melfncqb.exe
844	Mlfojn32.exe
1296	Mdacop32.exe
1700	Maedhd32.exe
632	Mgalqkbk.exe
2200	Magqncba.exe
2312	Mpjqiq32.exe
1960	Nibebfpl.exe
1672	Nplmop32.exe
624	Ngfflj32.exe
2092	Nmbknddp.exe
2628	Npagjpcd.exe
2580	Nlhgoqhh.exe

Loads dropped DLL 62 IoCs

pid	Process
2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
2272	Kjfjbdle.exe
2272	Kjfjbdle.exe
2632	Kocbkk32.exe
2632	Kocbkk32.exe
2728	Kbbngf32.exe
2728	Kbbngf32.exe
2556	Kebgia32.exe
2556	Kebgia32.exe
2460	Keednado.exe
2460	Keednado.exe
2000	Kbidgeci.exe
2000	Kbidgeci.exe
872	Kbkameaf.exe
872	Kbkameaf.exe
2684	Llcefjgf.exe
2684	Llcefjgf.exe
2816	Lgjfkk32.exe
2816	Lgjfkk32.exe
1924	Labkdack.exe
1924	Labkdack.exe
1936	Lmikibio.exe
1936	Lmikibio.exe
800	Lfbpag32.exe
800	Lfbpag32.exe
2688	Lcfqkl32.exe
2688	Lcfqkl32.exe
1880	Libicbma.exe
1880	Libicbma.exe
3004	Mooaljkh.exe
3004	Mooaljkh.exe
2108	Mhhfdo32.exe
2108	Mhhfdo32.exe
1772	Melfncqb.exe
1772	Melfncqb.exe
844	Mlfojn32.exe
844	Mlfojn32.exe
1296	Mdacop32.exe
1296	Mdacop32.exe
1700	Maedhd32.exe
1700	Maedhd32.exe
632	Mgalqkbk.exe
632	Mgalqkbk.exe
2200	Magqncba.exe
2200	Magqncba.exe
2312	Mpjqiq32.exe
2312	Mpjqiq32.exe
1960	Nibebfpl.exe
1960	Nibebfpl.exe
1672	Nplmop32.exe
1672	Nplmop32.exe
624	Ngfflj32.exe
624	Ngfflj32.exe
2092	Nmbknddp.exe
2092	Nmbknddp.exe
2628	Npagjpcd.exe
2628	Npagjpcd.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Keednado.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Keednado.exe
File created	C:\Windows\SysWOW64\Mmdcie32.dll	Llcefjgf.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Labkdack.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Llcefjgf.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfkk32.exe	Llcefjgf.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mhhfdo32.exe	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Labkdack.exe	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Kjfjbdle.exe	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	Kjfjbdle.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	Kbbngf32.exe
File created	C:\Windows\SysWOW64\Iimckbco.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Gcgnbi32.dll	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Keednado.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Labkdack.exe	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
File created	C:\Windows\SysWOW64\Kbbngf32.exe	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbbngf32.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kbbngf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Aepjgc32.dll	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Lmikibio.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2580	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmikibio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkdack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbbngf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbidgeci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcefjgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjfkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll"	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbbngf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll"	Kbbngf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll"	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcefjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Labkdack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2272	2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	28
PID 2736 wrote to memory of 2272	2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	28
PID 2736 wrote to memory of 2272	2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	28
PID 2736 wrote to memory of 2272	2736	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	28
PID 2272 wrote to memory of 2632	2272	Kjfjbdle.exe	29
PID 2272 wrote to memory of 2632	2272	Kjfjbdle.exe	29
PID 2272 wrote to memory of 2632	2272	Kjfjbdle.exe	29
PID 2272 wrote to memory of 2632	2272	Kjfjbdle.exe	29
PID 2632 wrote to memory of 2728	2632	Kocbkk32.exe	30
PID 2632 wrote to memory of 2728	2632	Kocbkk32.exe	30
PID 2632 wrote to memory of 2728	2632	Kocbkk32.exe	30
PID 2632 wrote to memory of 2728	2632	Kocbkk32.exe	30
PID 2728 wrote to memory of 2556	2728	Kbbngf32.exe	31
PID 2728 wrote to memory of 2556	2728	Kbbngf32.exe	31
PID 2728 wrote to memory of 2556	2728	Kbbngf32.exe	31
PID 2728 wrote to memory of 2556	2728	Kbbngf32.exe	31
PID 2556 wrote to memory of 2460	2556	Kebgia32.exe	32
PID 2556 wrote to memory of 2460	2556	Kebgia32.exe	32
PID 2556 wrote to memory of 2460	2556	Kebgia32.exe	32
PID 2556 wrote to memory of 2460	2556	Kebgia32.exe	32
PID 2460 wrote to memory of 2000	2460	Keednado.exe	33
PID 2460 wrote to memory of 2000	2460	Keednado.exe	33
PID 2460 wrote to memory of 2000	2460	Keednado.exe	33
PID 2460 wrote to memory of 2000	2460	Keednado.exe	33
PID 2000 wrote to memory of 872	2000	Kbidgeci.exe	34
PID 2000 wrote to memory of 872	2000	Kbidgeci.exe	34
PID 2000 wrote to memory of 872	2000	Kbidgeci.exe	34
PID 2000 wrote to memory of 872	2000	Kbidgeci.exe	34
PID 872 wrote to memory of 2684	872	Kbkameaf.exe	35
PID 872 wrote to memory of 2684	872	Kbkameaf.exe	35
PID 872 wrote to memory of 2684	872	Kbkameaf.exe	35
PID 872 wrote to memory of 2684	872	Kbkameaf.exe	35
PID 2684 wrote to memory of 2816	2684	Llcefjgf.exe	36
PID 2684 wrote to memory of 2816	2684	Llcefjgf.exe	36
PID 2684 wrote to memory of 2816	2684	Llcefjgf.exe	36
PID 2684 wrote to memory of 2816	2684	Llcefjgf.exe	36
PID 2816 wrote to memory of 1924	2816	Lgjfkk32.exe	37
PID 2816 wrote to memory of 1924	2816	Lgjfkk32.exe	37
PID 2816 wrote to memory of 1924	2816	Lgjfkk32.exe	37
PID 2816 wrote to memory of 1924	2816	Lgjfkk32.exe	37
PID 1924 wrote to memory of 1936	1924	Labkdack.exe	38
PID 1924 wrote to memory of 1936	1924	Labkdack.exe	38
PID 1924 wrote to memory of 1936	1924	Labkdack.exe	38
PID 1924 wrote to memory of 1936	1924	Labkdack.exe	38
PID 1936 wrote to memory of 800	1936	Lmikibio.exe	39
PID 1936 wrote to memory of 800	1936	Lmikibio.exe	39
PID 1936 wrote to memory of 800	1936	Lmikibio.exe	39
PID 1936 wrote to memory of 800	1936	Lmikibio.exe	39
PID 800 wrote to memory of 2688	800	Lfbpag32.exe	40
PID 800 wrote to memory of 2688	800	Lfbpag32.exe	40
PID 800 wrote to memory of 2688	800	Lfbpag32.exe	40
PID 800 wrote to memory of 2688	800	Lfbpag32.exe	40
PID 2688 wrote to memory of 1880	2688	Lcfqkl32.exe	41
PID 2688 wrote to memory of 1880	2688	Lcfqkl32.exe	41
PID 2688 wrote to memory of 1880	2688	Lcfqkl32.exe	41
PID 2688 wrote to memory of 1880	2688	Lcfqkl32.exe	41
PID 1880 wrote to memory of 3004	1880	Libicbma.exe	42
PID 1880 wrote to memory of 3004	1880	Libicbma.exe	42
PID 1880 wrote to memory of 3004	1880	Libicbma.exe	42
PID 1880 wrote to memory of 3004	1880	Libicbma.exe	42
PID 3004 wrote to memory of 2108	3004	Mooaljkh.exe	43
PID 3004 wrote to memory of 2108	3004	Mooaljkh.exe	43
PID 3004 wrote to memory of 2108	3004	Mooaljkh.exe	43
PID 3004 wrote to memory of 2108	3004	Mooaljkh.exe	43

C:\Users\Admin\AppData\Local\Temp\d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
"C:\Users\Admin\AppData\Local\Temp\d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Kjfjbdle.exe
  C:\Windows\system32\Kjfjbdle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\Kocbkk32.exe
    C:\Windows\system32\Kocbkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\Kbbngf32.exe
      C:\Windows\system32\Kbbngf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Llcefjgf.exe
        
        C:\Windows\system32\Llcefjgf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Labkdack.exe
        
        C:\Windows\system32\Labkdack.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbidgeci.exe

Filesize
93KB

MD5
0f17082a677947e95b3e33551bc15d07

SHA1
5682675a64d18fd1fce60a136a6000dcc746a8f0

SHA256
1df074d9543630f55d5f1c36441e30f1b560c6ee29d7649288e8383c7a89a559

SHA512
b4dce2f3a24883af528ff6bce1d2004d3a3284ebcba9b4f28f16e5bd7ca8a8a42dde7faa05b9bfb3fbc080e77c519b49c443a7ce105eaae98517423d51664d63

Download Submit
C:\Windows\SysWOW64\Keednado.exe

Filesize
93KB

MD5
78062bfb7a8e1c76dc8faa1d9dcac3e2

SHA1
e6f48ad462b008eaba6447fb9a43cf0dc7925102

SHA256
8688da0be70d119c59adfc5a396de11afdcd56b7890ae815ff2942c504e4457b

SHA512
f6bc54766a72a838d84bd273124c4d8b43d7e9268d01528f929722a987d9732cb746a8e18d8e88c1ac01a5f345289fc01414d0022ef0ccc2b1dbaabd94bf876f

Download Submit
C:\Windows\SysWOW64\Kjfjbdle.exe

Filesize
93KB

MD5
f84e7dbe90616ba91c1fd69aa2898990

SHA1
ea35e565b969ec7291d5d57e3c4eb835947ef5dd

SHA256
ea5ef2b643b94c95512979cd53f67a06af875aaf1aeff2f7f9df3fa7f01cea72

SHA512
dad88169b2839b30c7b7bc0e50e7ff9c66012d7f18305d7d2c99be1948b5318b2156e367ce761445d5bf10653615b1576ea7507508bc4aea71401f2467f577e4

Download Submit
C:\Windows\SysWOW64\Llcefjgf.exe

Filesize
93KB

MD5
a1e26e265c5891d690f6d78e3577d53b

SHA1
63ce4378afea7656153c11434efd059bf3e87208

SHA256
ea6f898c2f8885ff687b2befcf73c24cdea865b2f81f18bc9565b2e0b3692d29

SHA512
c8b70453c5dec0172b4feeb9b9347be49ebd232989ffe9ab69b7aba7d110d20b769763ac5a124eada60e87c0742794351a1ea48968ed88643a9118fbe6629e5f

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
93KB

MD5
2c95505b6773c79789602cbe17470b6e

SHA1
5bfe2f6e255bb8f75edfdd6424873eb7e3b56714

SHA256
5b510703803a05cbeed1c7e9a593b256eb2f7ddc99558d213e4cd85a0ea21563

SHA512
f748921166f4e8bee463cb409b3c15f8c732904afc2d756915f494993121f239f55068f3e21751139a3d4da76c89b9565cdd80b42e34ea25454b3b61497fe5af

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
93KB

MD5
574a41457b1c32d050b178373c93d9cf

SHA1
84c16947e013ebcdd929ea3dad726fed88cc5e81

SHA256
ff5cee0393600bc2e45432097b57de2f602295ec5738da257f55016f8f977301

SHA512
c9c27ab4163663be164efb43c18ac3d870ed8d92cce5add216ed92699a02f04194a62ab7c491c6462511a4b2470d8342c82e3d5ecaaed9d09a3c82bbea061c05

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
93KB

MD5
504239ae714834ae11f9dc9129432f8d

SHA1
aa76e3e12a68ed21a13b2a0d218216ad20530147

SHA256
4b246a33f26e410a0dc3aad07c18972f1ae1f769d2bce2d230536196cec42f8f

SHA512
1489fd9905efb78081c46b883fb46cb524c956259ca8662f150f775d433e5dc568a5b81d26dcf79d2e649dc5fd06e7237d29057bd71591aeaa40fd297144e206

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
93KB

MD5
89d15dc11151e4c34e2606e90c9e8935

SHA1
e55134457374661985ffac016e9b2991379fe059

SHA256
0a1a7b4eb31049bda3dcb49607808956ca57e34169daa1d7f1a3911a4495600e

SHA512
8c1c65bc4a83c4c990eedcfd4dbb3609d1738ba1ddcb8e543497fc4a81e99f433f69d2bf3c9f5fc60105e31af2989f00e90c8ffbab34a998e0ddcb5ba738711d

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
93KB

MD5
c7d0a141c32873f7c430798f1e707938

SHA1
35e7d93a99737e2fbcf3982e7ccb3f10e55f89b3

SHA256
53d2066cef74f95a4f46fb2f7182ae2e4bc24b818e20ce556edbd097a3a66791

SHA512
c2ec4e26ac6fc3cad21a4d7da5a6cc1e6920acc1f5c94bb127dade014f84b4573ed76e18eb7b3763f85ece4f2aba202f8bbdf8ae5452ecc2761189410790101d

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
93KB

MD5
2f13bd9ea15e69840028e9fc6afbacfe

SHA1
8f37dd85a26c92ee302c2ab3c1940e96895adebc

SHA256
94f89868e292637ff0a914d8b99d0c1a607d069e7ef68b6dc599c8b02a298f68

SHA512
fb52308675c14daf0acaff5038b78a3fd416388a3dd004dfa0f6a6f54c379a47f79a7ecf6064b530eabb57339e35e9cfc46e933fd61493340099a634c7e4aeb7

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
93KB

MD5
639a206d22ed53b847f363e8c59f5c72

SHA1
7f6e426af0d6b0441cb5a20174e375b8bea0bb58

SHA256
5e66bf39c6a394e414d7e49fe1c694994a04d6fb3dc616c6d9896d784c666e4d

SHA512
9ab4f414b3dc720c97c9d0950ff13afe4daa71ef4c320df3e0b0a6c569ebceea92c437ac8fff0a1ae3b1a032c957202301ba72bf2bb80faa07fe6741a51ad6b3

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
93KB

MD5
abc298ad66e451ccb02b3e33b3dae315

SHA1
abe6115f81c48642bdc127b4477a218fd00458e1

SHA256
97463c373ce61a3c5e93aee91d43928268e4b4f67f18967b3bdd9502406656d8

SHA512
b31b30b7b6551090ba57cdafa5defa4182b67a6dffb418460802caab7d60ac1b38a524cc6232937f9eada28b85ead60deb6775338db2a988838880dc5c61a05f

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
93KB

MD5
17581689388976c9c3e78b07e812cb33

SHA1
c1805f11024573bea34ff94f5cc6e576dfd2bae1

SHA256
7be20089b16f0cf9bbd8b2bfbfcebcb0daaf098a11c28d74540486adf12cf5c2

SHA512
b0a924670ffffadcffb14e610886a7097c54f07ba193f1fbdf83a26b68e63d2bdaca983266aca14ca0134221a21d9b2c4f85f78033c821ee1037f5c5f668d0ba

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
93KB

MD5
35357e210dfad994416a6171b0d4d596

SHA1
0e80ec1048e4d2af1eb0627c3210ed5fa2714488

SHA256
5cf79a7c077074bc5e849decf9dde691a1180e46a34a467661719993e64693e5

SHA512
9c5c63398d3d9f54bce62f3491b3644f3b07b64e3129710c7c071a876ff2d69e9ecc3ac0b9c4a58ab3f3a9278ff2ca9aae2abe3dfa2e48a99cd8a8105a0e7190

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
93KB

MD5
90699a8401b40aad85a1b9413426752e

SHA1
2740eaae462b68a3351f20a0769f1a6fc21cfdc6

SHA256
73c9968d11215a7678649d739a955d665cda2ed9a38957e7d74611a61972bb1b

SHA512
0ce051ec36a0dac3ca97cc1ec2afdf030ee1f9a7cc63ce45ab07e62033a1bd422b644328440542382ada002a9176ea534c13b17b02e65e821a14577755932bf8

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
93KB

MD5
3b4b1e8323684cc9ffb014e25bfb1c58

SHA1
7b41fab2e3a33d5dfe0a2f99700a38a51ee2ad4e

SHA256
0a2495c4734e8f8d20c546abf827c4feec9b08577e8096bc29b0ed73dcb5a651

SHA512
d6a223ef2b404015666634b64db963b613da3205f8b1f5dcc651a6d838a754877a3e97d92937e130466a4cbd4cdc61d8b3b2e8f87a07c80108991760ebccd1ed

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
93KB

MD5
097e4824dfa531fe38e91890284f90bd

SHA1
dbe269bd1ee39c389651239a40e8157cb570ccc1

SHA256
1792b63c5b2462ecc48219345055c1aca659482922e6728ea5509a1426ba6084

SHA512
8e0b00656f4523bdb15217a2bfb74254267d987bde1e95d224fe73cf485feea7dee5e3f9f05d1505db92144cd1f8341145efe4fe07c6650be02211cddacfcfef

Download Submit
\Windows\SysWOW64\Kbbngf32.exe

Filesize
93KB

MD5
3226c260a14bd95fddf14fa978e938f7

SHA1
c51f6aa2c0910cceb39223b0c2272e902d7dba74

SHA256
3b02aba2e1fea2d5f8320d325091f327e8911691985b57a93721539ecd99eec3

SHA512
0f0bafe78da75a3eaeb378388752a1e4b1598c0272e163b252c41daf5b86df63828a68de6cf84a2611c5177a559987de5b120896a0ec2c39364e085da0c53929

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
93KB

MD5
19828c18c9603613494fa97e0f37ea80

SHA1
8465d78fa36228522d6ab08ccc128dcf9e610cd3

SHA256
d3e8162999aaa6af8c96f64ef7815e22c24d32b80d4de597735bbf3930a1eccf

SHA512
1069b717cf62e2410b23d95a5b798615163afc53fc14773ef08f31acd1c42fd35590c9b9d2f959facabe3c196962db46d2b28a815708810088a675a1441d6f3d

Download Submit
\Windows\SysWOW64\Kebgia32.exe

Filesize
93KB

MD5
3b4dc6d18ca75deaaf3f9a58cc179a74

SHA1
769030ea00d08b2b74c7d969e0b1cd1bb07a9501

SHA256
77d521bfbce758169ae0ccba1124bc95924974818e0853fe8a2e110232775959

SHA512
9272ee93489dc36f71ec4520f793aea4deb7d06beb129967fca53adb357baf0a34f3508cb0c247d1ae981e1559a21845f3ed13d7c16f6b3dae2440ca95fb0986

Download Submit
\Windows\SysWOW64\Kocbkk32.exe

Filesize
93KB

MD5
a11706cd9c4d14efe39028eb3d50c2bd

SHA1
8e14ed87634cd5140eedad097a350dc860109cca

SHA256
9cb8d744d7f96a87ac0b180b45d9316bd18931bb8e3558c2a7ca8585817252df

SHA512
829f280a2b58b564407b575e1d8d805f9b235e0ef87612616d836ee164fc688086fde74a0880cb1487953000f48c1802a6ebccd58413988bb1de1a266b8413e1

Download Submit
\Windows\SysWOW64\Labkdack.exe

Filesize
93KB

MD5
fde424412cff9533c02f47ea73559eb2

SHA1
5f5e0d4c17d141d7000a34ee2dce9930f6d4f7aa

SHA256
807453a3995e5b38f80d19fec6511c8296dd0d72a86555860fb201dd62d2dbf6

SHA512
89e868df2368ba7697eb53000d315b9cc1e140105d8d125066ba485f8964b38fb31f0f5b9b1ec864313b3a3789d852c3a9c8c62f2cd13b9360b788dd364502fe

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
93KB

MD5
d51be396bf6dbd3fbd740d77b73056a2

SHA1
1ea5757cb610ad935cc339b654462e78321f3921

SHA256
9da3495f6bdf33fe1043a3a8325d94ea5ee585b9f0ac3f480c3b3bc0eadfd207

SHA512
8934392d75c2ddf631486e96244923e44f4cc4f777862646860b4dabb737bb6a7ed32ec3da96ce30e3c5b75a95580483533bc6818e9437f4db3f2f23e3a3aeb1

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
93KB

MD5
386831389f6f62dc5b03d49e93a3f960

SHA1
cde0b3311be7c8559cc3888d44d1a13221830c6b

SHA256
3926f3dd984a704096fe4db75fb13ce8825179030c61674b753965c7e3fd7a54

SHA512
b8af7eaa18391f88e00df64e27ee7d180f02fb2490ece9393f47ae9d9b1d21992c112791fe7f18ca24bc8cb5555e69160ad5e1fa05d63d92f11db8925f8b5d74

Download Submit
\Windows\SysWOW64\Lgjfkk32.exe

Filesize
93KB

MD5
72f6578bb0da9371b432853bc79033f0

SHA1
a05661e32fcc602b612d7505f704eb75b847a52d

SHA256
7ee39e4cb4c1f24ad9634441c4a2dc90f2f401fe96df4e326f26ea0a41905199

SHA512
44cf7276990eff98827300b564871bf792529d13731d30a08749737fee15b1085669a36e695fb9073761c84e9317e80ef4e1e55140ab72755745235f83197afa

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
93KB

MD5
e1916890375285191641780c34477dab

SHA1
05cc5028334e25058b9f28236e0d6c60ccadd7bf

SHA256
9698a95cfbb2ed328efe82d177fdef4917502e662911ce928da16f76d29852cc

SHA512
c785a0a8c081e48791940c74d40345c206e45ecdeeda6eea3d33266393ed265d2e77652adad842b0662f59bc36f09ad28be4cccd0ad38919cf2ab372311c16ea

Download Submit
\Windows\SysWOW64\Lmikibio.exe

Filesize
93KB

MD5
867b242d5df38171a24f4ea8432e1ac6

SHA1
19796e34701d3d1dd15b5c4e5cf3fbd6e037be34

SHA256
7a287253c62cfe7c0e11b8e42a734d49ec8022353887378becb453953ba4aad8

SHA512
dd2fb605b78a336d4b1e8443d7012d45b6569f5a28457ad8385462a8e65651104e06bfcd1290f0a2324fd14dc6a926661ebe12d36c045d8cf793752c9ab01039

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
93KB

MD5
192c7a2baad24543cfb107e9b13b91c7

SHA1
538272be8e9490adec68849964aaea7a4340654b

SHA256
3c30048ae6e030ed8c1288374b23f23fc408f75cf931c9fe13ab924e667f9005

SHA512
a6674943d8291f142b7586b590e3caf539ece21a6c9d5f56ec58fd9f14ed85169b4197cabadfc6d4de8f5a829a30638114500a0284c3bd49abd3f1bf72badf8e

Download Submit
\Windows\SysWOW64\Mooaljkh.exe

Filesize
93KB

MD5
68131864ecad0ff939fb8c496e85dcc6

SHA1
de0a5e0337d93719a5c710b43dba696808109e14

SHA256
85bbb0448102beccbb949e16422540e758a730d2a2a11e0a1db39dc4c1376c88

SHA512
4e2840cbeb3fb870a44fe7cc41071b35187c659ce9850a1e3417eeba327504b8c12f6ccf8714a38330f5d23f024f9084b74ecfea5c3eab9013c9a58c60a6f9e0

Download Submit
memory/624-326-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/624-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-325-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/624-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-274-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/632-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-172-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/844-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/872-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-253-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1296-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-314-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1672-315-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1672-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1880-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-149-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1924-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-305-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1960-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-303-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2000-90-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2000-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-337-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2092-333-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2092-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-227-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2200-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2272-351-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-293-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-80-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2460-81-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2460-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-66-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2556-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-347-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-34-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2684-117-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2684-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-17-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2736-18-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2736-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-212-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads