berbew | 98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Size

108KB
MD5

ca63f81600cd5425627ea2f0d39aaf6e
SHA1

48b618b82f1ef08d78aa5f179de6c76a15bb9783
SHA256

98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4
SHA512

f6001ed392de066b357988f35f4530ca3f840150c3f0f109712901f4373e43429185f6265ccef6e0cf48d3a141ccdf07b9d324c9b965ccafab08b0728cba62d6
SSDEEP

3072:dYr83CiEcO+6xTJvqKoCu/WFcFmKcUsvKwFo:d6YO+6J1qKhamUs+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igioiacg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhndcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kghkppbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inajql32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkajkoml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifkmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehbfjia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnaokn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdigakic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhakp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcendc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnbmikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koelibnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inajql32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkoidcaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlnbmikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklmoccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklmoccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcendc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiodliep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpiihgoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiihgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkoidcaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehbfjia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkafib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiodliep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkajkoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkepdbkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obamebfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiaaaicm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkafib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkepdbkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obamebfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igioiacg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiaaaicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koelibnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhndcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnaokn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjcnfcn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
2804	Inajql32.exe
2944	Igioiacg.exe
3004	Iiodliep.exe
2752	Jiaaaicm.exe
2708	Jehbfjia.exe
2596	Jifkmh32.exe
2028	Jaaoakmc.exe
2116	Jhndcd32.exe
1100	Kpiihgoh.exe
1144	Kkajkoml.exe
1200	Kghkppbp.exe
800	Koelibnh.exe
2204	Lklmoccl.exe
1160	Lkoidcaj.exe
2212	Lkafib32.exe
1124	Lnaokn32.exe
1644	Lkepdbkb.exe
2128	Mcendc32.exe
2564	Mlnbmikh.exe
2524	Mdigakic.exe
948	Mhgpgjoj.exe
920	Ndpmbjbk.exe
556	Nnhakp32.exe
2292	Ngafdepl.exe
1132	Ncjcnfcn.exe
1576	Obamebfc.exe
2816	Ohnemidj.exe

Loads dropped DLL 58 IoCs

pid	Process
2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
2804	Inajql32.exe
2804	Inajql32.exe
2944	Igioiacg.exe
2944	Igioiacg.exe
3004	Iiodliep.exe
3004	Iiodliep.exe
2752	Jiaaaicm.exe
2752	Jiaaaicm.exe
2708	Jehbfjia.exe
2708	Jehbfjia.exe
2596	Jifkmh32.exe
2596	Jifkmh32.exe
2028	Jaaoakmc.exe
2028	Jaaoakmc.exe
2116	Jhndcd32.exe
2116	Jhndcd32.exe
1100	Kpiihgoh.exe
1100	Kpiihgoh.exe
1144	Kkajkoml.exe
1144	Kkajkoml.exe
1200	Kghkppbp.exe
1200	Kghkppbp.exe
800	Koelibnh.exe
800	Koelibnh.exe
2204	Lklmoccl.exe
2204	Lklmoccl.exe
1160	Lkoidcaj.exe
1160	Lkoidcaj.exe
2212	Lkafib32.exe
2212	Lkafib32.exe
1124	Lnaokn32.exe
1124	Lnaokn32.exe
1644	Lkepdbkb.exe
1644	Lkepdbkb.exe
2128	Mcendc32.exe
2128	Mcendc32.exe
2564	Mlnbmikh.exe
2564	Mlnbmikh.exe
2524	Mdigakic.exe
2524	Mdigakic.exe
948	Mhgpgjoj.exe
948	Mhgpgjoj.exe
920	Ndpmbjbk.exe
920	Ndpmbjbk.exe
556	Nnhakp32.exe
556	Nnhakp32.exe
2292	Ngafdepl.exe
2292	Ngafdepl.exe
1132	Ncjcnfcn.exe
1132	Ncjcnfcn.exe
1576	Obamebfc.exe
1576	Obamebfc.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jehbfjia.exe	Jiaaaicm.exe
File created	C:\Windows\SysWOW64\Jhndcd32.exe	Jaaoakmc.exe
File created	C:\Windows\SysWOW64\Kpnbgh32.dll	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Mlnbmikh.exe	Mcendc32.exe
File created	C:\Windows\SysWOW64\Apeblc32.dll	Nnhakp32.exe
File opened for modification	C:\Windows\SysWOW64\Jehbfjia.exe	Jiaaaicm.exe
File opened for modification	C:\Windows\SysWOW64\Lkepdbkb.exe	Lnaokn32.exe
File created	C:\Windows\SysWOW64\Ngafdepl.exe	Nnhakp32.exe
File opened for modification	C:\Windows\SysWOW64\Inajql32.exe	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
File opened for modification	C:\Windows\SysWOW64\Kpiihgoh.exe	Jhndcd32.exe
File opened for modification	C:\Windows\SysWOW64\Lkoidcaj.exe	Lklmoccl.exe
File created	C:\Windows\SysWOW64\Pajicf32.dll	Mcendc32.exe
File created	C:\Windows\SysWOW64\Iiicgkof.dll	Mdigakic.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Obamebfc.exe
File created	C:\Windows\SysWOW64\Ahjldnpp.dll	Jiaaaicm.exe
File created	C:\Windows\SysWOW64\Cmolej32.dll	Jaaoakmc.exe
File created	C:\Windows\SysWOW64\Qooplh32.dll	Kkajkoml.exe
File created	C:\Windows\SysWOW64\Jnllpnpo.dll	Lkoidcaj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhakp32.exe	Ndpmbjbk.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Inhpjehm.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Iiodliep.exe	Igioiacg.exe
File created	C:\Windows\SysWOW64\Kpiihgoh.exe	Jhndcd32.exe
File created	C:\Windows\SysWOW64\Koelibnh.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Lklmoccl.exe	Koelibnh.exe
File created	C:\Windows\SysWOW64\Lnaokn32.exe	Lkafib32.exe
File created	C:\Windows\SysWOW64\Lpjgehii.dll	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Lchqamfp.dll	Iiodliep.exe
File created	C:\Windows\SysWOW64\Ckhkbc32.dll	Lklmoccl.exe
File created	C:\Windows\SysWOW64\Mdigakic.exe	Mlnbmikh.exe
File opened for modification	C:\Windows\SysWOW64\Ngafdepl.exe	Nnhakp32.exe
File created	C:\Windows\SysWOW64\Jgkjfeka.dll	Igioiacg.exe
File opened for modification	C:\Windows\SysWOW64\Jiaaaicm.exe	Iiodliep.exe
File created	C:\Windows\SysWOW64\Imhgkp32.dll	Jehbfjia.exe
File created	C:\Windows\SysWOW64\Hjincg32.dll	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Ofmhcg32.dll	Jhndcd32.exe
File created	C:\Windows\SysWOW64\Kkajkoml.exe	Kpiihgoh.exe
File opened for modification	C:\Windows\SysWOW64\Koelibnh.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Gaopnk32.dll	Koelibnh.exe
File created	C:\Windows\SysWOW64\Klilah32.dll	Lkepdbkb.exe
File opened for modification	C:\Windows\SysWOW64\Igioiacg.exe	Inajql32.exe
File created	C:\Windows\SysWOW64\Ebgiin32.dll	Inajql32.exe
File created	C:\Windows\SysWOW64\Jifkmh32.exe	Jehbfjia.exe
File opened for modification	C:\Windows\SysWOW64\Lklmoccl.exe	Koelibnh.exe
File created	C:\Windows\SysWOW64\Lkafib32.exe	Lkoidcaj.exe
File created	C:\Windows\SysWOW64\Lkepdbkb.exe	Lnaokn32.exe
File created	C:\Windows\SysWOW64\Ndpmbjbk.exe	Mhgpgjoj.exe
File created	C:\Windows\SysWOW64\Jaaoakmc.exe	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Kghkppbp.exe	Kkajkoml.exe
File opened for modification	C:\Windows\SysWOW64\Lkafib32.exe	Lkoidcaj.exe
File created	C:\Windows\SysWOW64\Blhphg32.dll	Lnaokn32.exe
File created	C:\Windows\SysWOW64\Bghlof32.dll	Mlnbmikh.exe
File created	C:\Windows\SysWOW64\Nnhakp32.exe	Ndpmbjbk.exe
File opened for modification	C:\Windows\SysWOW64\Jifkmh32.exe	Jehbfjia.exe
File opened for modification	C:\Windows\SysWOW64\Kkajkoml.exe	Kpiihgoh.exe
File opened for modification	C:\Windows\SysWOW64\Ndpmbjbk.exe	Mhgpgjoj.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Inajql32.exe	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
File created	C:\Windows\SysWOW64\Epljpl32.dll	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
File created	C:\Windows\SysWOW64\Lkoidcaj.exe	Lklmoccl.exe
File created	C:\Windows\SysWOW64\Dmlfacbk.dll	Lkafib32.exe
File created	C:\Windows\SysWOW64\Mhgpgjoj.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Igioiacg.exe	Inajql32.exe
File created	C:\Windows\SysWOW64\Jiaaaicm.exe	Iiodliep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2816	WerFault.exe	55

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifkmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcendc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obamebfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inajql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehbfjia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkoidcaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgpgjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiodliep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiaaaicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhndcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiihgoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaaoakmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kghkppbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koelibnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnaokn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdigakic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngafdepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklmoccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnbmikh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkepdbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkajkoml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkafib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpmbjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igioiacg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhakp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhkbc32.dll"	Lklmoccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllpnpo.dll"	Lkoidcaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnaokn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obamebfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiodliep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjincg32.dll"	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpiihgoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcendc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhgkp32.dll"	Jehbfjia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaopnk32.dll"	Koelibnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhphg32.dll"	Lnaokn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll"	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll"	Jiaaaicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifkmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiaaaicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiaaaicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmolej32.dll"	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklmoccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkoidcaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll"	Mcendc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igioiacg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqamfp.dll"	Iiodliep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Obamebfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igioiacg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmhcg32.dll"	Jhndcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhndcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpiihgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnbgh32.dll"	Kghkppbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koelibnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inajql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhpjehm.dll"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkajkoml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhndcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlfacbk.dll"	Lkafib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehbfjia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkoidcaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkafib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhmkq32.dll"	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epljpl32.dll"	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiodliep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkajkoml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkjfeka.dll"	Igioiacg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicgkof.dll"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkafib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdigakic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklmoccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnaokn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jifkmh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2804	2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe	29
PID 2388 wrote to memory of 2804	2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe	29
PID 2388 wrote to memory of 2804	2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe	29
PID 2388 wrote to memory of 2804	2388	98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe	29
PID 2804 wrote to memory of 2944	2804	Inajql32.exe	30
PID 2804 wrote to memory of 2944	2804	Inajql32.exe	30
PID 2804 wrote to memory of 2944	2804	Inajql32.exe	30
PID 2804 wrote to memory of 2944	2804	Inajql32.exe	30
PID 2944 wrote to memory of 3004	2944	Igioiacg.exe	31
PID 2944 wrote to memory of 3004	2944	Igioiacg.exe	31
PID 2944 wrote to memory of 3004	2944	Igioiacg.exe	31
PID 2944 wrote to memory of 3004	2944	Igioiacg.exe	31
PID 3004 wrote to memory of 2752	3004	Iiodliep.exe	32
PID 3004 wrote to memory of 2752	3004	Iiodliep.exe	32
PID 3004 wrote to memory of 2752	3004	Iiodliep.exe	32
PID 3004 wrote to memory of 2752	3004	Iiodliep.exe	32
PID 2752 wrote to memory of 2708	2752	Jiaaaicm.exe	33
PID 2752 wrote to memory of 2708	2752	Jiaaaicm.exe	33
PID 2752 wrote to memory of 2708	2752	Jiaaaicm.exe	33
PID 2752 wrote to memory of 2708	2752	Jiaaaicm.exe	33
PID 2708 wrote to memory of 2596	2708	Jehbfjia.exe	34
PID 2708 wrote to memory of 2596	2708	Jehbfjia.exe	34
PID 2708 wrote to memory of 2596	2708	Jehbfjia.exe	34
PID 2708 wrote to memory of 2596	2708	Jehbfjia.exe	34
PID 2596 wrote to memory of 2028	2596	Jifkmh32.exe	35
PID 2596 wrote to memory of 2028	2596	Jifkmh32.exe	35
PID 2596 wrote to memory of 2028	2596	Jifkmh32.exe	35
PID 2596 wrote to memory of 2028	2596	Jifkmh32.exe	35
PID 2028 wrote to memory of 2116	2028	Jaaoakmc.exe	36
PID 2028 wrote to memory of 2116	2028	Jaaoakmc.exe	36
PID 2028 wrote to memory of 2116	2028	Jaaoakmc.exe	36
PID 2028 wrote to memory of 2116	2028	Jaaoakmc.exe	36
PID 2116 wrote to memory of 1100	2116	Jhndcd32.exe	37
PID 2116 wrote to memory of 1100	2116	Jhndcd32.exe	37
PID 2116 wrote to memory of 1100	2116	Jhndcd32.exe	37
PID 2116 wrote to memory of 1100	2116	Jhndcd32.exe	37
PID 1100 wrote to memory of 1144	1100	Kpiihgoh.exe	38
PID 1100 wrote to memory of 1144	1100	Kpiihgoh.exe	38
PID 1100 wrote to memory of 1144	1100	Kpiihgoh.exe	38
PID 1100 wrote to memory of 1144	1100	Kpiihgoh.exe	38
PID 1144 wrote to memory of 1200	1144	Kkajkoml.exe	39
PID 1144 wrote to memory of 1200	1144	Kkajkoml.exe	39
PID 1144 wrote to memory of 1200	1144	Kkajkoml.exe	39
PID 1144 wrote to memory of 1200	1144	Kkajkoml.exe	39
PID 1200 wrote to memory of 800	1200	Kghkppbp.exe	40
PID 1200 wrote to memory of 800	1200	Kghkppbp.exe	40
PID 1200 wrote to memory of 800	1200	Kghkppbp.exe	40
PID 1200 wrote to memory of 800	1200	Kghkppbp.exe	40
PID 800 wrote to memory of 2204	800	Koelibnh.exe	41
PID 800 wrote to memory of 2204	800	Koelibnh.exe	41
PID 800 wrote to memory of 2204	800	Koelibnh.exe	41
PID 800 wrote to memory of 2204	800	Koelibnh.exe	41
PID 2204 wrote to memory of 1160	2204	Lklmoccl.exe	42
PID 2204 wrote to memory of 1160	2204	Lklmoccl.exe	42
PID 2204 wrote to memory of 1160	2204	Lklmoccl.exe	42
PID 2204 wrote to memory of 1160	2204	Lklmoccl.exe	42
PID 1160 wrote to memory of 2212	1160	Lkoidcaj.exe	43
PID 1160 wrote to memory of 2212	1160	Lkoidcaj.exe	43
PID 1160 wrote to memory of 2212	1160	Lkoidcaj.exe	43
PID 1160 wrote to memory of 2212	1160	Lkoidcaj.exe	43
PID 2212 wrote to memory of 1124	2212	Lkafib32.exe	44
PID 2212 wrote to memory of 1124	2212	Lkafib32.exe	44
PID 2212 wrote to memory of 1124	2212	Lkafib32.exe	44
PID 2212 wrote to memory of 1124	2212	Lkafib32.exe	44

C:\Users\Admin\AppData\Local\Temp\98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe
"C:\Users\Admin\AppData\Local\Temp\98222fbdbe9d3ec83dcda9d50b788d9210550630784276f71965cf4ee22504c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\Inajql32.exe
  C:\Windows\system32\Inajql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Igioiacg.exe
    C:\Windows\system32\Igioiacg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Iiodliep.exe
      C:\Windows\system32\Iiodliep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\Jiaaaicm.exe
        
        C:\Windows\system32\Jiaaaicm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Jehbfjia.exe
        
        C:\Windows\system32\Jehbfjia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Jifkmh32.exe
        
        C:\Windows\system32\Jifkmh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Jaaoakmc.exe
        
        C:\Windows\system32\Jaaoakmc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Jhndcd32.exe
        
        C:\Windows\system32\Jhndcd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Kpiihgoh.exe
        
        C:\Windows\system32\Kpiihgoh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Kkajkoml.exe
        
        C:\Windows\system32\Kkajkoml.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Kghkppbp.exe
        
        C:\Windows\system32\Kghkppbp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Koelibnh.exe
        
        C:\Windows\system32\Koelibnh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lklmoccl.exe
        
        C:\Windows\system32\Lklmoccl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lkoidcaj.exe
        
        C:\Windows\system32\Lkoidcaj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lkafib32.exe
        
        C:\Windows\system32\Lkafib32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Lnaokn32.exe
        
        C:\Windows\system32\Lnaokn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Lkepdbkb.exe
        
        C:\Windows\system32\Lkepdbkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Mcendc32.exe
        
        C:\Windows\system32\Mcendc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Mlnbmikh.exe
        
        C:\Windows\system32\Mlnbmikh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Mdigakic.exe
        
        C:\Windows\system32\Mdigakic.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Mhgpgjoj.exe
        
        C:\Windows\system32\Mhgpgjoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ndpmbjbk.exe
        
        C:\Windows\system32\Ndpmbjbk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Nnhakp32.exe
        
        C:\Windows\system32\Nnhakp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ngafdepl.exe
        
        C:\Windows\system32\Ngafdepl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Obamebfc.exe
        
        C:\Windows\system32\Obamebfc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahjldnpp.dll

Filesize
7KB

MD5
d31868b9615b1cbfec13fc3a54f2fd5b

SHA1
629fec4ff510a9ae61dfb59a7a6ad23e66d27749

SHA256
2b67517dcfd7e0ac21f302ca137d05b05082b5e7fe3e938fd1a229b0ed5019cf

SHA512
3c6ba0556e04d5ed527273b9b8be785a4c375adfc05bfe703872d9720255867c9eb015038aca40dfecadeb4e4bf37b93f59dfac9298341179a20041600b76508

Download Submit
C:\Windows\SysWOW64\Inajql32.exe

Filesize
108KB

MD5
3d5f77e8ad445789bbcaa39d2ec2803e

SHA1
41d566298db30364b03054dceebf727a998c27b6

SHA256
5ad3351bb6ac835d459d791a17fd07ae909b59d5b8c1e2c7dd0b983b899eb1b0

SHA512
3be37a3ef2e0da6d6f6beb8da343dea624ccd9cbce8487f7c80d76d4af2b71f2ac51ae3efd280b826ab1cb845f7c6e87a489f50f6822ac484d1d2c35e6833841

Download Submit
C:\Windows\SysWOW64\Lkepdbkb.exe

Filesize
108KB

MD5
6a8a2a45797f8692b878427ecf65a3d8

SHA1
fe6897a04ca7882c529e138b0da6a490bfe99755

SHA256
4f0e62b59fec616068856c5294bf820bc53d3f375e94521e472cc14d0efc45c4

SHA512
e17bfe19121c2272d76c9a69b292a384155b7165031dc42e6cdc1b0b4923e504ee3f30d733b755c380be860717328bf8419a9068102957b026e141833f7850b9

Download Submit
C:\Windows\SysWOW64\Mcendc32.exe

Filesize
108KB

MD5
b0c8ef24b9a4ba8b1f82af503c144e65

SHA1
d285af49becf4634a2e5f34ee9ba1a452f6b9085

SHA256
88ee34848ccad88de6d75b4d59597bd434fd1873fc3ff1555335ee025899df54

SHA512
5a4c51e99d9504b426db7a44a2eb73b1972ade8e9f0d92bcc562b13783701208a3dd85d21a8eb3ae3d3a714d973081d8c189378e707f7336e09eea2e98322e6d

Download Submit
C:\Windows\SysWOW64\Mdigakic.exe

Filesize
108KB

MD5
6310a8caa312cd8e5ae266ccf39b60bf

SHA1
dc4af28cc1ae4bf7bca04bac6acb2cf467c2aff2

SHA256
6d5d9f063fa4ab43ad3430dc67da7b9af56df493cdaf888b55bf8739aa4faec0

SHA512
632421e8df87b84a2816a5bce1ddcd9a3cb126003ace824169c99329e84663aa92b6eb1d839ea5a460006d919c2890f350b7866eb8a4b576ef719f3122061ddb

Download Submit
C:\Windows\SysWOW64\Mhgpgjoj.exe

Filesize
108KB

MD5
a6360c533714b0a53759ae964f2e79d7

SHA1
3f4aa275d00606ce6d4995d6dc562a8daebe7234

SHA256
8555fa24e344bfe575922fe7f992428f8a3dc13f187ed140c168f9dec2dc7e66

SHA512
520463928dbbc3a367dd03ebeec190631bb15232f89d45844af7d678cd4a388a24b4d766ca5c464a7d67d80dfc70d5273c0499b3e27b1b87491d0149f41d5e7b

Download Submit
C:\Windows\SysWOW64\Mlnbmikh.exe

Filesize
108KB

MD5
e35cfac6c96836e6c2900760f9948e34

SHA1
3f758499749a328969efb52f64151b736a3ee8be

SHA256
1002370a671ced467d9f91c757dade885f81c289297da5ed5d6a4460867bb24e

SHA512
72cdfe693e5140f378b9bb3557b61b69e46f025995ea1850c474e087d2181cf60bf6af811580b2b5a4f9b78145cbe54d2a03e316328068eea3ad3a18860b1834

Download Submit
C:\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
108KB

MD5
050ff699aa9862f78976f71c3a13ebad

SHA1
3517dc2173cc4a7400371aade7adfbe783890b61

SHA256
6acf36bbff48be5c62e5ec2cf40e176691f8b3284a1abad47fecf33a2eff37d6

SHA512
15e3b80d812836cfb95fd537f47afd78bbeb414f40c22f3efde5b0a3150b01a992397f2f43d43f21a26ee2941525474b7b047ca16265a3cf46257a8e904f84ff

Download Submit
C:\Windows\SysWOW64\Ndpmbjbk.exe

Filesize
108KB

MD5
9656f2cbe2e59f35fe10365245b95934

SHA1
c2431ea700657434bc3403ab295da72067d6837f

SHA256
f3bdeebffe6c933d1461a168f3360837ebb4166350ae605d3bd4069ed6d61b7d

SHA512
5519aae8fc643fa8ebb2b6efe838d628eb8bff7120cc07213689343da423890ee7c58714b3685040e28c1a1336de12acc938c60341389024d153872f639dd452

Download Submit
C:\Windows\SysWOW64\Ngafdepl.exe

Filesize
108KB

MD5
16a1f73d86d643ad2b691ced7052100c

SHA1
f93c0087a2e5515f3e59273e3566be4173d70280

SHA256
97a56fdd1879c46dd2731248babcb5cccaf68bf1745f586091dee626d23471cf

SHA512
4988c6c9a4928450d70a1d3ce44edf5fbc03c52380af9557bab72c86d03538187153a574baeb09878ee71af266f98f813c12b9d772320a2ee69079b7e9b00e67

Download Submit
C:\Windows\SysWOW64\Nnhakp32.exe

Filesize
108KB

MD5
92997fe39deac8d0a3180882636fd352

SHA1
f2bbb8c67dce0be312b199796a82c0b8343a4f11

SHA256
c80018bd86bfa937b7c8adb0d88f680c6f513e6673567ff58a065cd64c9bd748

SHA512
d30d60361bc8c5b974679bb3e5f9670b624ed6fa19143ed9d50f4be18892932b4b629b017b4a3c71999dec4e88dc1f9a8fac5c02acfd0e0a8533647fe6e8f8d4

Download Submit
C:\Windows\SysWOW64\Obamebfc.exe

Filesize
108KB

MD5
0d8fbcacd482820fa1c0a6f39987fa4e

SHA1
e8e1657094ea38e5fb54b7139b377dce2cc07cfc

SHA256
fca84eb48c1066448a4516904e5c232e6c68e83693f7fe865933110041c76348

SHA512
8b07090112e6c9e914e4bbc46247aa62fbc41e09657acecee0e493d0928494c46313d27e0d58b546606668c9b306147dacaef5875facf7e6e8073045c548552d

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
108KB

MD5
802b60cf95d05a45632b50910ee5493d

SHA1
8d511da2946a941c66c29ae4609f320142f7e102

SHA256
48ea6f9a8bb64903ee02c35d266a1199a21e427900e73728e5d30e4b94f09d7d

SHA512
bf38376a8fe0a31aa5855c23a3578d0e5797b59970dd944eb71d63866abb33773c966f4405a28a240ae9f6451ca5d21545d6ff0c78538eeedbb7c8dba585fbd1

Download Submit
\Windows\SysWOW64\Igioiacg.exe

Filesize
108KB

MD5
1604911e0e7dcb029f70529dc3ac5948

SHA1
b2c790bc1254519c5edf4f84c5761e8ffd9ed76a

SHA256
59b533362f826f564d95a0d6e8186a67d9363d32f499c624c8bcad096ed20af9

SHA512
77aeaec04c8afd2ea49aee26f3b8226e678c4d855f99aba18e2dcf6c719fcac3b2bf42f0ba76980bd0d29faf46b6b415c1f66db8e694d1b18d9baee8df54de26

Download Submit
\Windows\SysWOW64\Iiodliep.exe

Filesize
108KB

MD5
b3db1d5766a1d1fd9add3ffa465ccb1f

SHA1
b7a2a227f11f8961738482322d4b674b161abe8c

SHA256
347e2eacbff35fa4e7336f6413a5ac5bd69320104781c3eccfd98d52e5cb24e7

SHA512
651211c0aa8ab3366f17ccb2c21d08b6079eee59590ebe854f32d1bb7f64d9d5d9370ed4a9c0fbe700b9acaa7e7eebdcc9626731c1f6a6c4ea0f6cb8c57f0b45

Download Submit
\Windows\SysWOW64\Jaaoakmc.exe

Filesize
108KB

MD5
2bd49bb30e6ac5a9444fc86d1c412d6b

SHA1
d6b5bbb8aa6ac1fd201e4517120551ee49a820a2

SHA256
064b1d33e0abda9a455bcdaf5dbf4ba3e97ccb58b725aef45f4bdb0aaaa8144f

SHA512
facfa49757f57ce6e890583ccd2e5a9667bdbf4c43955a2ddae60aaef49112278db1bf5675f5760556f0547db9bc5209b5f158dbb1356e3ef862d08e6d1b4616

Download Submit
\Windows\SysWOW64\Jehbfjia.exe

Filesize
108KB

MD5
c3f3905ff80a928686932f6f41749bef

SHA1
534bb276ecf92d4871f872d19a6a59399e8afc18

SHA256
8f159079b881f5bd5d7dce84b27ca5ae417363832147d9d234b49de5919bbf60

SHA512
ca40554d089f991b0bc90b04486ba6a3a2f0b58d4bf3dd2e18bc8072cc2059693e98f94b620f1e04ded99b1ebe673ba8fe8a156e37870f1b0d91310dd92444f3

Download Submit
\Windows\SysWOW64\Jhndcd32.exe

Filesize
108KB

MD5
13c89ae16ccf4d915fb40ce99d95d5ae

SHA1
c754728279c84b4a449ad43cff8da545af37247c

SHA256
6552a453772ed509790efcb5c1a8fb17513505fea0aa3376a733ce48e6e38b3c

SHA512
7978b84158fff3a70e68eff927dba2fe5233fbd5a13e5c5278885496e9ef2a0a2d56318d70e463ad59519343170a845ced3e893c7eee9d9cd9536b8d09a0d828

Download Submit
\Windows\SysWOW64\Jiaaaicm.exe

Filesize
108KB

MD5
80abbb3acd2f51279a8708fa800bf8d6

SHA1
0721d0d12479bbd8e5854d844ec1d8ac9c11d021

SHA256
6a7f35c9aa5c6dd43c3e344d03ed4d8591750b9b4c6fbd2e49a2b37d5903bf44

SHA512
e626a7d590410a02bffcce766affc2769ed90f9c1da0164727a16b7230355cef3dde2ebdd07c1a0398468c713b4c0ad1ec320f8a336b45a87f4d157018c6549a

Download Submit
\Windows\SysWOW64\Jifkmh32.exe

Filesize
108KB

MD5
d53873696c0622ed8e23a47453345eb2

SHA1
ece554174583ae88202ff9561479251c955f61b0

SHA256
d526fb8b0c03182303ae00c2b983126d72b827fa7da0b9cbf39f8aadbd03fe88

SHA512
8fc63b5e76c40e99367b95461125c8b4e4cdd5b55d70135a8d6c00c270f359317dbac191a3b502a9ccd69b158f6e7f7ca59d95f42bdac2f6f8aaca3776a58129

Download Submit
\Windows\SysWOW64\Kghkppbp.exe

Filesize
108KB

MD5
0a9d6102c5e67481c62393acdfa2fc2d

SHA1
859068c27b5dd56f5cf6f06e41264e099c3b047c

SHA256
f45ca991ea8d557d16269347f967b71a8256f453c5f21b91f10baf95593d7643

SHA512
f012630e059a58c4a5a3df6b480754c7e619b44eb725e063ae42f3b3222c7fed57ff28fdb607c662de4de73584e2355bfa1ab5c150dd7449962bc773dbe359d7

Download Submit
\Windows\SysWOW64\Kkajkoml.exe

Filesize
108KB

MD5
523d669bf26d8cb440c73fb290bb7555

SHA1
9f200166fb8165cf5de40d1bdddbdf0de163800e

SHA256
ffb7fa275eaeb09f4ad345067f9ad59ef46b12d9f7df46dbcd475c6f5c1dae04

SHA512
c1c7b1ef95522cbf16b9275c340ecbe8ffd11e7c52c2c4fa4f236b369f18f1d7d06e992b1fdf40263773720f68c8ae24fa40353b0283795264c9e8d91e758225

Download Submit
\Windows\SysWOW64\Koelibnh.exe

Filesize
108KB

MD5
73bf80165f27e512198c860b6974f145

SHA1
1368f1bffdc9baf46d5e34af59c4259e97f3906d

SHA256
5bf6afcfa0b65bad37610e5e864d7cf0b5572e824307a7fb9ad1c93c0d70d93c

SHA512
86e15d681c158339cd8a07bdc2fc7fdec6767bcd896037df3f2dc8a2a7410a6290c9c2513d388568636f93bd108e5acccedd8309c3057d4a8431b1277b0153cc

Download Submit
\Windows\SysWOW64\Kpiihgoh.exe

Filesize
108KB

MD5
ec487c3a3b695d8bed43885ff2041330

SHA1
c33bae4a60c2cca1e5fa7e5c04a0be5f6df78663

SHA256
bc0677e50d7188627a79ff5506e095252875adeaf4f2c06f558156eb0aac3c0a

SHA512
d3fbfc54845d49e28a80d3e5858706cc808ffc655f57ba298c4329cc40e06c540c442e16bf98d1f3618f8cc8f881067ec8b7c4e7ac52d3029cc38207183f7913

Download Submit
\Windows\SysWOW64\Lkafib32.exe

Filesize
108KB

MD5
6462666c9b6dcfc06a5086c4de0e86ce

SHA1
10250c1507a5c0ea01306c5dfe0341092cdfc74d

SHA256
94702572684aba5f6ba3284ec00013c7df255a6034249b198bc3d54f515f321d

SHA512
e61e6b614713ac01668f96d9dbec3cb35cf0b18cf8ed62577fa6d494165be539d636e560d4b541ab543f73aa4e9881b6aaff87aa41c48210bd7b266ed591a1e5

Download Submit
\Windows\SysWOW64\Lklmoccl.exe

Filesize
108KB

MD5
6e4e4955c732c342a73b8b343942b2c8

SHA1
4ca954ba6bcb330a4b4b36dfb56a595096a2386d

SHA256
e880dc78889ccffe797c1e98d3bf9f03637f8dc3cc273cf20b635f8e26ef640f

SHA512
fbf13dd1e0a84b9e80f6a5149a835311a68042815961bad45cdbffad1fce7ae711536d45990e399e602db0c8ac355c6e8d64d405cfc49c5bc058942aa912a0af

Download Submit
\Windows\SysWOW64\Lkoidcaj.exe

Filesize
108KB

MD5
93c476f5d5bfbc49629726cb55f2e1b5

SHA1
75d1f40a4742d7d0c220aa51241fee3ce85dbc17

SHA256
fac1fdfab070a34bce60b11070e96d5e9db1002c54e55118d3571297ad0c3be8

SHA512
b7699567aea162909862ea0bc1cd40cb15a8292151fda65a8213e695cba576516e802c0aa5c0fbf44024e09a3fbd19fdc72d55b3c719329c28d75b837776b82f

Download Submit
\Windows\SysWOW64\Lnaokn32.exe

Filesize
108KB

MD5
c2157355c352b2d188511415f7537db8

SHA1
1cedfbf997ef195c5c28785e0c16a6cb306dfe55

SHA256
326712ca15d10f03e31da502372649c92a15f6de9f78586ade029f7a47e6e71b

SHA512
3a82db01212db64a973cbc5f8de9d09dd5cd4e35143e3b99f1e6260d3dbc6082ed2936cd4c28957b1b6092e530d33f945ba1ce104a76c2788a0995224ecdf3df

Download Submit
memory/556-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-296-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/556-300-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/556-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-289-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/920-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-288-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/920-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/948-277-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/948-278-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/948-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/948-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-130-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1100-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-136-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1124-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-322-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/1132-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-321-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/1132-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-145-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1144-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-201-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1160-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-162-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1576-333-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1576-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-331-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-332-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1644-234-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/1644-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-235-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2028-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-104-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2028-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-117-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2116-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2128-245-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2128-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2128-244-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2204-184-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2204-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2204-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-311-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2292-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-307-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2388-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-13-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/2388-12-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/2524-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-267-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2524-266-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2524-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-255-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2564-261-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2564-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-78-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2752-65-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2752-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2752-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2752-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-27-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2804-24-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2804-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-41-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2944-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-51-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/3004-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads