berbew | 0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45a

Analysis

max time kernel
112s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/09/2024, 15:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Size

337KB
MD5

f0a6521c7cb003746da4b74485a12e70
SHA1

136fa9dd8cf20c4c7908a7955ce79ced7834f680
SHA256

0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45a
SHA512

e57b7d3287722406e465e6f15c97d714fd2af4c13bc6d49cf81b35008cb39d32b99c4ed79a7c09ec3f5459949ce73b757ef7f582c705646f9c02b6dd92357656
SSDEEP

3072:sBst1m+8UNmExgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:sK1maNrx1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 26 IoCs

pid	Process
2376	Jmfcop32.exe
2776	Jcqlkjae.exe
2724	Jpgmpk32.exe
2764	Jipaip32.exe
2624	Jplfkjbd.exe
2360	Kbjbge32.exe
1844	Keioca32.exe
3056	Kjeglh32.exe
2052	Kbmome32.exe
2824	Khjgel32.exe
2620	Kfodfh32.exe
2916	Kadica32.exe
2340	Kdbepm32.exe
848	Kdeaelok.exe
2356	Kkojbf32.exe
972	Lmmfnb32.exe
1016	Lgfjggll.exe
796	Llbconkd.exe
1584	Lcmklh32.exe
2104	Lifcib32.exe
2272	Lpqlemaj.exe
1992	Loclai32.exe
2304	Lcohahpn.exe
1460	Liipnb32.exe
2148	Lkjmfjmi.exe
1456	Lepaccmo.exe

Loads dropped DLL 56 IoCs

pid	Process
2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
2376	Jmfcop32.exe
2376	Jmfcop32.exe
2776	Jcqlkjae.exe
2776	Jcqlkjae.exe
2724	Jpgmpk32.exe
2724	Jpgmpk32.exe
2764	Jipaip32.exe
2764	Jipaip32.exe
2624	Jplfkjbd.exe
2624	Jplfkjbd.exe
2360	Kbjbge32.exe
2360	Kbjbge32.exe
1844	Keioca32.exe
1844	Keioca32.exe
3056	Kjeglh32.exe
3056	Kjeglh32.exe
2052	Kbmome32.exe
2052	Kbmome32.exe
2824	Khjgel32.exe
2824	Khjgel32.exe
2620	Kfodfh32.exe
2620	Kfodfh32.exe
2916	Kadica32.exe
2916	Kadica32.exe
2340	Kdbepm32.exe
2340	Kdbepm32.exe
848	Kdeaelok.exe
848	Kdeaelok.exe
2356	Kkojbf32.exe
2356	Kkojbf32.exe
972	Lmmfnb32.exe
972	Lmmfnb32.exe
1016	Lgfjggll.exe
1016	Lgfjggll.exe
796	Llbconkd.exe
796	Llbconkd.exe
1584	Lcmklh32.exe
1584	Lcmklh32.exe
2104	Lifcib32.exe
2104	Lifcib32.exe
2272	Lpqlemaj.exe
2272	Lpqlemaj.exe
1992	Loclai32.exe
1992	Loclai32.exe
2304	Lcohahpn.exe
2304	Lcohahpn.exe
1460	Liipnb32.exe
1460	Liipnb32.exe
2148	Lkjmfjmi.exe
2148	Lkjmfjmi.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Keioca32.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lifcib32.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lifcib32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Lkjmfjmi.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Loclai32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Loclai32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jplfkjbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	1456	WerFault.exe	55

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekhhnol.dll"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgfjggll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe	30
PID 2188 wrote to memory of 2376	2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe	30
PID 2188 wrote to memory of 2376	2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe	30
PID 2188 wrote to memory of 2376	2188	0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe	30
PID 2376 wrote to memory of 2776	2376	Jmfcop32.exe	31
PID 2376 wrote to memory of 2776	2376	Jmfcop32.exe	31
PID 2376 wrote to memory of 2776	2376	Jmfcop32.exe	31
PID 2376 wrote to memory of 2776	2376	Jmfcop32.exe	31
PID 2776 wrote to memory of 2724	2776	Jcqlkjae.exe	32
PID 2776 wrote to memory of 2724	2776	Jcqlkjae.exe	32
PID 2776 wrote to memory of 2724	2776	Jcqlkjae.exe	32
PID 2776 wrote to memory of 2724	2776	Jcqlkjae.exe	32
PID 2724 wrote to memory of 2764	2724	Jpgmpk32.exe	33
PID 2724 wrote to memory of 2764	2724	Jpgmpk32.exe	33
PID 2724 wrote to memory of 2764	2724	Jpgmpk32.exe	33
PID 2724 wrote to memory of 2764	2724	Jpgmpk32.exe	33
PID 2764 wrote to memory of 2624	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2624	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2624	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2624	2764	Jipaip32.exe	34
PID 2624 wrote to memory of 2360	2624	Jplfkjbd.exe	35
PID 2624 wrote to memory of 2360	2624	Jplfkjbd.exe	35
PID 2624 wrote to memory of 2360	2624	Jplfkjbd.exe	35
PID 2624 wrote to memory of 2360	2624	Jplfkjbd.exe	35
PID 2360 wrote to memory of 1844	2360	Kbjbge32.exe	36
PID 2360 wrote to memory of 1844	2360	Kbjbge32.exe	36
PID 2360 wrote to memory of 1844	2360	Kbjbge32.exe	36
PID 2360 wrote to memory of 1844	2360	Kbjbge32.exe	36
PID 1844 wrote to memory of 3056	1844	Keioca32.exe	37
PID 1844 wrote to memory of 3056	1844	Keioca32.exe	37
PID 1844 wrote to memory of 3056	1844	Keioca32.exe	37
PID 1844 wrote to memory of 3056	1844	Keioca32.exe	37
PID 3056 wrote to memory of 2052	3056	Kjeglh32.exe	38
PID 3056 wrote to memory of 2052	3056	Kjeglh32.exe	38
PID 3056 wrote to memory of 2052	3056	Kjeglh32.exe	38
PID 3056 wrote to memory of 2052	3056	Kjeglh32.exe	38
PID 2052 wrote to memory of 2824	2052	Kbmome32.exe	39
PID 2052 wrote to memory of 2824	2052	Kbmome32.exe	39
PID 2052 wrote to memory of 2824	2052	Kbmome32.exe	39
PID 2052 wrote to memory of 2824	2052	Kbmome32.exe	39
PID 2824 wrote to memory of 2620	2824	Khjgel32.exe	40
PID 2824 wrote to memory of 2620	2824	Khjgel32.exe	40
PID 2824 wrote to memory of 2620	2824	Khjgel32.exe	40
PID 2824 wrote to memory of 2620	2824	Khjgel32.exe	40
PID 2620 wrote to memory of 2916	2620	Kfodfh32.exe	41
PID 2620 wrote to memory of 2916	2620	Kfodfh32.exe	41
PID 2620 wrote to memory of 2916	2620	Kfodfh32.exe	41
PID 2620 wrote to memory of 2916	2620	Kfodfh32.exe	41
PID 2916 wrote to memory of 2340	2916	Kadica32.exe	42
PID 2916 wrote to memory of 2340	2916	Kadica32.exe	42
PID 2916 wrote to memory of 2340	2916	Kadica32.exe	42
PID 2916 wrote to memory of 2340	2916	Kadica32.exe	42
PID 2340 wrote to memory of 848	2340	Kdbepm32.exe	43
PID 2340 wrote to memory of 848	2340	Kdbepm32.exe	43
PID 2340 wrote to memory of 848	2340	Kdbepm32.exe	43
PID 2340 wrote to memory of 848	2340	Kdbepm32.exe	43
PID 848 wrote to memory of 2356	848	Kdeaelok.exe	44
PID 848 wrote to memory of 2356	848	Kdeaelok.exe	44
PID 848 wrote to memory of 2356	848	Kdeaelok.exe	44
PID 848 wrote to memory of 2356	848	Kdeaelok.exe	44
PID 2356 wrote to memory of 972	2356	Kkojbf32.exe	45
PID 2356 wrote to memory of 972	2356	Kkojbf32.exe	45
PID 2356 wrote to memory of 972	2356	Kkojbf32.exe	45
PID 2356 wrote to memory of 972	2356	Kkojbf32.exe	45

C:\Users\Admin\AppData\Local\Temp\0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe
"C:\Users\Admin\AppData\Local\Temp\0d6c39dd3c7a68207e52188e1b00e8df83d3483b24a442869e43c5874386f45aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jmfcop32.exe
  C:\Windows\system32\Jmfcop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jcqlkjae.exe
    C:\Windows\system32\Jcqlkjae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jpgmpk32.exe
      C:\Windows\system32\Jpgmpk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
337KB

MD5
fb727dd6422902e618f27be37d6af88a

SHA1
19cba0465751904a4e3ddf1313cfdb88a2d201cf

SHA256
65e6e4119725ca8db143e2ee125ba06a9eb8a6646d7e94f614563147cd486a05

SHA512
f70b211e626cdfe08650712ccc1ef90506f98d635a92446d63f2e90320ebab70970313fef047ed6bac19be48fbf746f1d7b3a1e38a69c9bf5a6483d671507cd4

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
337KB

MD5
4b7f634a015bd78e0616cb4996c28158

SHA1
ec19d314b13d6090752525bc2c27366e59f3eedb

SHA256
36c952f0dafc5e9af1a93911b15100ae455cc83d2b7b3ed2b814423292422600

SHA512
3f8d9a9acc3fa4a3838a24873bc85936b800db30d1970934520572573d8d117ac9ff6bf4b1fde78d01bf87bd7995dbf2c8245295d6cde909417ba17c68747718

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
337KB

MD5
901ab1f7a46b7c3a412743a314015dbe

SHA1
d4c5d0182d2bcf04a90216e88d0bc4d6e52054c8

SHA256
f263596c5baa09b5c129d20f5224cfd5a17bf90cdffe06cacb5c9b252fc7e7ae

SHA512
8e175da3daff3b417711d6d9ac474a8c61c6f467f5013903713b106f1d60a5ddf96d6b2adcc95855fdbc38fd909e8fd59c054f94cff1814c73d86f6e781dbe5b

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
337KB

MD5
3f675fef943f9084a4600a6c973945f0

SHA1
9780b6700a3636e36e9c4d90495ade5c5671c821

SHA256
c18ce0c31c8e0d3fd98a58906cb226194fb51181f05f98b9c3c241a854fd1766

SHA512
eba2555192764bfcc8ab22ac2e20388974aa9091c27bd6c0f3874461cda118ff2722b3de008e06319b92adcb4c0fbcc020f0f778486e054fcf7f92138b0bd52e

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
337KB

MD5
6c0f3ab6b1e49a2fde8fa08bf45cd2a4

SHA1
f13f613d1f2582aa6b4f8615022ff172ffe4a0e8

SHA256
fbcfe8ed339d31bc33701a9cae87ebde9ca0fa9facdc6e0d645bdbf2b4d7695e

SHA512
498f66eaaa5e490fbd633ebb85e452e6d6bd5078923582d411d16426cb3d5db37c1fedce13cf75e03b244ca7c7abad718cd1077a58c9abfadd5ee66968638878

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
337KB

MD5
62bd501fdc2f3b2d86dcb6c4689de729

SHA1
4bc7c0fdbfa35f70febf33f81454bfe084adabc7

SHA256
01dd724bb1462d09ab01d753763b8c889b6e7cc5c210cb2e8f7708a5ab31d6ad

SHA512
af05cb2f8d2e1f935375b8d4fe216a096f484af5abca7200f308580fa6a20284b5e7fde6303f083a8d6e59f9198612c05c81053a2ec4dc87412874f64e173332

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
337KB

MD5
0af24b059513b6c7c52172df22930459

SHA1
dc07487c11c1265d825183c3a66646400662e6cb

SHA256
808315cee11e48962401b4aecdc54f400921815b827a530789e6f50709f82bc9

SHA512
5d26bd6bcfd685fea5eeed569f7ae2ff8f800146f9112e4ca88faf47c842c2b9881ae01476db353ca007ce60c2a560846983092069a573fbd46acd0cb70a9ce7

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
337KB

MD5
aab6441df0474bb5d49f7be278e44851

SHA1
571086bf83ee476e400d757cffa57b4f4e818935

SHA256
08dfd2108e7f7d8fe744cc749614b9e125be447dfb0368821c13674613f2ec88

SHA512
4b2ad3f1136f4ebfbc70875e1328d4aaf58fec73ba8a1f3d9250528a2b95fe600a3704c233052346591ab0d6262001b13cf521406446530e8bd37f41c20eff70

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
337KB

MD5
ea6156629f7b16e99747441c7acf14bc

SHA1
a711aefe719cd9bf28b96f64f6b6519a0d5d504c

SHA256
5cb67448819f9b021bb1f3ad4ceae76f329ef0c7edada96b08b4445315d824a8

SHA512
5fcfbb364f65005f21e2c4d37781eaba98f1124f70bfabeaff0155b95495bfc1a7be10b93361925f8e804d4e6494273cf8aa5fd06c66a5106991ae612bc71ba8

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
337KB

MD5
c4375677ec2eb83eb37bde4093de8b83

SHA1
c8586c5aa89b8daa881f9807816ef06aa19c54f1

SHA256
55f0fc23d7c548ffa43418605d19101ddb661a71fb0d631377b4b0eadb10b0df

SHA512
40a64ea7c01b405dbdd9ed4f8463e5a39810d7adacea04cadd029f2217a5d5d147c88922da4190f5233e84e0c61fb461856f6d1e876eef9c9da4c6cccdd7941f

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
337KB

MD5
d8808721eeaa01fc733c7e97a8857cab

SHA1
26b8e998e4e278f7c430db15bd88dbdec09ca171

SHA256
f481e04514f40cbaa2f21fb9209b7531e1caf310efc6dd174cb230eb5ac3c62a

SHA512
eb050cf9b9ee771c5e703d2b395bd5d4ae0894dd9a75ecf62b8acb0e9759e193a6081a7708a9116c600e29bacbaa899c20dee6d9e38de7cc6cff7d0d3f72d8cd

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
337KB

MD5
a7296326ee9602a6927df739b00871a0

SHA1
99fbd6082860c99483fc35168c2a08c35c67e528

SHA256
03fd21ed3c8071dae0398d99f1992a5d4ca4ddf83387200228ce469f0f2db061

SHA512
5e4a5e0092469ba2ec8c322066773ba5edcdaa4e6226d84853114cecf542912a2fdff0a5fda5797546134390c671ee7b5f415a1ae361a3f65e5a1dc0479c1f2e

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
337KB

MD5
8515684c3fb6987324042a7815e5e13b

SHA1
23a865aed93af080cea6e973df856ffb09b93510

SHA256
0912d657e5a1564bf7b065e64e91882c824200021101618a0099c1bf2a0356b9

SHA512
7b4956283929e5c05d03fd0dc562038a9d592da92f202348750cb108ef9e070d9bef813d4350804e72184f46af26bd3f4dc0211f3daf50b79dd54528f550890e

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
337KB

MD5
e3247f2e914c3dd0a9fdcf84576b8b13

SHA1
a28df0f4d2e230159d18f959445c941cefd2e81e

SHA256
2a083b36a769334dd9a83332967fb69b58c0ab2181a67c97a57d6c9b8d4db523

SHA512
2c280b1df9e51f1cc5437fe02bc21d3e59e84c8b426a3c4bf3c18a0533b78d2702ac93737d81d5313e49380ede870cad04b906e321e8432c11506b1e60e48dc5

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
337KB

MD5
f405cd0e06ca4fbbc83b8bffbddd3e5c

SHA1
dd7ab42a06f962f22a7cc876cb35546efea62f49

SHA256
6524e8b58e9928384dc656fa234a5013fbfc9d5e1326eb8cd71654f5307c7cbe

SHA512
f78181deb41b9e89eb3ec7df702f0a7529ea7a418d965c936b9e6b430e736db8bdd159d2c475b60cc81fe9564d4c1260892f0ed75fdc2056bc710c790dce4942

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
337KB

MD5
cabb3676ead40dba800e7c31b98d87d9

SHA1
ff554ee51545cef8d2afd27df7b229ec25867496

SHA256
a24846bffeb5c5888026065393ae87b601ff347fa11a54ca2174fc698ee74df7

SHA512
63378167eb96a8503f4f7a5b514ac8d3ae557c962b6ee0c7dc012ab25d221fe6f05283bf450e0559c6177817d99d30f8c0e4349d120e87238c0a7aa27293333b

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
337KB

MD5
41feeec14234c21ba2a245ca87ad69a6

SHA1
d669e051520ed8c5910d0bdc40b1a7b2c6084f67

SHA256
a2504a33422a08868f8e248f0d4eb48a94425eaa647ecb61eb460cdcdf201bf7

SHA512
e0f2fd26568f09301e8f07b2f52b9a86b1c6207f6bec062480c54b8853f12bdea37720a5063df5ad94b55820c7f9dbfe81bd418e1934d0bb4355dca65e61fd3b

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
337KB

MD5
8ad626aeb154643f9b5327de6e581d2b

SHA1
cc2131e3ab3a9d66fad6548f65a4bac5251a3cd6

SHA256
b27e0fe0e9a85bc393c5e439e5f58ccff360b689df3ef5363966ac1ca22ddeae

SHA512
73963bef39ad95650dfbed4e993bef735ff05f377b8fb19ec5da6fbfab766de20405965ef2b909b253a3c6cbf9c52c349f960a0ceacbc12b36439481d77d4eb0

Download Submit
C:\Windows\SysWOW64\Lifcib32.exe

Filesize
337KB

MD5
f760ad070fb07429da6c48451423eb7f

SHA1
4e10b7e1d05b6d82487c4cf0f4fa6546e2a8ce2b

SHA256
e5948b4d5a6f28ab4465f17b5858b12b07e560108ccb8a4ed10b628f769f6f30

SHA512
1272f699d77c930267bc2bc4800f91b88894652480663f60789c4ddb28ed728271047a3900d66ac8d8f863ad617325f1c7f4cdfbf6a419b6c6f56fb72a702d4b

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
337KB

MD5
3c8b6712134a8b4aa57114e1345d88fd

SHA1
fb9abbf7859d5cf09c50a6b83b4ec9cc2bb30f0c

SHA256
0cec8787aa3024e8254af1cdacb488961e6a0f615c4def9394384d859af1324e

SHA512
6e0fe6b7908b55f9c37c76d75143d29514145d2eeaf39317bd80f4aab2f7cf53a2fdaa3e4825686af50f5c78715877177b042370cada03ccd47cf53b55da5c28

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
337KB

MD5
95ea859433e73107318a1e0e1659e8ce

SHA1
84596398335f298601363e24634cf9934ef1effe

SHA256
a75a4675117fac1332827d79298d5d989e1466844831ad5493305e7b31e8bd21

SHA512
1a2f806f7f023521ffe2438f29152614c767ca85fce9d3edf9fb59c845cbe8179f04cd0fad220168725d224efa232f28e116245f2941d75f3a5763d6f310e0eb

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
337KB

MD5
1fd74167d2d940d13f3b5297f24e87aa

SHA1
6d558759634d610b16af15f28c1d2b0d6979d22d

SHA256
2be19f1f12f2a72c70cb473db09a7b964c198f56aee712869b647a48ac4fba3e

SHA512
f909ae67d983bca8096c34b6c2beacf93566e0b334e55c58402da3a64cee13064e14d095053f89c1313e284ce29cd16d90a94cbe549a7902d9f11cc3fa2599e9

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
337KB

MD5
24a2fd144061415d90b4c97d2282e820

SHA1
505e8b8543a2fd180029e4939dceeedef94a872e

SHA256
0333edeca8da6bc121b9abd1691c8617a65896164d8f31c68ef439254246a5aa

SHA512
033ce0d9ae4637567df71b9048810bc6d0de795d67e26d4219312315f83fc023854fb3a2305b36dd3080f553f19b4326749fa2a72e4989769b0f63dcf69e5288

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
337KB

MD5
9260eb6dfd390ef69cc8f1ba8fd7a300

SHA1
4325f7efe3083b39016627cf54cad554d0d6c15f

SHA256
1354541bde15d3b34bcc89c84237759b7d6c5709d5ac61cbf21a18bc167f8241

SHA512
9b0b9dc4890d4eee3b7ae72e54a90107704a6ab60a908d024ea25810b3bbf0b765838ada66801a4a427d9f539e927c863c5dc1971c5aa09d602240120ff95023

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
337KB

MD5
1e6bb55e1839773a8b2ce25b74890973

SHA1
bc1ab4c367b67fa99097c033f6d8ce55ea84e59c

SHA256
3274414bd7e10911d112794b33c736a0f73b19b7278d83840d4e9d99e98f875e

SHA512
a83e456d9c0653dec594e48fa3b9543807beed13abe76c6db21e2f9de3a6260feb65d84e8164af8b1de26c3726ed3c9daee4c975bb0405716666ddc956328a3e

Download Submit
\Windows\SysWOW64\Lmmfnb32.exe

Filesize
337KB

MD5
afc67ade6a77348e479c95b6c5a67a30

SHA1
6e6605263552e80f4897f91d7c8a592e63d12816

SHA256
c52f2cb0f32005fc8cfca3ce5c16cb7853fdca86a28fedff559660ed1a2af806

SHA512
7a1ead489a0ecbc4470d5f7f7bca7b407c34b409611c0bc3210b914f8c7320b9fb6f4f59db5ebf4099245736a7c69d3098afe4434581908ed51a550df4c2f301

Download Submit
memory/796-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/796-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-251-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/848-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-203-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/972-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-229-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1016-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1016-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-313-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1460-309-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1584-261-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1584-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-257-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1844-102-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1844-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-135-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2052-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-271-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2104-267-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2148-319-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2148-323-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2148-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2188-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2188-351-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2272-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-281-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2272-283-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2304-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-301-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2304-302-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2340-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-185-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2356-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-218-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2360-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-89-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2376-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-164-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2620-156-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2620-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-76-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2764-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-63-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2764-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2824-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-144-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2916-177-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2916-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-121-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3056-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.