Analysis
-
max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
09/11/2024, 15:23
Static task
static1
Behavioral task
behavioral1
Sample
2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Resource
win10v2004-20241007-en
General
-
Target
2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
-
Size
340KB
-
MD5
f548f840a90729b28eaf6ff633ce35d0
-
SHA1
15156eb856505532d1f8bca315a62b6827211b0e
-
SHA256
2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585a
-
SHA512
a9ddd5a6fe61b05dcc80a8a6b3d7bf48c1f90f7911a467324e3c7470c0d4db98d386304c8a7f59000e4ce53fdd81f4338cc8f8f8a6eac2207e83a2c45830b535
-
SSDEEP
6144:U/A8IyedZwlNPjLs+H8rtMsQBJyJyymeH:UUyGZwlNPjLYRMsXJvmeH
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmkihbho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhiddoph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhiddoph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leikbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loaokjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmkihbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdeaelok.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loaokjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lofifi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leikbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laahme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laahme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lofifi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfaalh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdeaelok.exe
-
Berbew family
-
Executes dropped EXE 9 IoCs
pid | Process
2688 | Kfaalh32.exe
2652 | Kmkihbho.exe
2808 | Kdeaelok.exe
2660 | Leikbd32.exe
2620 | Loaokjjg.exe
3064 | Lhiddoph.exe
2984 | Laahme32.exe
1860 | Lofifi32.exe
584 | Lepaccmo.exe
-
Loads dropped DLL 22 IoCs
pid | Process
2640 | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
2640 | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
2688 | Kfaalh32.exe
2688 | Kfaalh32.exe
2652 | Kmkihbho.exe
2652 | Kmkihbho.exe
2808 | Kdeaelok.exe
2808 | Kdeaelok.exe
2660 | Leikbd32.exe
2660 | Leikbd32.exe
2620 | Loaokjjg.exe
2620 | Loaokjjg.exe
3064 | Lhiddoph.exe
3064 | Lhiddoph.exe
2984 | Laahme32.exe
2984 | Laahme32.exe
1860 | Lofifi32.exe
1860 | Lofifi32.exe
2788 | WerFault.exe
2788 | WerFault.exe
2788 | WerFault.exe
2788 | WerFault.exe
-
Drops file in System32 directory 27 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Loaokjjg.exe | Leikbd32.exe
File opened for modification | C:\Windows\SysWOW64\Laahme32.exe | Lhiddoph.exe
File created | C:\Windows\SysWOW64\Lepaccmo.exe | Lofifi32.exe
File created | C:\Windows\SysWOW64\Ppdbln32.dll | Lhiddoph.exe
File opened for modification | C:\Windows\SysWOW64\Lofifi32.exe | Laahme32.exe
File created | C:\Windows\SysWOW64\Kfaalh32.exe | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
File created | C:\Windows\SysWOW64\Lhiddoph.exe | Loaokjjg.exe
File created | C:\Windows\SysWOW64\Canhhi32.dll | Kfaalh32.exe
File opened for modification | C:\Windows\SysWOW64\Kdeaelok.exe | Kmkihbho.exe
File opened for modification | C:\Windows\SysWOW64\Kfaalh32.exe | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
File created | C:\Windows\SysWOW64\Kdeaelok.exe | Kmkihbho.exe
File opened for modification | C:\Windows\SysWOW64\Lhiddoph.exe | Loaokjjg.exe
File created | C:\Windows\SysWOW64\Leikbd32.exe | Kdeaelok.exe
File created | C:\Windows\SysWOW64\Jingpl32.dll | Leikbd32.exe
File created | C:\Windows\SysWOW64\Lofifi32.exe | Laahme32.exe
File created | C:\Windows\SysWOW64\Laahme32.exe | Lhiddoph.exe
File created | C:\Windows\SysWOW64\Mbbhfl32.dll | Kmkihbho.exe
File opened for modification | C:\Windows\SysWOW64\Lepaccmo.exe | Lofifi32.exe
File opened for modification | C:\Windows\SysWOW64\Loaokjjg.exe | Leikbd32.exe
File opened for modification | C:\Windows\SysWOW64\Leikbd32.exe | Kdeaelok.exe
File created | C:\Windows\SysWOW64\Mcohhj32.dll | Kdeaelok.exe
File created | C:\Windows\SysWOW64\Nmdeem32.dll | Loaokjjg.exe
File created | C:\Windows\SysWOW64\Oopqjabc.dll | Laahme32.exe
File created | C:\Windows\SysWOW64\Oldhgaef.dll | Lofifi32.exe
File created | C:\Windows\SysWOW64\Phblkn32.dll | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
File created | C:\Windows\SysWOW64\Kmkihbho.exe | Kfaalh32.exe
File opened for modification | C:\Windows\SysWOW64\Kmkihbho.exe | Kfaalh32.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2788 | 584 | WerFault.exe | 38
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfaalh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loaokjjg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhiddoph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepaccmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Laahme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lofifi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmkihbho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdeaelok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leikbd32.exe
-
Modifies registry class 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmkihbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Leikbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll" | Kfaalh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Loaokjjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lofifi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Leikbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmkihbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll" | Kdeaelok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Loaokjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" | Lofifi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdeaelok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhiddoph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhiddoph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll" | Loaokjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbln32.dll" | Lhiddoph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laahme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Laahme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll" | Kmkihbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdeaelok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll" | Leikbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll" | Laahme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lofifi32.exe
-
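The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" signatures above are two halves of one persistence mechanism: every stage writes a value under ShellServiceObjectDelayLoad (SSODL) whose data is a CLSID, and points that CLSID's InProcServer32 default value at the DLL it just dropped into SysWOW64 (Phblkn32.dll, Canhhi32.dll, Mbbhfl32.dll, ...), so Explorer loads the DLL in-process at every logon. Because the sample is 32-bit, everything lands in the Wow6432Node view. The script below is an added example and is not part of this report or of any sandbox's code: it parses a `reg export` (.reg) dump, resolves each SSODL value to its in-process server DLL in the matching registry view, and flags entries outside an allowlist. The export is constructed to mirror the report's IoCs plus a stock WebCheck entry; the allowlist containing only WebCheck's CLSID is an assumption and should be built from a known-good reference host.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) entries from a .reg export to the
DLL that Explorer will load, and flag entries outside a known-good allowlist."""
import re

# Constructed .reg export (not from a real host). The SSODL value, CLSID and DLL
# path mirror the report's IoCs; WebCheck is included as a stock entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Phblkn32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"
"ThreadingModel"="Apartment"
'''

# Assumption: on a clean host the only SSODL entry is WebCheck. Build this set
# from a known-good reference image rather than trusting it as written here.
KNOWN_GOOD_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

SSODL_SUFFIX = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values.
    The default value is stored under the empty name. Non-string types
    (hex:, dword:) are skipped; SSODL and InProcServer32 are plain strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (line.startswith('"') or line.startswith("@=")):
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg doubles backslashes and escapes quotes inside strings
                keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys


def index_inproc_servers(keys):
    """Map (CLSID, is_wow64_view) -> InProcServer32 default value (the DLL path)."""
    index = {}
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if m:
            is_wow = "\\wow6432node\\" in key.lower()
            index[(m.group(1).upper(), is_wow)] = values.get("", "")
    return index


def resolve_ssodl(keys):
    """Resolve each SSODL value to its DLL, preferring the same 32/64-bit view."""
    inproc = index_inproc_servers(keys)
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(SSODL_SUFFIX):
            continue
        is_wow = "\\wow6432node\\" in key.lower()
        for name, clsid in values.items():
            clsid = clsid.upper()
            dll = inproc.get((clsid, is_wow)) or inproc.get((clsid, not is_wow))
            findings.append({
                "view": "Wow6432Node" if is_wow else "native",
                "name": name,
                "clsid": clsid,
                "dll": dll,                      # None if the CLSID is unregistered
                "suspicious": clsid not in KNOWN_GOOD_CLSIDS,
            })
    return findings


def suspicious_entries(text):
    return [f for f in resolve_ssodl(parse_reg(text)) if f["suspicious"]]


if __name__ == "__main__":
    for f in resolve_ssodl(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if f["suspicious"] else "known-good"
        print(f"{flag:11} {f['view']:11} {f['name']!r} -> {f['clsid']} -> {f['dll']}")
```

On a live x64 host export both views, since `reg.exe` run from a 64-bit shell reads the native view unless told otherwise: `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl64.reg /reg:64` and the same path with `/reg:32`, plus `HKCR\CLSID` for the InProcServer32 keys; `reg export` writes UTF-16, so open the files with `encoding="utf-16"` before passing the text to `parse_reg`. A flagged entry whose DLL sits in SysWOW64 under an eight-letter random name, as here, is worth pulling for analysis, and the SSODL value should be removed only after the DLL's process of origin has been found, since each of the stages above rewrites it.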
Suspicious use of WriteProcessMemory 40 IoCs
description | pid | Process | procid_target
PID 2640 wrote to memory of 2688 | 2640 | 2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe | 30 (logged 4 times)
PID 2688 wrote to memory of 2652 | 2688 | Kfaalh32.exe | 31 (logged 4 times)
PID 2652 wrote to memory of 2808 | 2652 | Kmkihbho.exe | 32 (logged 4 times)
PID 2808 wrote to memory of 2660 | 2808 | Kdeaelok.exe | 33 (logged 4 times)
PID 2660 wrote to memory of 2620 | 2660 | Leikbd32.exe | 34 (logged 4 times)
PID 2620 wrote to memory of 3064 | 2620 | Loaokjjg.exe | 35 (logged 4 times)
PID 3064 wrote to memory of 2984 | 3064 | Lhiddoph.exe | 36 (logged 4 times)
PID 2984 wrote to memory of 1860 | 2984 | Laahme32.exe | 37 (logged 4 times)
PID 1860 wrote to memory of 584 | 1860 | Lofifi32.exe | 38 (logged 4 times)
PID 584 wrote to memory of 2788 | 584 | Lepaccmo.exe | 39 (logged 4 times)
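Read together, the "Executes dropped EXE", "Drops file in System32 directory", "Program crash" and "Suspicious use of WriteProcessMemory" tables describe a single linear chain: each stage writes the next stage's EXE and one DLL into SysWOW64, starts the EXE, and the tenth stage (Lepaccmo.exe) crashes under WerFault.exe. The script below is an added example, not part of this report or of any sandbox: it takes rows constructed in the layout of those tables, rebuilds the parent-to-child chain from the WriteProcessMemory rows (collapsing the repeated entries for each pair), and checks that every stage's image file was created by its parent. The threshold in `looks_like_chained_dropper` is an assumption to be tuned against benign installers.

```python
"""Rebuild a dropper's stage chain from sandbox signature rows and check that
each stage's image file was written to disk by its parent process."""
import re
from collections import defaultdict

ROOT_PID = 2640
ROOT_IMAGE = "2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe"

# Constructed rows in the layout of the report's WriteProcessMemory table
# (parent, child, parent, parent image, procid_target). The report logs each
# pair four times; one repeat is kept here to show that duplicates collapse.
WRITE_ROWS = f"""
PID 2640 wrote to memory of 2688 2640 {ROOT_IMAGE} 30
PID 2640 wrote to memory of 2688 2640 {ROOT_IMAGE} 30
PID 2688 wrote to memory of 2652 2688 Kfaalh32.exe 31
PID 2652 wrote to memory of 2808 2652 Kmkihbho.exe 32
PID 2808 wrote to memory of 2660 2808 Kdeaelok.exe 33
PID 2660 wrote to memory of 2620 2660 Leikbd32.exe 34
PID 2620 wrote to memory of 3064 2620 Loaokjjg.exe 35
PID 3064 wrote to memory of 2984 3064 Lhiddoph.exe 36
PID 2984 wrote to memory of 1860 2984 Laahme32.exe 37
PID 1860 wrote to memory of 584 1860 Lofifi32.exe 38
PID 584 wrote to memory of 2788 584 Lepaccmo.exe 39
"""
CRASH_ROW = "2788 584 WerFault.exe 38"   # pid, pid_target, Process, procid_target

# "File created" rows from the Drops-file table (constructed from the report).
DROP_ROWS = rf"""
File created C:\Windows\SysWOW64\Kfaalh32.exe {ROOT_IMAGE}
File created C:\Windows\SysWOW64\Phblkn32.dll {ROOT_IMAGE}
File created C:\Windows\SysWOW64\Kmkihbho.exe Kfaalh32.exe
File created C:\Windows\SysWOW64\Canhhi32.dll Kfaalh32.exe
File created C:\Windows\SysWOW64\Kdeaelok.exe Kmkihbho.exe
File created C:\Windows\SysWOW64\Mbbhfl32.dll Kmkihbho.exe
File created C:\Windows\SysWOW64\Leikbd32.exe Kdeaelok.exe
File created C:\Windows\SysWOW64\Mcohhj32.dll Kdeaelok.exe
File created C:\Windows\SysWOW64\Loaokjjg.exe Leikbd32.exe
File created C:\Windows\SysWOW64\Jingpl32.dll Leikbd32.exe
File created C:\Windows\SysWOW64\Lhiddoph.exe Loaokjjg.exe
File created C:\Windows\SysWOW64\Nmdeem32.dll Loaokjjg.exe
File created C:\Windows\SysWOW64\Laahme32.exe Lhiddoph.exe
File created C:\Windows\SysWOW64\Ppdbln32.dll Lhiddoph.exe
File created C:\Windows\SysWOW64\Lofifi32.exe Laahme32.exe
File created C:\Windows\SysWOW64\Oopqjabc.dll Laahme32.exe
File created C:\Windows\SysWOW64\Lepaccmo.exe Lofifi32.exe
File created C:\Windows\SysWOW64\Oldhgaef.dll Lofifi32.exe
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
DROP_RE = re.compile(r"File created (\S+) (\S+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) \d+")


def parse_writes(text):
    """Return (children, names): parent pid -> child pids, pid -> image name."""
    children, names = defaultdict(set), {}
    for m in WRITE_RE.finditer(text):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        children[parent].add(child)          # set membership collapses repeats
        names[parent] = image
    return children, names


def parse_drops(text):
    """Return creator image -> set of lower-cased file names it created."""
    created = defaultdict(set)
    for m in DROP_RE.finditer(text):
        created[m.group(2)].add(m.group(1).rsplit("\\", 1)[-1].lower())
    return created


def build_chain(children, root):
    """Follow single-child spawns from root; stop at a leaf or at a fork."""
    chain, seen, pid = [root], {root}, root
    while True:
        kids = children.get(pid, set()) - seen
        if len(kids) != 1:
            return chain
        pid = kids.pop()
        seen.add(pid)
        chain.append(pid)


def stage_report(write_rows, drop_rows, crash_row, root):
    """One dict per stage: pid, image, whether its parent dropped it, its DLLs."""
    children, names = parse_writes(write_rows)
    m = CRASH_RE.search(crash_row)
    if m:
        names[int(m.group(1))] = m.group(3)   # WerFault never appears as a parent
    created = parse_drops(drop_rows)
    stages = []
    for pid in build_chain(children, root):
        image = names.get(pid, "?")
        parent = names.get(stages[-1]["pid"]) if stages else None
        stages.append({
            "pid": pid,
            "image": image,
            "dropped_by_parent": bool(parent) and image.lower() in created.get(parent, set()),
            "dlls": sorted(f for f in created.get(image, set()) if f.endswith(".dll")),
        })
    return stages


def looks_like_chained_dropper(stages, min_linked=4):
    """Assumption: four or more stages each written by their own parent."""
    return sum(s["dropped_by_parent"] for s in stages) >= min_linked


if __name__ == "__main__":
    report = stage_report(WRITE_ROWS, DROP_ROWS, CRASH_ROW, ROOT_PID)
    for s in report:
        link = "dropped by parent" if s["dropped_by_parent"] else "not dropped by parent"
        print(f"{s['pid']:>5} {s['image']:<24} {link:<22} dlls={s['dlls']}")
    print("chained dropper:", looks_like_chained_dropper(report))
```

The chain this yields (2640 through 584, then WerFault.exe as PID 2788) matches the process tree further down the page, and the `dlls` column ties each stage to the SysWOW64 DLL it registered as the CLSID's InProcServer32. The same walk applies to EDR process-start and file-create telemetry: a parent that creates a file and immediately starts it as its only child, repeated stage after stage with fresh random names, is the pattern to alert on, not any one of the file names.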
Processes
-
Each process below is the only child of the one listed before it; the leading number is its depth in the tree.
1. C:\Users\Admin\AppData\Local\Temp\2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2640
2. C:\Windows\SysWOW64\Kfaalh32.exe
Command line: C:\Windows\system32\Kfaalh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2688
3. C:\Windows\SysWOW64\Kmkihbho.exe
Command line: C:\Windows\system32\Kmkihbho.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2652
4. C:\Windows\SysWOW64\Kdeaelok.exe
Command line: C:\Windows\system32\Kdeaelok.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2808
5. C:\Windows\SysWOW64\Leikbd32.exe
Command line: C:\Windows\system32\Leikbd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2660
6. C:\Windows\SysWOW64\Loaokjjg.exe
Command line: C:\Windows\system32\Loaokjjg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2620
7. C:\Windows\SysWOW64\Lhiddoph.exe
Command line: C:\Windows\system32\Lhiddoph.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 3064
8. C:\Windows\SysWOW64\Laahme32.exe
Command line: C:\Windows\system32\Laahme32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2984
9. C:\Windows\SysWOW64\Lofifi32.exe
Command line: C:\Windows\system32\Lofifi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 1860
10. C:\Windows\SysWOW64\Lepaccmo.exe
Command line: C:\Windows\system32\Lepaccmo.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID: 584
11. C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 1401
- Loads dropped DLL
- Program crash
- PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340KB
MD5
4f56dee09dbee7a0d9b9ffd88851c499
SHA1
463c44e261f3a41667f78358263dfc44721748d5
SHA256
a114669cfbdff06de517ed5788b8e4fd724e4d7c6a24235f099d197a875c029e
SHA512
c878400f474459176cd481864f30f474aedd5368a49359395b53b0bedefed0ba94fe9fa6f7e855820bdb0a2dba57954dd29f4c59e05587172c0f5e98518a6a1d
-
Filesize
340KB
MD5
591b87b74fcb50d6525510c9e5c61479
SHA1
e7e02392a0a8d2f74ac2889f7394182b3edeb73e
SHA256
0362c21ceeee1d7864e6eec9475a5a95c80b898c69d5011e8e5748b0dcd68349
SHA512
e07a85da0b1cf8ca49ce4f2a871102fc13945d816d4478d9d878784a97d9599adc1f8f74a6ff79950e6d14304fa1f0a0f6eddd7afc67a4f5e68c07983cf215ac
-
Filesize
340KB
MD5
7ecc874651a30fc4ae2b8a92221dfc49
SHA1
8cb07df52394b28897a4b944097abd727f73d3a3
SHA256
67490ca5defc33725ddf6a755e097ae01ccb5ae3f354e4421ada75abd401c200
SHA512
db68de84765fb924269a868bebc9ff50c1e357fdc48f270a4fb4f43808215fd1bf80b35ac429a21c0f8fdd3e9ecbf22c09b2fd64ca151889a69476161e7f33d9
-
Filesize
340KB
MD5
6e3dfcd4a00635a5101daecea191cb59
SHA1
7661d897ec708e176991c2f9bdc7c5e04a856586
SHA256
de404a813136e799eadd3be9f5e3552f4b93a3ff94db7cfb55b43ecca90067ed
SHA512
98e576b769a7ce10e91a06bbca2693463f7916d314f7389e2e85d754c10e45d767ebba949d43eb11f4e4d16f6df6c4ca94a7bdc89dfb4ca843d8ddc0cb2e9b51
-
Filesize
340KB
MD5
43ecc1aa8c51ec93ef41ac924672a780
SHA1
88bebc335b5dffb6c83f1f5d3e9acd4d3bba22dc
SHA256
c2abf9c8e04805f84d38fca5e1231c28b1366d495e7b6bdb59fbcca4e9c6c431
SHA512
3c73b936976c8a54d7a449912e05e3673463723f39fb36ebe24a0cb244557e359cd40216615506e385e0cabf201263631999c38c379be072893a9d7df5e64743
-
Filesize
340KB
MD5
8d3c390ece0b78b127e3705a0eada0e0
SHA1
d07b76a6b83f71f7d7b59fae5a087cff6fda3e9c
SHA256
6ca3c28cf66a0693331cca97614ade30dfb3ad9244f85a8d04650448b8d817f5
SHA512
db01023f01728be691cbc6253a34bddf0b9ef0ebaecdff5007f896b067ba83c4159499c4da6888dc9acd203e9452650cb846b6270f4fa82559d05fa9c29931cc
-
Filesize
340KB
MD5
32ca0389da16ff674f38b5f249659691
SHA1
8aab84bf0a98f7e6832d0bc6b7c74be68bda88b7
SHA256
d1bc55e7f95133717c253eae4bd747f4525476e36c1031cb6a4c8e953be067de
SHA512
7ee96b352e595d24320442abe37474e181430f91b856aa5d58204b46660b20bcd32532c50a99be7984feea78151da50d22a1d0793148c76f2283ad78540aa6ec
-
Filesize
340KB
MD5
8651a70932fe288b5750e409cedf1bc5
SHA1
f9949d53e9b6f48b255e4d7b5a3e87e0300bb728
SHA256
e37be07c1c423bff03a273e084df2b92d21aa9f3d8de7ed6635d311f45430c99
SHA512
20911b6b8ff3c132d2d07b89717ae48be0ef1759e0919e8ef7d8d476fb367a36ae8a34755a777d112830b6c25d43ea1759bec4c4ba377dae0cdc7b195c91bf57
-
Filesize
340KB
MD5
f6f38f870f06c66649d6fb7856eb8aa7
SHA1
cc23316ae4fe7d65c7a942150baafda0756ef18a
SHA256
65153e238bc285b3c30c2f2afc08d76ef97c9959d77c47a0f331a89f3d6d89e7
SHA512
770bbaa99290ac3c34c0de4eff3eecc8ab956c38d2a0001436cfcbb52752b398e885d70f85c3ba3a508176e5b20b302585b4a0016dc40272d5c4e934c2dd5efe