Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 15:51

Static task: static1

Behavioral task: behavioral1
Sample: 431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affaN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affaN.exe
Resource: win10v2004-20241007-en
General
Target: 431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affaN.exe
Size: 71KB
MD5: 6a6bf7d7608c40716f9f6ad148c4de60
SHA1: 50ff0f10fd6788982df217c1b3231cb9a96a8c2f
SHA256: 431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affa
SHA512: ad67b16c3e9c98e89653f568fa2597fdbfffd23f93d5bf91dc2d0d25c938fc84b46e165a3d54974014dd9b8420478892f87d8e204caf8631f4d6dc5c4e2e51e1
SSDEEP: 1536:9WTEQLQkEev/D7DxLF+YKSNYJ+zJSyHO8WmiUVaMsiYMdHUttSt++nScRcS39RQB:9CLQe3+dJeJKNJMD1Rcs9elEy032ya
Malware Config
Extracted family: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs
Berbew family
Executes dropped EXE 23 IoCs
Loads dropped DLL 50 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 872 | pid_target: 1632 | Process: WerFault.exe | procid_target: 52
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affaN.exe  "C:\Users\Admin\AppData\Local\Temp\431dec948ec20fc12f1579f764128ac9f63661b1547e5d806ab08b7454f9affaN.exe"  (level 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1088
C:\Windows\SysWOW64\Iebldo32.exe  C:\Windows\system32\Iebldo32.exe  (level 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2788
C:\Windows\SysWOW64\Ibfmmb32.exe  C:\Windows\system32\Ibfmmb32.exe  (level 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2848
C:\Windows\SysWOW64\Iegeonpc.exe  C:\Windows\system32\Iegeonpc.exe  (level 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2928
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Japciodd.exeC:\Windows\system32\Japciodd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Koflgf32.exeC:\Windows\system32\Koflgf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Lepaccmo.exeC:\Windows\system32\Lepaccmo.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 14025⤵
- Loads dropped DLL
- Program crash
PID:872
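Every process in the tree above carries the "Adds autorun key to be loaded by Explorer.exe on startup" signature, which is the ShellServiceObjectDelayLoad (SSODL) key: Explorer.exe instantiates each CLSID listed there when the shell starts, so the dropped DLL is loaded without any Run-key entry. The following is an added example, not part of the sandbox report, that hunts for that persistence in a `reg export` style text dump. The registry text, the CLSIDs, the DLL names and the known-good baseline (the stock WebCheck entry) are constructed or assumed for this example.

```python
"""Hunt for ShellServiceObjectDelayLoad (SSODL) persistence in a .reg export.

Added example, not part of the sandbox report. Explorer.exe loads every CLSID
listed under ...\CurrentVersion\ShellServiceObjectDelayLoad at shell start,
which is the mechanism behind the report's "Adds autorun key to be loaded by
Explorer.exe on startup" signature. The export text, the CLSIDs, the DLL
names and the baseline below are constructed/assumed for this example.
"""
import re

# Constructed `reg export` style text. The second CLSID and its DLL are made up;
# the WebCheck entry is assumed to be the stock Windows 7 default.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Shell Helper"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Abcdefgh.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))="(?P<data>.*)"$')
SSODL_SUFFIX = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.IGNORECASE)

# Assumed baseline: (value name, CLSID) pairs expected on a clean host.
BASELINE = {("WebCheck", "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}")}


def parse_reg(text):
    """Return (ssodl_values, servers): name->CLSID and CLSID->InprocServer32 path."""
    ssodl, servers, key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        data = m["data"].replace("\\\\", "\\")  # .reg doubles backslashes
        if m["name"] and key.upper().endswith(SSODL_SUFFIX.upper()):
            ssodl[m["name"]] = data.upper()
        else:
            im = INPROC_RE.search(key)
            if im and m["default"]:
                servers[im.group(1).upper()] = data
    return ssodl, servers


def find_suspicious(text, baseline=BASELINE):
    """Every SSODL entry not in the baseline, resolved to the DLL Explorer would load."""
    ssodl, servers = parse_reg(text)
    hits = []
    for name, clsid in ssodl.items():
        if (name, clsid) in baseline:
            continue
        hits.append({"name": name, "clsid": clsid,
                     "server": servers.get(clsid, "<unregistered CLSID>")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(REG_EXPORT):
        print(f"SSODL: {hit['name']} -> {hit['clsid']} -> {hit['server']}")
```

The baseline comparison is the only check that works here: the report shows the payload being dropped into the System32 directory, so a rule that trusts any server DLL under `C:\Windows` would miss it. Follow a hit by hashing the resolved DLL and comparing it against the dropped-file hashes in the Downloads section, and checking its Authenticode signature.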
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 7KB
MD5: 91ac16209f483e2a071bfb6a6d171d11
SHA1: e3ae7ac67e27025f613a0dcd1ee561d1d07d5f2b
SHA256: e304f3e2dab45a3ad1a34835b9930dd7233d57b85a33e1f1594d161dc37df0d1
SHA512: 0d9f7f6edbb2e2e13dc238dc5c87face9441ac7fcf1a0bfcb24f093501ff980dfae21b77aaa9a31137bdb0fe65060288713e17336d5c890a11cfceae88af4101
-
Filesize: 71KB
MD5: 265e11e7137415a150b663ed484de87b
SHA1: 45740e57ba3e8416f902770a1097541b47fca6b1
SHA256: 4dbbfbc85a05040d22df725c5c8a00a2ba1975d89d3549f8c240beda94737a3e
SHA512: 23432aa62a856b09e834d1b8e892246be58c63d277013a30006d4cae59b5452319f66583f687603cc2543b6325379819d9a0393f525b8baaca4b512f5ac8fd90
-
Filesize: 71KB
MD5: 3b9d85fd5f6a0e5952d709de0b709f58
SHA1: 4129d5b06f2ebfce9724d3001ce39e163d1d3569
SHA256: 36f0d79c12e8a6f5f1724d08101a3c4bb9d25e1b42d79e09136583e6e2b911de
SHA512: 8229f3fabd9b4ca9b54a6dda4761751d5d21b98ae92636d21a84671b9a7955b86d8eeec6d4138835868d5175c80c4bb6dfe5c13296add3a6e50b138d168adaee
-
Filesize: 71KB
MD5: e389f0ab7deb11cb880eaf1dcbd82c1f
SHA1: c1eb685efea8484571655de3ef00c5ddf358b137
SHA256: 3804b36c6a5982f982c15972ca9ddccb805d5a007ec23fbffd71302506512c3e
SHA512: 0ca70b2c80089688526c54e7fae2c530f860332fe62e6a7aac09cc956f3577856c23578c2d074e0ccedc3ab95457c37ea0454096a6e7a4a8f438bb44e8a800c6
-
Filesize: 71KB
MD5: 2bbae63d7c780b421a04017864cc3e8a
SHA1: 34ffbf2a40692d947181d21ab1ea34b4055ccb4c
SHA256: 8b1ffcffcf81aaca676655558ba0b955958287b76200fc9bb010a7dc9a75c273
SHA512: 1652c96e3d2f04e0e3fb2befd2b0991cc66b0787773733acb29701ffb0c524458c825d894ea74afa4ca1329f4b31045fa59f1fa5bc3316686b6d2190337a8070
-
Filesize: 71KB
MD5: 8b4e70e08f17dfade9f2d55fb9e31929
SHA1: a73364eac7bd6a63f160252af5bb48313066083d
SHA256: 5fe7e88d4e6d3a4d351f00af823a3d6c9279701b09be68d525e94182b033945c
SHA512: e34a1626992ac0770c5b03676df4cbce8befe62cbb5f1863c927a734a037eca603a19e04ea3dbcfc645c8efaf8ac0311105cec2e4a1eeca159e1cde9525441eb
-
Filesize: 71KB
MD5: 13193b2fac4225cd1eb118bf2f17dbbd
SHA1: bb7638d4dd89fce6947aeff5dc779c78c4d332e1
SHA256: 0813f63b5a37d9628f26d795c388e3e914d0fc75bb8d9aa10c231581fcc2b2a0
SHA512: 911ce3086ca4c233c8fada04ada899fe25bb9bface0d95191c8c59930a19ed73d1f09fd9cdfb737cb098fa58242a362201088493fa4a18923139e25024cea906
-
Filesize: 71KB
MD5: 697810b7007c5549414301704a56efca
SHA1: 4be2e20043edf9694aa52a81765cbe87ae67b417
SHA256: fa40828fd606f27ad6fbd8e9938f94048eda23ea4317ffe8ff779c79950f87c7
SHA512: b854ca21d703129992783fa5cb778c33ba1c0f0c1ecd438efc1146be6dc5ccab7cbd99bcdfaacd10b283df23d27845a41d17618877efb86353d18b44603c07f5
-
Filesize: 71KB
MD5: 714989f72a150908686b0e2659a3e7ab
SHA1: 705cb8c953f7b93aed8b03e9d22268bbd6f13ad6
SHA256: 4eb45f7e3dfe42a1770bd04bbeb510a0a910c675c89de4bd45d79aa5f15ddee2
SHA512: 6fba326150318edca2c6b3db05aaae1dc0441a4f83776dbe7aae0cc1c198d749d309532c81b5e1ac1ecc972422f543c4b20d5e00e415d9b22a86acb96fb8c501
-
Filesize: 71KB
MD5: 7eee3ae4b9ba0c999ef8155ecfbeb898
SHA1: e75479917fc782a32a62093dd95daf6aea611690
SHA256: 15374f8a7ca8222c9d3cc688518a7df1aa211e424efe0f95b2edf1db77495496
SHA512: 4ed0fad7efb60eb52d16d8036bcab02f58a1042895dd40ccb9ac989b7486edcb6a112650f70cf0a03075e94ec76d69d65d986bf29ceb71dd7eae282f53ef6fcc
-
Filesize: 71KB
MD5: 17e122d875f413d33acb90dbafdd2f82
SHA1: 04d737e0912cc396e9c6e8ea4eb76cd1caf78e60
SHA256: 2989e6958c6a13cd65828507104b1808f5bfa994b843b5f79892d5254fff8e6f
SHA512: adfc47ef8654bcbd489f2a69771b598474ccc0f0953621c7b3432929e0982ea6681ee64b367ad37c0dccccf38ef7484ec9f8defc9b0d4305eb2764b2c894599a
-
Filesize: 71KB
MD5: 2a5449d2e922671e31d1bdac8e37fa34
SHA1: aeab5c5eead424944a47b03db6b044fe17a70f5e
SHA256: 7d71585aa8aac0457387048c52be90f99ddef89f953ef372bb263894ea7ca3fc
SHA512: 80aa1bc6974060839a1328e659d4e7320ff8157fb34917055d57bb7b3d5c1664989ccafd525d66b990d422ffa16716385c7ae2123aec2c6f60644489a80d256c
-
Filesize: 71KB
MD5: d8bbe60413436816d1c82cd10e4b7ab5
SHA1: d42e867d9211853b265d2587cb397224ae845548
SHA256: fd8bf8f31542f8bebd1883387d7b826510642880285707c8d9b4b0d5bd7bc112
SHA512: f7fa59cd869474e70baea359016fdaaeb3d9db1146cacbda1d570aaa51b3765130969eff0cdc4465634489bba7e8431194abe614be6e3445cce9ec1f9897e296
-
Filesize: 71KB
MD5: c3f2d54b2fd459eabe672825d25e2504
SHA1: c2bf5c15fdd97a35f6f40046234a5432b3bd5ea7
SHA256: 942b3d4aa2ead6690595caeb50b71d9c6c910278fa6f61fee6aae9ac1ba92255
SHA512: 7427f1768b6ec38226cebf081f59dde8a215177535e2a6628a03b27aa3719d0b4df0c869b57e971419b5156ecdc11771b5abaf99f4ccaf93ed29092105c915da
-
Filesize: 71KB
MD5: ded95666238ae57a2e2e455cfd1fd9c2
SHA1: abe977489a47e137cd5aaf218c7845d221509759
SHA256: 5bd55fc9e152d9ed0fae8b740f44c3ec274203e15f1a7c0d1427ab1a28f675c0
SHA512: 00d1d035d6f2607bb79596a123568324c40c211e3b0731efa3e3dc1dc0bd69e87684fcec44ca4ef1f2a30830edc36d2eca4af5d50e472938f87620af0a4c2e7a
-
Filesize: 71KB
MD5: 0ff08627afb7225630d3975f1d1850aa
SHA1: 0b9f57499f74aeffc6d9a9ca8cae3d9432e250aa
SHA256: 32a3186a2158fe9769e5bb058640fe598c1e8d540552fa5b54df48d7571715e5
SHA512: 99785b28bd58ce6612f0a965462599b680e87afe4e9e25f2459d833df85515e0b65c46e6ae1ed76772392a835e3af3e2927446ad409f052b252474e4867667b9
-
Filesize: 71KB
MD5: 885d6205333c063db0037f6f99eed63a
SHA1: 24b74837a656e6ca80f8ad225c085965f0fd8339
SHA256: 55466c1791874f14516e546612e819137ac11bfa013c1b0c4a1d03e7a42f277e
SHA512: 263102b0e1cb0167ce931f0d03817bbf9c33d00105c682804355db14ad42775b10d1592c1eaa565dffd66529ef3f31a616d59b2e1247defd978f48da9097921e
-
Filesize: 71KB
MD5: 020e352e4f275b8c08b3577a4ff3bbe5
SHA1: aad5629a5c95ba2f83a7cf8075acaae4bf9b5921
SHA256: abefbb11a1277db5f72e8fda1dade15051e57a0860c3f5d8f378a264af0400ba
SHA512: ffc4ae686a72c2824bf7702512819ae41053c5133dedc4d3a201601baa5ca5176defd375e44196f161ae2a4adf19b81ddc1e8b85d51562bb68b6fbe608b1a9fe
-
Filesize: 71KB
MD5: ee33f40223a51925fc3e1ebdf48abaa4
SHA1: 287dbb49e3bc8ff70251f831d9ce3500b52eb48b
SHA256: bc642edd0a7d8601631392f628239652a338d173a782838379e5212ee3f22dbd
SHA512: b915364e5ce02693f47b0da7ca20fb5bce2584d2099bc869c91ad76dacaf27f501632c9781a81578105c51d36316c8d1640457bb48cf0cad5c1e78d58be117b6
-
Filesize: 71KB
MD5: f690cfb519eae1d075387fd17cd0ca0d
SHA1: 7ab6844136c4de551d975c076597a7016c3ca869
SHA256: 0a9f84a86eac0b21ed420f352faaa430e96cd81fa01457ba073db81a4e9a51b9
SHA512: 6bfdc1c24fc3647e1389d9a5d24360b4a1c61e7775e8d41bae4e3cc8d2e575e8d15054c34849813f588b9bc41927015677a0d0c2b58760808f75342436f319c9
-
Filesize: 71KB
MD5: 614e4469a103bc094e8a792c656212b7
SHA1: 776280c1186f66894336108283167571cd5f13ee
SHA256: a1569edc1460aae871959c5da868e49d6f17dd0b61275baae4a4fbee13a687c9
SHA512: f5a0bdda83a85c485bb251c69697417f4d75fc037fc6a1bfbe707e62fa4ab944419deff6b183fd696def37e365059a272c860c4842aeebe6746b5dee5d54ffe8
-
Filesize: 71KB
MD5: 3a0690a7baa3752779fb6b72557403b2
SHA1: 8f455fbed9da96bf0611551fccd05c2d5ef68383
SHA256: f6d07b1ea68a8a2c8ac873ae18ecead3bace90151e0cef76b61e564ce7d53279
SHA512: 534fe4b1acbd43d9b527f15926620295805b33769bdb1d87e71a3722d707c7dbb89e8585f92b8cca430b4c71b5a6b1f86bb4a6bebfc30a1aab309350e8702fcb
-
Filesize: 71KB
MD5: cce9bca5e66da167f2250c4abf8b1f7a
SHA1: 1584b652e50d8e87caa2fb27d7aac7a783759573
SHA256: 1e8682ffb924468b19e5f1ce13f0131dc786fe1ab8d81cf2d874af76aac68bc4
SHA512: bd10891650e2270120364a00c7a2e0a14e66c78ea6e609ea2290dff42bb9bc9ac75320309a67b992d0b90e1f9ae7ad70df3586cd68331336dd35d739a1b04f71
-
Filesize: 71KB
MD5: 18bfb1f66632f5704b7a9821f8ff0aa2
SHA1: 4ce22da1ba63813039b549945b05568b06a13c99
SHA256: d205cf411937cb3f1bac52ca1dd999e9fa209a92fabc5c7234aec49339cca015
SHA512: 3ed634f564859a802d48d7ab135cd42aa86ab83e4fbb45d66ea16a8aef726151c441f4cc65e6eeae5b81f679bbacd5cf8c82cd173e0c1ab6b37fe386d5be91c0