berbew | 76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Size

192KB
MD5

b53e07df86809c7a8f5394faa7406828
SHA1

bc138d46318322ddf2356552bdc10d1d32e2636b
SHA256

76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea
SHA512

c959d4e9bdb9045b54bee8c0b8e7e91b850fedbb24537054226da4ea25f8c11889c891db0c50ea6267a91bb4bcdafe9ede26752822ea530b128b00400781e68c
SSDEEP

3072:ATMyeCqzBtHhxrHBqMART2kODIO6PbxYi/mjRrz3OaZFU24cQ7SZFU2:AT2F22IOmbxYi/GOORjMmR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igceej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igceej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinhdmma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinhdmma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieibdnnp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
1064	Iinhdmma.exe
2252	Igceej32.exe
1500	Iakino32.exe
2808	Igebkiof.exe
2820	Ieibdnnp.exe
2828	Jfmkbebl.exe
2804	Jcqlkjae.exe
2724	Jpgmpk32.exe
892	Jedehaea.exe
2364	Jibnop32.exe
2404	Kbjbge32.exe
2292	Kbmome32.exe
2304	Kdnkdmec.exe
1944	Kenhopmf.exe
1548	Koflgf32.exe
1732	Kpgionie.exe
1992	Kdeaelok.exe
1288	Lgfjggll.exe
1720	Lidgcclp.exe
2716	Lcmklh32.exe
2560	Lekghdad.exe
1876	Lpqlemaj.exe
2148	Lcohahpn.exe
2976	Lcadghnk.exe
1620	Lepaccmo.exe

Loads dropped DLL 54 IoCs

pid	Process
2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
1064	Iinhdmma.exe
1064	Iinhdmma.exe
2252	Igceej32.exe
2252	Igceej32.exe
1500	Iakino32.exe
1500	Iakino32.exe
2808	Igebkiof.exe
2808	Igebkiof.exe
2820	Ieibdnnp.exe
2820	Ieibdnnp.exe
2828	Jfmkbebl.exe
2828	Jfmkbebl.exe
2804	Jcqlkjae.exe
2804	Jcqlkjae.exe
2724	Jpgmpk32.exe
2724	Jpgmpk32.exe
892	Jedehaea.exe
892	Jedehaea.exe
2364	Jibnop32.exe
2364	Jibnop32.exe
2404	Kbjbge32.exe
2404	Kbjbge32.exe
2292	Kbmome32.exe
2292	Kbmome32.exe
2304	Kdnkdmec.exe
2304	Kdnkdmec.exe
1944	Kenhopmf.exe
1944	Kenhopmf.exe
1548	Koflgf32.exe
1548	Koflgf32.exe
1732	Kpgionie.exe
1732	Kpgionie.exe
1992	Kdeaelok.exe
1992	Kdeaelok.exe
1288	Lgfjggll.exe
1288	Lgfjggll.exe
1720	Lidgcclp.exe
1720	Lidgcclp.exe
2716	Lcmklh32.exe
2716	Lcmklh32.exe
2560	Lekghdad.exe
2560	Lekghdad.exe
1876	Lpqlemaj.exe
1876	Lpqlemaj.exe
2148	Lcohahpn.exe
2148	Lcohahpn.exe
2976	Lcadghnk.exe
2976	Lcadghnk.exe
444	WerFault.exe
444	WerFault.exe
444	WerFault.exe
444	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Igceej32.exe	Iinhdmma.exe
File created	C:\Windows\SysWOW64\Igebkiof.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Iinhdmma.exe	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Igebkiof.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Iakino32.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Igceej32.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Igebkiof.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Dmplbgpm.dll	Igceej32.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Iinhdmma.exe	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
File created	C:\Windows\SysWOW64\Ikaihg32.dll	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
File created	C:\Windows\SysWOW64\Igceej32.exe	Iinhdmma.exe
File opened for modification	C:\Windows\SysWOW64\Iakino32.exe	Igceej32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Bgcmiq32.dll	Iinhdmma.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lekghdad.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lcohahpn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
444	1620	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iinhdmma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinhdmma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iakino32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinhdmma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll"	Iinhdmma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lekghdad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1064	2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe	30
PID 2220 wrote to memory of 1064	2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe	30
PID 2220 wrote to memory of 1064	2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe	30
PID 2220 wrote to memory of 1064	2220	76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe	30
PID 1064 wrote to memory of 2252	1064	Iinhdmma.exe	31
PID 1064 wrote to memory of 2252	1064	Iinhdmma.exe	31
PID 1064 wrote to memory of 2252	1064	Iinhdmma.exe	31
PID 1064 wrote to memory of 2252	1064	Iinhdmma.exe	31
PID 2252 wrote to memory of 1500	2252	Igceej32.exe	32
PID 2252 wrote to memory of 1500	2252	Igceej32.exe	32
PID 2252 wrote to memory of 1500	2252	Igceej32.exe	32
PID 2252 wrote to memory of 1500	2252	Igceej32.exe	32
PID 1500 wrote to memory of 2808	1500	Iakino32.exe	33
PID 1500 wrote to memory of 2808	1500	Iakino32.exe	33
PID 1500 wrote to memory of 2808	1500	Iakino32.exe	33
PID 1500 wrote to memory of 2808	1500	Iakino32.exe	33
PID 2808 wrote to memory of 2820	2808	Igebkiof.exe	34
PID 2808 wrote to memory of 2820	2808	Igebkiof.exe	34
PID 2808 wrote to memory of 2820	2808	Igebkiof.exe	34
PID 2808 wrote to memory of 2820	2808	Igebkiof.exe	34
PID 2820 wrote to memory of 2828	2820	Ieibdnnp.exe	35
PID 2820 wrote to memory of 2828	2820	Ieibdnnp.exe	35
PID 2820 wrote to memory of 2828	2820	Ieibdnnp.exe	35
PID 2820 wrote to memory of 2828	2820	Ieibdnnp.exe	35
PID 2828 wrote to memory of 2804	2828	Jfmkbebl.exe	36
PID 2828 wrote to memory of 2804	2828	Jfmkbebl.exe	36
PID 2828 wrote to memory of 2804	2828	Jfmkbebl.exe	36
PID 2828 wrote to memory of 2804	2828	Jfmkbebl.exe	36
PID 2804 wrote to memory of 2724	2804	Jcqlkjae.exe	37
PID 2804 wrote to memory of 2724	2804	Jcqlkjae.exe	37
PID 2804 wrote to memory of 2724	2804	Jcqlkjae.exe	37
PID 2804 wrote to memory of 2724	2804	Jcqlkjae.exe	37
PID 2724 wrote to memory of 892	2724	Jpgmpk32.exe	38
PID 2724 wrote to memory of 892	2724	Jpgmpk32.exe	38
PID 2724 wrote to memory of 892	2724	Jpgmpk32.exe	38
PID 2724 wrote to memory of 892	2724	Jpgmpk32.exe	38
PID 892 wrote to memory of 2364	892	Jedehaea.exe	39
PID 892 wrote to memory of 2364	892	Jedehaea.exe	39
PID 892 wrote to memory of 2364	892	Jedehaea.exe	39
PID 892 wrote to memory of 2364	892	Jedehaea.exe	39
PID 2364 wrote to memory of 2404	2364	Jibnop32.exe	40
PID 2364 wrote to memory of 2404	2364	Jibnop32.exe	40
PID 2364 wrote to memory of 2404	2364	Jibnop32.exe	40
PID 2364 wrote to memory of 2404	2364	Jibnop32.exe	40
PID 2404 wrote to memory of 2292	2404	Kbjbge32.exe	41
PID 2404 wrote to memory of 2292	2404	Kbjbge32.exe	41
PID 2404 wrote to memory of 2292	2404	Kbjbge32.exe	41
PID 2404 wrote to memory of 2292	2404	Kbjbge32.exe	41
PID 2292 wrote to memory of 2304	2292	Kbmome32.exe	42
PID 2292 wrote to memory of 2304	2292	Kbmome32.exe	42
PID 2292 wrote to memory of 2304	2292	Kbmome32.exe	42
PID 2292 wrote to memory of 2304	2292	Kbmome32.exe	42
PID 2304 wrote to memory of 1944	2304	Kdnkdmec.exe	43
PID 2304 wrote to memory of 1944	2304	Kdnkdmec.exe	43
PID 2304 wrote to memory of 1944	2304	Kdnkdmec.exe	43
PID 2304 wrote to memory of 1944	2304	Kdnkdmec.exe	43
PID 1944 wrote to memory of 1548	1944	Kenhopmf.exe	44
PID 1944 wrote to memory of 1548	1944	Kenhopmf.exe	44
PID 1944 wrote to memory of 1548	1944	Kenhopmf.exe	44
PID 1944 wrote to memory of 1548	1944	Kenhopmf.exe	44
PID 1548 wrote to memory of 1732	1548	Koflgf32.exe	45
PID 1548 wrote to memory of 1732	1548	Koflgf32.exe	45
PID 1548 wrote to memory of 1732	1548	Koflgf32.exe	45
PID 1548 wrote to memory of 1732	1548	Koflgf32.exe	45

C:\Users\Admin\AppData\Local\Temp\76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe
"C:\Users\Admin\AppData\Local\Temp\76067f2f41c69466d951ac8cedb207e5aa8430d131d69f5a0bc485b10bf01aea.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Iinhdmma.exe
  C:\Windows\system32\Iinhdmma.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\Igceej32.exe
    C:\Windows\system32\Igceej32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\Iakino32.exe
      C:\Windows\system32\Iakino32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbbngc32.dll

Filesize
7KB

MD5
8973e0df1d720d879c6468283c6edb1e

SHA1
0d876882f03279cb5f556b4524c019af7f8b9806

SHA256
72da859190526655b541042e52ee82b5e3e9e278a266d492c09ad1d58c620d60

SHA512
acf63d0b47fb77b2190ced8d0923cee0685b89edda4f37f694398af184eed24de52d3882b693006fa15f41339a5ba4bc9846c29e96a70bad45ebb4acc71edf0b

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
192KB

MD5
5e1120e9945352bc867ac53b5313e646

SHA1
13098beb1feb02f6df7559ec87f90ffe225f6ffd

SHA256
95d98033e2298e1eac5c0cf742a661d3842742fdc8f44526acc4ca7e0c2fd9c0

SHA512
4c40657a05abeca78ed3a313215d1fa96a2d849c3b367ac44791213f81b8d1f8a16778445c527c7bdb5c297b63eb51780c7858fbe0361301ffa7d154ace215ea

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
192KB

MD5
7e452d9ddf9eba0917b94343b984a3d2

SHA1
10efc0e5578b034e864a7667706c0459a5b3ad18

SHA256
49318c69500c8ff3ee0127a830b558d84a23ea82a787bcbbf029a38137b0c479

SHA512
e51680a249c5da71fa717bd94b751957c0a213120ffb670281a48d1620986688276f8758d17ea44aa0fca26c884ec1da45a2b948d4edec84458d7645286a096c

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
192KB

MD5
2a69969476368a27145dae7afb83cff8

SHA1
2f87d82763ca7efd5153dda5f91a0f4f28198c38

SHA256
7d7cac4ba378b5ef3d05741a1839c806bb52b8e892791b427cd103d43c62c438

SHA512
a0567505914b94aebd702713bd791ccbb60ba3ac9af2df9f4cddaa1d1546b0a84e00897a2a849b8bbeaa4aba486ed53e0a9059fb2e80865c72bcdc3205b8f2bf

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
192KB

MD5
61761a05a57a3b23742aa9a80abd095c

SHA1
76e59d7eb8d4c93407ad4d188b8175841e33e46a

SHA256
9391117295dc4f5a5143643cb8037b3ce2faea182d1d11a47fd86bab3214ae3e

SHA512
8ba95eedc0de3c81f3bd3ca0fa3e12fc73c4d9145954a12a8dec9c4d4d0a82dfac9df9596b1501f7ec374ee7ec6fa42c1fc4a5f680497e55b2a30765e5a5711b

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
192KB

MD5
462a16c35a6b181d8034f1a7ead91567

SHA1
3394e03507764a4d55f87f3cc6275adc4e7ee086

SHA256
3ea8779d383aa8fda1bfe912fb71a8673a70b7793e17ad0ebb483f8771191183

SHA512
b411271ad02b275ae17622678ecf1e378fb5b10c6e800d011c7674f9c543a9a556e16592c6072245e06fca60a8dc0207900b8d66f001a8a18d6262c8c41b0a54

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
192KB

MD5
581002c10a9e83e05174dfb97e857df4

SHA1
ea2e09417de6dc56bf223e4ef4435b6fab312ef6

SHA256
17c392549c54570c8e46fd16d6dd030d8c7a803f683e22ca1d3e3e02e06cf7bf

SHA512
07bc374a4f56fe63595477897cfe50e34e70a5e5cc653197e528f07cb75fde4a9523b761e4c2b8f016bf9a3e3196aef6f14864bf8458e61ad649ca7bcc228b30

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
192KB

MD5
972a3807964a8723b055f45efeccff38

SHA1
d00812581233f0a1270dd329eacfa8a10135f020

SHA256
728395b8e6f3b87bb10819d4cf5732c7b2b46566897b8e366bdbfe77999a3992

SHA512
3ec294b4f90eb8e948a0c2bf151fd82740b5341f24eea853892e6c7d2a0d386d0b589d55b68418acae1de11b5fbc343ae37d0f970fac74c3e4bb05bcb34e212a

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
192KB

MD5
a113d02934afcc761a398a16a90775d4

SHA1
cfd4bffd594efb1a42cbb8f2233193dd21ca962b

SHA256
435908a5f7847b940ca5bf3737781eb0d1760f5ad7c19ce58215faacbda4c89d

SHA512
5f3916654f8520346e5cc08714cd92926c45bcce2ad9b1fe3e1de20033fbc780c2070e7d93e3e6ecb5b80b9f95cee04a91e18eac47c284ea2339b53823c582a1

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
192KB

MD5
b1362c0149330c0673e24440d20f3846

SHA1
011f012e0d7f61f943bd3edee330ba5a0144e5b9

SHA256
696320992bdf45cc30e31319e928a26735bc915c0f37e60775779be32047d2a3

SHA512
1ffbb683e6adad4a16085b030d5feb067ca699247848e4de5b9babae89118b53e2e02a23f0a5ffbc825a44c797f176c5dbfdf85e3b95e6f0baacc4e9502b1e85

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
192KB

MD5
56dc43b627fba909d0a09a1291052693

SHA1
9748c7f608d6c2ca84ab21436b9538f2bbec71df

SHA256
a3ac64402fbf648883069f331f4aa345202cc9fb28010947da95e1c4010cf87a

SHA512
9948d489d6d2047ec54ae3432fcd8beaa43c5532bac8ceea0084772d819afeb963654e7ed304cfa93a75eb55d92172908eb2d7a3056ddc8b747b91dab966a6da

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
192KB

MD5
a70176c1a1d1f57a1503be4845743227

SHA1
1338c51a0ef42bf1f673cc177454fa484110ccae

SHA256
9fff26936a06cfc55815c145fa8f0a4b879010fa8b8f2f9b9b907b8efa5fa1fe

SHA512
4c19ac755596ccbf6897791b2029da0be9040053b16b853e3b007eeaa0226ab0fdc21d92f3fbf77ccf9c17b4872d1e5323042b4ab11064740b996d4c5789daab

Download Submit
\Windows\SysWOW64\Iakino32.exe

Filesize
192KB

MD5
d5635d96428afe221e5047b3aa599e2b

SHA1
4b8f0f333e993b89aa9242694c092b7f30f0663f

SHA256
1f2ba1705df5e1d0c09cb5230797fb2bef727a4681fd450171bc8730dfd265d8

SHA512
75fa73e5f9e446b7d633debc51cd9584fd8c07eafb7117226cb3649192165b8dad6d29683ed2c6f2bc886b5a1e8f13ee8b02c5581b55ca11fa2c29357dbbf1c6

Download Submit
\Windows\SysWOW64\Igceej32.exe

Filesize
192KB

MD5
503c4e8901d8cdce9499757fb1863628

SHA1
a9f4290bd1017b75da41eef9e7a6722ce57c58b5

SHA256
e983401abcf7dd720125f83387dde1095186bfafb2a10ebde1647fc3c96dcf28

SHA512
9d3807e49be6545950a57965892cb7c9e88a008dfe61b237568561fa1957e095460caa31e860ef295e50d1d753e62a6b498bc7b50fd05db800c4beea760c7bef

Download Submit
\Windows\SysWOW64\Igebkiof.exe

Filesize
192KB

MD5
dec3a8e0bbd0f5c6a58275f23ca40d52

SHA1
f391ce917fe7abaea0346c143a54922ca20b4919

SHA256
69bf95e112d0eacc394e2effb121c301df72f0e9ae3c2d74df30e5e6aaf2441c

SHA512
6b6d01d20d088d98f94efc931a5240de7f9343f28faff22b4bc3e8a048eff4a0e35e446f04ca70cf96d5b0a0fbd6b76c02e5d4579dd9837da3080645e143496c

Download Submit
\Windows\SysWOW64\Iinhdmma.exe

Filesize
192KB

MD5
fd9c5fbf6b898a11615f97b6907e8830

SHA1
ad35e2551682b8731b545a2317d8158d311df189

SHA256
137e29998d95b317d34e8e06acf69e8f806542db32ca5d7ca059a8bc04fee17b

SHA512
e8a8f7dd113aefd7d9c2b7601f4df169e4c99beea2eb93acfc47b38727c6c20d22a60141d7af6c16fa6b146fc5a786f67403a32d68dac7f633cdcb88548c7597

Download Submit
\Windows\SysWOW64\Jcqlkjae.exe

Filesize
192KB

MD5
c6ce196981d7205c7bf4e1b3f6df7522

SHA1
29c3bdc1ea9a36e8ef5a7ea7c7e135dfdacec5d5

SHA256
4dc437b2e110e0a40c378bac3a05de4ec3d2b37541a9854a3b5a5359922d3476

SHA512
3cbab3677309f5913bc3244ed7991ec0a21e16a02e1407b7dfcb68b25c76350d66526506dfce3f8a5aa2c2a8af70e71e434f0cb3caee21fb12cc233d022e5b93

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
192KB

MD5
22325346f37fb9cd47921ce70cb9d81f

SHA1
b7d2a413f3b7211c23cfe79c322ef3b7f74acb8c

SHA256
710bddde8944cd38896f2d7f55fed17b4f1274e4562a0cb0cf49fe58d0b0cc6e

SHA512
f41caf4bb07a77f9ed20abb672025ec699bb2282b7e2e1e0bd4bb5c4a69450030080febc9f1c519ec7ef08dd63a40b2b7fde9bdb928c6cf5aa262e97c1e21d02

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
192KB

MD5
652a480eb4a7f3ccde026f7e5473adf6

SHA1
eb4ea584b090a16c600a118d3dfab6271cc4a81f

SHA256
3e60261521a6560c73878cb0436e3d4e157fac0d2179f1605d0783cde960bc23

SHA512
cc31854f0f9b20aa0a1d24ebf589623339fcf69bb4fe163b2faf0c7e5b87dddf6ec45e7020133cf416b50914eb54660145e9fa367395015a0f56c3a6f24a4085

Download Submit
\Windows\SysWOW64\Jibnop32.exe

Filesize
192KB

MD5
a0178e9d6eb67334cb4fc04308bb9ebc

SHA1
cdfd3a962454fa16b15d818b7dc0592fd97afc06

SHA256
ec433c09dcd0b6a11f67acd885ba0087f82893baacb333c8911a5c5d37ab3d2a

SHA512
9c448bba1cf5957c10462f812cada43d5de7390ff03e00b8d9af5b2b2f35190be3ccb3fe85131308c1ae805dc40e4dbc80cbedf5a6718e90f1b355a7f7bd64b5

Download Submit
\Windows\SysWOW64\Jpgmpk32.exe

Filesize
192KB

MD5
05b69d0f3550324433fe457ea74ceded

SHA1
d8441db72865ab182c6b09d08147105ee6ac9d99

SHA256
310ac30709d959c620b1d24a31904a0b4c83f6fe45ee6dd256995560f37ec7e2

SHA512
15a43213b03570302079a42073edd6c9eb8af9ee99dbe739fd23489741ecf673a4881cff6678f0c730cfbe904234c2cf9970abcee0afed838312cfb82b4a86cd

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
192KB

MD5
f03ca3df320f40492afc6e327666c179

SHA1
cfeeb0071ed7cf2e6ad315b691ae333c2ef0c73a

SHA256
638993eaf10648bd0046c005a43df9ba1a9166c3e23c302d3d937d414492edee

SHA512
97fcab59ffaae2efebaef31f6863f4e116d0cb0ec86db8fb220c6d2b555ead845172e34a81cef3b759ebbf090fd4662b525ea37dea67fcf70ca2992cf4fe46d7

Download Submit
\Windows\SysWOW64\Kbmome32.exe

Filesize
192KB

MD5
2d8db01058f83c163a2972d55a6ddaae

SHA1
772e000a890a2bd8f83a1ae189fc712ea6240bf1

SHA256
3f2edc382e33c3d5f64dfdc7c4954f41ad16b5afc1edd9b00b643bda2da939b8

SHA512
bd4c6a9bccf3e2d3117d4abaf020f7ff7027bc0e02fa4d6ce7314680a8cd7ccbde2426530f0e60598b0d37a73b8f0e9d92f498734d900b5571a2e1d6a839d5af

Download Submit
\Windows\SysWOW64\Kdnkdmec.exe

Filesize
192KB

MD5
dd30f48e7af6c6f3c1ebab6adf242301

SHA1
b0eaaf91174d74b68a0e13d4864064e58f63e379

SHA256
1e803d6bac044c454315734a8bc0c133a06c54d817bf5e9330a34c0a8375fbe2

SHA512
f5778f14de51e6080ce3c444e6947fc4f686b2f5afbb2798baf48e5b32ff624d54df09c58a2cf9dc3856fda5a996f2ee857bc3f3561974b55bb5cccbc3d785bf

Download Submit
\Windows\SysWOW64\Kenhopmf.exe

Filesize
192KB

MD5
9eaaa92cc7049add0effd9c01929a4f1

SHA1
59b0aa0a58e3c6727bcbe40b184374bbabdab756

SHA256
05b9f73fd5002d1566942e15db8f08fe8e6981e3184b616d59601729bf6a8c54

SHA512
04938db642d457fde0975dd10119273628413fe85d7b0796df9db51dacf71cb8a270743e168c074f56948d149b8416190b5b06c26af8a6f0ef4ceac5cec33ed0

Download Submit
\Windows\SysWOW64\Kpgionie.exe

Filesize
192KB

MD5
a94c388abd3b8f0516f261edf32863c6

SHA1
7c87fedec22a82039a9f394f51c658a9537df59b

SHA256
927cdaca0eb4b157dc9abfe4c42ba9082bf214dc88a158cfec1985a2ec0bb051

SHA512
911eb2723d1c83b62b830c635636afabfb73bd4b9273fb29f6c6f91769c11435385601733be93ff1282dc1eeee71b7ba6c0049c2be3fc9d515580432f75cd665

Download Submit
memory/892-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-131-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1064-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-27-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1288-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-243-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1500-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-55-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1548-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-215-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1548-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-252-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1732-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-227-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1732-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-285-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1876-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-286-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1876-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-234-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1992-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-296-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2148-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2220-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2220-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-40-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2292-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-184-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2364-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-157-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2560-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-275-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2560-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-262-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2724-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-104-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2804-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-82-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2820-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-307-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2976-306-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2976-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads