berbew | 83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Size

448KB
MD5

c5edad74accc3d3c61b27f881b250296
SHA1

6583254102b1ce16e69b362cef9a0e731caac1f7
SHA256

83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b
SHA512

0b156c472a225f79f6cd9dfd5d1205deb5a5a441de6a259f5bed461f964cc83e869c85ac02bd28ce7411a1fef89fbf9f8bf39e915de25cab5fc92ea3602408ac
SSDEEP

6144:CqEw+AGbM2yJT///NR5f7DM2y/JAQ///NR5fLYG3eujE:3EyoM1z/NzDMTx/NcZt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loclai32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2500	Iocgfhhc.exe
1540	Iikkon32.exe
2992	Ikjhki32.exe
2772	Ifolhann.exe
2904	Jpbcek32.exe
2944	Jjjdhc32.exe
2836	Jllqplnp.exe
2680	Kbjbge32.exe
2328	Khgkpl32.exe
2392	Kfodfh32.exe
2600	Kdbepm32.exe
708	Kageia32.exe
1800	Kgcnahoo.exe
1272	Llpfjomf.exe
1968	Lgfjggll.exe
1396	Llbconkd.exe
1792	Lcmklh32.exe
1248	Lekghdad.exe
1448	Llepen32.exe
2736	Loclai32.exe
1056	Lhlqjone.exe
2860	Lcadghnk.exe
2516	Lepaccmo.exe

Loads dropped DLL 50 IoCs

pid	Process
2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
2500	Iocgfhhc.exe
2500	Iocgfhhc.exe
1540	Iikkon32.exe
1540	Iikkon32.exe
2992	Ikjhki32.exe
2992	Ikjhki32.exe
2772	Ifolhann.exe
2772	Ifolhann.exe
2904	Jpbcek32.exe
2904	Jpbcek32.exe
2944	Jjjdhc32.exe
2944	Jjjdhc32.exe
2836	Jllqplnp.exe
2836	Jllqplnp.exe
2680	Kbjbge32.exe
2680	Kbjbge32.exe
2328	Khgkpl32.exe
2328	Khgkpl32.exe
2392	Kfodfh32.exe
2392	Kfodfh32.exe
2600	Kdbepm32.exe
2600	Kdbepm32.exe
708	Kageia32.exe
708	Kageia32.exe
1800	Kgcnahoo.exe
1800	Kgcnahoo.exe
1272	Llpfjomf.exe
1272	Llpfjomf.exe
1968	Lgfjggll.exe
1968	Lgfjggll.exe
1396	Llbconkd.exe
1396	Llbconkd.exe
1792	Lcmklh32.exe
1792	Lcmklh32.exe
1248	Lekghdad.exe
1248	Lekghdad.exe
1448	Llepen32.exe
1448	Llepen32.exe
2736	Loclai32.exe
2736	Loclai32.exe
1056	Lhlqjone.exe
1056	Lhlqjone.exe
2860	Lcadghnk.exe
2860	Lcadghnk.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Ikjhki32.exe	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Mcbniafn.dll	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Iocgfhhc.exe	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ipdbellh.dll	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifolhann.exe	Ikjhki32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Iocgfhhc.exe	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jpbcek32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Ifolhann.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Ikjhki32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Ffdmihcc.dll	Ikjhki32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Ifolhann.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Ifolhann.exe	Ikjhki32.exe

Program crash 1 IoCs

pid	pid_target	Process
2704	2516	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikjhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocgfhhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	Ikjhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll"	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2500	2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe	30
PID 2272 wrote to memory of 2500	2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe	30
PID 2272 wrote to memory of 2500	2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe	30
PID 2272 wrote to memory of 2500	2272	83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe	30
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 1540 wrote to memory of 2992	1540	Iikkon32.exe	32
PID 1540 wrote to memory of 2992	1540	Iikkon32.exe	32
PID 1540 wrote to memory of 2992	1540	Iikkon32.exe	32
PID 1540 wrote to memory of 2992	1540	Iikkon32.exe	32
PID 2992 wrote to memory of 2772	2992	Ikjhki32.exe	33
PID 2992 wrote to memory of 2772	2992	Ikjhki32.exe	33
PID 2992 wrote to memory of 2772	2992	Ikjhki32.exe	33
PID 2992 wrote to memory of 2772	2992	Ikjhki32.exe	33
PID 2772 wrote to memory of 2904	2772	Ifolhann.exe	34
PID 2772 wrote to memory of 2904	2772	Ifolhann.exe	34
PID 2772 wrote to memory of 2904	2772	Ifolhann.exe	34
PID 2772 wrote to memory of 2904	2772	Ifolhann.exe	34
PID 2904 wrote to memory of 2944	2904	Jpbcek32.exe	35
PID 2904 wrote to memory of 2944	2904	Jpbcek32.exe	35
PID 2904 wrote to memory of 2944	2904	Jpbcek32.exe	35
PID 2904 wrote to memory of 2944	2904	Jpbcek32.exe	35
PID 2944 wrote to memory of 2836	2944	Jjjdhc32.exe	36
PID 2944 wrote to memory of 2836	2944	Jjjdhc32.exe	36
PID 2944 wrote to memory of 2836	2944	Jjjdhc32.exe	36
PID 2944 wrote to memory of 2836	2944	Jjjdhc32.exe	36
PID 2836 wrote to memory of 2680	2836	Jllqplnp.exe	37
PID 2836 wrote to memory of 2680	2836	Jllqplnp.exe	37
PID 2836 wrote to memory of 2680	2836	Jllqplnp.exe	37
PID 2836 wrote to memory of 2680	2836	Jllqplnp.exe	37
PID 2680 wrote to memory of 2328	2680	Kbjbge32.exe	38
PID 2680 wrote to memory of 2328	2680	Kbjbge32.exe	38
PID 2680 wrote to memory of 2328	2680	Kbjbge32.exe	38
PID 2680 wrote to memory of 2328	2680	Kbjbge32.exe	38
PID 2328 wrote to memory of 2392	2328	Khgkpl32.exe	39
PID 2328 wrote to memory of 2392	2328	Khgkpl32.exe	39
PID 2328 wrote to memory of 2392	2328	Khgkpl32.exe	39
PID 2328 wrote to memory of 2392	2328	Khgkpl32.exe	39
PID 2392 wrote to memory of 2600	2392	Kfodfh32.exe	40
PID 2392 wrote to memory of 2600	2392	Kfodfh32.exe	40
PID 2392 wrote to memory of 2600	2392	Kfodfh32.exe	40
PID 2392 wrote to memory of 2600	2392	Kfodfh32.exe	40
PID 2600 wrote to memory of 708	2600	Kdbepm32.exe	41
PID 2600 wrote to memory of 708	2600	Kdbepm32.exe	41
PID 2600 wrote to memory of 708	2600	Kdbepm32.exe	41
PID 2600 wrote to memory of 708	2600	Kdbepm32.exe	41
PID 708 wrote to memory of 1800	708	Kageia32.exe	42
PID 708 wrote to memory of 1800	708	Kageia32.exe	42
PID 708 wrote to memory of 1800	708	Kageia32.exe	42
PID 708 wrote to memory of 1800	708	Kageia32.exe	42
PID 1800 wrote to memory of 1272	1800	Kgcnahoo.exe	43
PID 1800 wrote to memory of 1272	1800	Kgcnahoo.exe	43
PID 1800 wrote to memory of 1272	1800	Kgcnahoo.exe	43
PID 1800 wrote to memory of 1272	1800	Kgcnahoo.exe	43
PID 1272 wrote to memory of 1968	1272	Llpfjomf.exe	44
PID 1272 wrote to memory of 1968	1272	Llpfjomf.exe	44
PID 1272 wrote to memory of 1968	1272	Llpfjomf.exe	44
PID 1272 wrote to memory of 1968	1272	Llpfjomf.exe	44
PID 1968 wrote to memory of 1396	1968	Lgfjggll.exe	45
PID 1968 wrote to memory of 1396	1968	Lgfjggll.exe	45
PID 1968 wrote to memory of 1396	1968	Lgfjggll.exe	45
PID 1968 wrote to memory of 1396	1968	Lgfjggll.exe	45

C:\Users\Admin\AppData\Local\Temp\83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe
"C:\Users\Admin\AppData\Local\Temp\83eb5b8b1edaa6887fef7e7ffa4f99d1a5f86a9cf77f9a98b0744da4410da70b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Iocgfhhc.exe
  C:\Windows\system32\Iocgfhhc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\Iikkon32.exe
    C:\Windows\system32\Iikkon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Ikjhki32.exe
      C:\Windows\system32\Ikjhki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\Ifolhann.exe
        
        C:\Windows\system32\Ifolhann.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ifolhann.exe

Filesize
448KB

MD5
6cebd86b20651263c115efe1fcdb20e4

SHA1
94f8daa33cb1ef665f9d86184103d781713ab7e3

SHA256
36e0b61756b0f5311768c7c770ae28a416c74d7b5558c8075a4a95471243d0c4

SHA512
e1a75b2a9dbf291732521e35dcf418b9a1698b8e824b2b1dc4983c318e2f7116e32d31a4d6ec447a7670ebf83a3164510dcad12818b9901f44d6f74344a45696

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
448KB

MD5
c412290b829088cf06bed3b282f834bb

SHA1
627b6c666f2dfbd1e72aafdaff21efa937809157

SHA256
4cf634e333f43daf306ac5e28d31e47d1b5cdfae869801f56640a49edc9a17d7

SHA512
f95d1e94db4a9a81bf16bc7dd72ea5a9156ec9a135cbd0f399d09c696ddfb3a4bf440f324ec4d8f4319b01cacca8e0475837778a8258ec54efab5a9b158a5785

Download Submit
C:\Windows\SysWOW64\Ikjhki32.exe

Filesize
448KB

MD5
d934fb4b5c8b1515e2e5899085a044a1

SHA1
b1b3e8ac89dcc0756b69de127a0c14f9f2f3b39b

SHA256
15b19249d9b8fee5c6833a25209e28f3efb1c9d1fb216e183ebbcb65a53d4f39

SHA512
c661d962bbf8e0e0ceb2fdfb94d3b2233e6ea5f67588a162998023ced2bc246659bda8ca07e905abd835e4c9741cb7141444ebcd59f9c2fda852cdf096d4c9d6

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
448KB

MD5
047501665970b79a9d7769ef38c80556

SHA1
9595fcc30fa031622542e84be419f0c1e8aebb10

SHA256
80af5a95168a4e62e9bda35f503328236a5757768dfcbf338349a001f27a215e

SHA512
0d32ab9100b1a78db1af049f162b54e9f3cd21511d108a787585b697920f3d6a8ac6405a82849c5bd3d4cc0d1114d45f101ec5fe5eb13cb68ceb88b432f8e602

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
448KB

MD5
a69a8d956a3bbdde85201bee825387e6

SHA1
3b02f2d7c8dda1942382306aaeeedaff37bd5674

SHA256
4d5a004ffb598bdcd59128f7b5aaf80ff52cfdba87f44cfe3e15ba4f75579283

SHA512
9773b10712dddace29d3ee1c3a6dcfcf9eab4a3a29ced456a19b7416a157c18a4e612486f09eb62db772ae746b63dfee81a9564932d1fb3346e871ebb57909d4

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
448KB

MD5
49dc5ee8bced6beaf38f5e8b4900a4bc

SHA1
236764de549b5d7bf517da16e215c35ec994f3c1

SHA256
9d0890dd04a68bbf9e8345a35a6ae33897e6bf379521788180d14038cf8d979f

SHA512
3666f03cce7ecb81b1b9f2ec8249fe9b78f92cd95b4d5314ea29089a912b5c6c300aaef1037f3c986cff27c3b5873b4cc15bf4189d5c3e5af83cbefc86ba840c

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
448KB

MD5
cdf4a430fd6f294d04c5b939c08eaed3

SHA1
88aa7051f9e7a3f6a9ea60833eba948ef4d66a5d

SHA256
d8b2dbca18434b1a241e2bbf8a5fda6bcd868a8189aa4ddaffd8d1e2944581c0

SHA512
d540feec4f4eeebeef6ed6586156b032dba78fe0dd23e4d6392b41af32c33f7662f305eb997301b3820daeaf994dc6c1d701b464d559fc61e29936c87de927b6

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
448KB

MD5
58537152b9bca8ce5314a8dfb7218012

SHA1
4075328f710a65a1df64b4616006f7c6c0b1d97b

SHA256
65d26342ef1dae75ad56f6d701de7be4d8c2c810774895701884e95399f2efd5

SHA512
dcde7f6540878f4655b257d2fbc10a33b5098998ac5b621a5afbaaf7e67d100bf155a5c876989648576819bfe995d25611bfa04b5b595f97a88c97f54766d08d

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
448KB

MD5
d0e8c1863e48dcc1011a40da7da9265a

SHA1
bb8d1cf8895cd528f144c96884d05294d092f848

SHA256
873e01974eee85883ef7d75733b047fbeecfdbc9d3e1b1ed154140956caff2f8

SHA512
182683a72503e40632f7c4c5bfc25901f864a980088a97d9fecfd9f41d083561339e574962e41b0006249c92281bc895993bad7b274edb2d2e313369b4e0555d

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
448KB

MD5
84ad9eb52f7ce076473d6a7a8c7f7065

SHA1
836f63a62d7fac1f741fc705c80ece8b15513ce6

SHA256
a3c985561a728feb74b94cb71adcd41d2e957784067fa9cb4db4de92ecb82c5a

SHA512
2ab90f6b28b0a180de7bc9cc14afe0852512b6dd31f43baf8a8a7d64e32de3ce48b7cd0566673de6442a8b0c480d6153eb1a682f9803168d909856aa949a62a9

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
448KB

MD5
714b28bf769d29c0511aac2b96832d5d

SHA1
f825a0fc72e0ca88310d3535a6f8618a6b3f85ba

SHA256
008a73a4ae666c378732e88f5c619677061adf8f3f1b89e8f4f2643acbbd53b8

SHA512
6e85f69ad317e9d9789f8e1cbc895a3596b4762747211609dec65346db2ca8c1f6c83d9f0b4e91388b24f0eee55883e0030582fac8814b20c1ea3794dcba17e5

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
448KB

MD5
c8caec3298203572995c225ed65eb7e7

SHA1
1436bdddd00709537fed7bcd8bd563098b4b7834

SHA256
343b22d1ec52b0f14d4fdb7a46c5bc629752202c122683e52b0048d1a0af4b81

SHA512
6018a91fc1682ae4391f3428ea697121af772a5d009d79109e35b4c458bc308bebdd851b5992a8f35ed4aa5bb084cd154718952ba68dee4ab86677534e6c4e53

Download Submit
C:\Windows\SysWOW64\Lhlqjone.exe

Filesize
448KB

MD5
d66f0fe738cf6496b7cf686fc41e222d

SHA1
0c828dcadd680c88a15b8684091f6d28392e373d

SHA256
2efe0fec110e7277a0ef2fa048e66517ec4af1836fdb00af25a0792609d848e3

SHA512
d4a014d780adfe534e879f6027944a74a54bc75a52f0a26d5979be8b07f4ea6d50bdf3002a33548f497d39c042fbc1cec7ac10355efa76899095e098a17fc3cd

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
448KB

MD5
465e4624ec8f5ab3fded8aac7e7150da

SHA1
d38ae43d8bb5c77bd7b23c40d51ddf7170b9a286

SHA256
aea52ba434be3b7b80b85925e6aa231ef407dc96f65acff0ae480ec92be73973

SHA512
e385e4434a6fd5804a0d8c42065d419338d26827590f46b417c1f2a0abf6af29e6845a38b87d124ee32f2fad8b3481b4712053b122a5838655d0774b6a535be8

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
448KB

MD5
94a71af928a8c272cea364233bb8732f

SHA1
607561cce39bb4c63295fc23da65377b4ad013d4

SHA256
54c2bf6dd8b569203917eefe3d72e44611d3a39ba8d7a7839c5f3e0c5e3e715a

SHA512
b68cd2cacb1acc56469199626a116f7d0a54293f24160e35440bfc19d5e16877b2b51b37768d5c00a779dd2c2bebb9b907d86630cbb04f06d9b0a8efa0a347a5

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
448KB

MD5
5b59af06cfd536be5d0b8ef5cf796e49

SHA1
c9b3df137d60165989d13a6ee0b80d4edfde4e93

SHA256
17d9464c64d2a7afd516fb18d1154a6c756f3152af9e289b5a099fa92a965e14

SHA512
578f97c6c78039c23d3a08e320c436c44fc6b2e2a8772a56ac4834b4d45fb6a63ce288e1bf3ed0153d911c3fbd02b0270a30813e175d7bbaa071bbeb7f889110

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
448KB

MD5
97f0f03e99b538214877f5ba46918c83

SHA1
db2cea5b8ac9dcdb4346666ced44dff657afa839

SHA256
ccd57921f9764fd5e64787fb6a0f0ecab63d2c714dcb736beaa6a019767013ee

SHA512
8fddcd373b265d992f612615624ca2814dc312fc2fe9085b5845d7559830938269d3fb32e1f90258d80e1bfa8c9002339ff6858c9bcc966b1de1b0d22e5e7188

Download Submit
\Windows\SysWOW64\Iocgfhhc.exe

Filesize
448KB

MD5
a26f7fe5b3abf9b8af8374de4768404b

SHA1
cb6e28c7da995fa3ddf7722eda42a7c5edac57bb

SHA256
66705311433112931109dfee3451bbd3a0da4917143c677d6123dcd52aaeb1c0

SHA512
34fb549c2b5ea3be75b714d2d1098b91d6582290a0c9266be2476c4a9952e0306554edfb4eb2b3602274943d600982de860515441986bf154e5aba86f74f31cd

Download Submit
\Windows\SysWOW64\Jjjdhc32.exe

Filesize
448KB

MD5
3da8b0ccf427b332dde189fad0ec00e0

SHA1
7b619bebe090422c073f7c3f6695776b056fc6fe

SHA256
60e0c3a72fba26fe28abfd631fa222f835fffae3705ad1cd4409823ed353aa18

SHA512
6684680eba23172076bf4d13621c99f89392938eed08d89ae9c3ef11b7417b238b5ec00451c0ac3b834d01052c8d7bf0804d8b60701ce58c3d3c1f55269b4685

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
448KB

MD5
2044c72651a970b18a18c97b045760df

SHA1
949b133a9534a53702d6fe6ce74771f74ca7478e

SHA256
a84229666fce081c6d88fc5e3817cd8776c09065e21a813ecec8d770a32f3116

SHA512
f89bdcc1405aa314f757b8081293e6ab7788ce12657bc827841480a6348bef82dda87d424dc446dd9bf0914e46acbef680977f1fc30646aed12f1b48de3ae65f

Download Submit
\Windows\SysWOW64\Jpbcek32.exe

Filesize
448KB

MD5
9937e354093bc4280ec8563460dc2ed6

SHA1
400728469f3ce6248b13062b7bd44aa7e411022f

SHA256
568e9e2bc89f0dfbba8f91a18476fcddb5211e925b8cc3e4739bab3c9e009640

SHA512
5c9a7c930c99827d9dde75dc9cf866cb398a523da66519ce306e5c15a271370074b11010a8dee2ad7d30d9a8cbd02985bd713784b63d5723cb5c10986bec1520

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
448KB

MD5
b955f0af1acc5a0028d3cbac4379f589

SHA1
450ee12822bd2ca0772345bbc06f77e78a7a67eb

SHA256
59959c9c7a60c1f149177dbbd8fc85d905956f07cb3d58e46c6b64b015cdaac2

SHA512
b71f4d08c10b98dc3cf4e80311bd0ba77ec5b4935504e8b6e9eded9384c1d0fec098db0c00fcac1ff9a196ffe7754221ce6c963538518d99bc828d045c945d97

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
448KB

MD5
2480e6280bd17f2a4e8d783869ea8162

SHA1
0ec9025fd1bd3ee6dd561652f6c8eff2699a35a9

SHA256
ed77459739bbd732b107045dc5116c5ae93e92e43cf3e4b3c64d3346e8f7e12d

SHA512
adacec6593c0dc393bfcdd76cd62a4eaf93b9abc12b167bf096f4be959424c8f0de758f167a8a940f63847541ee7c3faa4da457c760fd1a610ed1944ed650153

Download Submit
memory/708-177-0x0000000000370000-0x00000000003EB000-memory.dmp

Filesize
492KB

Download
memory/708-176-0x0000000000370000-0x00000000003EB000-memory.dmp

Filesize
492KB

Download
memory/708-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/708-333-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-290-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/1056-300-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-277-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-289-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/1248-307-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1248-304-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1248-253-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1248-254-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1272-207-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1272-196-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1272-320-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1272-206-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1272-314-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-232-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/1396-227-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-310-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-233-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/1448-302-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1448-268-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1448-255-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1448-267-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1448-305-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1540-336-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1540-32-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1792-313-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1792-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1792-234-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1792-246-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1792-247-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1800-195-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1800-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-347-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-191-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1968-226-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/1968-208-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-224-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/1968-309-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-311-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-12-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/2272-11-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/2272-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-340-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2328-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2328-129-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2328-345-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2328-130-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2392-147-0x0000000002060000-0x00000000020DB000-memory.dmp

Filesize
492KB

Download
memory/2392-146-0x0000000002060000-0x00000000020DB000-memory.dmp

Filesize
492KB

Download
memory/2392-132-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2392-334-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2500-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2500-344-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2516-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2516-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2600-161-0x0000000001FC0000-0x000000000203B000-memory.dmp

Filesize
492KB

Download
memory/2600-165-0x0000000001FC0000-0x000000000203B000-memory.dmp

Filesize
492KB

Download
memory/2600-332-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2600-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2680-338-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2736-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2736-301-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2736-276-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2736-270-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2736-275-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2772-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2772-335-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2836-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2836-343-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2836-103-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/2860-337-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2860-298-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2860-297-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2860-292-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-341-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-77-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2944-339-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2992-342-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads