berbew | cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Size

337KB
MD5

f66386730c3497ca644c7e77d5d793b0
SHA1

5da659a3e0af11bc6202517eacca18f4014b705d
SHA256

cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948
SHA512

0317f66c97bd23f87b547663cab8cbc1a9bfa6cf620ee8f05380600109ce6f319229c6950776edb3d2f705c672407c8480e44da08455f1f11e01e943ac672cac
SSDEEP

3072:um2uO9O6VLTav239gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:tMae391+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkilgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdogldmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjebjjck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnlikic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjebjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmacej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgbcofn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqfhqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbemho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnlepioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhklha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maocekoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbile32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhklha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkgbcofn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbemho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqfhqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maocekoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdogldmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmnkglp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 23 IoCs

pid	Process
2760	Jkgbcofn.exe
2784	Jdogldmo.exe
2864	Jqfhqe32.exe
2604	Jjnlikic.exe
2636	Jnlepioj.exe
1804	Kgdiho32.exe
2840	Kjebjjck.exe
2144	Kkilgb32.exe
1016	Lckflc32.exe
3044	Lnqkjl32.exe
2380	Lhklha32.exe
1496	Mbemho32.exe
2996	Mmmnkglp.exe
2356	Mfebdm32.exe
968	Maocekoo.exe
1972	Mbopon32.exe
1112	Ndbile32.exe
2408	Nmjmekan.exe
1428	Nhpabdqd.exe
2296	Ndiomdde.exe
632	Nmacej32.exe
2564	Ncnlnaim.exe
1456	Opblgehg.exe

Loads dropped DLL 50 IoCs

pid	Process
572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
2760	Jkgbcofn.exe
2760	Jkgbcofn.exe
2784	Jdogldmo.exe
2784	Jdogldmo.exe
2864	Jqfhqe32.exe
2864	Jqfhqe32.exe
2604	Jjnlikic.exe
2604	Jjnlikic.exe
2636	Jnlepioj.exe
2636	Jnlepioj.exe
1804	Kgdiho32.exe
1804	Kgdiho32.exe
2840	Kjebjjck.exe
2840	Kjebjjck.exe
2144	Kkilgb32.exe
2144	Kkilgb32.exe
1016	Lckflc32.exe
1016	Lckflc32.exe
3044	Lnqkjl32.exe
3044	Lnqkjl32.exe
2380	Lhklha32.exe
2380	Lhklha32.exe
1496	Mbemho32.exe
1496	Mbemho32.exe
2996	Mmmnkglp.exe
2996	Mmmnkglp.exe
2356	Mfebdm32.exe
2356	Mfebdm32.exe
968	Maocekoo.exe
968	Maocekoo.exe
1972	Mbopon32.exe
1972	Mbopon32.exe
1112	Ndbile32.exe
1112	Ndbile32.exe
2408	Nmjmekan.exe
2408	Nmjmekan.exe
1428	Nhpabdqd.exe
1428	Nhpabdqd.exe
2296	Ndiomdde.exe
2296	Ndiomdde.exe
632	Nmacej32.exe
632	Nmacej32.exe
2564	Ncnlnaim.exe
2564	Ncnlnaim.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogepbg32.dll	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
File created	C:\Windows\SysWOW64\Jdogldmo.exe	Jkgbcofn.exe
File created	C:\Windows\SysWOW64\Cadbgifg.dll	Jkgbcofn.exe
File opened for modification	C:\Windows\SysWOW64\Jqfhqe32.exe	Jdogldmo.exe
File created	C:\Windows\SysWOW64\Mbemho32.exe	Lhklha32.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Kgdiho32.exe	Jnlepioj.exe
File created	C:\Windows\SysWOW64\Kkilgb32.exe	Kjebjjck.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Nmacej32.exe
File opened for modification	C:\Windows\SysWOW64\Ncnlnaim.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Kjebjjck.exe	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Mbemho32.exe
File created	C:\Windows\SysWOW64\Gkokcp32.dll	Jdogldmo.exe
File created	C:\Windows\SysWOW64\Hjchkfnl.dll	Jqfhqe32.exe
File created	C:\Windows\SysWOW64\Nmjmekan.exe	Ndbile32.exe
File created	C:\Windows\SysWOW64\Jnlepioj.exe	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Jnlepioj.exe	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Lckflc32.exe	Kkilgb32.exe
File opened for modification	C:\Windows\SysWOW64\Lnqkjl32.exe	Lckflc32.exe
File created	C:\Windows\SysWOW64\Hfndae32.dll	Mbemho32.exe
File created	C:\Windows\SysWOW64\Oipenooj.dll	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Ndiomdde.exe	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Jkgbcofn.exe	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
File opened for modification	C:\Windows\SysWOW64\Jdogldmo.exe	Jkgbcofn.exe
File created	C:\Windows\SysWOW64\Kebiiiec.dll	Jnlepioj.exe
File created	C:\Windows\SysWOW64\Lckflc32.exe	Kkilgb32.exe
File created	C:\Windows\SysWOW64\Lhklha32.exe	Lnqkjl32.exe
File created	C:\Windows\SysWOW64\Admljpij.dll	Ndbile32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdiho32.exe	Jnlepioj.exe
File created	C:\Windows\SysWOW64\Mgnigi32.dll	Kjebjjck.exe
File created	C:\Windows\SysWOW64\Lnqkjl32.exe	Lckflc32.exe
File created	C:\Windows\SysWOW64\Inbndm32.dll	Lhklha32.exe
File opened for modification	C:\Windows\SysWOW64\Nmjmekan.exe	Ndbile32.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Nmacej32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Kkilgb32.exe	Kjebjjck.exe
File created	C:\Windows\SysWOW64\Dacppppl.dll	Kkilgb32.exe
File created	C:\Windows\SysWOW64\Mbopon32.exe	Maocekoo.exe
File created	C:\Windows\SysWOW64\Gaegla32.dll	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Jkgbcofn.exe	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
File created	C:\Windows\SysWOW64\Jjnlikic.exe	Jqfhqe32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnlikic.exe	Jqfhqe32.exe
File opened for modification	C:\Windows\SysWOW64\Mbemho32.exe	Lhklha32.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Ndiomdde.exe	Nhpabdqd.exe
File created	C:\Windows\SysWOW64\Nmacej32.exe	Ndiomdde.exe
File opened for modification	C:\Windows\SysWOW64\Mmmnkglp.exe	Mbemho32.exe
File created	C:\Windows\SysWOW64\Maocekoo.exe	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Ddpidhgj.dll	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Gfcdcl32.dll	Lckflc32.exe
File created	C:\Windows\SysWOW64\Gibcam32.dll	Maocekoo.exe
File created	C:\Windows\SysWOW64\Ndbile32.exe	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Nhpabdqd.exe	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Hqnpad32.dll	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Mbagfo32.dll	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Mbopon32.exe	Maocekoo.exe
File opened for modification	C:\Windows\SysWOW64\Ndbile32.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Nhclfogi.dll	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Kjebjjck.exe	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Iekcqo32.dll	Lnqkjl32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ncnlnaim.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	1456	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdogldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnlikic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmekan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbemho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maocekoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlepioj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqfhqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjebjjck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkilgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnqkjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhklha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndiomdde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgbcofn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhpabdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckflc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjchkfnl.dll"	Jqfhqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbagfo32.dll"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebiiiec.dll"	Jnlepioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lckflc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaegla32.dll"	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadbgifg.dll"	Jkgbcofn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjebjjck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhklha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maocekoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdogldmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdiho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjebjjck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll"	Mbemho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	Maocekoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqfhqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpidhgj.dll"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnigi32.dll"	Kjebjjck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipenooj.dll"	Nmjmekan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkgbcofn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhklha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnpad32.dll"	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfcdcl32.dll"	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacppppl.dll"	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqfhqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogepbg32.dll"	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbndm32.dll"	Lhklha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekcqo32.dll"	Lnqkjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpldngk.dll"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maocekoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjmekan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2760	572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe	30
PID 572 wrote to memory of 2760	572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe	30
PID 572 wrote to memory of 2760	572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe	30
PID 572 wrote to memory of 2760	572	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe	30
PID 2760 wrote to memory of 2784	2760	Jkgbcofn.exe	31
PID 2760 wrote to memory of 2784	2760	Jkgbcofn.exe	31
PID 2760 wrote to memory of 2784	2760	Jkgbcofn.exe	31
PID 2760 wrote to memory of 2784	2760	Jkgbcofn.exe	31
PID 2784 wrote to memory of 2864	2784	Jdogldmo.exe	32
PID 2784 wrote to memory of 2864	2784	Jdogldmo.exe	32
PID 2784 wrote to memory of 2864	2784	Jdogldmo.exe	32
PID 2784 wrote to memory of 2864	2784	Jdogldmo.exe	32
PID 2864 wrote to memory of 2604	2864	Jqfhqe32.exe	33
PID 2864 wrote to memory of 2604	2864	Jqfhqe32.exe	33
PID 2864 wrote to memory of 2604	2864	Jqfhqe32.exe	33
PID 2864 wrote to memory of 2604	2864	Jqfhqe32.exe	33
PID 2604 wrote to memory of 2636	2604	Jjnlikic.exe	34
PID 2604 wrote to memory of 2636	2604	Jjnlikic.exe	34
PID 2604 wrote to memory of 2636	2604	Jjnlikic.exe	34
PID 2604 wrote to memory of 2636	2604	Jjnlikic.exe	34
PID 2636 wrote to memory of 1804	2636	Jnlepioj.exe	35
PID 2636 wrote to memory of 1804	2636	Jnlepioj.exe	35
PID 2636 wrote to memory of 1804	2636	Jnlepioj.exe	35
PID 2636 wrote to memory of 1804	2636	Jnlepioj.exe	35
PID 1804 wrote to memory of 2840	1804	Kgdiho32.exe	36
PID 1804 wrote to memory of 2840	1804	Kgdiho32.exe	36
PID 1804 wrote to memory of 2840	1804	Kgdiho32.exe	36
PID 1804 wrote to memory of 2840	1804	Kgdiho32.exe	36
PID 2840 wrote to memory of 2144	2840	Kjebjjck.exe	37
PID 2840 wrote to memory of 2144	2840	Kjebjjck.exe	37
PID 2840 wrote to memory of 2144	2840	Kjebjjck.exe	37
PID 2840 wrote to memory of 2144	2840	Kjebjjck.exe	37
PID 2144 wrote to memory of 1016	2144	Kkilgb32.exe	38
PID 2144 wrote to memory of 1016	2144	Kkilgb32.exe	38
PID 2144 wrote to memory of 1016	2144	Kkilgb32.exe	38
PID 2144 wrote to memory of 1016	2144	Kkilgb32.exe	38
PID 1016 wrote to memory of 3044	1016	Lckflc32.exe	39
PID 1016 wrote to memory of 3044	1016	Lckflc32.exe	39
PID 1016 wrote to memory of 3044	1016	Lckflc32.exe	39
PID 1016 wrote to memory of 3044	1016	Lckflc32.exe	39
PID 3044 wrote to memory of 2380	3044	Lnqkjl32.exe	40
PID 3044 wrote to memory of 2380	3044	Lnqkjl32.exe	40
PID 3044 wrote to memory of 2380	3044	Lnqkjl32.exe	40
PID 3044 wrote to memory of 2380	3044	Lnqkjl32.exe	40
PID 2380 wrote to memory of 1496	2380	Lhklha32.exe	41
PID 2380 wrote to memory of 1496	2380	Lhklha32.exe	41
PID 2380 wrote to memory of 1496	2380	Lhklha32.exe	41
PID 2380 wrote to memory of 1496	2380	Lhklha32.exe	41
PID 1496 wrote to memory of 2996	1496	Mbemho32.exe	42
PID 1496 wrote to memory of 2996	1496	Mbemho32.exe	42
PID 1496 wrote to memory of 2996	1496	Mbemho32.exe	42
PID 1496 wrote to memory of 2996	1496	Mbemho32.exe	42
PID 2996 wrote to memory of 2356	2996	Mmmnkglp.exe	43
PID 2996 wrote to memory of 2356	2996	Mmmnkglp.exe	43
PID 2996 wrote to memory of 2356	2996	Mmmnkglp.exe	43
PID 2996 wrote to memory of 2356	2996	Mmmnkglp.exe	43
PID 2356 wrote to memory of 968	2356	Mfebdm32.exe	44
PID 2356 wrote to memory of 968	2356	Mfebdm32.exe	44
PID 2356 wrote to memory of 968	2356	Mfebdm32.exe	44
PID 2356 wrote to memory of 968	2356	Mfebdm32.exe	44
PID 968 wrote to memory of 1972	968	Maocekoo.exe	45
PID 968 wrote to memory of 1972	968	Maocekoo.exe	45
PID 968 wrote to memory of 1972	968	Maocekoo.exe	45
PID 968 wrote to memory of 1972	968	Maocekoo.exe	45

C:\Users\Admin\AppData\Local\Temp\cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
"C:\Users\Admin\AppData\Local\Temp\cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\Jkgbcofn.exe
  C:\Windows\system32\Jkgbcofn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Jdogldmo.exe
    C:\Windows\system32\Jdogldmo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\Jqfhqe32.exe
      C:\Windows\system32\Jqfhqe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Jjnlikic.exe
        
        C:\Windows\system32\Jjnlikic.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\Jnlepioj.exe
        
        C:\Windows\system32\Jnlepioj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kgdiho32.exe
        
        C:\Windows\system32\Kgdiho32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Kjebjjck.exe
        
        C:\Windows\system32\Kjebjjck.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kkilgb32.exe
        
        C:\Windows\system32\Kkilgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lckflc32.exe
        
        C:\Windows\system32\Lckflc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Lnqkjl32.exe
        
        C:\Windows\system32\Lnqkjl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Lhklha32.exe
        
        C:\Windows\system32\Lhklha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Mbemho32.exe
        
        C:\Windows\system32\Mbemho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Maocekoo.exe
        
        C:\Windows\system32\Maocekoo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Mbopon32.exe
        
        C:\Windows\system32\Mbopon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ndbile32.exe
        
        C:\Windows\system32\Ndbile32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Nmjmekan.exe
        
        C:\Windows\system32\Nmjmekan.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Nhpabdqd.exe
        
        C:\Windows\system32\Nhpabdqd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Ndiomdde.exe
        
        C:\Windows\system32\Ndiomdde.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdogldmo.exe

Filesize
337KB

MD5
20f6fe7540c5c38a60739464f86dae4f

SHA1
c3615c4b696cebe6a595511ca50f672029c2b499

SHA256
0d74af5606870207395731da1d2fb61efcc549c933153fb9d8b6a1cd125ce6f6

SHA512
138d6c57552597383fb9d2cc7665edf335b06a0b70798c750ef31759e5a14cffe8679af66bf71587f53f579538e8edf98896f20a22da61967b38ca2ccefb5f8a

Download Submit
C:\Windows\SysWOW64\Jjnlikic.exe

Filesize
337KB

MD5
63c3d6fd13cb1b08b8394a48afbf362b

SHA1
3f92d821217094b75d0737aea119f99639b26fa5

SHA256
e521a14aa892843fbf4d31adddeda10f65a446a1ccf60633c7d7f9190d1c8b65

SHA512
ecc07c3eddf1d486ccdb35ebf22edb908c235a85f0c2f04490f00133a92678b440fde537de5235c4e6080075fa29bbfdbee063e615e3c496903c4fc88be0bd0d

Download Submit
C:\Windows\SysWOW64\Jqfhqe32.exe

Filesize
337KB

MD5
778eb02ea00362151faa0de921dbe763

SHA1
31358e20c7ff6ffd8328e1b8200741851c0c4b51

SHA256
092baee30f7e20d4aa47e28d838ff535451ac43a1242d878f0bfd09fcd1c5016

SHA512
6f22e78c466784c9bac7d0aef9f74945149258a5c82624872bdd2ac5ea661312966856568f1b59c786b5c005c6e1f0d44afd3eb7178b943ba5e2c89a3308c2c7

Download Submit
C:\Windows\SysWOW64\Kkilgb32.exe

Filesize
337KB

MD5
e2a88ad147a31dad01c960d4e9e19b22

SHA1
987567e5339cb6c1e2186b93c819056bbf5352fc

SHA256
7b4ff7bc8d36d43348d46f466c948a8fad8d1783d69dfc453329616ecf96f85c

SHA512
db3ea27d63d03c07c7becf06abc01754be6c082b13fd6c495683f117e7065dad8968420aff5387c61479b6cbf5846900e1a517ba7acbeaac29755018e227a336

Download Submit
C:\Windows\SysWOW64\Mbemho32.exe

Filesize
337KB

MD5
7e2ec9d52f80cc0f143b61cd13a6157a

SHA1
16b5f36f7b0d6db60eb3e8b6532f88c30346a83d

SHA256
2df74627c3373ecddc14b82b91c3ad4a56680d4d20096cce75ffcd3e50cb3381

SHA512
91943d97620325e35f40fe2e2c746a47d64f49417c960791a77014091f7cb46c6e0563e43d37273f19aeecda7ec5a038ce28736b6cbcf942592020df07ff243b

Download Submit
C:\Windows\SysWOW64\Mbopon32.exe

Filesize
337KB

MD5
2558d17428e4995f35e6c1e05e7cf98e

SHA1
b3854f36f3a13f29288dcb7cdfb6ba1d9772b512

SHA256
99e7d3318ba1dc5a3af21bef4f5e94f5a0aa3a2ae34722ace62094e4131490a8

SHA512
35d2bf27272c1d168775c674904e22772a5aeb491840538e4d5339e373547a76db9e22403c8555f997a6bceda0f8d70a6f445945e21f2d95562e8f61cad7ace5

Download Submit
C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
337KB

MD5
10a38daa5d19c75d372f06f78246ee47

SHA1
75ca4d94e37b1cf49e39284cebe03c7486861283

SHA256
520a5eea7606b221034e91d14edc5186b4225de50dad09e81ed519bea55f23f4

SHA512
45aef7b1c87a6fdfd3e26e77e7b855784cd901c0ca94a7562feafd1a4b3a614cff7da9ee95e8cb973e4e49810917563086b8d9fca6d9128b7a2bccebcb1efe91

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
337KB

MD5
bea8a7611298c8b0c46897feb0a501cb

SHA1
05d5a23c852dcf45c7c58bf0773ee718c5ec395f

SHA256
b13229fd8a2ee4493f69fab27fae52b30b8f853c84500cb2fcd217db7ec9b995

SHA512
9333b7fa7ace54d4958373e0087b2329bf3f05c1b3120f394fa32ce8f308d4af66afcfd3e5abfcc11f285ffd0bb20930639703f64bc1c1de058487b53685148e

Download Submit
C:\Windows\SysWOW64\Ncnlnaim.exe

Filesize
337KB

MD5
edec137aad07ca6368d5f092e3f930bb

SHA1
69b6b65d77387497a73a07e9f59894669af47ce6

SHA256
d56a96db38023cb2f105ff7cb7fe6829acccddb47ab29ab1b3de8f9a5870afd0

SHA512
b4fd81e22c05539c4409065a1b876a73f4b781aacb334f6f6b5c3ea1e6705fb380a3426a736d193c83c7659ab6ad0138bec5475331df0d9ecdaf99af83dfe9b2

Download Submit
C:\Windows\SysWOW64\Ndbile32.exe

Filesize
337KB

MD5
a59606a9ad0afb43b66752b1d40072ea

SHA1
f60d655dfe27cea42ea071967670538b1c880f60

SHA256
f7f9d9ee2f20d2c05f6aaae9e755eb7b4ac89b8e76237e8ba11895a17bbf6de3

SHA512
918ecde65754c0ad7d66eab17ad016d186f2ff9041cb265631508afc84f49728009779c2af1ea1480484407fd0245b7671b10b2aeb1da495bf706570989c6990

Download Submit
C:\Windows\SysWOW64\Ndiomdde.exe

Filesize
337KB

MD5
2fdb2d29afbdc62638484345244ea64e

SHA1
f11eabdbf9f1af98a287f1d4535864a395a7a659

SHA256
774bc53a0bc65dc1edb534bfdb9b757df44d60e4cc30a8238a479934d5b8da03

SHA512
6737cd68b2abae19bb76c13e3ba8b07c99e167d96344cccda18f54e126b87755b40b45d4ddac67272be69855873d2899bde738e7f3da7488655caea233d431cd

Download Submit
C:\Windows\SysWOW64\Nhpabdqd.exe

Filesize
337KB

MD5
a307064d592151f1541296836bc2e2f5

SHA1
158ea3627d9a0273d265b271a3f5ccaeade40499

SHA256
90586b187b03238901c2439a3344b0848ea4bd87fa500f6871bf8a19ed54b212

SHA512
51501634052f78b7e7501014861f338c3ddc1fabf559e4b664e3d68743396b796ecd3d374f7fcebda5484c0330751a09f190c38091ad4b9767fd74732171a7b8

Download Submit
C:\Windows\SysWOW64\Nmacej32.exe

Filesize
337KB

MD5
a86bd90973c73cee9eee8eee494ce58b

SHA1
897b6cd49ffe5c8924cba5f1578316de8c9587c9

SHA256
a0c90400c11b1236a5d549ac2fb6242d82d91118361a541ad16ddf7189808787

SHA512
05734cb1360eee9c0e6be558e500ea73ff7a51f1ca081bd0711e32a0a104e92cd8711ace9e6b3157a15a4e5775cc0779fc992cc8511555a3ce0b280617ceb0e6

Download Submit
C:\Windows\SysWOW64\Nmjmekan.exe

Filesize
337KB

MD5
00817ca420ca91bc361c75ec4250f204

SHA1
8a3d6ef94f248a57bb9623242d5f776760da5d22

SHA256
05a87d9274e0ae07896dcc722e64d7fad966f8111b426ec4d32ec6862fedcf07

SHA512
3aef22a608ce96d9252b58c8e56b6bc0abfbb2e4a361f7977cdb1d2bb1283dbb3abd4b6aacababae5072ae2baa98a9cd60c757da0a7f592babd045161b688d4f

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
337KB

MD5
889b8c7fa9906263fd70ceadecac6c4b

SHA1
fba2bc60a8e805c430d51aa1c19fa49382f275cb

SHA256
b9ddd15b076a8a637fa7668e8d20113d80e549ac4700914b7db85384d41497bc

SHA512
d60f56a09d980c73ac3b35e7074fd60cad0fc7be5e8e3d910102fcd3dd82e3dc510f74b2f824a32feb3bc9fca92e5824d0408c7ff84dc2f84ecf9a7fda0a8b1b

Download Submit
\Windows\SysWOW64\Jkgbcofn.exe

Filesize
337KB

MD5
733c063853899762eacf9539493e8caf

SHA1
6be8f0584fc7b4039fb12e68c79e890bb66d3250

SHA256
bec3fda44caa016ba3db9f12d50ff516672474fd846b4806182be25f0f1779d5

SHA512
5e78f5a656d746830b54531e4bf59db2cd7f3b3624859f2020f5e64dc4f48268c153f7d7bfd1d4a013bb912265e0bb46fa0fd7e3897f33e67fc7e3d00e566197

Download Submit
\Windows\SysWOW64\Jnlepioj.exe

Filesize
337KB

MD5
f248727f3add0cb11ff4c15ed0b64983

SHA1
bc0be8a31b75e42c75ebcf996f67b30d966d0c11

SHA256
186d9fafd941989cc72410a8f5a3dbcd118ffd657540586fc6c033619d5a213e

SHA512
02f3b95920fc4ba0150b024f41c88f6a76a6a80110ef83f8d997085b8a1e1864a6c5ef4cb93e063e80e937ef82d2872e7bdf0766a65f9a06a70003e0378d28a0

Download Submit
\Windows\SysWOW64\Kgdiho32.exe

Filesize
337KB

MD5
0c0382522389e9c27e59b0fbfc2a6f38

SHA1
804fd32bf26b6591ef45d90dec7e7f2c9907c84f

SHA256
5001af54dcdae94023c5d34f57a92eb3a8d21825c1aa08525f6fb8746f1c0209

SHA512
d56bf2c9a9e3e04422aa07e662e276f0d599e69e17b153290076c9314aa0e49c61b458e79fea52c43477f6086f1c156c17c3401688dedefbad57b9aaa3f7ac8e

Download Submit
\Windows\SysWOW64\Kjebjjck.exe

Filesize
337KB

MD5
920b5393dd238ccdef38535ab51ac8a3

SHA1
64dcff98ac8de49a8d6bced80123fa4d4f51e7b6

SHA256
7233a16bae1315f2519c15d885d47fbb9473fdea5e3782f3ba5e4b1d5e46c97e

SHA512
2c7bf048ef0f3b0a75e9ccd0c26742f9229d67858cbf1e03326f87e82d622adb7f87e6b3744f84b0ea26cbd496b4c7cae595b542b14ed3350ec345ab882b0e4c

Download Submit
\Windows\SysWOW64\Lckflc32.exe

Filesize
337KB

MD5
cd0f01b3c9a11e398791c1816a3b6ffc

SHA1
3574f467d89fed7434c98b8bb30ae1602871ed22

SHA256
97b53367cb4abe0b4f7a9cfc434cd1f2e8c0476a18f489bf9558673efa04c788

SHA512
52cd00c1090b39c68fb847ae6d08fac67b007fdbb7d6aea1444b7374f5041055ccf78d2c8b8ebf7f5d0e6f7b9fd6b2a191961ec99014d9d5b7d7888e82e6b7e9

Download Submit
\Windows\SysWOW64\Lhklha32.exe

Filesize
337KB

MD5
f9043dbdcbc114763166fd7f3e13359e

SHA1
80793001b56b8799772820ee9370b78c17c4a549

SHA256
80c5be03571d5f2315538c4cf4533c12260cfcb55a312e09043e940ab3ce16d2

SHA512
8f4efb88a7f944f48860783dca2fffb8adf2edcfd5e2128b7d87496231f054a45564e978e6def5de19b4b208ca27604e4416d5a0aecb5514a17d56a419a3b1ec

Download Submit
\Windows\SysWOW64\Lnqkjl32.exe

Filesize
337KB

MD5
1f5fe900ec44c524509eaf0d05043bae

SHA1
d803aa2185aee11e75ed1f70048a8ea72066f25d

SHA256
9b615caab4b490b0fff7f2e0becfa39c2dc9affe9240b54aeb60f4b27c5590ba

SHA512
ba42d2b6a97988e5ee14b1edbf2f3967cb362d4bbe795fcdda29f7b740d2fb8464a48e636905b35ece13d26bf5be99895cfce15bc3ce719f444c5cc51cb40b23

Download Submit
\Windows\SysWOW64\Maocekoo.exe

Filesize
337KB

MD5
ea99d9e8aa62eb0cb744cfdd74b90ebe

SHA1
b08065083b203a0cf337c160dc8ac7c99753e6de

SHA256
e1ecefebd554000e3083fa7c68bfe42ea5108685c1454c58c68fa1589c40a367

SHA512
338d19f4371899f08bccd2ddd0a3150f3ecce02d3048805cefc10fa6b8e4a95ab41af7585beec6aee3f38ee5a23847a975e87285a2b70e4e479ef65f37a65734

Download Submit
memory/572-12-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/572-6-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/572-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-278-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/968-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-217-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1016-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-134-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1016-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-235-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1112-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-172-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/1496-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-88-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1972-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-228-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2144-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-120-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2144-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-267-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2296-268-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2356-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-199-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2380-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-163-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2408-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-248-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2408-244-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2564-288-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-289-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2564-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-80-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2636-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2760-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-36-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2840-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-54-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2864-339-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2996-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-186-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3044-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-146-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3044-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads