berbew | e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 05:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Size

99KB
MD5

f391e99b9ba0b26f9a379bca3023afb0
SHA1

182180d6df4914819244c99f198407d6e8399c9f
SHA256

e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9
SHA512

24e976b641f687c21541f88fae45db1267b34017fdef77087c38d6d0963d0331960b343c27202c31a2c7505e9ba54e826e0ae12e2c0d6757c1023a3da7da0067
SSDEEP

3072:FFRekcr4OiPpPa6hFnjeyupwoTRBmDRGGurhUI:/R5jpHhMcm7UI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khldkllj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 23 IoCs

pid	Process
2764	Ijcngenj.exe
2736	Imbjcpnn.exe
2856	Ieibdnnp.exe
2740	Iclbpj32.exe
3032	Jcnoejch.exe
1492	Jmfcop32.exe
2956	Jcqlkjae.exe
2888	Jjjdhc32.exe
1472	Jpgmpk32.exe
804	Jnmiag32.exe
1448	Jfcabd32.exe
1628	Kbjbge32.exe
1568	Kidjdpie.exe
1040	Kbmome32.exe
2436	Klecfkff.exe
1104	Khldkllj.exe
1280	Kkjpggkn.exe
552	Kdbepm32.exe
2488	Kfaalh32.exe
1656	Kageia32.exe
1396	Kkojbf32.exe
2640	Libjncnc.exe
2800	Lbjofi32.exe

Loads dropped DLL 50 IoCs

pid	Process
2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
2764	Ijcngenj.exe
2764	Ijcngenj.exe
2736	Imbjcpnn.exe
2736	Imbjcpnn.exe
2856	Ieibdnnp.exe
2856	Ieibdnnp.exe
2740	Iclbpj32.exe
2740	Iclbpj32.exe
3032	Jcnoejch.exe
3032	Jcnoejch.exe
1492	Jmfcop32.exe
1492	Jmfcop32.exe
2956	Jcqlkjae.exe
2956	Jcqlkjae.exe
2888	Jjjdhc32.exe
2888	Jjjdhc32.exe
1472	Jpgmpk32.exe
1472	Jpgmpk32.exe
804	Jnmiag32.exe
804	Jnmiag32.exe
1448	Jfcabd32.exe
1448	Jfcabd32.exe
1628	Kbjbge32.exe
1628	Kbjbge32.exe
1568	Kidjdpie.exe
1568	Kidjdpie.exe
1040	Kbmome32.exe
1040	Kbmome32.exe
2436	Klecfkff.exe
2436	Klecfkff.exe
1104	Khldkllj.exe
1104	Khldkllj.exe
1280	Kkjpggkn.exe
1280	Kkjpggkn.exe
552	Kdbepm32.exe
552	Kdbepm32.exe
2488	Kfaalh32.exe
2488	Kfaalh32.exe
1656	Kageia32.exe
1656	Kageia32.exe
1396	Kkojbf32.exe
1396	Kkojbf32.exe
2640	Libjncnc.exe
2640	Libjncnc.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	Jcnoejch.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Kobgmfjh.dll	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Cgngaoal.dll	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Iclbpj32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	Jcnoejch.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Ijcngenj.exe	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
File created	C:\Windows\SysWOW64\Diodocki.dll	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Jcnoejch.exe	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jfcabd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	2800	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcnoejch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll"	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kfaalh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2764	2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe	30
PID 2232 wrote to memory of 2764	2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe	30
PID 2232 wrote to memory of 2764	2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe	30
PID 2232 wrote to memory of 2764	2232	e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe	30
PID 2764 wrote to memory of 2736	2764	Ijcngenj.exe	31
PID 2764 wrote to memory of 2736	2764	Ijcngenj.exe	31
PID 2764 wrote to memory of 2736	2764	Ijcngenj.exe	31
PID 2764 wrote to memory of 2736	2764	Ijcngenj.exe	31
PID 2736 wrote to memory of 2856	2736	Imbjcpnn.exe	32
PID 2736 wrote to memory of 2856	2736	Imbjcpnn.exe	32
PID 2736 wrote to memory of 2856	2736	Imbjcpnn.exe	32
PID 2736 wrote to memory of 2856	2736	Imbjcpnn.exe	32
PID 2856 wrote to memory of 2740	2856	Ieibdnnp.exe	33
PID 2856 wrote to memory of 2740	2856	Ieibdnnp.exe	33
PID 2856 wrote to memory of 2740	2856	Ieibdnnp.exe	33
PID 2856 wrote to memory of 2740	2856	Ieibdnnp.exe	33
PID 2740 wrote to memory of 3032	2740	Iclbpj32.exe	34
PID 2740 wrote to memory of 3032	2740	Iclbpj32.exe	34
PID 2740 wrote to memory of 3032	2740	Iclbpj32.exe	34
PID 2740 wrote to memory of 3032	2740	Iclbpj32.exe	34
PID 3032 wrote to memory of 1492	3032	Jcnoejch.exe	35
PID 3032 wrote to memory of 1492	3032	Jcnoejch.exe	35
PID 3032 wrote to memory of 1492	3032	Jcnoejch.exe	35
PID 3032 wrote to memory of 1492	3032	Jcnoejch.exe	35
PID 1492 wrote to memory of 2956	1492	Jmfcop32.exe	36
PID 1492 wrote to memory of 2956	1492	Jmfcop32.exe	36
PID 1492 wrote to memory of 2956	1492	Jmfcop32.exe	36
PID 1492 wrote to memory of 2956	1492	Jmfcop32.exe	36
PID 2956 wrote to memory of 2888	2956	Jcqlkjae.exe	37
PID 2956 wrote to memory of 2888	2956	Jcqlkjae.exe	37
PID 2956 wrote to memory of 2888	2956	Jcqlkjae.exe	37
PID 2956 wrote to memory of 2888	2956	Jcqlkjae.exe	37
PID 2888 wrote to memory of 1472	2888	Jjjdhc32.exe	38
PID 2888 wrote to memory of 1472	2888	Jjjdhc32.exe	38
PID 2888 wrote to memory of 1472	2888	Jjjdhc32.exe	38
PID 2888 wrote to memory of 1472	2888	Jjjdhc32.exe	38
PID 1472 wrote to memory of 804	1472	Jpgmpk32.exe	39
PID 1472 wrote to memory of 804	1472	Jpgmpk32.exe	39
PID 1472 wrote to memory of 804	1472	Jpgmpk32.exe	39
PID 1472 wrote to memory of 804	1472	Jpgmpk32.exe	39
PID 804 wrote to memory of 1448	804	Jnmiag32.exe	40
PID 804 wrote to memory of 1448	804	Jnmiag32.exe	40
PID 804 wrote to memory of 1448	804	Jnmiag32.exe	40
PID 804 wrote to memory of 1448	804	Jnmiag32.exe	40
PID 1448 wrote to memory of 1628	1448	Jfcabd32.exe	41
PID 1448 wrote to memory of 1628	1448	Jfcabd32.exe	41
PID 1448 wrote to memory of 1628	1448	Jfcabd32.exe	41
PID 1448 wrote to memory of 1628	1448	Jfcabd32.exe	41
PID 1628 wrote to memory of 1568	1628	Kbjbge32.exe	42
PID 1628 wrote to memory of 1568	1628	Kbjbge32.exe	42
PID 1628 wrote to memory of 1568	1628	Kbjbge32.exe	42
PID 1628 wrote to memory of 1568	1628	Kbjbge32.exe	42
PID 1568 wrote to memory of 1040	1568	Kidjdpie.exe	43
PID 1568 wrote to memory of 1040	1568	Kidjdpie.exe	43
PID 1568 wrote to memory of 1040	1568	Kidjdpie.exe	43
PID 1568 wrote to memory of 1040	1568	Kidjdpie.exe	43
PID 1040 wrote to memory of 2436	1040	Kbmome32.exe	44
PID 1040 wrote to memory of 2436	1040	Kbmome32.exe	44
PID 1040 wrote to memory of 2436	1040	Kbmome32.exe	44
PID 1040 wrote to memory of 2436	1040	Kbmome32.exe	44
PID 2436 wrote to memory of 1104	2436	Klecfkff.exe	45
PID 2436 wrote to memory of 1104	2436	Klecfkff.exe	45
PID 2436 wrote to memory of 1104	2436	Klecfkff.exe	45
PID 2436 wrote to memory of 1104	2436	Klecfkff.exe	45

C:\Users\Admin\AppData\Local\Temp\e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe
"C:\Users\Admin\AppData\Local\Temp\e1c39d32dc72e1236a12a2155a38169d63de901befcf4098e5c111bb96bac3b9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Ijcngenj.exe
  C:\Windows\system32\Ijcngenj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Imbjcpnn.exe
    C:\Windows\system32\Imbjcpnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\Ieibdnnp.exe
      C:\Windows\system32\Ieibdnnp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Jcnoejch.exe
        
        C:\Windows\system32\Jcnoejch.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgngaoal.dll

Filesize
7KB

MD5
e17006b97ff356b3da55b23dda2308ed

SHA1
416543a3d012219b3c5b3be27767194fcc36d0b8

SHA256
e34cb84a44f480ab16f808b707285bf7c02c7814d4c1835fd19a1abe4f64326b

SHA512
ac5a1ee79dab918a154c9646f9f22fb0f4b23af2b3332cd9d113de6cc92ec371a600f8b575bf06ee6ff144af683a8205397578560f591a40ab4f00cd95a878ba

Download Submit
C:\Windows\SysWOW64\Iclbpj32.exe

Filesize
99KB

MD5
a82962dc0686aaa0d0d3450a5695147e

SHA1
2e4f78253e94832a1f7def7b7a6a129f5549e7f5

SHA256
dcf0feb00784b15331ffdf915b7aa9a7469d21d2714f946289cf5caec53d32ba

SHA512
227e5b4abebc8809a4c929a07726fbf20702cd1a8a61f37e7e90b168172ea368ec324146d3ca3f25bb6f3d5447d0075c59fc9f645b2c989e3799f6f265b740dc

Download Submit
C:\Windows\SysWOW64\Ijcngenj.exe

Filesize
99KB

MD5
c3b092a34c18bd3bcbcb4441fd8810c1

SHA1
844e3e52671e20b79cd5e1190e5ae50d8573e0ce

SHA256
2e23a1198fc065f203d627400faff86d066a5480326b51279c305018464ac74a

SHA512
fcbacfced3a07688e7ea799e8b53fe28c8b04523f93f2f356fe242f53defa614df674bb4599042a992d96b48f46e372ab7711f68ccc4944a20082274f3ac0c68

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
99KB

MD5
1dfa1fd475ed82fa09d2e1d7a671492d

SHA1
aec4dced2ff4c3af40a6c8e3e63a009688abaca7

SHA256
8487e0c4b76139e5e9cb6c5ee17db91ce194269c71bbf161dce4367e6c2d4b68

SHA512
40166c59102b3962478c70f40cb33002a6d6fe9aa177a4cf1f865513435dc704ff1f497f7b76db79aba21209d4715065c25b81e384b75f660865df6e78ff635d

Download Submit
C:\Windows\SysWOW64\Jcnoejch.exe

Filesize
99KB

MD5
7e6f9b183dc8092a0d7b7fb660bd1397

SHA1
f4bb3b50706e24d7b25cf880f5637bb2d6480f5c

SHA256
a3e9f37836cb9183f0093b2722cc7feb74dd48aebd411188c7223de8274c0233

SHA512
fca1ec614bce6decf88a7ac8335078aef782973b912b8c4bc04a1ab404c2e6d2b1d3dd85a8469c87ca576ef1e8d23228d12c9e3ccc967cc8798a3b3a4d71b0f2

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
99KB

MD5
b0b2c9151660e8599d72b428b8ef44de

SHA1
687942a97b48106b6616b929513caaa5ebce3480

SHA256
2b7be8db5c9216510cf8e82d44cb535b4becc0fead41715e07faaf264b9e4395

SHA512
a9f163760f656466b4f2bde91291e9ac90d0f126ecf72ca9dde3d65fa26c269f03c8941d4f7779e6c234304fa4b04536a5765b92d3479edc3f25cd810840cb7e

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
99KB

MD5
2c5140d0c82a85e67dce38fd8309c000

SHA1
5b1e26081543a83bde993ef3f4d6c0248e88432d

SHA256
d4235b9d1c7439a988a413972864e22bf8d11a2294851e54222ddcbd9385da0c

SHA512
4c38288b873c55df5d5f386aefccf6cf04e0bd9e3dcf867c6a73e78b4d78749b4f4c0e6308ef6b3ff0b1be623be564e6ba886baff3a15b2cd523fbefac0f2510

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
99KB

MD5
5e8add01be366430da75ea499b61308b

SHA1
73b31615395b92e61da9e85448b37c83422db2e5

SHA256
db591ba6657e22ffb7f62e44dd00aad976089c7888f341dcca2b3d96c5f5a853

SHA512
e0f129367b90f5f9b94e1786288afce991cd57a424635c7afac6a4d3b5db4cd3be807fa7554bec514b02a367f318a7d6e224b79adb88c95666fa3fccd9200628

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
99KB

MD5
ebed47067371e212a308c75f458cb045

SHA1
ece86610e7966d2fd76d0ba87760792d8114abba

SHA256
a96f13e7338f67513b6831c2e69f377eed028a8af6e0ffb3ae9630c323d8023a

SHA512
483335422325ec8c2a690d09327b4787e649b87aaad9b1390930fc94e0c31ac69019982e9b17851a8870817bb0e70c4db9d3834398cb2ac6524c92fa4029437b

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
99KB

MD5
eb816b9bd4de9c9380d5cb7636375899

SHA1
89028615779c66d993d930bed3d4cfcbb947add2

SHA256
ebbed5f52da75dd3643d3cb3d2497538d790fcbdf9fac45d24de839be9aa1c05

SHA512
24af1607bd48adce5a009a3642a7c4a0cc6ae488880941069076d66f66a282296cd0ca43e7ad584a9117481dcdab3783068bdfbb164b6b90c9f1f230de2749ca

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
99KB

MD5
2bc8e9e082e56cbd6a707b81f06e3977

SHA1
c771412261a62a3fed85dc21a90641327b6e6904

SHA256
a1f50ffc2c2506eceaadb0ee997ca97985db87c17505ffd43bceaafff6ff8351

SHA512
140f8166787b88f871b0c451cc20d17edcdb608b2577422eaec4320ab7a7befb30fe193c018738095241c0acdf289d4651bf0b1a9a2a978806984126a4e49c68

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
99KB

MD5
774da986784c5f305e73abbfd33092b1

SHA1
87e9c9c75cd665fdb5d89180b7d04fa1bf3f78f3

SHA256
750e81bbc8cfd55deee4fb61d3d5eadd95e338774afc8e75a957bc67318d9691

SHA512
83dfd9ee11d5b332be891a0e623ff12c6b153106ba5175f0dd6cc483f6cf3bbccfc054ed677ebbf530bddf85658ccad6ef3630d697ce9a5826f3e4d672f2e18c

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
99KB

MD5
976268cb03298829734585551432a0a8

SHA1
2021741d8a724bffd1173b14e9762ca1e7acd5a2

SHA256
be77b278f43ca99a0164fc09d73fa061e9688282d275807cd52272d4ae8a7d2a

SHA512
29d3e8d6a5fe7477a7d0a3c673e5ec87a6542c830e7e44f1f7928dca28801cba8b9d0871ccfc4a709162ad4c1baf7b6041eb5166c1cc6480f54537cb27421d38

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
99KB

MD5
f8e6327be3958c5cb0b4cba8f2fbf580

SHA1
869f6f9f0496b8eb997bb9f80712b53288595a15

SHA256
df42878c9255adfa2f84e1b4a00ace887c1b15aaf6fdc4a048c3d122d4f72261

SHA512
fdb0799aaf33a5614c328057d4385d1f3daa9b0e1dc1cb773dacad2a10a74b96f53fbf35b5e9c00feef80d89dc08e792e1d2c2193bd229f7712fae36bbbb2583

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
99KB

MD5
c239a2a5b950dfd3d036afe154e0ad5c

SHA1
cdd9c7a495874a1c512f15114e6be622e771a7b7

SHA256
4965c170da743fec95cff0292f94150d3062031578fec47921ee5ae1a1ca713e

SHA512
a18d7e7155bdc1671afedf52ba07a3e5e6dc064a04c59b62578cc61e20f9be1e0936dc7fbc2c0acf6fb331f1df27398ebc1699ed6dbcbd190383cdef5533cef6

Download Submit
\Windows\SysWOW64\Ieibdnnp.exe

Filesize
99KB

MD5
270efbda8c0b20569b5e3438f39ecff4

SHA1
7174702873e866296e7753f09a63d87a2a920c3d

SHA256
b1db67d42f0064ab45cf70243863ee8bc134c48587bd0df2a4eb053dc2fba22a

SHA512
5e82786d607cb75268a04d9e0e0e472a17f79b83edbca07a01cf157d4e0f71589a2c47fd1b18e517bea514bd4448ed39453bc19be2756a0dc20c9038d8925795

Download Submit
\Windows\SysWOW64\Jcqlkjae.exe

Filesize
99KB

MD5
6d6f28e97bd859823e4c61f99d475159

SHA1
10a6d13b9bb43afc99e9041cf6440c558381ef65

SHA256
0cb1ccdd4322569b16b10170604e3c9f00a48ffafd1030db124a966ae998d07a

SHA512
dbfa2ca2fc59f7feff447319a3753699fc0da0a9d1f001a5f88ba963678a974aabfda23e63d9192de9360aa810aabde082ed52155e6d7beb9b08d338456b5ea9

Download Submit
\Windows\SysWOW64\Jjjdhc32.exe

Filesize
99KB

MD5
4032ddfd56c9f1b7081ee5ca598fbe2c

SHA1
c6ead30204993eb2bd45ed4892f5314735c1ec23

SHA256
a9a9cce676d7dc74987419477a60bca022205b9c655bf3138cd8e3fa11be5011

SHA512
1fbf05c4e1d4d63f42b37423c4c5276e4dc16ace6760255909525e8f1bfd0bf0a7e28753b68ee08ed02500e92dc954fe77f47ea3a1e49083549dceefbcb53f5b

Download Submit
\Windows\SysWOW64\Jmfcop32.exe

Filesize
99KB

MD5
adefe739bf50b183a012dda4aa634480

SHA1
8167d71e13d66569d91e75072ceab4f2b51c1f95

SHA256
92e1d777d78ebe9531c6577557c5b7462228a3d81fec63d759a71d165e626cbe

SHA512
885bf17025432f0978ed157fd6079be9508acc767187b962c28ad8d7f9c0565995b07b333ff195b4da091464ee26f2110a12319deffda277bc38c40d400cc91f

Download Submit
\Windows\SysWOW64\Jnmiag32.exe

Filesize
99KB

MD5
e0db2627ca26c80bda53f1ec94de3526

SHA1
af92961da719d2fa3354b2cb503ff93f7fe7ee62

SHA256
21c55b9e7126c70960a02dc21c29826370b94b79ebb650d5fd7e7de54481646a

SHA512
6e5e24e6156c9db19b4727708766bb0cbc834bbc1cf7947f4b9cbff359809fb3b056d4c1732bdf8f8aa491f0bb51c1184d0faae672cad8c474bef9e4ec490764

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
99KB

MD5
cb03e08c12f62b88afeaa40b68357d6e

SHA1
417d400d331656d82e311702a5058feb3b852755

SHA256
a161dc20f51646a6103356ac007d2722471e9d4f98a496521b4bbb3d1d9df75d

SHA512
1ea24a0e403d9d9951766c999f591c70d693bd786504b634a719c071fceb61ffb08c4fbfc04dac4e95e85a64bed66724a24ab3f91292254644c5f507f46e2573

Download Submit
\Windows\SysWOW64\Kbmome32.exe

Filesize
99KB

MD5
16efc8976932a424925df16e030bbcdc

SHA1
ea96c71109414b6e24a06583acf820b1ba69d71b

SHA256
2eff99ab91bf1aa46986990c471ac22231400bda1c1a61123c7580ba980ee9c2

SHA512
118cde00bf0a6bec3ce6a1e87a8f516d38033e6abbacb66feda693796bc1b9fa42f47f72d305eaac4439f0705aae77080e685a38eb2e0cdc02a38bf27a4b7de0

Download Submit
\Windows\SysWOW64\Khldkllj.exe

Filesize
99KB

MD5
ea807cfd92d7cb78eefcb22b9da7fcb9

SHA1
2f219455dcf779393bff433e0aff8a6976494337

SHA256
f34dcfc92321720826f96298a62a457cd8d84f98fdbb157acd84c370c2400624

SHA512
e23292221127623abbb74faa061fd68b9b6d16f71021fd7a187986b166793150c58a9afa1034e5ae35c61caa51f9befdbd7cac76eed63d86d9b5a95f1e62b3b7

Download Submit
\Windows\SysWOW64\Kidjdpie.exe

Filesize
99KB

MD5
288d1174674716bf452543953494aac4

SHA1
270ddfa221cc1cde4974b7e0f9b744dc8cb23d6c

SHA256
d75a8df1e6d1d22ae20a2c8ae37dc2ec23f96364097147bd002c4dd44dc1357a

SHA512
c0384b89c157c1c25116092ad6094410e2736be021c91ad7fee07f5384f70b85de6f8d0339c1eb6910816bcbdc93b8b633a6ca0e721c527deb1f2690cb981946

Download Submit
memory/552-271-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/552-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/804-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/804-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-308-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1280-259-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1280-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-299-0x0000000000600000-0x0000000000643000-memory.dmp

Filesize
268KB

Download
memory/1448-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-167-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1448-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-144-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1472-143-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1472-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-190-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-201-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1472-197-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1492-102-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1492-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-205-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1568-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-199-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1568-261-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1568-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-187-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1628-188-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1628-248-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1628-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-247-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1656-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-76-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2232-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-13-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2232-12-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2436-229-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2436-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-279-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2640-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-45-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2740-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-67-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2764-78-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-126-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2888-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-128-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2888-173-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2956-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-111-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/3032-83-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/3032-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-142-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads