berbew | e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Size

92KB
MD5

50628b98fb0f063486f21da733996c93
SHA1

58934898c8f2d17bdba6c8f8e4c23b8ed71d5ce4
SHA256

e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f
SHA512

7c20960b8ceaaad8949a11664550ed808f2141d024b586b854b53aa7487a72884731c413ccf97bbc4d975fec20f5562731e04654e227ae074fcd432e81e7450a
SSDEEP

1536:o9h6umBBGZamZvlQm0GrV+6GrkUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUlUUTo:M0Eay9QmLrV+6GrkUUUUUUUUUUUUUUUm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 24 IoCs

pid	Process
1880	Jfmkbebl.exe
3048	Jjhgbd32.exe
2864	Jmfcop32.exe
2628	Jpepkk32.exe
2644	Jllqplnp.exe
1876	Jcciqi32.exe
2512	Jedehaea.exe
2216	Jipaip32.exe
1820	Jbhebfck.exe
2840	Jlqjkk32.exe
1916	Kbjbge32.exe
2956	Kambcbhb.exe
484	Klcgpkhh.exe
772	Koaclfgl.exe
340	Kdnkdmec.exe
2372	Kjhcag32.exe
1292	Kmfpmc32.exe
856	Khldkllj.exe
1748	Kfodfh32.exe
2312	Kpgionie.exe
1992	Kkmmlgik.exe
1720	Kgcnahoo.exe
1712	Kkojbf32.exe
2068	Lbjofi32.exe

Loads dropped DLL 48 IoCs

pid	Process
2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
1880	Jfmkbebl.exe
1880	Jfmkbebl.exe
3048	Jjhgbd32.exe
3048	Jjhgbd32.exe
2864	Jmfcop32.exe
2864	Jmfcop32.exe
2628	Jpepkk32.exe
2628	Jpepkk32.exe
2644	Jllqplnp.exe
2644	Jllqplnp.exe
1876	Jcciqi32.exe
1876	Jcciqi32.exe
2512	Jedehaea.exe
2512	Jedehaea.exe
2216	Jipaip32.exe
2216	Jipaip32.exe
1820	Jbhebfck.exe
1820	Jbhebfck.exe
2840	Jlqjkk32.exe
2840	Jlqjkk32.exe
1916	Kbjbge32.exe
1916	Kbjbge32.exe
2956	Kambcbhb.exe
2956	Kambcbhb.exe
484	Klcgpkhh.exe
484	Klcgpkhh.exe
772	Koaclfgl.exe
772	Koaclfgl.exe
340	Kdnkdmec.exe
340	Kdnkdmec.exe
2372	Kjhcag32.exe
2372	Kjhcag32.exe
1292	Kmfpmc32.exe
1292	Kmfpmc32.exe
856	Khldkllj.exe
856	Khldkllj.exe
1748	Kfodfh32.exe
1748	Kfodfh32.exe
2312	Kpgionie.exe
2312	Kpgionie.exe
1992	Kkmmlgik.exe
1992	Kkmmlgik.exe
1720	Kgcnahoo.exe
1720	Kgcnahoo.exe
1712	Kkojbf32.exe
1712	Kkojbf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jlqjkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jlqjkk32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Kambcbhb.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
File opened for modification	C:\Windows\SysWOW64\Kambcbhb.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Pbkboega.dll	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Biklma32.dll	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Mmofpf32.dll	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jpepkk32.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1880	2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe	30
PID 2672 wrote to memory of 1880	2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe	30
PID 2672 wrote to memory of 1880	2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe	30
PID 2672 wrote to memory of 1880	2672	e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe	30
PID 1880 wrote to memory of 3048	1880	Jfmkbebl.exe	31
PID 1880 wrote to memory of 3048	1880	Jfmkbebl.exe	31
PID 1880 wrote to memory of 3048	1880	Jfmkbebl.exe	31
PID 1880 wrote to memory of 3048	1880	Jfmkbebl.exe	31
PID 3048 wrote to memory of 2864	3048	Jjhgbd32.exe	32
PID 3048 wrote to memory of 2864	3048	Jjhgbd32.exe	32
PID 3048 wrote to memory of 2864	3048	Jjhgbd32.exe	32
PID 3048 wrote to memory of 2864	3048	Jjhgbd32.exe	32
PID 2864 wrote to memory of 2628	2864	Jmfcop32.exe	33
PID 2864 wrote to memory of 2628	2864	Jmfcop32.exe	33
PID 2864 wrote to memory of 2628	2864	Jmfcop32.exe	33
PID 2864 wrote to memory of 2628	2864	Jmfcop32.exe	33
PID 2628 wrote to memory of 2644	2628	Jpepkk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpepkk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpepkk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpepkk32.exe	34
PID 2644 wrote to memory of 1876	2644	Jllqplnp.exe	35
PID 2644 wrote to memory of 1876	2644	Jllqplnp.exe	35
PID 2644 wrote to memory of 1876	2644	Jllqplnp.exe	35
PID 2644 wrote to memory of 1876	2644	Jllqplnp.exe	35
PID 1876 wrote to memory of 2512	1876	Jcciqi32.exe	36
PID 1876 wrote to memory of 2512	1876	Jcciqi32.exe	36
PID 1876 wrote to memory of 2512	1876	Jcciqi32.exe	36
PID 1876 wrote to memory of 2512	1876	Jcciqi32.exe	36
PID 2512 wrote to memory of 2216	2512	Jedehaea.exe	37
PID 2512 wrote to memory of 2216	2512	Jedehaea.exe	37
PID 2512 wrote to memory of 2216	2512	Jedehaea.exe	37
PID 2512 wrote to memory of 2216	2512	Jedehaea.exe	37
PID 2216 wrote to memory of 1820	2216	Jipaip32.exe	38
PID 2216 wrote to memory of 1820	2216	Jipaip32.exe	38
PID 2216 wrote to memory of 1820	2216	Jipaip32.exe	38
PID 2216 wrote to memory of 1820	2216	Jipaip32.exe	38
PID 1820 wrote to memory of 2840	1820	Jbhebfck.exe	39
PID 1820 wrote to memory of 2840	1820	Jbhebfck.exe	39
PID 1820 wrote to memory of 2840	1820	Jbhebfck.exe	39
PID 1820 wrote to memory of 2840	1820	Jbhebfck.exe	39
PID 2840 wrote to memory of 1916	2840	Jlqjkk32.exe	40
PID 2840 wrote to memory of 1916	2840	Jlqjkk32.exe	40
PID 2840 wrote to memory of 1916	2840	Jlqjkk32.exe	40
PID 2840 wrote to memory of 1916	2840	Jlqjkk32.exe	40
PID 1916 wrote to memory of 2956	1916	Kbjbge32.exe	41
PID 1916 wrote to memory of 2956	1916	Kbjbge32.exe	41
PID 1916 wrote to memory of 2956	1916	Kbjbge32.exe	41
PID 1916 wrote to memory of 2956	1916	Kbjbge32.exe	41
PID 2956 wrote to memory of 484	2956	Kambcbhb.exe	42
PID 2956 wrote to memory of 484	2956	Kambcbhb.exe	42
PID 2956 wrote to memory of 484	2956	Kambcbhb.exe	42
PID 2956 wrote to memory of 484	2956	Kambcbhb.exe	42
PID 484 wrote to memory of 772	484	Klcgpkhh.exe	43
PID 484 wrote to memory of 772	484	Klcgpkhh.exe	43
PID 484 wrote to memory of 772	484	Klcgpkhh.exe	43
PID 484 wrote to memory of 772	484	Klcgpkhh.exe	43
PID 772 wrote to memory of 340	772	Koaclfgl.exe	44
PID 772 wrote to memory of 340	772	Koaclfgl.exe	44
PID 772 wrote to memory of 340	772	Koaclfgl.exe	44
PID 772 wrote to memory of 340	772	Koaclfgl.exe	44
PID 340 wrote to memory of 2372	340	Kdnkdmec.exe	45
PID 340 wrote to memory of 2372	340	Kdnkdmec.exe	45
PID 340 wrote to memory of 2372	340	Kdnkdmec.exe	45
PID 340 wrote to memory of 2372	340	Kdnkdmec.exe	45

C:\Users\Admin\AppData\Local\Temp\e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe
"C:\Users\Admin\AppData\Local\Temp\e2baa0b21e1f1dd4a26f905075570f71eea67929e96dca8a8526c32cfc82e55f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\Jfmkbebl.exe
  C:\Windows\system32\Jfmkbebl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\Jjhgbd32.exe
    C:\Windows\system32\Jjhgbd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Jmfcop32.exe
      C:\Windows\system32\Jmfcop32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
92KB

MD5
e16f6bd53e8537f96140e88f95742644

SHA1
9d28ed45268da61cbed82a26fa81c9ab6afc282b

SHA256
06380c4e1952c0b54626240962ec37451f0dd4a7f5e05fcdd5e8bbe065025c50

SHA512
73fb9c2b14f53a11ae3c875f6bf2237ed505c2a35733e2b7464f13bbcbc2af24a740776b3075a2746a6eb30713ba0a30fbb9fcde522e13c4b3b2e69f2b0b54f8

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
92KB

MD5
593d54c004880084f3cdb89b40d019c0

SHA1
a58d04a6ba3973f1f318e233611b53f22d6ca9a1

SHA256
11d67e27f01c9bb42237abc660f131bdfcab68aba1cda38fd363b6fc9a7cda31

SHA512
f0635741660f37cd8f33578839163a67e3465c3ee73a75c392dd6f8cb746a48397d93ad2d9b817c18c67e94a1e04aafc0cebbfae1363d9ca6223b0a4447ac015

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
92KB

MD5
31a23b48de66280fe49eefb30dc23a3d

SHA1
88387ed7a308645592f83943abb8958195b1f252

SHA256
906d9877ba0f840327c398f7233ac8fa5ae49a9b845b17b46ef33477deb0fc62

SHA512
3e5d5b522d071163cde603777ff4160b688ab6cd3e69ed71411b7f6e8aa70facb3b9380a6ba213338539dcb8a0b7ca1424c50a4837a66817111e148f9be35253

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
92KB

MD5
933ef5cbb6f9b539603a5a47b0112bb8

SHA1
4ea847bebe69333f00bb82ae0df2385c30a19793

SHA256
808d5f34376e04786217577cea8b9bfc082ff66da88c6352efd1aa5c83bd8ce1

SHA512
9508b9de166fc28f822bd5ea5c0046e6d8aaee90ab1fb812aadefa40275e6b108a40ae8898c8f3a8bce3fd2be2d957c55aa5c99fbf290f5c9c89bf9469a59780

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
92KB

MD5
297f12669a76918ddc1b7cab92963ee0

SHA1
5ed522fb6c11de2d04e3de68c540b654c2f9a06d

SHA256
bc074dcc033dc4e3415b26d281cfb6937d8cc3f55ffdff746e0c06a22eefc66b

SHA512
e775f1ce1fb12352ef4856c886e99946b320d31c1e45cd7a7ca74b81c66b18900190a4f1bc6d9efb15f441cd389f7ae22196a72fde5e46dba53b28c34e21e986

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
92KB

MD5
11449e491ff3abceed14a63830f68e23

SHA1
95ada87f9c1e1d5cc72fef6f054058ab91dca3ab

SHA256
6ea1b7ab0e3d42813d4ee997fa2c8a0362e5d9fec25fd11e39b2928edc01b727

SHA512
75fea73a062255ec1358becf01e60aaaa858072a67897ca3e374e7593f0a37e404f60012a1ee8ccd0771f4c88522747a56335791b021fa5415b55cbaddf7bd8e

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
92KB

MD5
d110df15a71d8243849fb552d8d9f285

SHA1
524d193853107eb6d44591c16c49e15e17d4b22d

SHA256
634a4e81950bd33e61d9b139486e833db0af20dbf77a94ade33c378133a9f901

SHA512
6626380e40d25ec6800b75a4527e5404e315609c0aab08aa7f3a0ca632119f4812c62e6dce2704fa9b3b7bfb5ad7e95be6217a7ca1216cadc26e700c6ff8ef11

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
92KB

MD5
697dd8b6f75d519abe85aea7e6d6213d

SHA1
aafb93d1d0d00e5fcef48c7cd9fc9fe9628411a2

SHA256
0ad52fd5fd4c9e8fc35bf4b2f31fbbc2010bab934f4b1f53e4779609542efc14

SHA512
a4b3071d8e1012d67a0bd42038a3fa02539599c105a9cd2d850b7b53f7a5a1abebb9e2e37dbc52e3bc04596227f0e282ea806e0a0bfd32a45f02ff98975fb534

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
92KB

MD5
224cb2e74d829a6df8b2e2ec39eb67ac

SHA1
522a81976b0177bb89b761466b1d3cf49b2e7e7f

SHA256
316618cb6d23f2425fa566aa0fa1ee1b11f9977b2a02d4c5101c0e0dfc0ff6f8

SHA512
7c8a60a1c5797b48bd901f48887307e40096d849843304e4ab3242652019374498fd07fdb4824be45a1efe435488b483ead91b688041c26a8f9223f87ae26dde

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
92KB

MD5
edc8110d5bc39a1e82c21a1175165d80

SHA1
c19459ac424ccc1952c33585c85ecf3925a37216

SHA256
7937d09f29b2b8fe89b6da55abfb36be2d1097958c967cfcb8c1d33862a705d9

SHA512
7ba4e2fafe33483ed49a1043f6efe8f795deeae81cde27bddbf653cc9cacf0adccac24f55191f60b2cef1abf9281976411c461e2453265e6ab0b4268be6a27cf

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
92KB

MD5
e5e822315d93a6a7386054134f199fd9

SHA1
4bc0c30b7417ea6afec0752ccefd539e380314d9

SHA256
161b9e33b531c0e5cc0723216fb8322519d2edb0587836c426487dbf7867fc46

SHA512
806ce66bb809bbd2192454bc284fa994b609d150760bf4c9ada21362e5573d6a3acd90eb311540af2b77533272725271640973ed94fef6d0136b112c32a45b85

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
92KB

MD5
b2fdc92d47256ec2d2d1cdfee0de3534

SHA1
579b7d7010546252bc8ef1a04b501b5d5cb7ac23

SHA256
952cd6f463249e29d7c1db8fdabdb0a147c568b257856031dbd46fa8ba7a14eb

SHA512
75414b41b7ec64631f5d5a95f24ea265b9c2aa9d245ac17c91d45709e428ca12740f8c7645e5b6038bb2857b9f5419ef34233aedf295b6c2cc00b8a155c5df7f

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
92KB

MD5
d010b4a7174d0f1582439ad1b3a36f69

SHA1
d3198d83a0b58ccaaa8b344f010567f0c23200e6

SHA256
eb7e19efaea41d159109e957e47ee6f4b2f2af04e3f22d4e359038fc605910be

SHA512
72a3b7d93ae9cd93f1ee11682f2e7c0362fa5e43f6746dbbcb048f6025bbf61c9713bbf6d9bcdb7b73f933aeff490910d6e6558c07ed1c3dfa73a82043660e2c

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
92KB

MD5
b35ff023ff0e861f9afaca43df80b238

SHA1
818414ac287f1755763c2950dceb2a1c0d8c7dd8

SHA256
6905fffcf46d270215ca30213e11672c6db6acff2c553b2f04a92b2b9aa2569d

SHA512
9fb5942a4c425ae81bbc408e53cd4b0e11ce4619e6655992be0aa26843821b0f3947d706e3787d295790091e9106f6fdfc1fd07d56523681542d307f0e824e8d

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
92KB

MD5
446f5f83b8eb67bac98b2aa6f92862b0

SHA1
e0380de9cfffbb06a76eebb3b3e8586696888208

SHA256
5ec057226431d89bd79ba1ca52986cfde17ed0da6795062ee0257931d1d51754

SHA512
44a8667718b87059c995603d3b55dd67b59b2e181dd8d5ac06d99a607574f77616e903dcc7e73f31b056afc319d4d35fff232a4797eade8d2064cbbeeea4a944

Download Submit
\Windows\SysWOW64\Jcciqi32.exe

Filesize
92KB

MD5
f8c55b384cf23b16d88175696760cf33

SHA1
d54c36641386179066b39c20167c609d1dee4897

SHA256
4b9d585b0f23b44cb1cf5a81839335ff23a6e6562c6f447773352baf5c27dee2

SHA512
bf5b484510c7297fdc964426ca26e089fcb6ab2e8e02332e1fdc00b12efe8d39ab6ac4ceadb638cb5354d44a92165b9455bf541d17e0826b07a2e4eb2ce8f17c

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
92KB

MD5
d46625557e7567b21cf04c62a362f244

SHA1
0d364ef3dc652b0b8cd15047d2cf0a8f51aa6e78

SHA256
c27affa75e630ce6f6d934198d98108a5daeeacdab684961ec5b06d699851ce8

SHA512
2a4eeb9163322806ef8501ff9cd0ed04b22787feb3a06a9ff63a5b96b8c1aaf4df26b532aeb8ab09c2f360b3d5eaafe4a07b08c2d4591fb98ca1a6bff5928771

Download Submit
\Windows\SysWOW64\Jipaip32.exe

Filesize
92KB

MD5
473e943d7a64d4657e1233a72c9b7d16

SHA1
b42da17d8d115f2d9cf139c9a77c911bf2efe293

SHA256
80de0bfd28a277c67b43166b8cfe5f43a10e8b35e2d970574906792f3d819840

SHA512
f4146c450df901a90f765edb846cca0d68a4f23cc26effd01f044b4e764983820d81778920e49f78d6f2eb10efffa388ea4a746035d8fdad630e74f55e8fa6e4

Download Submit
\Windows\SysWOW64\Jlqjkk32.exe

Filesize
92KB

MD5
9277a4bd839bffefa480de570efc94f6

SHA1
de7ca27dfafbdbe6ae7951f38e77aa8140d51e12

SHA256
631aef2c9cc44c6749f6cd31e8ce24ae5a5ee713cf7bd70972ce1806af5f31e4

SHA512
27cd6f13ff93e310ee7007d444fe8b727b8904ce42a0b3ab55f36e53a52c7a941e145effff9ed12aa5322f23ea52c4c492a8cc3f6b8376b863706db75134e991

Download Submit
\Windows\SysWOW64\Kambcbhb.exe

Filesize
92KB

MD5
29eabd127debaae26e1733ddcf3fd844

SHA1
3398163f7f5b127c64da34e934f502c1c974dc51

SHA256
9d1fe4412f4dc2b6f4bffeaa8cd5e5f22ddc472e49b5412dc91ee2b549a4e162

SHA512
11ed3524f101805ec4ae7b2c1eec6ec8b08ca67272fcdea47f033532aeab8a064d2c5dd27b65d436d9c8a2897a5f4544478d29f956fd2dd9fc14b50390e6545f

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
92KB

MD5
26e5baffdcc3fbda5e01b39ecdf14031

SHA1
52364d7f23b44e7c5cc7943c1971b8b5c0413617

SHA256
a39ecbcb321de8ee451be13e3168506f67703e4f72568d23266cb266698610ee

SHA512
7ed2bb41d9a5e053fcad2b1b5de0aef3a7bb48764a6037672f8ed5047a786d8d117d5924bc5b56741c4e9ce6c37c5a85e133742a117d7b8f98b56a535eb9be9d

Download Submit
\Windows\SysWOW64\Kjhcag32.exe

Filesize
92KB

MD5
55056e671c61e91a2d12090102ccfbab

SHA1
b2486559829173b232f09a34a78c4b76f432bd77

SHA256
e580d4cdfc727721ce6fe55439153f9dd1dd996521e782c1e790302dcb0cd38a

SHA512
dbcc5bf5f41e5e6ebc3e73adbc9adefbadbf92b889463f93b54736f11a3788f84469310871c6057704ebc3dea369c5d1cb4006ae30cdb2c133391b1aba2f2cf0

Download Submit
\Windows\SysWOW64\Klcgpkhh.exe

Filesize
92KB

MD5
517192f98ad5e21c1eb1304a78b759da

SHA1
0d0f5208310a38bcbd175806ab95ee580476b18d

SHA256
f47f8b2741d11bcc7b5c9e94ad52e0788cefc42d1b098d308a8ee130422d35d1

SHA512
e86a06237976eed52cb463186156bbc1db9ca106b2941a8b5c3afa4026fd828cff60189832c72ddb86fe258be56cc46aed63fd0dbaf190d38f6041e8594fa984

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
92KB

MD5
f5165b953c7065c0e4f5bf5950757180

SHA1
1a4ad39159282361824a8a32db5e0fa2155e99f7

SHA256
5d983e14a2e0857d7ed9a59e7f83bd688dacd113e06c3e78c06842d3b99a582a

SHA512
8aee9b8399a882b7febdf3085359427b9540daf5cb3be086228f4eb30e6ed5ca5b6f41f0598aab0b4044fd3631018f26e7d9a290deecf839ba0a5e45075baadb

Download Submit
memory/340-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/340-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/484-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/484-186-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/484-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-245-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/856-244-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1292-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-233-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1292-234-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1292-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-295-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1712-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-288-0x0000000001F40000-0x0000000001F83000-memory.dmp

Filesize
268KB

Download
memory/1720-287-0x0000000001F40000-0x0000000001F83000-memory.dmp

Filesize
268KB

Download
memory/1748-256-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1748-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-251-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1820-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1880-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1880-31-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1916-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-285-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1992-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-280-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2068-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-267-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2312-262-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2312-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2512-101-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2512-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2512-106-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2512-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-62-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2628-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-17-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2672-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-18-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2840-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-147-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2864-54-0x0000000001F60000-0x0000000001FA3000-memory.dmp

Filesize
268KB

Download
memory/2864-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads