berbew | 38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Size

128KB
MD5

c8f6d9a49519c05692e219835b6e72b0
SHA1

652d98a558362107637671a7f93615407f5cc1d5
SHA256

38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280
SHA512

605f4ed76e4114987b1938428fdd319aef0809f3f276dd90270c852a5b2f791f16f65c0928e43a40ace6592b278a96e6255919c0f187f0b7b7b60299c80f1a17
SSDEEP

3072:IZ+TPImm504JVqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXq:IWmG4Jg4fQkjxqvak+PH/RARMHG2

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 21 IoCs

pid	Process
2652	Imbjcpnn.exe
2792	Ieibdnnp.exe
2636	Jfjolf32.exe
2544	Jpbcek32.exe
2200	Jfmkbebl.exe
2128	Jpepkk32.exe
2728	Jimdcqom.exe
668	Jipaip32.exe
1344	Jpjifjdg.exe
1136	Jplfkjbd.exe
2788	Keioca32.exe
780	Kekkiq32.exe
2356	Klecfkff.exe
2940	Kdphjm32.exe
1316	Kfodfh32.exe
1804	Kdbepm32.exe
1912	Kpieengb.exe
2848	Libjncnc.exe
984	Llpfjomf.exe
2480	Lplbjm32.exe
2404	Lbjofi32.exe

Loads dropped DLL 47 IoCs

pid	Process
2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
2652	Imbjcpnn.exe
2652	Imbjcpnn.exe
2792	Ieibdnnp.exe
2792	Ieibdnnp.exe
2636	Jfjolf32.exe
2636	Jfjolf32.exe
2544	Jpbcek32.exe
2544	Jpbcek32.exe
2200	Jfmkbebl.exe
2200	Jfmkbebl.exe
2128	Jpepkk32.exe
2128	Jpepkk32.exe
2728	Jimdcqom.exe
2728	Jimdcqom.exe
668	Jipaip32.exe
668	Jipaip32.exe
1344	Jpjifjdg.exe
1344	Jpjifjdg.exe
1136	Jplfkjbd.exe
1136	Jplfkjbd.exe
2788	Keioca32.exe
2788	Keioca32.exe
780	Kekkiq32.exe
780	Kekkiq32.exe
2356	Klecfkff.exe
2356	Klecfkff.exe
2940	Kdphjm32.exe
2940	Kdphjm32.exe
1316	Kfodfh32.exe
1316	Kfodfh32.exe
1804	Kdbepm32.exe
1804	Kdbepm32.exe
1912	Kpieengb.exe
1912	Kpieengb.exe
2848	Libjncnc.exe
2848	Libjncnc.exe
984	Llpfjomf.exe
984	Llpfjomf.exe
2480	Lplbjm32.exe
2480	Lplbjm32.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Jfjolf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Omfpmb32.dll	Jfjolf32.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Jfjolf32.exe
File created	C:\Windows\SysWOW64\Jimdcqom.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Cbdmhnfl.dll	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jipaip32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jimdcqom.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Jfjolf32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Pbpifm32.dll	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Keioca32.exe

Program crash 1 IoCs

pid	pid_target	Process
2764	2404	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2652	2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe	30
PID 2688 wrote to memory of 2652	2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe	30
PID 2688 wrote to memory of 2652	2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe	30
PID 2688 wrote to memory of 2652	2688	38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe	30
PID 2652 wrote to memory of 2792	2652	Imbjcpnn.exe	31
PID 2652 wrote to memory of 2792	2652	Imbjcpnn.exe	31
PID 2652 wrote to memory of 2792	2652	Imbjcpnn.exe	31
PID 2652 wrote to memory of 2792	2652	Imbjcpnn.exe	31
PID 2792 wrote to memory of 2636	2792	Ieibdnnp.exe	32
PID 2792 wrote to memory of 2636	2792	Ieibdnnp.exe	32
PID 2792 wrote to memory of 2636	2792	Ieibdnnp.exe	32
PID 2792 wrote to memory of 2636	2792	Ieibdnnp.exe	32
PID 2636 wrote to memory of 2544	2636	Jfjolf32.exe	33
PID 2636 wrote to memory of 2544	2636	Jfjolf32.exe	33
PID 2636 wrote to memory of 2544	2636	Jfjolf32.exe	33
PID 2636 wrote to memory of 2544	2636	Jfjolf32.exe	33
PID 2544 wrote to memory of 2200	2544	Jpbcek32.exe	34
PID 2544 wrote to memory of 2200	2544	Jpbcek32.exe	34
PID 2544 wrote to memory of 2200	2544	Jpbcek32.exe	34
PID 2544 wrote to memory of 2200	2544	Jpbcek32.exe	34
PID 2200 wrote to memory of 2128	2200	Jfmkbebl.exe	35
PID 2200 wrote to memory of 2128	2200	Jfmkbebl.exe	35
PID 2200 wrote to memory of 2128	2200	Jfmkbebl.exe	35
PID 2200 wrote to memory of 2128	2200	Jfmkbebl.exe	35
PID 2128 wrote to memory of 2728	2128	Jpepkk32.exe	36
PID 2128 wrote to memory of 2728	2128	Jpepkk32.exe	36
PID 2128 wrote to memory of 2728	2128	Jpepkk32.exe	36
PID 2128 wrote to memory of 2728	2128	Jpepkk32.exe	36
PID 2728 wrote to memory of 668	2728	Jimdcqom.exe	37
PID 2728 wrote to memory of 668	2728	Jimdcqom.exe	37
PID 2728 wrote to memory of 668	2728	Jimdcqom.exe	37
PID 2728 wrote to memory of 668	2728	Jimdcqom.exe	37
PID 668 wrote to memory of 1344	668	Jipaip32.exe	38
PID 668 wrote to memory of 1344	668	Jipaip32.exe	38
PID 668 wrote to memory of 1344	668	Jipaip32.exe	38
PID 668 wrote to memory of 1344	668	Jipaip32.exe	38
PID 1344 wrote to memory of 1136	1344	Jpjifjdg.exe	39
PID 1344 wrote to memory of 1136	1344	Jpjifjdg.exe	39
PID 1344 wrote to memory of 1136	1344	Jpjifjdg.exe	39
PID 1344 wrote to memory of 1136	1344	Jpjifjdg.exe	39
PID 1136 wrote to memory of 2788	1136	Jplfkjbd.exe	40
PID 1136 wrote to memory of 2788	1136	Jplfkjbd.exe	40
PID 1136 wrote to memory of 2788	1136	Jplfkjbd.exe	40
PID 1136 wrote to memory of 2788	1136	Jplfkjbd.exe	40
PID 2788 wrote to memory of 780	2788	Keioca32.exe	41
PID 2788 wrote to memory of 780	2788	Keioca32.exe	41
PID 2788 wrote to memory of 780	2788	Keioca32.exe	41
PID 2788 wrote to memory of 780	2788	Keioca32.exe	41
PID 780 wrote to memory of 2356	780	Kekkiq32.exe	42
PID 780 wrote to memory of 2356	780	Kekkiq32.exe	42
PID 780 wrote to memory of 2356	780	Kekkiq32.exe	42
PID 780 wrote to memory of 2356	780	Kekkiq32.exe	42
PID 2356 wrote to memory of 2940	2356	Klecfkff.exe	43
PID 2356 wrote to memory of 2940	2356	Klecfkff.exe	43
PID 2356 wrote to memory of 2940	2356	Klecfkff.exe	43
PID 2356 wrote to memory of 2940	2356	Klecfkff.exe	43
PID 2940 wrote to memory of 1316	2940	Kdphjm32.exe	44
PID 2940 wrote to memory of 1316	2940	Kdphjm32.exe	44
PID 2940 wrote to memory of 1316	2940	Kdphjm32.exe	44
PID 2940 wrote to memory of 1316	2940	Kdphjm32.exe	44
PID 1316 wrote to memory of 1804	1316	Kfodfh32.exe	45
PID 1316 wrote to memory of 1804	1316	Kfodfh32.exe	45
PID 1316 wrote to memory of 1804	1316	Kfodfh32.exe	45
PID 1316 wrote to memory of 1804	1316	Kfodfh32.exe	45

C:\Users\Admin\AppData\Local\Temp\38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe
"C:\Users\Admin\AppData\Local\Temp\38d3daeaa4fa4c01b77dd504de20960e7a679f2a5cb17d9b028c84f2a79b2280N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Imbjcpnn.exe
  C:\Windows\system32\Imbjcpnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\Ieibdnnp.exe
    C:\Windows\system32\Ieibdnnp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Jfjolf32.exe
      C:\Windows\system32\Jfjolf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
128KB

MD5
f1dac3cb4624320cf593b064d02669cb

SHA1
31826cdfc6eda202bc7b1cc2a74e4adc0807d9ac

SHA256
a282777692b5f5217aefd7285cdc93418cb10bfb397b7aede45d1136a47dfe8c

SHA512
68b8b8435a2faebe4e662aad07ad41c8c46c15dbd0eab50d10f9dcb0ee94d5e449143587af4e010e10540951a155744c8eb5e0af5b5abf449026d45f8995e09c

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
128KB

MD5
4d97b41bcddb66fba44001ea30010df4

SHA1
dd310f5529f590f396655b09f3dbd21ba4078e8d

SHA256
468263a1ffee118a4c43ba2ad295f99fa62126319f939f107455700114378ea3

SHA512
21785da353445cd5e9bda0a14edf43ea482f03e94e77cf24ed5e79c94ace001c3db0adef1f4f77005559a6980a6d9188dd164637791d1b32d122a58d0c690b42

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
128KB

MD5
df38d199e001d583e239a667ecee03f4

SHA1
9a2f5c7fee78d8040790036e1f9d5b8a9745f8b5

SHA256
78344bce15c98eb9a2abb8e78807667839253f81714e4b24ea0b0bfeb19b8c62

SHA512
6f89bddaf15535766261caeeb67440b90c8d419d30990a14eb1dd432092fd39f18c964625d47bede3e873b2f925234ce051422a0e979e6da0a4b0152a249edad

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
128KB

MD5
5a4ba2922e412bc82735eef559ec166a

SHA1
b35f496748e51acc04607e5d09165eec44c5a1f8

SHA256
a127a615be4f3280bdd84376c4297dc97bb66874391b544aaf32c06e62a7012a

SHA512
587956818aa406ef260d930bf781edaed920dd2b0196bd7dd32f87e2c49c403402e557a3a37da355c82790c673191d16248c656712d0be7c4c141f1a501efc58

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
128KB

MD5
3e7e9957d0515b3f2a04a3ffac3d35c4

SHA1
46ba50a112de4c129a9aeb131f09df851679750b

SHA256
94b83847830f0d03ac3c722e62ff98874a47956e8c87d0c5f4e37ef366e20d70

SHA512
8d2a41c8e8285278fabe4d5ad8476e4ac5642d0998621b3ba12d6cf496a4b0d730ae08de2d05ba57b307f39186a371bf1c1df27a8a01fe0569bba90cbcf929f6

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
128KB

MD5
d560a415ab434f71c9dde97a408179f2

SHA1
7b4e2e7755f0c48cd82b735ef3504ff2b01b4f56

SHA256
78c4ec82276099f835ea90897553d0a6ffcc88090334c9d46f54a8bdb1d116dd

SHA512
3634eb712e026939a135377749cb8ffdea91d31583ce34cb39a85c740e148aec24a23624efb63a17d112d6e4a72ec85f0e34e3064f80df7e833c2b640735e0e5

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
128KB

MD5
64f126f450555d7a2c2c9ea26759b375

SHA1
2df9967e36c7874a31b3b02e39aea06cadb18b28

SHA256
daf1e154f3362517303318310220283dad88c3e19a096483f478b3f5e316def6

SHA512
8f5dbc96561a69349a8abc04b311f52885f5b81f938fd0a3f96257dc7f9f736e6297f96aca016692c1cf132dcb75dbc974067b5e4a464180a904076912e7e489

Download Submit
\Windows\SysWOW64\Ieibdnnp.exe

Filesize
128KB

MD5
215c769268a51dd48eb0a63d38d5e237

SHA1
26c2246323b600e3ccc9d445b2daa11bac59ddeb

SHA256
7676f676b8db9d4cb6937ea400d5040a0c9dcf6af7179da326c80b0c06766600

SHA512
9bb1380d71f983677a96719f4cb220f67bc9067d56fb5c74e8f8b960dd6d3db36ba72c22f4ad8ae7f3908c0275ff5d6ef89c356bae7be24e05cb9ac4909e1b78

Download Submit
\Windows\SysWOW64\Jfjolf32.exe

Filesize
128KB

MD5
79d185f2cc47545bad4be8e09a77f86c

SHA1
bf8182008a875d7c21a577a130bbd095d10576de

SHA256
4b78de63916039ac7e8b5875b220b8fb69a813e5845f6b09193c74eed6a185fa

SHA512
0fd81d35ee198aa7e88313a914091b42cce309427fbcd615d42add4e075b8042af3ac740a8f70890d4ae8907ecdc0ba7709560aa41b7017ee688d35b91738eb4

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
128KB

MD5
f0049245a79ea377cb0c2bba4ae77ce8

SHA1
534e02f84ec0850a91c0382f70d3cd24153ad7e7

SHA256
23c330b80914dbc132f7c72d4d1cca649729f5eed9d17c7d808f382b23e406be

SHA512
530d30556895e7b56a3fa13809ab9ab5e709d6f429fe2fcceac41c7832b96d1446a9092ef1888d1208a5557a74556addc1dad720bda2e945b077af2d2abe9a47

Download Submit
\Windows\SysWOW64\Jimdcqom.exe

Filesize
128KB

MD5
7885c1130b288a8e4dba257631aab4fb

SHA1
df6631b4aaadc3679e59a170e02377f3321e16e0

SHA256
b104c40e46b4de831629f3303908f3e8e26f3bcde9d7b10290abaa54d2ff178a

SHA512
98f0903de2812c5ef6ba25522d5a171b0e685116a03bf70ec585121597a6a7b1b19fc646d40a3cb00c95ed8dd0330e750dcec000bca7872654b1ccc5ae88bdcd

Download Submit
\Windows\SysWOW64\Jipaip32.exe

Filesize
128KB

MD5
4c619f21526acf1c20e73f4d71d9daf0

SHA1
3e22920f85fc72d1e867459fb2f5392f28546137

SHA256
29bd974731a781b8ddd15d9c4eec5553fb0f18f5bce34550f78bb082c3508e44

SHA512
281c94b941de07aa84397e9f0b56971f1063388e421a13160cc4279883b4e60fa3367b7121a898456b074295315cb34dc79a60da58d3394fe1fa137b488393b6

Download Submit
\Windows\SysWOW64\Jpbcek32.exe

Filesize
128KB

MD5
a9f5bfd63811f7b0c9e544c734341831

SHA1
e85845646a1f77edab0100c1faad007df40f9143

SHA256
b090cff57e568cbe4b751b38273cc8e9cb820df7fe6b630e656b4ed4d590c2e6

SHA512
befa70016bf5999133f30c65bbaebe82599c5d617050db81c357b3e3afb983e2fc7b28c984de9fdcaad74ce60bc23a3d87f2b5785bcd0e24fa91aebbdb2e977f

Download Submit
\Windows\SysWOW64\Jpepkk32.exe

Filesize
128KB

MD5
6f56224701eed52fdd3d0d627d7c2fab

SHA1
b634a36e45de8b1eb0a5397ef3f94883851a39a1

SHA256
5f3c39d7dc1f77f1ad27d9d391643bc1c4b1c7e7b5d8bbe4a5da31508bd95c97

SHA512
16d74e5db6a0d747dab8e75e7130a523dc059192d7c1d3efcddea16ae98889d6b1914e74014bdfd38b7a5cfd1186a79ac79492051b3cad3eca8c28b906f10472

Download Submit
\Windows\SysWOW64\Jplfkjbd.exe

Filesize
128KB

MD5
8234d738bf87a019f2084162a8fd4015

SHA1
4048b4a0b55c3ee24d120e3945667b3182fbd231

SHA256
bb0a850aac964f7337536639e1730fea1ef5b033388040126d9fa85149bb69c8

SHA512
e696d3237e69d338d53c314bcca4e8fe541fb976b9f87cd5192c39b2de722daf656bfa42b7c79f5a21b30489ceaa296a0632b961162a52c31388a15d633c5719

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
128KB

MD5
bd4584faa445e017beb2a37e80abd6b4

SHA1
43378eeb2785dde0b5fa9d2c1b79c4704a4787b0

SHA256
0aa8cfb3883d4c90a5dfca1dbe148044738c188a01f6c90305184e629fd63928

SHA512
e45cc4f02044a57829fc69ea20e7b11bf9bce1b3963d54a0fb97c4b8d50343aeac6b9aec53c19c87e02dfd644b99df92b42ce32f2749abace18f3a1a99f6603b

Download Submit
\Windows\SysWOW64\Kdphjm32.exe

Filesize
128KB

MD5
913e92d73eaf5ae6838ee9a54beb1763

SHA1
cab91dc9d98f04b093ca56ee1d381d7f222046b0

SHA256
2b7feef963bc984f54bfb4b6952deb1ce58d39cb4760098bee6ec1d854dcda75

SHA512
589d89e8847827b141d5770641169a59b9ead35932946857fa032710cf310c908b08e2f2ec95020ea332cfbabc6b90b7fa3484f7bcbf97534e57812ed89df19f

Download Submit
\Windows\SysWOW64\Keioca32.exe

Filesize
128KB

MD5
bd7baf2690d9b3b389df4c0f9932a9ed

SHA1
ddbab7030daca3a1deeb06a01009278acb8f1689

SHA256
051d545b028be182a35de9cbd64d472f5b36136bc36319a48e305b146b39d85a

SHA512
5806251ea5a49980529463611907d15b8d3d744989d106a9bc513b1f0c27b93fb8112b09cc15c18d21ee8af3c0eaa7cdd79bd189aded9119cb4475d5af3e1eb5

Download Submit
\Windows\SysWOW64\Kekkiq32.exe

Filesize
128KB

MD5
5aafa6dd5914a8ee405179e155ad7380

SHA1
5ac6291165b6bf0a0104c4cab17937bdd26cf87b

SHA256
11f47fd4ce4aa1b673f64e22c008057b14e32a0cab70625cf35554bccce11e78

SHA512
0db9609c2ff193f8b7f9d62e5b504917afc4433a53e5548876bb6f164e17bd23334060a61a13182cf987bfb2e96b8665713c2e9c224073dfa13597c553ed3468

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
128KB

MD5
2f4c4299e06774a5c26fffd1e5388941

SHA1
ce4e88f7484c31b80c9429a5569de334d795fba4

SHA256
2efdc057ce72594607d87089b820f8880eafd1660bdac77ab77566368763a050

SHA512
b1305835e1fe870eccbdc975fc81f94899dd000567910b2e6a345e636b9bf1a5e9728f98e1de2a6dc122cdc87865901ba6f81fe3d6eb5dddfa663f6b7cbb297a

Download Submit
\Windows\SysWOW64\Klecfkff.exe

Filesize
128KB

MD5
ec336e9957b27598407cd5564ef01e62

SHA1
ac1489b19203546af152f712e15894d7f1eb1fe4

SHA256
f198beca363fb80e611d5250cd32ea77dc1385e539b2ff7c93ac19aad7affeec

SHA512
451c5cb4241d705d31c5d4f5ea0e8c2e3f674ff544b2daa517827dad7f28a35304ee2d79d5c489f7474efab73a407b5d3ac52193adddb6b614b082b73d735df7

Download Submit
memory/668-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/668-189-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/668-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/668-133-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/668-132-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/780-192-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/780-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-250-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/780-197-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/984-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-296-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1136-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1136-163-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1136-165-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1136-217-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1316-295-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1316-239-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1316-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-214-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1344-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-144-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1804-305-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1804-257-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1804-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-307-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1912-270-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1912-308-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1912-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-272-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1912-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-99-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2128-93-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2128-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-164-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2128-151-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2128-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-135-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2200-127-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2356-259-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2356-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-213-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2404-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-118-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2544-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-69-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2636-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-92-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-52-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2636-98-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2636-101-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2652-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-12-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2688-11-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2688-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-54-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2728-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-110-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2728-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-176-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2788-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-38-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/2848-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-271-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads