berbew | e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5e

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Size

93KB
MD5

7d891515867f7b7a129c555b7e7be090
SHA1

39306fd41950ed550d99fa5eb760b50d0275797a
SHA256

e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5e
SHA512

1127f46c50b8e0c9de3a01c8ff9f4ff3561522dae11b9d37b01b79dd2075ebc0a3c792d4ca6bfbcf644677e81bfe5dc8bf043142a7f0d39680f7b1b2e52433a3
SSDEEP

1536:9HOPwoYU6QZy3nIeAUFs3R+41DaYfMZRWuLsV+1Z:0Il+EcBU4gYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laidie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebpchmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hddoep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidlodkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbeqem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmplqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpegka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laidie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebpchmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcohbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcohbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hddoep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmhjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liibigjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnljc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidlodkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnljc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikqcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icqagkqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icqagkqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imkbeqem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhqiegh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgljfmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkahbkgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmplqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jccjln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhmhi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 24 IoCs

pid	Process
2644	Hcohbh32.exe
2948	Hddoep32.exe
2776	Ikqcgj32.exe
3036	Ibmhjc32.exe
3004	Icqagkqp.exe
2668	Imkbeqem.exe
436	Jmnpkp32.exe
1836	Jmplqp32.exe
2956	Jfhqiegh.exe
2656	Jgljfmkd.exe
2848	Jccjln32.exe
776	Kmnljc32.exe
840	Kidlodkj.exe
2476	Kfhmhi32.exe
3056	Kbajci32.exe
2568	Lebcdd32.exe
2532	Laidie32.exe
2296	Lkahbkgk.exe
1584	Looahi32.exe
1572	Liibigjq.exe
2196	Mdnffpif.exe
2040	Mpegka32.exe
2508	Mebpchmb.exe
2428	Mllhpb32.exe

Loads dropped DLL 53 IoCs

pid	Process
2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
2644	Hcohbh32.exe
2644	Hcohbh32.exe
2948	Hddoep32.exe
2948	Hddoep32.exe
2776	Ikqcgj32.exe
2776	Ikqcgj32.exe
3036	Ibmhjc32.exe
3036	Ibmhjc32.exe
3004	Icqagkqp.exe
3004	Icqagkqp.exe
2668	Imkbeqem.exe
2668	Imkbeqem.exe
436	Jmnpkp32.exe
436	Jmnpkp32.exe
1836	Jmplqp32.exe
1836	Jmplqp32.exe
2956	Jfhqiegh.exe
2956	Jfhqiegh.exe
2656	Jgljfmkd.exe
2656	Jgljfmkd.exe
2848	Jccjln32.exe
2848	Jccjln32.exe
776	Kmnljc32.exe
776	Kmnljc32.exe
840	Kidlodkj.exe
840	Kidlodkj.exe
2476	Kfhmhi32.exe
2476	Kfhmhi32.exe
3056	Kbajci32.exe
3056	Kbajci32.exe
2568	Lebcdd32.exe
2568	Lebcdd32.exe
2532	Laidie32.exe
2532	Laidie32.exe
2296	Lkahbkgk.exe
2296	Lkahbkgk.exe
1584	Looahi32.exe
1584	Looahi32.exe
1572	Liibigjq.exe
1572	Liibigjq.exe
2196	Mdnffpif.exe
2196	Mdnffpif.exe
2040	Mpegka32.exe
2040	Mpegka32.exe
2508	Mebpchmb.exe
2508	Mebpchmb.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laidie32.exe	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Bgaengmn.dll	Laidie32.exe
File created	C:\Windows\SysWOW64\Hcohbh32.exe	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
File opened for modification	C:\Windows\SysWOW64\Jmplqp32.exe	Jmnpkp32.exe
File created	C:\Windows\SysWOW64\Eamqahed.dll	Jfhqiegh.exe
File created	C:\Windows\SysWOW64\Ikcakg32.dll	Jccjln32.exe
File created	C:\Windows\SysWOW64\Kidlodkj.exe	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Hddoep32.exe	Hcohbh32.exe
File opened for modification	C:\Windows\SysWOW64\Jgljfmkd.exe	Jfhqiegh.exe
File created	C:\Windows\SysWOW64\Pdopmade.dll	Jgljfmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kidlodkj.exe	Kmnljc32.exe
File opened for modification	C:\Windows\SysWOW64\Mebpchmb.exe	Mpegka32.exe
File opened for modification	C:\Windows\SysWOW64\Kfhmhi32.exe	Kidlodkj.exe
File opened for modification	C:\Windows\SysWOW64\Kbajci32.exe	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Fkbqmd32.dll	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Eghkhikg.dll	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
File created	C:\Windows\SysWOW64\Mckghggc.dll	Ikqcgj32.exe
File created	C:\Windows\SysWOW64\Jmnpkp32.exe	Imkbeqem.exe
File created	C:\Windows\SysWOW64\Mjelbl32.dll	Imkbeqem.exe
File created	C:\Windows\SysWOW64\Jccjln32.exe	Jgljfmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jmnpkp32.exe	Imkbeqem.exe
File created	C:\Windows\SysWOW64\Kfbhhdep.dll	Jmnpkp32.exe
File created	C:\Windows\SysWOW64\Liibigjq.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Ikqcgj32.exe	Hddoep32.exe
File created	C:\Windows\SysWOW64\Jgljfmkd.exe	Jfhqiegh.exe
File opened for modification	C:\Windows\SysWOW64\Jccjln32.exe	Jgljfmkd.exe
File created	C:\Windows\SysWOW64\Mpegka32.exe	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Mebpchmb.exe	Mpegka32.exe
File created	C:\Windows\SysWOW64\Dhgjjgoq.dll	Hcohbh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnljc32.exe	Jccjln32.exe
File opened for modification	C:\Windows\SysWOW64\Lebcdd32.exe	Kbajci32.exe
File opened for modification	C:\Windows\SysWOW64\Liibigjq.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Mdnffpif.exe	Liibigjq.exe
File created	C:\Windows\SysWOW64\Icqagkqp.exe	Ibmhjc32.exe
File created	C:\Windows\SysWOW64\Jfhqiegh.exe	Jmplqp32.exe
File created	C:\Windows\SysWOW64\Kmnljc32.exe	Jccjln32.exe
File created	C:\Windows\SysWOW64\Bafeoijd.dll	Mpegka32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmhjc32.exe	Ikqcgj32.exe
File created	C:\Windows\SysWOW64\Modieece.dll	Kidlodkj.exe
File created	C:\Windows\SysWOW64\Kbajci32.exe	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Ffccjk32.dll	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Lkahbkgk.exe	Laidie32.exe
File opened for modification	C:\Windows\SysWOW64\Mllhpb32.exe	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Onqjglfg.dll	Ibmhjc32.exe
File opened for modification	C:\Windows\SysWOW64\Imkbeqem.exe	Icqagkqp.exe
File created	C:\Windows\SysWOW64\Haoikd32.dll	Icqagkqp.exe
File created	C:\Windows\SysWOW64\Looahi32.exe	Lkahbkgk.exe
File opened for modification	C:\Windows\SysWOW64\Mpegka32.exe	Mdnffpif.exe
File opened for modification	C:\Windows\SysWOW64\Hcohbh32.exe	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
File created	C:\Windows\SysWOW64\Dgenpi32.dll	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Lebcdd32.exe	Kbajci32.exe
File opened for modification	C:\Windows\SysWOW64\Laidie32.exe	Lebcdd32.exe
File opened for modification	C:\Windows\SysWOW64\Looahi32.exe	Lkahbkgk.exe
File opened for modification	C:\Windows\SysWOW64\Hddoep32.exe	Hcohbh32.exe
File created	C:\Windows\SysWOW64\Imkbeqem.exe	Icqagkqp.exe
File opened for modification	C:\Windows\SysWOW64\Jfhqiegh.exe	Jmplqp32.exe
File created	C:\Windows\SysWOW64\Jcgjno32.dll	Kbajci32.exe
File created	C:\Windows\SysWOW64\Anedmjke.dll	Jmplqp32.exe
File opened for modification	C:\Windows\SysWOW64\Lkahbkgk.exe	Laidie32.exe
File created	C:\Windows\SysWOW64\Ljaplc32.dll	Liibigjq.exe
File created	C:\Windows\SysWOW64\Kfhmhi32.exe	Kidlodkj.exe
File created	C:\Windows\SysWOW64\Lijgiokj.dll	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Jmplqp32.exe	Jmnpkp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2444	2428	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcohbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhqiegh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgljfmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmnljc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpegka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laidie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hddoep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibmhjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icqagkqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imkbeqem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmplqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfhmhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidlodkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbajci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkahbkgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebpchmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqcgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmnpkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jccjln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Looahi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibigjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnffpif.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcohbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hddoep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haoikd32.dll"	Icqagkqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgljfmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcakg32.dll"	Jccjln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfhmhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbajci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghkhikg.dll"	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onqjglfg.dll"	Ibmhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmplqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anedmjke.dll"	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidlodkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Looahi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcohbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaengmn.dll"	Laidie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdnffpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpegka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmplqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamqahed.dll"	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdopmade.dll"	Jgljfmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laidie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpegka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mebpchmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmhjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbajci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijgiokj.dll"	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikqcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafeoijd.dll"	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mebpchmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaiefep.dll"	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikqcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icqagkqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll"	Imkbeqem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbhhdep.dll"	Jmnpkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgenpi32.dll"	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljaplc32.dll"	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liibigjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mebpchmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffppc32.dll"	Hddoep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icqagkqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hddoep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbeqem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modieece.dll"	Kidlodkj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2644	2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe	29
PID 2304 wrote to memory of 2644	2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe	29
PID 2304 wrote to memory of 2644	2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe	29
PID 2304 wrote to memory of 2644	2304	e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe	29
PID 2644 wrote to memory of 2948	2644	Hcohbh32.exe	30
PID 2644 wrote to memory of 2948	2644	Hcohbh32.exe	30
PID 2644 wrote to memory of 2948	2644	Hcohbh32.exe	30
PID 2644 wrote to memory of 2948	2644	Hcohbh32.exe	30
PID 2948 wrote to memory of 2776	2948	Hddoep32.exe	31
PID 2948 wrote to memory of 2776	2948	Hddoep32.exe	31
PID 2948 wrote to memory of 2776	2948	Hddoep32.exe	31
PID 2948 wrote to memory of 2776	2948	Hddoep32.exe	31
PID 2776 wrote to memory of 3036	2776	Ikqcgj32.exe	32
PID 2776 wrote to memory of 3036	2776	Ikqcgj32.exe	32
PID 2776 wrote to memory of 3036	2776	Ikqcgj32.exe	32
PID 2776 wrote to memory of 3036	2776	Ikqcgj32.exe	32
PID 3036 wrote to memory of 3004	3036	Ibmhjc32.exe	33
PID 3036 wrote to memory of 3004	3036	Ibmhjc32.exe	33
PID 3036 wrote to memory of 3004	3036	Ibmhjc32.exe	33
PID 3036 wrote to memory of 3004	3036	Ibmhjc32.exe	33
PID 3004 wrote to memory of 2668	3004	Icqagkqp.exe	34
PID 3004 wrote to memory of 2668	3004	Icqagkqp.exe	34
PID 3004 wrote to memory of 2668	3004	Icqagkqp.exe	34
PID 3004 wrote to memory of 2668	3004	Icqagkqp.exe	34
PID 2668 wrote to memory of 436	2668	Imkbeqem.exe	35
PID 2668 wrote to memory of 436	2668	Imkbeqem.exe	35
PID 2668 wrote to memory of 436	2668	Imkbeqem.exe	35
PID 2668 wrote to memory of 436	2668	Imkbeqem.exe	35
PID 436 wrote to memory of 1836	436	Jmnpkp32.exe	36
PID 436 wrote to memory of 1836	436	Jmnpkp32.exe	36
PID 436 wrote to memory of 1836	436	Jmnpkp32.exe	36
PID 436 wrote to memory of 1836	436	Jmnpkp32.exe	36
PID 1836 wrote to memory of 2956	1836	Jmplqp32.exe	37
PID 1836 wrote to memory of 2956	1836	Jmplqp32.exe	37
PID 1836 wrote to memory of 2956	1836	Jmplqp32.exe	37
PID 1836 wrote to memory of 2956	1836	Jmplqp32.exe	37
PID 2956 wrote to memory of 2656	2956	Jfhqiegh.exe	38
PID 2956 wrote to memory of 2656	2956	Jfhqiegh.exe	38
PID 2956 wrote to memory of 2656	2956	Jfhqiegh.exe	38
PID 2956 wrote to memory of 2656	2956	Jfhqiegh.exe	38
PID 2656 wrote to memory of 2848	2656	Jgljfmkd.exe	39
PID 2656 wrote to memory of 2848	2656	Jgljfmkd.exe	39
PID 2656 wrote to memory of 2848	2656	Jgljfmkd.exe	39
PID 2656 wrote to memory of 2848	2656	Jgljfmkd.exe	39
PID 2848 wrote to memory of 776	2848	Jccjln32.exe	40
PID 2848 wrote to memory of 776	2848	Jccjln32.exe	40
PID 2848 wrote to memory of 776	2848	Jccjln32.exe	40
PID 2848 wrote to memory of 776	2848	Jccjln32.exe	40
PID 776 wrote to memory of 840	776	Kmnljc32.exe	41
PID 776 wrote to memory of 840	776	Kmnljc32.exe	41
PID 776 wrote to memory of 840	776	Kmnljc32.exe	41
PID 776 wrote to memory of 840	776	Kmnljc32.exe	41
PID 840 wrote to memory of 2476	840	Kidlodkj.exe	42
PID 840 wrote to memory of 2476	840	Kidlodkj.exe	42
PID 840 wrote to memory of 2476	840	Kidlodkj.exe	42
PID 840 wrote to memory of 2476	840	Kidlodkj.exe	42
PID 2476 wrote to memory of 3056	2476	Kfhmhi32.exe	43
PID 2476 wrote to memory of 3056	2476	Kfhmhi32.exe	43
PID 2476 wrote to memory of 3056	2476	Kfhmhi32.exe	43
PID 2476 wrote to memory of 3056	2476	Kfhmhi32.exe	43
PID 3056 wrote to memory of 2568	3056	Kbajci32.exe	44
PID 3056 wrote to memory of 2568	3056	Kbajci32.exe	44
PID 3056 wrote to memory of 2568	3056	Kbajci32.exe	44
PID 3056 wrote to memory of 2568	3056	Kbajci32.exe	44

C:\Users\Admin\AppData\Local\Temp\e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe
"C:\Users\Admin\AppData\Local\Temp\e5172e14e746e871df630151f69167b3bc8c91d65997e5ac8bac0875a3e63c5eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\Hcohbh32.exe
  C:\Windows\system32\Hcohbh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\Hddoep32.exe
    C:\Windows\system32\Hddoep32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Ikqcgj32.exe
      C:\Windows\system32\Ikqcgj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Ibmhjc32.exe
        
        C:\Windows\system32\Ibmhjc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\Icqagkqp.exe
        
        C:\Windows\system32\Icqagkqp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Imkbeqem.exe
        
        C:\Windows\system32\Imkbeqem.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Jmnpkp32.exe
        
        C:\Windows\system32\Jmnpkp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Jmplqp32.exe
        
        C:\Windows\system32\Jmplqp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Jfhqiegh.exe
        
        C:\Windows\system32\Jfhqiegh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jgljfmkd.exe
        
        C:\Windows\system32\Jgljfmkd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Jccjln32.exe
        
        C:\Windows\system32\Jccjln32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Kmnljc32.exe
        
        C:\Windows\system32\Kmnljc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Kidlodkj.exe
        
        C:\Windows\system32\Kidlodkj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Kfhmhi32.exe
        
        C:\Windows\system32\Kfhmhi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Kbajci32.exe
        
        C:\Windows\system32\Kbajci32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Lebcdd32.exe
        
        C:\Windows\system32\Lebcdd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Laidie32.exe
        
        C:\Windows\system32\Laidie32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Lkahbkgk.exe
        
        C:\Windows\system32\Lkahbkgk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Looahi32.exe
        
        C:\Windows\system32\Looahi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Liibigjq.exe
        
        C:\Windows\system32\Liibigjq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Mdnffpif.exe
        
        C:\Windows\system32\Mdnffpif.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Mpegka32.exe
        
        C:\Windows\system32\Mpegka32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mebpchmb.exe
        
        C:\Windows\system32\Mebpchmb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Imkbeqem.exe

Filesize
93KB

MD5
fa157d314526ca60da07d495d023c622

SHA1
332a91c6733820b7d2cbbd8494b9a24f30ac85cd

SHA256
33d815e8d8496feb8f2f211e74d595addf211e13fc3fb69dabdb1cfd314c2c57

SHA512
4ef04e5e367813e10a8f824c7aef81c6cddb63b01232e46f5284b24dadfba1b1699d4f067d6870f709b1c6439ba958cf22cce3c5bd439b50d6e91646e2bbb90d

Download Submit
C:\Windows\SysWOW64\Jmplqp32.exe

Filesize
93KB

MD5
669218674f1d4b68627f7f062fd04f17

SHA1
9b841b95ddf750d466b03f25ea1d3d76d9f84633

SHA256
648c52586ba64ee8643e31325234908d3a58ebdd4190d77718a3e1fa9470c97e

SHA512
abcc26b43aeffb7e6b144b485cc222c9aec257707c6aefdbbd5b10d914997a49b022b88322939ba506d325ffd829cd3ae13c57815cebf1062d860ce2059787b3

Download Submit
C:\Windows\SysWOW64\Kidlodkj.exe

Filesize
93KB

MD5
4f07cf8ce6c7ad0929f258a0b1b41d8b

SHA1
6930e32a39e5e22dad2b0139b6d1a29d7e4d250c

SHA256
26848afa87f279adf98f185921145612cfcbc6911f9d0c3e7d153fa64eada03c

SHA512
014aa79d6f9d1e04d2d94d7646be4c8accdd8f87a4db8d19d995c1b77e7076ab4ccc3ed33f7de18e94afb196fbb29f32290fca2a611b46c56d6c7230f4073769

Download Submit
C:\Windows\SysWOW64\Laidie32.exe

Filesize
93KB

MD5
a5c1b4c56242eb2f0b3ac10db906fb2e

SHA1
83e3451984702e1d56429ea37be6ccdc6a0a0df3

SHA256
77d04b6b6b3df38b24566c8fe64a8230b64be455aa1776576fb9eedc9638e1e0

SHA512
b3cb44c3c0c50fd2f85c501da3c6db06625552ae37acb2fe53283bd902252350069c45dda2c6a42a34b3f59527870caf1ae13fac1b205e452e6382797e0ba495

Download Submit
C:\Windows\SysWOW64\Liibigjq.exe

Filesize
93KB

MD5
1af52db561e9665e51fcca071be72b8d

SHA1
c8ee09d0f67f24812209120fb57fe6c4ed752e24

SHA256
905719eae1cd70fc5372412043b57cde953f76bf9a90c0d756d0dcde921a5ce9

SHA512
d2cff7af9cd38eb4adb184716d9d6c3600c14983e5d24d29b0066a155b3b26af27c534a65e3f0a447fe59ba8d96e0504eba3978dac4f94b127379772398caa26

Download Submit
C:\Windows\SysWOW64\Lkahbkgk.exe

Filesize
93KB

MD5
2074952af3225d8b08c4bb8f83d8f34a

SHA1
01fcf8c60b7c8999e21033bd6829dddf9428a537

SHA256
227ea3e7257bb5664821f3d17d017710538bf29426ec02cbd0307d906ed737a5

SHA512
b3bc615fa166764183fa6b658da1b108e8740b02fa6d1d96c5128c2da5303b73372df8c357d27a2b49f3bf8c675a98b1c8fef14a4577fc856c6a94bae1a61c8f

Download Submit
C:\Windows\SysWOW64\Looahi32.exe

Filesize
93KB

MD5
2378e7121115b9ed797979792d35335c

SHA1
7439627b0d558676deb5077de1e5b2ef9e542db2

SHA256
b67341e4d39bfa039617b1b35a2fa8fb583a76899f282a1da7e0e9c44d7232aa

SHA512
e45efca862723bccaf9e978212fd7f58f76e43e9c81aa11e7fb27d1e60447ea1600b8318cf673d112c51a225c0940c3ab5c835ad229cfbd4b84fb84d892e3053

Download Submit
C:\Windows\SysWOW64\Mdnffpif.exe

Filesize
93KB

MD5
00a7fd3dccf7e1bcf81d491f1892a2b2

SHA1
d7f2ba25c4241b3287735bf6691ee7b4a100ae7c

SHA256
ba4d117e5081ebb03fad312bdc840041d8245585070be1211b7c49448c88d1dd

SHA512
49495d15554802c8b23e87342bb5f0df29b20803c5c710b6db9cb83785b1a5e302b60d75d3472a58d03f05c95a33e159d817fdec4c00e32cef843120d83501b4

Download Submit
C:\Windows\SysWOW64\Mebpchmb.exe

Filesize
93KB

MD5
53f1ea50a84d2874b185076a26236a3c

SHA1
d400ddcf600defb47ee0d8ee992e258dab9aa755

SHA256
b5fa63b49c05ad8ab25d2e8bc1ba0b3f830813ef13de4e1045289029367944ed

SHA512
c36ae4829b45e963a1c94217b361a8ac88b881a1a9b9b233946fe39d95159e3feb3cffb4282255959d417ab9a1adb4310de52d5d633aa411d579b2283a9c10f0

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
93KB

MD5
8b052f5831ca897ae5851841773c1b0b

SHA1
0022fc70a073796df7276927fc40346d149cfc1f

SHA256
ccdec44c067fe4b89304febefe09bfff96414ba27b395705d5d653896370bea4

SHA512
6081afd61033a4638d3f6daef62c7a1430477401baa586c33baf2830c79d996b83128415bf2e24039fa193ed13e55802faa01568cbe8766e34a36c21c532a3c5

Download Submit
C:\Windows\SysWOW64\Mpegka32.exe

Filesize
93KB

MD5
60e812514775b650eda552dc67c46d7b

SHA1
5242929dd72fe0124588bbd2db1907768cc0481a

SHA256
cc7550630e4116a92aafe939ff791f0e8e98d35c31765189fbde4bb68fdb304e

SHA512
aee4c01d338d2db5f3cbe6152db16289f08ba24a3bf6421883445bff4c27eb91709dbe541ac868070eeb5b9ca5510e0beba481a9383074e7086f471e1f35fe38

Download Submit
\Windows\SysWOW64\Hcohbh32.exe

Filesize
93KB

MD5
76e878d9c54563064869269c0f1776c8

SHA1
a97f870fb60040fb09925f20e45e772023265b35

SHA256
accc3be411237a5982575bbaaef5cdc2416de54b3fda6b8e63f5a50cb453114e

SHA512
99d51d539088c8ec55a4d6027018ae005df9841a7f036310e6311ef80cc5afc05fd973553021f12c0647bd2eb119418f28e8e2a26f9bfd3049049399353d3a17

Download Submit
\Windows\SysWOW64\Hddoep32.exe

Filesize
93KB

MD5
405a64548e29399b6aacedd5120ac5ae

SHA1
1f827e7b7cca15bdec480befbc6d413471a970eb

SHA256
2bcceba5f82cb92e56aab4638b7449650719f6de2f5026181ea7535aaa39738c

SHA512
a6334b59d55f18053ea7c84e0f3eab5b2951d026ba268f79a3a3dfd566fdd3c9dfe6d9c5a7f957d181fcca9c6aae2de8998e6a3dc3aa7f9591f4352dadb32d81

Download Submit
\Windows\SysWOW64\Ibmhjc32.exe

Filesize
93KB

MD5
687ec1228b5d44d0a5dbb9934775bcf4

SHA1
7faaccdba5e39c0808043d4753673acf65e3e711

SHA256
ab8a83952843e4d0704c78d3112ea3e4c303c4566bbddeb5719e11dd0346eff2

SHA512
06770c7e618f1f291d12e29f85835523eaeb29fd0321fa75d4303d6d994e0f348eb091ee70256c4c3c4a761698bf3af9fde50a78c3391ede90699002ec61b78b

Download Submit
\Windows\SysWOW64\Icqagkqp.exe

Filesize
93KB

MD5
dd6fa64dd35d10a7b4a7767b2e78acf2

SHA1
adb96d21597630be96c2db7562e4ae8d24b31dca

SHA256
fc559584ab7674f683f5fa4be1470ad8f46486d36d875d391668824af5ba44e7

SHA512
7c539ae9d85d03b64e0a5b69561e96da1d3a13cf418bd009c2f80753356537875d481a8bc6835590b471901f2e5720c9cb9a3eb18db646c36e6f0f666e7dbd18

Download Submit
\Windows\SysWOW64\Ikqcgj32.exe

Filesize
93KB

MD5
6e39464e00575320a98cd5d58bf2a154

SHA1
53c4e7b88ad8e3df8239587356f153ff8bf59348

SHA256
d3e6e3e9c2a94ee723b97ef0bfb53cef4549c5d93b3b6ad7973e54aebb106803

SHA512
b5f4a364e18731988d2e374b462b51d1e3f4786e0bc827b8e276520aa7d7c20c48a5142ac5700fb639d3a6cc32005cf03de5e0baa2ed968bd61345ec1667e3d4

Download Submit
\Windows\SysWOW64\Jccjln32.exe

Filesize
93KB

MD5
7e4243c2211875264fcc7f372f9960b7

SHA1
42e41a29f0137f6a62525691477a84508d3be99b

SHA256
5ba84e012237670d35e418a1b223cd6bff2b5946d8d8f411561f9d1080de22b4

SHA512
aaec7bbe4bbaca0695e91f1eb3464bd7ff25522f2dc39a955a5fb13d6eca5ea7c938436f3f557ef7fba315b32f4f6a912aff44a577ca1d071a2ba9ec1d321b4c

Download Submit
\Windows\SysWOW64\Jfhqiegh.exe

Filesize
93KB

MD5
930a6b8a228f6d22751cd8a2b4022f4e

SHA1
42fe753dabf17ac2411985b537da2554f72d801c

SHA256
727a29caa03e752431e10ac865c2f0ed4ef941144901508b97be17a4fb06b0a6

SHA512
7f1e4f6d7dc81dbe5b728e44b8447d346e015746ec799e91f6778f1880275767e65f0a8f610aa6f940e6bb4f782c8db0d7f45e206a53b0d53223f420b5dcb07a

Download Submit
\Windows\SysWOW64\Jgljfmkd.exe

Filesize
93KB

MD5
73870d566a02819858da6f601763f641

SHA1
f798c4c1a75c3902013a5c9441f4fbfb0c9a8b4a

SHA256
53df4a6735beedce507a4af7d4d5272888ee0667d3d979232022c17e05578e9c

SHA512
8fc5dee9967111c1902f14482137ee13732f0cfe6025c36cef6b1d1ef86a216f54bbc2bf4ef0c0e2b12f86b700639acefa19e0e35c56b598e465c325c70bba80

Download Submit
\Windows\SysWOW64\Jmnpkp32.exe

Filesize
93KB

MD5
5aa034f310136603bb5a2a0a3e3c28e6

SHA1
91543f5a57cb0d7ba45de81c080b7843a53fd569

SHA256
61212dbb60c88c0139ff4b7458e120ae8b39f52550b37354ae7aef1214861924

SHA512
e9bae96c8e0b6aa12ab43b16b74fcb0d73cdcefa3a20a7378ec5cc367b09cc3ef38f6292339193ee603f78bafb1db4decb8c00be4bada9c86d3e9c5bc7356a31

Download Submit
\Windows\SysWOW64\Kbajci32.exe

Filesize
93KB

MD5
c7a2435794e250a60af1e1a3af152b17

SHA1
ea96468876e8228fe2c66ea4fa3fcfc43af0512a

SHA256
2d28eb28a1224f4b7c204056564bcad008824665c49a04062c11fe15d6ac5213

SHA512
ad5e3df37de18eb58c3f79a6b3d951046bcea7ab69131f06c3ce72e2140ce8dbec24ceaf9c6409760057254e058b2f333a18525c1caf08baab8d6b9766809972

Download Submit
\Windows\SysWOW64\Kfhmhi32.exe

Filesize
93KB

MD5
62559ff0a1a1f5f68a11dbb9e46b0910

SHA1
5ae15d8fac2cadcbed1bc9da400551d7c8f0bc19

SHA256
9ba89fc7f39702b06bbd3fa7be0baeb1860f921450d5515825ed2ffcd836d932

SHA512
e1465130dd0dccc4831a1c62e01ae7f44fb9aac97f354aaeaa32a3d87bf192eae26e860703a9c64a00dde8b3451fb8495e5021c207393578ddb84350adf49c55

Download Submit
\Windows\SysWOW64\Kmnljc32.exe

Filesize
93KB

MD5
d97aa13473b4655f8fe7b2c3db4e102a

SHA1
1429b875e5ff3c09905498400380448d1832dd43

SHA256
7263c3d0052cd94bdbbe3f92a657b71514b42b70ec064db3e1807f76522c25c3

SHA512
197b4076bc1e0096b1f6e3fdff9cbb9a9a83a63cb1ea07396bf711797115a249405bf9bdf1d0c4fdcd09a01a8971ba11973c00fee8d7f40efa14f8cfdbd230fd

Download Submit
\Windows\SysWOW64\Lebcdd32.exe

Filesize
93KB

MD5
d5dfa01a297fb8eb3c6f1c8ee1c1d1a1

SHA1
d9b5bd735a738f7ce2ceabdc141ea1a0cca5fa17

SHA256
c5fcc2c4fcf063d8d8ebe4e3c95bafe52b72b8c84793f342604dd63377dfb53c

SHA512
9d5fdf2f20bf7af569f32e889bd2c54dc212a99a4b3c12a17543f40274f377aac1f7e8adb2c00e7e41b31a438ddac4d32be4061fdb763dace2047bf6f2358514

Download Submit
memory/436-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-189-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/840-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-259-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1584-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-281-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2040-277-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2040-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2304-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2304-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-292-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2508-288-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2508-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-232-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2532-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-22-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2644-28-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2644-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-145-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2656-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-50-0x0000000001BA0000-0x0000000001BD3000-memory.dmp

Filesize
204KB

Download
memory/2848-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-41-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2948-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-131-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3004-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-68-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3036-69-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3056-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads