berbew | 29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Size

93KB
MD5

0e343a116046d6f78aeee1ddcd0e93f7
SHA1

bd1a0ae7bfb9c8963f49b2aa259d38bfa6cd28f6
SHA256

29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693
SHA512

748ced16871bb0553d69e255206f3eefcb4ec86c9cb576536bd041d882f6ddde275db9297f911e320dbcff4eeed7e583fabfc5fb817a8ba38bde4963adda8673
SSDEEP

1536:ZiQtydSM7pLYAxuVc089e9iWfEID4Xcta1DaYfMZRWuLsV+1r:ZDtyFpx089DcEI8MogYfc0DV+1r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikqnlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 22 IoCs

pid	Process
2788	Ifolhann.exe
2952	Iogpag32.exe
2612	Ikqnlh32.exe
2584	Iclbpj32.exe
2260	Jjhgbd32.exe
2136	Jbclgf32.exe
2144	Jllqplnp.exe
2472	Jipaip32.exe
2080	Jbhebfck.exe
764	Jibnop32.exe
1488	Kjeglh32.exe
2244	Kdnkdmec.exe
1812	Kdphjm32.exe
2240	Kadica32.exe
896	Kipmhc32.exe
1652	Kbhbai32.exe
2548	Lmpcca32.exe
2004	Lcmklh32.exe
2300	Lekghdad.exe
1200	Lpqlemaj.exe
988	Llgljn32.exe
2956	Lepaccmo.exe

Loads dropped DLL 48 IoCs

pid	Process
1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
2788	Ifolhann.exe
2788	Ifolhann.exe
2952	Iogpag32.exe
2952	Iogpag32.exe
2612	Ikqnlh32.exe
2612	Ikqnlh32.exe
2584	Iclbpj32.exe
2584	Iclbpj32.exe
2260	Jjhgbd32.exe
2260	Jjhgbd32.exe
2136	Jbclgf32.exe
2136	Jbclgf32.exe
2144	Jllqplnp.exe
2144	Jllqplnp.exe
2472	Jipaip32.exe
2472	Jipaip32.exe
2080	Jbhebfck.exe
2080	Jbhebfck.exe
764	Jibnop32.exe
764	Jibnop32.exe
1488	Kjeglh32.exe
1488	Kjeglh32.exe
2244	Kdnkdmec.exe
2244	Kdnkdmec.exe
1812	Kdphjm32.exe
1812	Kdphjm32.exe
2240	Kadica32.exe
2240	Kadica32.exe
896	Kipmhc32.exe
896	Kipmhc32.exe
1652	Kbhbai32.exe
1652	Kbhbai32.exe
2548	Lmpcca32.exe
2548	Lmpcca32.exe
2004	Lcmklh32.exe
2004	Lcmklh32.exe
2300	Lekghdad.exe
2300	Lekghdad.exe
1200	Lpqlemaj.exe
1200	Lpqlemaj.exe
988	Llgljn32.exe
988	Llgljn32.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Ifolhann.exe	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Kjeglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Kjeglh32.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Ikqnlh32.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Lmpcca32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Ifolhann.exe
File created	C:\Windows\SysWOW64\Bocndipc.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lekghdad.exe
File created	C:\Windows\SysWOW64\Ccmkid32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Iogpag32.exe	Ifolhann.exe
File created	C:\Windows\SysWOW64\Iclbpj32.exe	Ikqnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Lgfikc32.dll	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Ikqnlh32.exe	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Jibnop32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Lmpcca32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Jbclgf32.exe	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Agpdah32.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Ifolhann.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Jbclgf32.exe	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Kobgmfjh.dll	Ikqnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lmpcca32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lekghdad.exe
File opened for modification	C:\Windows\SysWOW64\Ifolhann.exe	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
File created	C:\Windows\SysWOW64\Ffdmihcc.dll	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
File opened for modification	C:\Windows\SysWOW64\Iclbpj32.exe	Ikqnlh32.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Llgljn32.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jipaip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1156	2956	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqnlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfikc32.dll"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll"	Iogpag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2788	1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe	30
PID 1956 wrote to memory of 2788	1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe	30
PID 1956 wrote to memory of 2788	1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe	30
PID 1956 wrote to memory of 2788	1956	29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe	30
PID 2788 wrote to memory of 2952	2788	Ifolhann.exe	31
PID 2788 wrote to memory of 2952	2788	Ifolhann.exe	31
PID 2788 wrote to memory of 2952	2788	Ifolhann.exe	31
PID 2788 wrote to memory of 2952	2788	Ifolhann.exe	31
PID 2952 wrote to memory of 2612	2952	Iogpag32.exe	32
PID 2952 wrote to memory of 2612	2952	Iogpag32.exe	32
PID 2952 wrote to memory of 2612	2952	Iogpag32.exe	32
PID 2952 wrote to memory of 2612	2952	Iogpag32.exe	32
PID 2612 wrote to memory of 2584	2612	Ikqnlh32.exe	33
PID 2612 wrote to memory of 2584	2612	Ikqnlh32.exe	33
PID 2612 wrote to memory of 2584	2612	Ikqnlh32.exe	33
PID 2612 wrote to memory of 2584	2612	Ikqnlh32.exe	33
PID 2584 wrote to memory of 2260	2584	Iclbpj32.exe	34
PID 2584 wrote to memory of 2260	2584	Iclbpj32.exe	34
PID 2584 wrote to memory of 2260	2584	Iclbpj32.exe	34
PID 2584 wrote to memory of 2260	2584	Iclbpj32.exe	34
PID 2260 wrote to memory of 2136	2260	Jjhgbd32.exe	35
PID 2260 wrote to memory of 2136	2260	Jjhgbd32.exe	35
PID 2260 wrote to memory of 2136	2260	Jjhgbd32.exe	35
PID 2260 wrote to memory of 2136	2260	Jjhgbd32.exe	35
PID 2136 wrote to memory of 2144	2136	Jbclgf32.exe	36
PID 2136 wrote to memory of 2144	2136	Jbclgf32.exe	36
PID 2136 wrote to memory of 2144	2136	Jbclgf32.exe	36
PID 2136 wrote to memory of 2144	2136	Jbclgf32.exe	36
PID 2144 wrote to memory of 2472	2144	Jllqplnp.exe	37
PID 2144 wrote to memory of 2472	2144	Jllqplnp.exe	37
PID 2144 wrote to memory of 2472	2144	Jllqplnp.exe	37
PID 2144 wrote to memory of 2472	2144	Jllqplnp.exe	37
PID 2472 wrote to memory of 2080	2472	Jipaip32.exe	38
PID 2472 wrote to memory of 2080	2472	Jipaip32.exe	38
PID 2472 wrote to memory of 2080	2472	Jipaip32.exe	38
PID 2472 wrote to memory of 2080	2472	Jipaip32.exe	38
PID 2080 wrote to memory of 764	2080	Jbhebfck.exe	39
PID 2080 wrote to memory of 764	2080	Jbhebfck.exe	39
PID 2080 wrote to memory of 764	2080	Jbhebfck.exe	39
PID 2080 wrote to memory of 764	2080	Jbhebfck.exe	39
PID 764 wrote to memory of 1488	764	Jibnop32.exe	40
PID 764 wrote to memory of 1488	764	Jibnop32.exe	40
PID 764 wrote to memory of 1488	764	Jibnop32.exe	40
PID 764 wrote to memory of 1488	764	Jibnop32.exe	40
PID 1488 wrote to memory of 2244	1488	Kjeglh32.exe	41
PID 1488 wrote to memory of 2244	1488	Kjeglh32.exe	41
PID 1488 wrote to memory of 2244	1488	Kjeglh32.exe	41
PID 1488 wrote to memory of 2244	1488	Kjeglh32.exe	41
PID 2244 wrote to memory of 1812	2244	Kdnkdmec.exe	42
PID 2244 wrote to memory of 1812	2244	Kdnkdmec.exe	42
PID 2244 wrote to memory of 1812	2244	Kdnkdmec.exe	42
PID 2244 wrote to memory of 1812	2244	Kdnkdmec.exe	42
PID 1812 wrote to memory of 2240	1812	Kdphjm32.exe	43
PID 1812 wrote to memory of 2240	1812	Kdphjm32.exe	43
PID 1812 wrote to memory of 2240	1812	Kdphjm32.exe	43
PID 1812 wrote to memory of 2240	1812	Kdphjm32.exe	43
PID 2240 wrote to memory of 896	2240	Kadica32.exe	44
PID 2240 wrote to memory of 896	2240	Kadica32.exe	44
PID 2240 wrote to memory of 896	2240	Kadica32.exe	44
PID 2240 wrote to memory of 896	2240	Kadica32.exe	44
PID 896 wrote to memory of 1652	896	Kipmhc32.exe	45
PID 896 wrote to memory of 1652	896	Kipmhc32.exe	45
PID 896 wrote to memory of 1652	896	Kipmhc32.exe	45
PID 896 wrote to memory of 1652	896	Kipmhc32.exe	45

C:\Users\Admin\AppData\Local\Temp\29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe
"C:\Users\Admin\AppData\Local\Temp\29217d64e38b312e78cc170e41f02c28222e7f74a963ffa659a3d56cfd155693.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\Ifolhann.exe
  C:\Windows\system32\Ifolhann.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\Iogpag32.exe
    C:\Windows\system32\Iogpag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Ikqnlh32.exe
      C:\Windows\system32\Ikqnlh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Jbclgf32.exe
        
        C:\Windows\system32\Jbclgf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Lmpcca32.exe
        
        C:\Windows\system32\Lmpcca32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ikqnlh32.exe

Filesize
93KB

MD5
435faf0ab30f7268270d98e453213ede

SHA1
542ea1860b193a6b7ee1ded77ea96ae663cea76b

SHA256
d6fdbaa79adb42a6a686d6e493d0558cdaa37fa118756fe20e2e2539761137f8

SHA512
f312a3591c6b14bb82cfea1dfe89e0a3268ff2ab928f5269ffe4d5d38ada23b508824fdff2712c2b645a9d9b2be698161bcd46c6996e81c9e2b229d476f9095f

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
93KB

MD5
d21868227bf21894144c98bf2fd6f5f7

SHA1
2e25e6d4a7e808946a8a8d435ace93dc54d5cc17

SHA256
692df68e68403fa78eb143ed0e003c2c14f1dd7c5fd0bea9fec84b0f00368265

SHA512
c141c39978c0fc15779c3ab736891e2a49580c7c82be1bf4969f349bb02c071f625dca7e74d4f8aa757acf8b949ec87e3c2e4cc94345bf2223a49ddc5ba92594

Download Submit
C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
93KB

MD5
6bf0d7aa919367c9ea1b6dcea0eae799

SHA1
43fd9b86289e9890c3bb543be79609ccfa037718

SHA256
e58938b0f0b5a1c374d1ca2b9ea76576b1dbd2d1a66b5c81f8b274f8f6f2e643

SHA512
1f239cf87132afa501b7f570c36fc96c4f7938c8d6ab8b4845c85cf9e8d53d11964bc60b60f9cb6fad34bfc0f89b4e96c6337e3f02940e9002efc1b24ebb5b9c

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
93KB

MD5
7a9e33d1d36eb4052e5a93d520153ffe

SHA1
a55dfb77f3b5c9ce06094dabeeef19e7c4ba4d1f

SHA256
2039f61052c737c92a2df040b021244314c00b7d3d793f0a2e9c62d2328cdc69

SHA512
b6fad54af9581bc58703280f74850602813a77f62803dffa1ab47328bbe35c3f9d028e046a2eedbcd2f10f566216782a49ac14b9a0c8461e6d0fdfcb22212a84

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
93KB

MD5
d77a5e09a7ef4c555e2eba248879e77e

SHA1
3787e373ddd3f7da248a0a12560a78f25ae0d470

SHA256
626300a2683c6f86274f2e883d000c89db570933b16268362d5e7ec2c4a44e39

SHA512
c6e9fef0379e5a924698b4728e2636a1d0695572a53c0065ec71e320551b08822a68467447a624a5894829a365a0e6ffb3223a22f7f6013394554eb3f1944a4f

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
93KB

MD5
e4f046e21e24dbf52339b9e2b7f7f15e

SHA1
fcbd4771b5190665ce29fc18913a99bb9bb08dd2

SHA256
479686117ba45eba0bdc5150e4f505bfaac64e845d413061e2451ac5eb475c18

SHA512
a13626d12a6aeee7c4797cdfb96e7ef871a2fe78ce77c1a8ed59d4bf73e4f5453ecf483d115b89986c46016811ab1482c1724387878c41bcaa6dd2428fc5ca48

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
93KB

MD5
3dd2f1a8bd6c2355c94fa39cb429b3a3

SHA1
e478e2e7020faa3baf06f5dfd1dc9cdb608004bd

SHA256
0497b8c7b6e87a7e949941b2985fd891f61b2b97bb9f30afb7ba883dcb1d1365

SHA512
5cc6688d4ec812ddc098d79b886efe440d11a153d91e871978fb959172190c1370f3dc279f4934f1e122513133d9ea42525da993fce9cc67df8eeeb9aa18330d

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
93KB

MD5
5a81c16bf9c1ec83b90af59e2566aeae

SHA1
6fff70edef1b6fd991641eb0428caea791c9b21a

SHA256
028ef08bc5bbc35075e77e939f53563ea1ad2ca929422b728570c3cb6ca07fe3

SHA512
48383cef47f99dd24b0c6e2c325d64ea4bc1fdb77f47437c913380b0028dbe76ed0515fb6e9663048f9569be6219a070b9369190ed2302c96cef5c371f6dc7f0

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
93KB

MD5
7903ef3b4bf38f1a784805b9534cf5ce

SHA1
320b364f5659117faa661b3d6fa66cdc10da62e2

SHA256
491c2bc3514cf49d11e15fa5f353b5fc3a5dab47b0e1329842ee296046361273

SHA512
559b77577b8f3873560903272d5221fe8e85c0fe8996a8ec92f0a27aa0d7aea43035b752df09aef8d11697fd114614e1304e09e2315feb3adcfaa8d21df57a87

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
93KB

MD5
097d13f0d8336d2ac411355aada07284

SHA1
c7ef2d8039ea6db302eebde8ca32cdb19cd052af

SHA256
d2f461b3006235f93787611fb7af499a31b66eebfd9a4c906feca537b4d2e89c

SHA512
34c3980d9da4b8a02c83b26fbedc29add385c51cc55f80f3fce76a5075735da23d021605eaa30083d57301952a5400f6f06c883f2356deb59faa53919aa6e463

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
93KB

MD5
e48aed9496912e03b61b86f84b9afe16

SHA1
808da3701ebdb8b7cfad3e38a5f77213c07cb9e0

SHA256
b78b4cc8c246eb38f1c2a1c7c9b45d017940c982931862b22838c08aef4fcc13

SHA512
2813875ef4c6e4c927748685e0d54a20aadf856ccb25bdf1c2f018982f302a1aacb966dad26983299d9b8ff180d1023afcf122d144646615915fc33bc9f9c384

Download Submit
C:\Windows\SysWOW64\Lmpcca32.exe

Filesize
93KB

MD5
dd1b2716d097cefd0bfe1536606e7b88

SHA1
32ba822065c53459506e8d3d4200aad0820972aa

SHA256
e644f876364022bd1830dd93ae6b9e5b7cd89aa54d49d09eefffadaa6fb7f4f3

SHA512
6a3cf4d74182d19082898efaa917c0818f95f88bf0403a2ec6c81cbf249069fbbef9a8c82a391fdb05628a9556163c8c80a7e75b855dadf3070267dd3338649c

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
93KB

MD5
cef50048b77858c0df651ebab2c18704

SHA1
da2ebd838394d9bb1a722c3f8c143a8a1da2d264

SHA256
1d35bf024d6237f275ba8932f38bc39d0f2c962e4c6b1b6b1950184e1d52f0c0

SHA512
a347c312aeaf08af968a52768b6ddbc9815424d69a81aed262fa790ddc57243f35726df37cfb0ffb98b941e59e37163cb2593d838ad45ac8305e16051a525863

Download Submit
\Windows\SysWOW64\Iclbpj32.exe

Filesize
93KB

MD5
ca74832f4debfeb9ea803a0a02512447

SHA1
4a77841691c4ac0b3b8402f9fbb6e4362e1c84c5

SHA256
f384e470b1f93b2b5deffa1d115ccefca4a29dc995add2199ae0b38c9de3e125

SHA512
ee4e72934afdeff430728268bfa7b5624b5b614ff9dc2666435a9cb15c5f3bdba1fa38943d3599e69a5c91c9ab7e40a72f5df67ad6853b147f01809a59b39f69

Download Submit
\Windows\SysWOW64\Ifolhann.exe

Filesize
93KB

MD5
1d5984e2864e637110e869c32f7c1c26

SHA1
a37ce82e5f86d80d4cdb0148e970cfbf3a728b32

SHA256
ecedd4019875456cf1dbd10f802f528e29d9ff8eb24847402dc7b1ff3542e932

SHA512
f9eff71abf84fd6154fcda6a32667debc74b5f66fa8cd792ea96f63dc49a8e841e60a70b6c9329fdd96f2b86dfcd129e6898441a93a4eef2e722900ed9e61987

Download Submit
\Windows\SysWOW64\Jibnop32.exe

Filesize
93KB

MD5
a096b78bcb8a9b4521b4cd1423fa4fed

SHA1
d1d7ac52a1ad94c90335957a147ec592000ef00d

SHA256
84680fa31ac7e31d749ae1f13f931e0d334259915bb39185e03cfe7a0a5a31d0

SHA512
af055bb4a6becd6a758142b3763906b278031fad0f314556f6ec5615083504fe0fdbaf879215cf7d4ff88f7703826835c198fd0ee5100b6191ddcdfe5767b5c3

Download Submit
\Windows\SysWOW64\Jjhgbd32.exe

Filesize
93KB

MD5
bbac058ab89a0ef28370e511dab61d5c

SHA1
d6f724b48968d158720c0e11b653960a956b585a

SHA256
dd2a1d09075fa7cf54d944e84cbf5dcaff2316b54ef3483daf3415b9d3387c96

SHA512
9e45d37396999b7a38ee8b7d2980a173be0ffd35b8262277dcd22ffe5319b080eba83933fd3558511613ffad6ed94788eb17492b78a94dc684c45f8fcd8991a0

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
93KB

MD5
d6f8e7f62d4c442f10d53ec26649d115

SHA1
db095bdeb845656ee2ccf012d618bf8b6925db1f

SHA256
5403a429accec961a1c9d6614acdab72c928eb24cb8c856e4f7a937d90957727

SHA512
7cda5755c5ee9c5cf3247882733e29b5c028dfcf9b64129476414efab490c3f98a6f085c20fff30d2d83dd3f3e8e15b5871cbb0a041783e22f1ff189d78f788b

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
93KB

MD5
760a8f795214dae67aa594762037090b

SHA1
04cc63e1dfd09ea1f72732342aa04794127dbf91

SHA256
394f4e72b3e73ffbbbc55da9f3d035a2a7efc9f50eb0062ea143b2d1fa22e4b4

SHA512
ede5527dd8f82cd80c0a7ac03beb228e01fd713459ddd4e25b0a99646cfbfc8ac152bccb836ea2293265aeaf61a7a32273177b5ec747f2796fd615248f643286

Download Submit
\Windows\SysWOW64\Kdphjm32.exe

Filesize
93KB

MD5
f1bb56084ae3bbb54dd82ccdbb4ec99f

SHA1
243d20053db86932bfc0280e5eb36759e42570b8

SHA256
7f4ca64144f70d8c459a431657380202e41b261e00dabc526ff087a143a02655

SHA512
45c254425dec0dd0358d2373dcaca33186ba80f562c99032aaa7f064950b143d2dbcfeccc7db3331176b7ba4382f133007cc81d078b836cef7577203fd54ec4c

Download Submit
\Windows\SysWOW64\Kipmhc32.exe

Filesize
93KB

MD5
6c1e1892ad05517862928cfd880f59cc

SHA1
640ba26cc470fb2ee48982dd9d34c66ebd6ab1f2

SHA256
9710a3a39d34135f3243f08677c055aa62f1c195f25fd54f855bc4f700f568cb

SHA512
31322ddf4ee52ea0485341dbd541b06ed59db5d6cadcbe2f5c19cde684834e461f1e64fcca556b437dc88cc698e0065249b0c1bb9b8c7c38f3a8a3b5136bd17f

Download Submit
\Windows\SysWOW64\Kjeglh32.exe

Filesize
93KB

MD5
533e2070942751b1df007a0fe8e6a328

SHA1
7d3c1828e6aa56a275b2a4d5f07d3d6e8b0fd0c3

SHA256
78f5de08d1475215f81310322f81e802de06b84503ea33682707e27895fa90ee

SHA512
635059857b0cb9440fb9b781c83b4c586da70af5561063f35c70084be66ede3fbbe6e69cfc972dc05da5ec4fb2b60d44d93fc87868fb14c155788c6cef8f75dd

Download Submit
memory/764-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-146-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/896-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-219-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/896-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-266-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1200-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-228-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1652-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1956-24-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1956-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-250-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2004-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-137-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2136-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-96-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2136-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-205-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2240-199-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2240-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-173-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2260-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-83-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2300-260-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2300-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-123-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2472-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-63-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2612-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-54-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2956-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads