berbew | 0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558

Analysis

max time kernel
30s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Size

482KB
MD5

af204d6382d9a86fec9a2f8c61f94650
SHA1

52bc74564b8ce6b367b52b1ce0c9ffb0c20128bf
SHA256

0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558
SHA512

6b6b2940b964c64373e05383316b8c3a29e5854262f36d01cec86fbeff32c3f12c9ecd275b16d4a82f748f36d01334a85e23be179c742e94b640989a0ec82e24
SSDEEP

6144:S77fDai2rrLl+wGXAF2PbgKLVGFM6234lKm3mo8Yvi4KsLTFM6234lKm3:AajLMwGXAF5KLVGFB24lwR45FB24l

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lghjel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idnaoohk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnkpbcjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmefooki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnkpbcjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmefooki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Knmhgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icmegf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmhgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2776	Ikfmfi32.exe
2564	Icmegf32.exe
2872	Idnaoohk.exe
2568	Jnkpbcjg.exe
2816	Jchhkjhn.exe
792	Jcmafj32.exe
2652	Kmefooki.exe
2204	Kebgia32.exe
1292	Kklpekno.exe
1612	Knmhgf32.exe
376	Kbkameaf.exe
2032	Lghjel32.exe
3060	Ljffag32.exe
1960	Mlaeonld.exe
688	Mieeibkn.exe
1712	Mlhkpm32.exe
2256	Mmihhelk.exe
280	Ndhipoob.exe
1596	Ngfflj32.exe
652	Nekbmgcn.exe
2512	Nmbknddp.exe
584	Nlhgoqhh.exe

Loads dropped DLL 48 IoCs

pid	Process
2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
2776	Ikfmfi32.exe
2776	Ikfmfi32.exe
2564	Icmegf32.exe
2564	Icmegf32.exe
2872	Idnaoohk.exe
2872	Idnaoohk.exe
2568	Jnkpbcjg.exe
2568	Jnkpbcjg.exe
2816	Jchhkjhn.exe
2816	Jchhkjhn.exe
792	Jcmafj32.exe
792	Jcmafj32.exe
2652	Kmefooki.exe
2652	Kmefooki.exe
2204	Kebgia32.exe
2204	Kebgia32.exe
1292	Kklpekno.exe
1292	Kklpekno.exe
1612	Knmhgf32.exe
1612	Knmhgf32.exe
376	Kbkameaf.exe
376	Kbkameaf.exe
2032	Lghjel32.exe
2032	Lghjel32.exe
3060	Ljffag32.exe
3060	Ljffag32.exe
1960	Mlaeonld.exe
1960	Mlaeonld.exe
688	Mieeibkn.exe
688	Mieeibkn.exe
1712	Mlhkpm32.exe
1712	Mlhkpm32.exe
2256	Mmihhelk.exe
2256	Mmihhelk.exe
280	Ndhipoob.exe
280	Ndhipoob.exe
1596	Ngfflj32.exe
1596	Ngfflj32.exe
652	Nekbmgcn.exe
652	Nekbmgcn.exe
2512	Nmbknddp.exe
2512	Nmbknddp.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Icmegf32.exe	Ikfmfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jcmafj32.exe	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Ljffag32.exe
File created	C:\Windows\SysWOW64\Mpcnkg32.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Ikfmfi32.exe	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Knmhgf32.exe
File created	C:\Windows\SysWOW64\Lghjel32.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Jnkpbcjg.exe	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Epecke32.dll	Jchhkjhn.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Knmhgf32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Lghjel32.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Ljffag32.exe	Lghjel32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Knmhgf32.exe	Kklpekno.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Knmhgf32.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Kmefooki.exe	Jcmafj32.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	Kmefooki.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Lafcif32.dll	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
File opened for modification	C:\Windows\SysWOW64\Idnaoohk.exe	Icmegf32.exe
File opened for modification	C:\Windows\SysWOW64\Ljffag32.exe	Lghjel32.exe
File created	C:\Windows\SysWOW64\Jnkpbcjg.exe	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	Kmefooki.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Kmefooki.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Kklpekno.exe	Kebgia32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Ikfmfi32.exe	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
File opened for modification	C:\Windows\SysWOW64\Icmegf32.exe	Ikfmfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kmefooki.exe
File created	C:\Windows\SysWOW64\Hkeapk32.dll	Kklpekno.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Ljffag32.exe
File created	C:\Windows\SysWOW64\Dkqahbgm.dll	Icmegf32.exe
File created	C:\Windows\SysWOW64\Jchhkjhn.exe	Jnkpbcjg.exe
File created	C:\Windows\SysWOW64\Jjnbaf32.dll	Kebgia32.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Idnaoohk.exe	Icmegf32.exe
File created	C:\Windows\SysWOW64\Nqdgapkm.dll	Jnkpbcjg.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Ccfcekqe.dll	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Jfoagoic.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Alfadj32.dll	Lghjel32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Jnbfqn32.dll	Ikfmfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	584	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnkpbcjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmafj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icmegf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idnaoohk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jchhkjhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmefooki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikfmfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kklpekno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knmhgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll"	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jchhkjhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll"	Kmefooki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Knmhgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll"	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmefooki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmefooki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll"	Idnaoohk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll"	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll"	Jnkpbcjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnkpbcjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnkpbcjg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2776	2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe	30
PID 2708 wrote to memory of 2776	2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe	30
PID 2708 wrote to memory of 2776	2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe	30
PID 2708 wrote to memory of 2776	2708	0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe	30
PID 2776 wrote to memory of 2564	2776	Ikfmfi32.exe	31
PID 2776 wrote to memory of 2564	2776	Ikfmfi32.exe	31
PID 2776 wrote to memory of 2564	2776	Ikfmfi32.exe	31
PID 2776 wrote to memory of 2564	2776	Ikfmfi32.exe	31
PID 2564 wrote to memory of 2872	2564	Icmegf32.exe	32
PID 2564 wrote to memory of 2872	2564	Icmegf32.exe	32
PID 2564 wrote to memory of 2872	2564	Icmegf32.exe	32
PID 2564 wrote to memory of 2872	2564	Icmegf32.exe	32
PID 2872 wrote to memory of 2568	2872	Idnaoohk.exe	33
PID 2872 wrote to memory of 2568	2872	Idnaoohk.exe	33
PID 2872 wrote to memory of 2568	2872	Idnaoohk.exe	33
PID 2872 wrote to memory of 2568	2872	Idnaoohk.exe	33
PID 2568 wrote to memory of 2816	2568	Jnkpbcjg.exe	34
PID 2568 wrote to memory of 2816	2568	Jnkpbcjg.exe	34
PID 2568 wrote to memory of 2816	2568	Jnkpbcjg.exe	34
PID 2568 wrote to memory of 2816	2568	Jnkpbcjg.exe	34
PID 2816 wrote to memory of 792	2816	Jchhkjhn.exe	35
PID 2816 wrote to memory of 792	2816	Jchhkjhn.exe	35
PID 2816 wrote to memory of 792	2816	Jchhkjhn.exe	35
PID 2816 wrote to memory of 792	2816	Jchhkjhn.exe	35
PID 792 wrote to memory of 2652	792	Jcmafj32.exe	36
PID 792 wrote to memory of 2652	792	Jcmafj32.exe	36
PID 792 wrote to memory of 2652	792	Jcmafj32.exe	36
PID 792 wrote to memory of 2652	792	Jcmafj32.exe	36
PID 2652 wrote to memory of 2204	2652	Kmefooki.exe	37
PID 2652 wrote to memory of 2204	2652	Kmefooki.exe	37
PID 2652 wrote to memory of 2204	2652	Kmefooki.exe	37
PID 2652 wrote to memory of 2204	2652	Kmefooki.exe	37
PID 2204 wrote to memory of 1292	2204	Kebgia32.exe	38
PID 2204 wrote to memory of 1292	2204	Kebgia32.exe	38
PID 2204 wrote to memory of 1292	2204	Kebgia32.exe	38
PID 2204 wrote to memory of 1292	2204	Kebgia32.exe	38
PID 1292 wrote to memory of 1612	1292	Kklpekno.exe	39
PID 1292 wrote to memory of 1612	1292	Kklpekno.exe	39
PID 1292 wrote to memory of 1612	1292	Kklpekno.exe	39
PID 1292 wrote to memory of 1612	1292	Kklpekno.exe	39
PID 1612 wrote to memory of 376	1612	Knmhgf32.exe	40
PID 1612 wrote to memory of 376	1612	Knmhgf32.exe	40
PID 1612 wrote to memory of 376	1612	Knmhgf32.exe	40
PID 1612 wrote to memory of 376	1612	Knmhgf32.exe	40
PID 376 wrote to memory of 2032	376	Kbkameaf.exe	41
PID 376 wrote to memory of 2032	376	Kbkameaf.exe	41
PID 376 wrote to memory of 2032	376	Kbkameaf.exe	41
PID 376 wrote to memory of 2032	376	Kbkameaf.exe	41
PID 2032 wrote to memory of 3060	2032	Lghjel32.exe	42
PID 2032 wrote to memory of 3060	2032	Lghjel32.exe	42
PID 2032 wrote to memory of 3060	2032	Lghjel32.exe	42
PID 2032 wrote to memory of 3060	2032	Lghjel32.exe	42
PID 3060 wrote to memory of 1960	3060	Ljffag32.exe	43
PID 3060 wrote to memory of 1960	3060	Ljffag32.exe	43
PID 3060 wrote to memory of 1960	3060	Ljffag32.exe	43
PID 3060 wrote to memory of 1960	3060	Ljffag32.exe	43
PID 1960 wrote to memory of 688	1960	Mlaeonld.exe	44
PID 1960 wrote to memory of 688	1960	Mlaeonld.exe	44
PID 1960 wrote to memory of 688	1960	Mlaeonld.exe	44
PID 1960 wrote to memory of 688	1960	Mlaeonld.exe	44
PID 688 wrote to memory of 1712	688	Mieeibkn.exe	45
PID 688 wrote to memory of 1712	688	Mieeibkn.exe	45
PID 688 wrote to memory of 1712	688	Mieeibkn.exe	45
PID 688 wrote to memory of 1712	688	Mieeibkn.exe	45

C:\Users\Admin\AppData\Local\Temp\0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe
"C:\Users\Admin\AppData\Local\Temp\0f48217d1372c35b8b618f4edf8797c8cc5d7bcae44b5f7ff1073340ebe9d558N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Ikfmfi32.exe
  C:\Windows\system32\Ikfmfi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Icmegf32.exe
    C:\Windows\system32\Icmegf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Idnaoohk.exe
      C:\Windows\system32\Idnaoohk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Jnkpbcjg.exe
        
        C:\Windows\system32\Jnkpbcjg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\Jchhkjhn.exe
        
        C:\Windows\system32\Jchhkjhn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jcmafj32.exe
        
        C:\Windows\system32\Jcmafj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Kmefooki.exe
        
        C:\Windows\system32\Kmefooki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Knmhgf32.exe
        
        C:\Windows\system32\Knmhgf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:280
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Icmegf32.exe

Filesize
482KB

MD5
9c000b281dc9cc611f647653b47b4503

SHA1
bc411661a818144d2a5a2d0a96cd6a0c369590a8

SHA256
5b8e5f77915e185f732c819ce2622a49146c573825d09a3ba22d863654db43ab

SHA512
36de17c638cd5be919cbb6124eb330f7a46c06c3c002af19791c8bdc7cc7425c03cf67ba822706872a2657405f8877e49cc09f3dd84d1ef9abc5984c23d6cf17

Download Submit
C:\Windows\SysWOW64\Jchhkjhn.exe

Filesize
482KB

MD5
c01c677cc99dc373e2aa13e37310098b

SHA1
deba8ea0edb9ecfdf35aeeda1c21e34909ce2b4d

SHA256
d8d5e484c3e970b7edd7179edc327a0616c301538d6d64704367df78a76cbd62

SHA512
37cdbd9c9bbc823d72c36aa7b91a78f14eaa6711f56ff462b4a5771fd44724e4b0505bc2ae499fb313c4d055f9ea038ef91d0b75599e250d1bbd880b65d6adb7

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
482KB

MD5
d3881435a3bd3836d1344737a52d373c

SHA1
29f24dd47f41c11503f7da06cebd48442ede7bb5

SHA256
04a10b9a5f8f4f298f1a1f601c9b7064e9444230e0dce6d767099733b64783ee

SHA512
41b263170a9566801fe4ed8023f5a57ddb8e21e88aaaac9f763b41f933e4111e7696bf62714b414b63951786fa9682abdd6e0d38b3ccb99817417e7f41f202f5

Download Submit
C:\Windows\SysWOW64\Kebgia32.exe

Filesize
482KB

MD5
09439e8a7772154481ac8f172d853e3f

SHA1
6e1090101fa50f96fd3fab7ee2de534d0b45434c

SHA256
6fc8c3f8c7fe4ccb2458614b71221a60e5424acd796093097ee3e20432c2aa1d

SHA512
54ed6404a12130475cfc7bbc56cd237b6e596f26d1e6f51bb632e5544643c93cf17b65406354f1f5a0ad56699c1102a987c9a4fc3db5fa6b20c860db92dcf20e

Download Submit
C:\Windows\SysWOW64\Kmefooki.exe

Filesize
482KB

MD5
4316b9cab17dbb61ec392edef76aa89c

SHA1
b3285ae05f20ea8151572d770fd29e8506da17db

SHA256
9c75a9a8b7b87db7474855dc855698db91f879f2db8020c070c9fc417050f308

SHA512
6f950071041c85e9e3d2534e998b461247f3c1fdf57d3d07d336531507a3e24c63ee795baa2c8767a0020748e9c6ce51fd9ecc3d7144105163db926dcd4320a6

Download Submit
C:\Windows\SysWOW64\Knmhgf32.exe

Filesize
482KB

MD5
e2c7e599af2c8328f97510838d156791

SHA1
003f1f30f136829c7f3f9d214fd28ae59e660082

SHA256
d252b7ffb7723a7ddfd47bfd1ff543e0fc43632adee51ff636e00fba924565a1

SHA512
71795e8d9a7306fb87849450f4950c75cdcfea70a4a2d48de7f1a84d83db2427e3023a7c862327121b12f07af85e103674b7a46073c1178b25655fdd405b1dfb

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
482KB

MD5
48f5d15fb4d923ef0692ec3c34368ae9

SHA1
ba0714c0580ef86845d1da7791c3ef3d91e6e094

SHA256
f632e1ad42b11ec1000c24128893d639d03fd0c0c0c3e928e7382f53aba5da47

SHA512
8595a7b19816ff29292cae7495f344c25685a5f13d8efb7842da2f332f5aaa5e94a784c3f926f589395f5be7a43165d5daf4fcfc0e16c1b0d4f160d1b0f043ab

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
482KB

MD5
1740ef47c4d61485e08be9f75168ceff

SHA1
097422f6807abc032f5105675b765f60f47d1653

SHA256
62a7faa3ac47365ee66c05c4ce85bc1ac1702dc450c4d48b8d2a57e9ecafdff5

SHA512
2f13f9fe9a0da3c5419ab9500baaa2b2bb3aa932a10fa5778234cffb51108687182f3e6139dc24bd99f079945f34a9580fa6dcc5a2f9067edb9b60c6838eadf4

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
482KB

MD5
65fb7a38334a5d283a65066329649956

SHA1
19a0ee57550040633763f5d2e940308fb9fb7334

SHA256
22144737f99057bd0f0e293f03c13a398119af9eacee12eff934753677f67b05

SHA512
c79412b2cc64cc8c3b1cf9523559c26e9f0ff56ac17aaec9fd6df8c735ed2adfd5c4bb9fd7e742f87ec025f2bffc5f4fa63a3cdbcc253219f47482a80d3e85b8

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
482KB

MD5
8a7cafe77763f9659706dd7c72437a90

SHA1
6026d8272b186bb1af5b267aa20490eee83fcbe8

SHA256
98bdf416a393f07ef5d48e7625ae5c6fd118613a82d9d9c60e8fe242d48ffbef

SHA512
febf97a54b4e61ed4a02a3305a270b20a0cb93b7d8b28bc695a2bcba200f03afffeefe9750123d1b4ec274e6ea4b8e636522854fd83295ce5dc84b95438eca25

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
482KB

MD5
225927e082154bfc8757137620d3b52c

SHA1
eb2fd2b9f0372e21bca22bcb149a8dcf22278728

SHA256
7d7d0e8b2d4aff1e84d7018eee0b98c8db8862ccc3f2f714ccdd798d0fc3291e

SHA512
e3ae25254fe24a29418999f2886dc38bce1d39d5960e0cc4682ab810b2585d56d2cf86d73e48c6322a9f6d32f8ebeaf5dfdef10ce1032aa499671949b9d8e988

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
482KB

MD5
55e0df15d530f89dddb7a30738eb7d2c

SHA1
dbb434820ca63f2f1f3ffd616a357b71b0b11b3a

SHA256
b76d04fe18ce313202af031ef9e896c536d8b1c61c233102a5d2b1be98034fe4

SHA512
1a2fc8a153df36976b2575e422d23c5a7d898ec5ce884eb1e1b721305b480fb061062860cd9aa53ae6ad81db73daabd47015a93757098e1c0e4c2ac04615e325

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
482KB

MD5
8a6909c061f381062ebb52f531f2bc1c

SHA1
56f3bd7f21d1e47d3cc016e52abb080ba50ac290

SHA256
7b7fccfd5fb7b5db29e81feb0fb43f73fbcfeecef5eaf219fad41bf0fd8251b5

SHA512
c3d81853eccf49b2b44025f4c6647aebfd4b9205acd37b76fa287b0e3371b93f18a53a12cc92c38c431470c9a2e67f98131ac33f84cc817eb3b3e77b8598d48b

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
482KB

MD5
5b8fc316d95e68fe1b81d61b48159e4a

SHA1
9681b25aabb181c0adc596f94d449db2c6e1beed

SHA256
575084e33bd9ac0f07c07bd37ddc24edd5965d6cae7e7a8863e20ff99b04b605

SHA512
3400712d0c4b745a39bd2d9002c4f5d3768dd4fdbe8065cb70a2d223b19a41cd6e28f36c50cc76948b36bd4dc4ff92d62c318e68c1ab5cad75dd43f674509ebf

Download Submit
C:\Windows\SysWOW64\Nqdgapkm.dll

Filesize
7KB

MD5
5881e59755e5d5e49b3a8b2186e234c0

SHA1
32df55a0235f5c63d69472cf16144d4938e00de2

SHA256
39e389a281996e0b736505de78b32e2e5bb00f78f1f16fd546073a5e2407a5ce

SHA512
e09e5019156ec7a0eefefa1eadc38f859ec4441418b45bcfca3b5b4760cfee28ef6ffedaca7b7df200f88c9c76b1a841ef368aa053337cce2c42a34e60dd06e8

Download Submit
\Windows\SysWOW64\Idnaoohk.exe

Filesize
482KB

MD5
f5af69295c2f5fd288b6e3a2971b8453

SHA1
bd0778909c3ccb7b5237425ea64d033dbb0f7d0f

SHA256
aef78c5a93d655e9200e0924e0c0ce8ee0160731f1061e248ad037854c406530

SHA512
7a35d68be985097ce98c107f5db55a793b2adf769971d795298e27baa0259e954885f86924614c43903b8fea17269de6a1701aa84ba4d2c91eb4cc18827a220f

Download Submit
\Windows\SysWOW64\Ikfmfi32.exe

Filesize
482KB

MD5
dd8e8fc17808cabac1601a9bbc16d8ae

SHA1
d957f928d0b9d6cbecc9f2980cdf6188ee106b4d

SHA256
0f5c9c0e41fc02be329e6ece5832a0fce69776ded9ff2993116c204ea4283fa5

SHA512
ef4de70cd0fc1f1e38456cdbdaa2fe600e9e901711b3431188fb2c617a970dcfee6b4831d4cd00dce276c84f34e786eac4f1c3eba3d4f36e3433f33030938074

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
482KB

MD5
939f2de6ad927853ffb0e7c9ddfdc001

SHA1
ec4faf72bf1b6a6bd925e62f85759dc6ee4d650f

SHA256
3617a377c0a8b7f0c797aada1939546dc62237a4981f0fbe5ae1106c25d5d0c8

SHA512
7f48522b2b4f430115f79728c34de53dc188aaa89beb0030565c99a29a1127f5fb6cf0cf765da1de8792b36822e60d1a4dfb4746ab1ca2ffa69c468433f76b1a

Download Submit
\Windows\SysWOW64\Jnkpbcjg.exe

Filesize
482KB

MD5
79b248ba624f5c24f3c6a7fb76ca254e

SHA1
439deec70cefa3759713d2409147535234225aba

SHA256
fddb7ca6f3393c3a1e00013bb89179678dadf708b31de8f721adea8dc585ef1a

SHA512
60f6312b1c2ec45c1bb1ca8e97b883360336aed17749c4798282976c1463addba67236b17d657616e7babbf9180c98ae4731e211d1ad4fbab41baed08a64265c

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
482KB

MD5
71762acfcdccf2305ea57dd51eec6af6

SHA1
2612a353c40a744e786f6410acb8fcf23a7500df

SHA256
ba7a6c715fbc251286840e35389842d616a3161314978e0921ec691e638792cf

SHA512
00bdfbf0c940a7e1dd6d2328e7e35c47a0fb31ee1ab0cab9c0f7af0296c0cde2db1bcc59d70109758d2cf5a9dafa6b0db764fe78eda44e6d0596c8e04444d22a

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
482KB

MD5
a3c2ac92ea5bb23e128d5cdd6d32ac78

SHA1
bf23119aa1bc30053ec305fe6944a0661e597367

SHA256
b75202070edbf518967967594afcfd0c8a3f6ee68ad0eb2ee950e8932fcf8f14

SHA512
06e5fece5e55744af0a20c8b629ef18e209c355e960a121bbc20f2189b43fc8d22049208cafa339e53550680e544246eaa5b1a57f7dbc7bbc1da607766299fe8

Download Submit
\Windows\SysWOW64\Mlaeonld.exe

Filesize
482KB

MD5
a78daab456d0c09978f3f6413a418f38

SHA1
e0abd16c61f2ef50781df3fa79eb7b0e5420924f

SHA256
2d168fe1cbab8464089a90d1b5ca5b39230bdd6d50a37c453e42c09c5984cdd1

SHA512
a2895e939dd61475a2231f0a83cc946150961927e14fcdcb092ee37ee03d07b46d4b85df2607f75222221cac90f495e2e6d9168a74d1d58874eee0bd8d2f18c6

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
482KB

MD5
2e7ae8d8ce67a819b326d432ee033a64

SHA1
e59133b02e237f4cee8b93b74f66bf1085e5ffd2

SHA256
fe971946f2c5175f35565e63e8786023d51cfec2e774003c5d1f167789d99f67

SHA512
037616ff5914497bf4b128d73bbb2e0b30cc1882202cf710db013ab122b67e4b1efb82b40961c615f14c3496954e381fd9a0f8d7c47495c9076250a0033bae4f

Download Submit
memory/280-257-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/280-298-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/280-256-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/280-251-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/376-166-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/376-168-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/376-311-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/584-290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/584-313-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/652-273-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/652-278-0x0000000000260000-0x00000000002CF000-memory.dmp

Filesize
444KB

Download
memory/652-292-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/652-294-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/688-222-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/688-221-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/688-312-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/688-209-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/792-321-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/792-323-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/792-86-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1292-335-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1292-121-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1292-140-0x0000000000390000-0x00000000003FF000-memory.dmp

Filesize
444KB

Download
memory/1292-336-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1596-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1596-267-0x0000000000370000-0x00000000003DF000-memory.dmp

Filesize
444KB

Download
memory/1596-268-0x0000000000370000-0x00000000003DF000-memory.dmp

Filesize
444KB

Download
memory/1596-297-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1612-149-0x0000000000260000-0x00000000002CF000-memory.dmp

Filesize
444KB

Download
memory/1612-316-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1612-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1612-150-0x0000000000260000-0x00000000002CF000-memory.dmp

Filesize
444KB

Download
memory/1712-229-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1712-303-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1712-234-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/1712-235-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/1960-195-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1960-310-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1960-202-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1960-207-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2032-169-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2032-309-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2032-177-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2032-178-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2204-108-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2204-319-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2256-314-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2256-236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2256-245-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2256-246-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2512-293-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2512-288-0x00000000004B0000-0x000000000051F000-memory.dmp

Filesize
444KB

Download
memory/2512-289-0x00000000004B0000-0x000000000051F000-memory.dmp

Filesize
444KB

Download
memory/2512-279-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2512-291-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2564-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2564-332-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2564-34-0x0000000000310000-0x000000000037F000-memory.dmp

Filesize
444KB

Download
memory/2568-66-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2568-334-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2652-94-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2652-107-0x0000000000270000-0x00000000002DF000-memory.dmp

Filesize
444KB

Download
memory/2652-320-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2708-12-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/2708-329-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2708-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2776-326-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2776-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2776-328-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2816-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2816-324-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2816-74-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2872-333-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2872-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2872-52-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/3060-179-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3060-191-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download
memory/3060-307-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3060-190-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads