berbew | 9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60bea

Analysis

max time kernel
62s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Size

96KB
MD5

f99f276fef2a0e2f7665e498dc3002b0
SHA1

4b68a8e3ed894d2fc4e35b7158268a6f0bf20988
SHA256

9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60bea
SHA512

89246111ca8e81e313b5c5c53d35b40194e0da1c85d1495a90a9ba57e1a73964c36170b9518b1457f267f3282e5cd1b117779877c6d9645ef862c4264429afd9
SSDEEP

1536:5hihkJSsYnGhz3r8V4qQ2LnsBMu/HCmiDcg3MZRP3cEW3AE:7inYhz3r8V4qBna6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmfcop32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
2376	Jfmkbebl.exe
2776	Jmfcop32.exe
2804	Jfohgepi.exe
2628	Jpgmpk32.exe
2644	Jedehaea.exe
1792	Jpjifjdg.exe
1872	Jbhebfck.exe
1680	Kbjbge32.exe
1932	Keioca32.exe
1652	Khgkpl32.exe
1020	Koaclfgl.exe
2940	Khjgel32.exe
2136	Kjhcag32.exe
324	Kablnadm.exe
1568	Khldkllj.exe
1752	Kfodfh32.exe
972	Kmimcbja.exe
1700	Kadica32.exe
1608	Kmkihbho.exe
1676	Kageia32.exe
2180	Kbhbai32.exe
380	Kgcnahoo.exe
1220	Lmmfnb32.exe
1988	Lbjofi32.exe

Loads dropped DLL 52 IoCs

pid	Process
2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
2376	Jfmkbebl.exe
2376	Jfmkbebl.exe
2776	Jmfcop32.exe
2776	Jmfcop32.exe
2804	Jfohgepi.exe
2804	Jfohgepi.exe
2628	Jpgmpk32.exe
2628	Jpgmpk32.exe
2644	Jedehaea.exe
2644	Jedehaea.exe
1792	Jpjifjdg.exe
1792	Jpjifjdg.exe
1872	Jbhebfck.exe
1872	Jbhebfck.exe
1680	Kbjbge32.exe
1680	Kbjbge32.exe
1932	Keioca32.exe
1932	Keioca32.exe
1652	Khgkpl32.exe
1652	Khgkpl32.exe
1020	Koaclfgl.exe
1020	Koaclfgl.exe
2940	Khjgel32.exe
2940	Khjgel32.exe
2136	Kjhcag32.exe
2136	Kjhcag32.exe
324	Kablnadm.exe
324	Kablnadm.exe
1568	Khldkllj.exe
1568	Khldkllj.exe
1752	Kfodfh32.exe
1752	Kfodfh32.exe
972	Kmimcbja.exe
972	Kmimcbja.exe
1700	Kadica32.exe
1700	Kadica32.exe
1608	Kmkihbho.exe
1608	Kmkihbho.exe
1676	Kageia32.exe
1676	Kageia32.exe
2180	Kbhbai32.exe
2180	Kbhbai32.exe
380	Kgcnahoo.exe
380	Kgcnahoo.exe
1220	Lmmfnb32.exe
1220	Lmmfnb32.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Keioca32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kbhbai32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1336	1988	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe	30
PID 2188 wrote to memory of 2376	2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe	30
PID 2188 wrote to memory of 2376	2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe	30
PID 2188 wrote to memory of 2376	2188	9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe	30
PID 2376 wrote to memory of 2776	2376	Jfmkbebl.exe	31
PID 2376 wrote to memory of 2776	2376	Jfmkbebl.exe	31
PID 2376 wrote to memory of 2776	2376	Jfmkbebl.exe	31
PID 2376 wrote to memory of 2776	2376	Jfmkbebl.exe	31
PID 2776 wrote to memory of 2804	2776	Jmfcop32.exe	32
PID 2776 wrote to memory of 2804	2776	Jmfcop32.exe	32
PID 2776 wrote to memory of 2804	2776	Jmfcop32.exe	32
PID 2776 wrote to memory of 2804	2776	Jmfcop32.exe	32
PID 2804 wrote to memory of 2628	2804	Jfohgepi.exe	33
PID 2804 wrote to memory of 2628	2804	Jfohgepi.exe	33
PID 2804 wrote to memory of 2628	2804	Jfohgepi.exe	33
PID 2804 wrote to memory of 2628	2804	Jfohgepi.exe	33
PID 2628 wrote to memory of 2644	2628	Jpgmpk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpgmpk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpgmpk32.exe	34
PID 2628 wrote to memory of 2644	2628	Jpgmpk32.exe	34
PID 2644 wrote to memory of 1792	2644	Jedehaea.exe	35
PID 2644 wrote to memory of 1792	2644	Jedehaea.exe	35
PID 2644 wrote to memory of 1792	2644	Jedehaea.exe	35
PID 2644 wrote to memory of 1792	2644	Jedehaea.exe	35
PID 1792 wrote to memory of 1872	1792	Jpjifjdg.exe	36
PID 1792 wrote to memory of 1872	1792	Jpjifjdg.exe	36
PID 1792 wrote to memory of 1872	1792	Jpjifjdg.exe	36
PID 1792 wrote to memory of 1872	1792	Jpjifjdg.exe	36
PID 1872 wrote to memory of 1680	1872	Jbhebfck.exe	37
PID 1872 wrote to memory of 1680	1872	Jbhebfck.exe	37
PID 1872 wrote to memory of 1680	1872	Jbhebfck.exe	37
PID 1872 wrote to memory of 1680	1872	Jbhebfck.exe	37
PID 1680 wrote to memory of 1932	1680	Kbjbge32.exe	38
PID 1680 wrote to memory of 1932	1680	Kbjbge32.exe	38
PID 1680 wrote to memory of 1932	1680	Kbjbge32.exe	38
PID 1680 wrote to memory of 1932	1680	Kbjbge32.exe	38
PID 1932 wrote to memory of 1652	1932	Keioca32.exe	39
PID 1932 wrote to memory of 1652	1932	Keioca32.exe	39
PID 1932 wrote to memory of 1652	1932	Keioca32.exe	39
PID 1932 wrote to memory of 1652	1932	Keioca32.exe	39
PID 1652 wrote to memory of 1020	1652	Khgkpl32.exe	40
PID 1652 wrote to memory of 1020	1652	Khgkpl32.exe	40
PID 1652 wrote to memory of 1020	1652	Khgkpl32.exe	40
PID 1652 wrote to memory of 1020	1652	Khgkpl32.exe	40
PID 1020 wrote to memory of 2940	1020	Koaclfgl.exe	41
PID 1020 wrote to memory of 2940	1020	Koaclfgl.exe	41
PID 1020 wrote to memory of 2940	1020	Koaclfgl.exe	41
PID 1020 wrote to memory of 2940	1020	Koaclfgl.exe	41
PID 2940 wrote to memory of 2136	2940	Khjgel32.exe	42
PID 2940 wrote to memory of 2136	2940	Khjgel32.exe	42
PID 2940 wrote to memory of 2136	2940	Khjgel32.exe	42
PID 2940 wrote to memory of 2136	2940	Khjgel32.exe	42
PID 2136 wrote to memory of 324	2136	Kjhcag32.exe	43
PID 2136 wrote to memory of 324	2136	Kjhcag32.exe	43
PID 2136 wrote to memory of 324	2136	Kjhcag32.exe	43
PID 2136 wrote to memory of 324	2136	Kjhcag32.exe	43
PID 324 wrote to memory of 1568	324	Kablnadm.exe	44
PID 324 wrote to memory of 1568	324	Kablnadm.exe	44
PID 324 wrote to memory of 1568	324	Kablnadm.exe	44
PID 324 wrote to memory of 1568	324	Kablnadm.exe	44
PID 1568 wrote to memory of 1752	1568	Khldkllj.exe	45
PID 1568 wrote to memory of 1752	1568	Khldkllj.exe	45
PID 1568 wrote to memory of 1752	1568	Khldkllj.exe	45
PID 1568 wrote to memory of 1752	1568	Khldkllj.exe	45

C:\Users\Admin\AppData\Local\Temp\9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe
"C:\Users\Admin\AppData\Local\Temp\9cc7cf419abaca26c5508340ac2c3f93479fd82782556cfe0032fa855dc60beaN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jfmkbebl.exe
  C:\Windows\system32\Jfmkbebl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jmfcop32.exe
    C:\Windows\system32\Jmfcop32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jfohgepi.exe
      C:\Windows\system32\Jfohgepi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
96KB

MD5
cafa055b08af966302d7c3d3decfff9b

SHA1
1051a9a6dc59c85b0b315a2fa235af9f81334b06

SHA256
eb7a329d29ce84487102f0691fe8b825acd12c4eefe5f35b58027b9fa62d2433

SHA512
6fecc37947f6e20849c417ff8a42cb6ffe6b3353b5af480c89990ef1339d3fd0338a686644912f0ac59c39bb9718e9841a10709c1e67d395e88657b548d044af

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
96KB

MD5
5378b37fa7ec740dc67d7dc6d968d4c6

SHA1
d5569c7ca7052c4a9c208b0863b0fa7e34c6ecdd

SHA256
73025eb9bafd405b41943974a85cc17d1b3ae11fccc1f56cb173b8899f1d42a6

SHA512
9a7edf061511f4222efac3c1cdf5e919331e1881e538189820cadf43a8a88ff432d6a523df02411e799cae930d42591bacb8f2fd5b010f72b187cb0b78688eb5

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
96KB

MD5
27c88316f2b79258fd149515c9569313

SHA1
bd82a59f06dd2f1428b6d761587f303d9e0794cd

SHA256
dfd2af69bf06a6f798faaf5ebe8703f6ed699859dca82d93418350afe2411453

SHA512
7b1cc2c58499fef49d6ac5e92d79ea63a31a68f5528f9fc2f6b8fefa1e10bf42fe8a250e3f9f3495abb892dd2ee4b8ac110eeff66f2b3e98fc34069785a55d31

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
db1ac1487adecd48afa2f3e6537a7308

SHA1
0e215fcc29684b0aeff7d91a7cc3604ac16b1cd0

SHA256
5f19c387b7aa3ca8657c2fd1a20660be8f3823dfceba81d009803a70d8144555

SHA512
1b57f3167523aa13b96c8288c43c47495b3de569135c3e201523ac86ffc00e016008bf19a08903b5b9344cdd733d817a801a396e155654154a848091909187d9

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
96KB

MD5
a0040ec018f306a89596ae916f9150ef

SHA1
58b05f775b95b663dad1f0101378fd8b496c03f2

SHA256
ef84013c4e4c947bd95c51653a95fc1ad0587059762d7d908286ef3e94d2999d

SHA512
a3b992810c4c8438c3da6a598daa91f7800175d1659902381cd717b03a55dfb8223f156ccac0b6837a1275ad24fe599f4922adf4868c11fa9126574d9fec48c8

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
96KB

MD5
6e20d17fe13853d2b525ea912ee9afb4

SHA1
5c472924a0b8fce39152ce76ea86ceff92eab617

SHA256
269c6488b3ca8e7322c031551b7fe362e5211f3a8607ea797fade74d12a4d0e5

SHA512
4c0a2dd76ded77bea4e076328b02a1ea9eecefcbc111a214d9ca31d2a46a6943a82a8aae4a9abaae7ffea56e594486da21a878f841367e35d7d57c3d30bebfff

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
96KB

MD5
46d01dd2b5986107f421d3fb8e36dc66

SHA1
67a1da130e9dc2d708961a43a35c18e0eb1ea944

SHA256
862f290c4c0fe4cbd9655b4d8a743f86d7bdefad009cfb2d73e493f395fe8a0b

SHA512
2ab90f6bc691d4802effa1793aaf8601fa63bc83b1981f11e39b7d8d19dac7f717c60bf2fe726d35910242e50229128b0e4595169b4daa03ad93699ec20f3909

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
96KB

MD5
ae8d8b9d1f7756fba262e35c1d6e849b

SHA1
35139e6c8401a1c8706455d1215cc297d1faefd8

SHA256
291744ea811cb832469ed63937d5ab6e42211e5146af3b744819f5b60e988fb8

SHA512
b9ba58fed2121220c7553c08e319256e190240c1c3f9ae1aedfa6053617a1e5fa093af42c448eb3a016df3f532de075777e41dce8960134aae79b11ce6194962

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
96KB

MD5
44273017c05eec1bff7338051a68a399

SHA1
5fa9e23f8a0fd081e32ea224dac2f85b0de42a4f

SHA256
c03fec9d1d7c7d415585c7e6c55916346536f4e81d108076b94d56f70c141b97

SHA512
59ca269abeab245797897b65a0601f81354f48ad957f64b44146d9c857543f88fd0597296d8c765ae9bd44f237144b43e2f31efc4699d539c29e497b3774780f

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
96KB

MD5
f3ea58397f98d7af5bc729a10de6ce01

SHA1
99b892d498d3352d2bb91061cf658dbf651a5504

SHA256
90b89a8e793e7cdee906ccbdbd0fd2ca1be33309b7faf013c840508c37d0fcb9

SHA512
d8bb520fabfb06c903a188626e3e16078ba335cb089e410ca67768a74af9d352664fe1a1dc91a5802ad97384be168b118bd3aa544a1fc996ce581b2319475b57

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
96KB

MD5
13ac26a3146714ca6ce09b73d9f62e6d

SHA1
5e01e98ef667be36168656481e53e035d6d7ba55

SHA256
2b14125617788b90a1556624020401844a652869b6b46fe0e386d36b8b6ef1ff

SHA512
5a92a29c09d7015273011e6d1f0cc8760fe55764535b5fd10a0e0daf18c4289d30c6a2f975f9f2b32ff7a454e2adf2590846dcfb32199a2ad732f39431d56813

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
2452c53fa14dda4643f017a528c29492

SHA1
bf91ca46f203e2100b59425609fa3356f19c2a99

SHA256
dba4b3fd5f414b9bb1028d2663f94da48461a9bd8580570d96015bfec3c8593a

SHA512
242ac0763820dc879bccec4fcb3b32af30dbf959fecd0944ae5ab8e0e7584181262e43800120fcfe40d376bcdf47feb5f600bad2bfb14edb7da76df559a902d6

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
96KB

MD5
34b2a930e831fac44982889c573bdd04

SHA1
7c5ca8f6414ce703e2246ca27a945bb7f8d6483b

SHA256
a988aad494a4d5dd2724382352825358c10c9596023a7d4123d91dcab39cd675

SHA512
8796200556275efa89770ce50875f2e201d462075a4e9eb39e1a78f6b05874f547832be1cf3521f8ed562afa3aec53b41f20661bec74daf9df724e8e362224aa

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
96KB

MD5
2aa4353121424d4dd32edc2273f1f31e

SHA1
95b1940b78f005d24ce280a0a146b19953b51058

SHA256
c305772a483b3df788e7fb0e6c0a11df3cefd895269f2320c31c413a42ec3f14

SHA512
c45a528889abfda0162067c61233ba9388886604f3c7f46b0f64bd59792cd2e4a1fa02109144fb6c5d54e8c15770220cba3d6c152020ed66f44f221a9258191c

Download Submit
\Windows\SysWOW64\Jfohgepi.exe

Filesize
96KB

MD5
3257032cf1adcf170d8a74327c24a739

SHA1
405e06c3982a9eadc0142f193d46dc827f280b08

SHA256
11f39b629ae6035fdc3e16cbc488b1407b988e38dfb84222d26d06b248430b7c

SHA512
3558b262ebbe5db0ee5c83d60e3caa5f500b5d6f6dbaddbeddb3fd188bd7b9b5e0afd1e9192d8a2c6bb97798fc6f7463e26e518c86faaa1ec8b3244c8a1d6bae

Download Submit
\Windows\SysWOW64\Jpgmpk32.exe

Filesize
96KB

MD5
2354ee60316e30099648f213f638dbfc

SHA1
09f9e9524e8519f0f78b1f3c63708e3a2be3b602

SHA256
d74ba83e447df81a458d6bb6d7cece84bad0e1a81cedce411bdee0ce4e59e0ff

SHA512
a60a956c37cef10b052901f281cd2386f10c35642d078174181935b82e17802b174fc4cda78b9edcbb72adab49cb49e64f8bc3f7950d7d49de43c1b11d8cf569

Download Submit
\Windows\SysWOW64\Jpjifjdg.exe

Filesize
96KB

MD5
c623a216908b214544b49a91e557dc46

SHA1
6c0d796c0243c3272212d8e8bf65a14ea9df277b

SHA256
2dc64c9abbe68879665ceffc09dc82e44412b190a794371d2e2b1db1f6c0688e

SHA512
2c3d96610e83fd50a64f91b77a8f2f0a4f23f97e4d1dd2d1a962da8abf4f39db110844af7d553f818f06467677a9469a5b96ac23f111c286919187d5042df003

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
96KB

MD5
e68cbd487007d26ad0d60ae7d85c937d

SHA1
4185119b393903ce96ac2f808fa88330276ff638

SHA256
884dfd885791ebfd2e9189515e8d1a925116a396de6b6e09750673e3e7e6641d

SHA512
65ff41e6cbcd8906da066d9f6e9de496caf603398cbc193f62e5d066ab606e35beaad094cd726ab27e9a569e73c56e9c7a7ac5b842593d278c7de02b00afe620

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
96KB

MD5
f238b619c22c00957472fad622a3481e

SHA1
30d1f3c6f7287949a5912dc75ff94ab3d3882455

SHA256
c96fd03fc22e949ccd7024730499b52c3e8cf7766d95641c9e9dd1eb15254ed6

SHA512
bda1e0daed610a86ee0534ef479b4057f1f25c3215bd6b77a8ee0e1d6408371cbdf3b708718e6894a41cea637090e508bf0a15bab9c2a771b0656cb8112e3149

Download Submit
\Windows\SysWOW64\Keioca32.exe

Filesize
96KB

MD5
8defb427d2aecf5654b3e7751b3c8777

SHA1
a24021f54a1b8d4e93a730b7a3680e1f9a9c363e

SHA256
8bff8b40778117b547c9422d6925d01c9be694c9d61d046dea1a62f1d044dbbd

SHA512
5bb27a6a2df1d6db40d97ade9ca0aadbf0801870aba92b317fe3056584f7046f4698637fc0a63c8f176217ea60f7d00143f6229240f717630b33d458ecb639d9

Download Submit
\Windows\SysWOW64\Khgkpl32.exe

Filesize
96KB

MD5
0d4bead9d22712d45e1c753662970942

SHA1
d381b7d979ed254deffab109be26617af5960f8a

SHA256
70f208b6a4ec9eb54792928d17316ee5a17c9e36b2feadd1c9f2874fdac6ac0b

SHA512
f62151dbf16ce4a664e6944d330f43529770c09ad5026f0cd1628ea334cb8d0ddde6e92e9e7d370a228f357bd5772fe9806cef12b076ecce44420fe4f944b4ed

Download Submit
\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
e8634ef8e79aa965539ef17f5936d2d4

SHA1
e4389b2ed2fbcd8c02009fb7da8701427b1545ae

SHA256
07d44710c1a2455918fe77f61346181454fb817aacf552f93d4a29d9906fefa4

SHA512
a252fa584d94f137b057b05d958c98576dede1d7c21eba998d61f410fd938a9890600ceafe85c19e73323eb2c503e7587f3493b5e287d03884c0f9b020089a66

Download Submit
\Windows\SysWOW64\Kjhcag32.exe

Filesize
96KB

MD5
3b24d62b35d38661bec43e26fba5ef16

SHA1
03e138b76cfd5539782c7ae04d827a0694559004

SHA256
2f4d79883d2baa96ee7d11df12fd7b37781d92099cced0a12b903617170696e3

SHA512
161f6452c40648ead748e2aaf2640c01598af42d752f2328f47671a56c36b41b143f45824c63c71ffd704c37f0266edf5fddd2dc66554686101253f365eddddc

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
96KB

MD5
4e849b76680fcaefa158416f8c0553b8

SHA1
299d829efa76d996cb765a7056c56ac3fce8ad61

SHA256
c792f17a31f3ad390dc2f87504e9f4d327fcf3d0b6da9b5ccb00aaf97f4412fe

SHA512
c8de9517712ce7174a22e9eb1c41668f7b55d15157bbf2dc1666823915d0b32046a3859e06072abee0c5c02d5280a6f7dc419d33f3f300ebcc8eb7c2afa51de1

Download Submit
memory/324-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-237-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1020-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-162-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1020-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-297-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1220-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-250-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-98-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1792-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-107-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1872-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-137-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1932-139-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1988-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-189-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2136-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2180-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-13-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2188-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2188-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2376-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-29-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2376-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-83-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2776-42-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-43-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-52-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2804-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads