berbew | df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Size

462KB
MD5

b28b72f9693687f06fcbe26d13e6d25c
SHA1

781f6007d827fb77e7ebd358cfa2c02d58027698
SHA256

df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392
SHA512

8ed06d6e10838f5bd290679a07d0b7333d19c53fcea921f2c334fc0f9e261ced679784444a93dd9fde7f755e22b204204d98f1c63caaefe816fe881a496e11d1
SSDEEP

6144:W3H/c6nw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwszeXmOEgHixuqjwszeXm:Icxlr54ujjgj+HiPj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjdmmdnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
2880	Jdgdempa.exe
2608	Jgfqaiod.exe
2716	Jjdmmdnh.exe
2708	Kiijnq32.exe
2664	Kkjcplpa.exe
2532	Kbdklf32.exe
2984	Kiqpop32.exe
808	Kpjhkjde.exe
1660	Lclnemgd.exe
2820	Ljffag32.exe
764	Lmgocb32.exe
1656	Lfpclh32.exe
1560	Lfbpag32.exe
1204	Lfdmggnm.exe
1960	Melfncqb.exe
2944	Mlfojn32.exe
2024	Mdacop32.exe
3064	Mmldme32.exe
812	Naimccpo.exe
2200	Nckjkl32.exe
2580	Ndjfeo32.exe
2164	Ngibaj32.exe
2240	Nmbknddp.exe
768	Niikceid.exe
1588	Nlhgoqhh.exe

Loads dropped DLL 54 IoCs

pid	Process
1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
2880	Jdgdempa.exe
2880	Jdgdempa.exe
2608	Jgfqaiod.exe
2608	Jgfqaiod.exe
2716	Jjdmmdnh.exe
2716	Jjdmmdnh.exe
2708	Kiijnq32.exe
2708	Kiijnq32.exe
2664	Kkjcplpa.exe
2664	Kkjcplpa.exe
2532	Kbdklf32.exe
2532	Kbdklf32.exe
2984	Kiqpop32.exe
2984	Kiqpop32.exe
808	Kpjhkjde.exe
808	Kpjhkjde.exe
1660	Lclnemgd.exe
1660	Lclnemgd.exe
2820	Ljffag32.exe
2820	Ljffag32.exe
764	Lmgocb32.exe
764	Lmgocb32.exe
1656	Lfpclh32.exe
1656	Lfpclh32.exe
1560	Lfbpag32.exe
1560	Lfbpag32.exe
1204	Lfdmggnm.exe
1204	Lfdmggnm.exe
1960	Melfncqb.exe
1960	Melfncqb.exe
2944	Mlfojn32.exe
2944	Mlfojn32.exe
2024	Mdacop32.exe
2024	Mdacop32.exe
3064	Mmldme32.exe
3064	Mmldme32.exe
812	Naimccpo.exe
812	Naimccpo.exe
2200	Nckjkl32.exe
2200	Nckjkl32.exe
2580	Ndjfeo32.exe
2580	Ndjfeo32.exe
2164	Ngibaj32.exe
2164	Ngibaj32.exe
2240	Nmbknddp.exe
2240	Nmbknddp.exe
768	Niikceid.exe
768	Niikceid.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkjcplpa.exe	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Ljffag32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Jgfqaiod.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Lfdmggnm.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Indgjihl.dll	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
File opened for modification	C:\Windows\SysWOW64\Kbdklf32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Lfpclh32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Jdgdempa.exe	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
File created	C:\Windows\SysWOW64\Kpjhkjde.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Pghhkllb.dll	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	Jdgdempa.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mlfojn32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Jjdmmdnh.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Ljffag32.exe	Lclnemgd.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Naimccpo.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Jdgdempa.exe	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
File opened for modification	C:\Windows\SysWOW64\Kiijnq32.exe	Jjdmmdnh.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Kiijnq32.exe
File created	C:\Windows\SysWOW64\Kbdklf32.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Pplhdp32.dll	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	Ljffag32.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Jgfqaiod.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Alfadj32.dll	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kbdklf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Hcpbee32.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Nafmbhpm.dll	Jgfqaiod.exe
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Cljiflem.dll	Jjdmmdnh.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Jjdmmdnh.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	Ljffag32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	1588	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjhkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiqpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdmmdnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjcplpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdgdempa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiijnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbdklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badffggh.dll"	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll"	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjdmmdnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjdmmdnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll"	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiijnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll"	Jgfqaiod.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2880	1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe	28
PID 1860 wrote to memory of 2880	1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe	28
PID 1860 wrote to memory of 2880	1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe	28
PID 1860 wrote to memory of 2880	1860	df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe	28
PID 2880 wrote to memory of 2608	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2608	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2608	2880	Jdgdempa.exe	29
PID 2880 wrote to memory of 2608	2880	Jdgdempa.exe	29
PID 2608 wrote to memory of 2716	2608	Jgfqaiod.exe	30
PID 2608 wrote to memory of 2716	2608	Jgfqaiod.exe	30
PID 2608 wrote to memory of 2716	2608	Jgfqaiod.exe	30
PID 2608 wrote to memory of 2716	2608	Jgfqaiod.exe	30
PID 2716 wrote to memory of 2708	2716	Jjdmmdnh.exe	31
PID 2716 wrote to memory of 2708	2716	Jjdmmdnh.exe	31
PID 2716 wrote to memory of 2708	2716	Jjdmmdnh.exe	31
PID 2716 wrote to memory of 2708	2716	Jjdmmdnh.exe	31
PID 2708 wrote to memory of 2664	2708	Kiijnq32.exe	32
PID 2708 wrote to memory of 2664	2708	Kiijnq32.exe	32
PID 2708 wrote to memory of 2664	2708	Kiijnq32.exe	32
PID 2708 wrote to memory of 2664	2708	Kiijnq32.exe	32
PID 2664 wrote to memory of 2532	2664	Kkjcplpa.exe	33
PID 2664 wrote to memory of 2532	2664	Kkjcplpa.exe	33
PID 2664 wrote to memory of 2532	2664	Kkjcplpa.exe	33
PID 2664 wrote to memory of 2532	2664	Kkjcplpa.exe	33
PID 2532 wrote to memory of 2984	2532	Kbdklf32.exe	34
PID 2532 wrote to memory of 2984	2532	Kbdklf32.exe	34
PID 2532 wrote to memory of 2984	2532	Kbdklf32.exe	34
PID 2532 wrote to memory of 2984	2532	Kbdklf32.exe	34
PID 2984 wrote to memory of 808	2984	Kiqpop32.exe	35
PID 2984 wrote to memory of 808	2984	Kiqpop32.exe	35
PID 2984 wrote to memory of 808	2984	Kiqpop32.exe	35
PID 2984 wrote to memory of 808	2984	Kiqpop32.exe	35
PID 808 wrote to memory of 1660	808	Kpjhkjde.exe	36
PID 808 wrote to memory of 1660	808	Kpjhkjde.exe	36
PID 808 wrote to memory of 1660	808	Kpjhkjde.exe	36
PID 808 wrote to memory of 1660	808	Kpjhkjde.exe	36
PID 1660 wrote to memory of 2820	1660	Lclnemgd.exe	37
PID 1660 wrote to memory of 2820	1660	Lclnemgd.exe	37
PID 1660 wrote to memory of 2820	1660	Lclnemgd.exe	37
PID 1660 wrote to memory of 2820	1660	Lclnemgd.exe	37
PID 2820 wrote to memory of 764	2820	Ljffag32.exe	38
PID 2820 wrote to memory of 764	2820	Ljffag32.exe	38
PID 2820 wrote to memory of 764	2820	Ljffag32.exe	38
PID 2820 wrote to memory of 764	2820	Ljffag32.exe	38
PID 764 wrote to memory of 1656	764	Lmgocb32.exe	39
PID 764 wrote to memory of 1656	764	Lmgocb32.exe	39
PID 764 wrote to memory of 1656	764	Lmgocb32.exe	39
PID 764 wrote to memory of 1656	764	Lmgocb32.exe	39
PID 1656 wrote to memory of 1560	1656	Lfpclh32.exe	40
PID 1656 wrote to memory of 1560	1656	Lfpclh32.exe	40
PID 1656 wrote to memory of 1560	1656	Lfpclh32.exe	40
PID 1656 wrote to memory of 1560	1656	Lfpclh32.exe	40
PID 1560 wrote to memory of 1204	1560	Lfbpag32.exe	41
PID 1560 wrote to memory of 1204	1560	Lfbpag32.exe	41
PID 1560 wrote to memory of 1204	1560	Lfbpag32.exe	41
PID 1560 wrote to memory of 1204	1560	Lfbpag32.exe	41
PID 1204 wrote to memory of 1960	1204	Lfdmggnm.exe	42
PID 1204 wrote to memory of 1960	1204	Lfdmggnm.exe	42
PID 1204 wrote to memory of 1960	1204	Lfdmggnm.exe	42
PID 1204 wrote to memory of 1960	1204	Lfdmggnm.exe	42
PID 1960 wrote to memory of 2944	1960	Melfncqb.exe	43
PID 1960 wrote to memory of 2944	1960	Melfncqb.exe	43
PID 1960 wrote to memory of 2944	1960	Melfncqb.exe	43
PID 1960 wrote to memory of 2944	1960	Melfncqb.exe	43

C:\Users\Admin\AppData\Local\Temp\df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe
"C:\Users\Admin\AppData\Local\Temp\df7301928fc34aedc0702bc084397c3afd676c680e0cf4e293632411ff593392.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\Jdgdempa.exe
  C:\Windows\system32\Jdgdempa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Jgfqaiod.exe
    C:\Windows\system32\Jgfqaiod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Jjdmmdnh.exe
      C:\Windows\system32\Jjdmmdnh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Kiijnq32.exe
        
        C:\Windows\system32\Kiijnq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdgdempa.exe

Filesize
462KB

MD5
5cfd6dabd52bcf9beb826319084bd6cf

SHA1
1370093cace2677d7dc2956889168a38187ce5f0

SHA256
71488fc155dc8c81eb9944c5392957da62e7b53cdcf9bd94939499eb401b10ff

SHA512
806a5e54bdd3d5ef481b34bc392553d372e242ce1e3c546720ebe32978e044d5873a1461394000d99047634af27b1648e5da0e0155de20699b804216cb7bbd98

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
462KB

MD5
f8cbd10e2f433eb14e597ab440e2efc3

SHA1
a5aa99826bd12793bcaf554d61d282a8c40d9276

SHA256
57eee0c732e00e3e35be2f9fdb09ef4b371c9f9d737aa8475e9f4d3df074b857

SHA512
d11fba25f89d93880e276d2d7e6bcd1a9e50bf04eba574c8ca9f1ee46ffad4c12ce8f1cf45d45660b898490a2400bf0735eb29a31759c25e00f4810844897165

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
462KB

MD5
ed21a7b3a54e5e4a7dd34bebe7a87e5f

SHA1
565993d102a29896f2544eaab3a8c354b607f673

SHA256
90466bdb6b3d7f8fe3d6d5d0598a96fb9b6d45f31df017578dd0558824a68f98

SHA512
b08cbe27cfc19f1d50ba136d225580e19965f5e9aa235052488e0e6e22da27ad7eb58a9dd495a304e36b7926c69f7e4d6fd9c12f4681042aeb2694af45b012a7

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
462KB

MD5
186cbce4826b4474a39e3f5a6d59a030

SHA1
e2763309673533ca3e91eea7be9a8883d2f96525

SHA256
bb7d46a21bc2762b7ec202506b4949fc37afd305cdedb66629570824196e6841

SHA512
cf1e726f3dcb6221e1d40cecbdb9fda8196b1ca0f8ec2189499bc76e12a2f3390513239253a5cb24b27d8b777bd1c0d5e91672daa9c24ac892de9a3d581be6eb

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
462KB

MD5
6241901c5231ff509a0b462de73e66c0

SHA1
fc2d41d5e31861b6a9d7648cf5993a5362b8ed99

SHA256
4446c6a79c79b72b19b08c3d83177d10b3002bb8ceb6284dedd117b2dc171136

SHA512
7b531a0bb4cfa5c773a927c5aaeb72eaef3ac8c686cdac298ec245dca6d497ede9ad83320c5dcf7ebf5f9ad302076a387d15ac6aa55968a2d70d158be989e16c

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
462KB

MD5
0a0121f9f7a7cc7214e6e5d377638d94

SHA1
10e3e0372b0cf4dde287f3a4499bf884d3506f8d

SHA256
1f8b2a4bf4bf092ecfe902e2d999baeb1caf63265ebdec14514af77dea02ef9b

SHA512
c50c474c6f0296ebc8a523af7544a388d4d4853f89f2d45190a7599ae31bd41962150b37234e218aad87c07d46b81dfa5f8ca6f4240847f316f5ec1749f6608f

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
462KB

MD5
c8607065bcc3994eb0fc5d1be0b4a29a

SHA1
1ef315bd795d7f7d23cfac5a5d1b8e9a6d329325

SHA256
ce4e18e15f53d8010cfe14c402bf1a96a060d1958f69206d38af884012543cfb

SHA512
fdfc2cba1a8bfdf77895fb1245fe6f1c5fe1fba86e6320a23a4ccbc4be101309977778f2b0f15f4366ff5d4596819892a5c17b00bdf63198fd2045be8b3c3a97

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
462KB

MD5
7ef4786cd94f53bed97feba34576f77a

SHA1
8fcf2f1da45f1545e0e9a44a5a39aea2a0bdfca6

SHA256
6ffe210d7cd672290fe7e2df1881223f23292c450dc7b55756704f2bca150040

SHA512
845a83c2c3f3e8d14fb0772dd10b297ce0385da5a22822242dd9f2164ccffc8d53839d8e0debbd82a80ad8304370f3033c3f592e160b9b8f81cf4b96546fab8d

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
462KB

MD5
8620bf7d0a14b10b141d768031bfefd3

SHA1
36b1767bb67231c0d9c5bfc90e2b13261f7aac1e

SHA256
34aaa9fc335bd6a9bb02920fd5c37a65407c1841d81601f0303e9976437f8d84

SHA512
930901130411be4f1ba04846ff0a8662c72e94eb10af523febf159cda2b8686020136eb176b0d8d0718e3ac32c04afb75ad98051ed1f679e954bf2a50416f523

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
462KB

MD5
cadc3d995f8acd7a078d276fea4415e2

SHA1
f4ec930c06db8d576fe1a3c2b47a77f9314e3901

SHA256
923bea5c1801270fc984792ae4527c7272cbed91692d03eb8977220560f83e25

SHA512
d40786ce74e5049f457bed889697b2517493ee22fdcdf4926ebb25e1959eaa8391c555ff2a3bbb6ec0636b509260e2e5c48a90166932dc895b6b807326511bc3

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
462KB

MD5
fc972028cbbfc91600a16e6869430e83

SHA1
411590c9d49db592046dad679daed47646164069

SHA256
e88d14f21081ede80d012507877538ce004f137117ce452b96a4c3db5bfd6c5d

SHA512
ef362eb3bb72abc789241c60597765ba70966b43bf86e55727c05a9235f2826cd4279a9c1b0e0ff3498ecd56e758603427c7714260b74dd8559c9d6a4521db98

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
462KB

MD5
682195b573a78cb7ecbe19785f61a29f

SHA1
2de6c583354100208e6ef2f803b5873891b17958

SHA256
35352d4ce15d4161fd036e2f469d0bfbadb497f56b0644eacda84330f70b86c3

SHA512
082ff41b3aadbd130c4c511d08dc2bfe4a1267eaf2e26eec4c3b46795a02aa17121f9ab2028a8eb8b0796f4403bfd73cc944906eb435cb43d2d9d213a57d54e5

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
462KB

MD5
d187359c31e77aae06e9ca6bcf97f474

SHA1
9a1785a788fba7f541aca8565c9bb7cd241dce2f

SHA256
15b61b839730f8d5624c162352d8d563fe810ca0f1a78dad7f9be16c7dea3d5d

SHA512
b8e5c4af04c33bb346f30b1819efe03d0d917b86fc7566cb5fbd65d87dfad38340dbccda59dda50149f00ade871a85e05532e2e194c75645539f038d2017e845

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
462KB

MD5
0ae16ab90ae000793a23a476e9cb2259

SHA1
da27823f3ae0a115dea2fa71093c1c3d9d7e28b1

SHA256
b152ee4bf1514908d8e1114a56e8f5b165938dda83676c5952a898a36b1fda8d

SHA512
2ea866c0307bbc111bc8ad8bfdd41a2ac0ca931972eb746c6094883f19fca96a91284770798a485ff1da133037127a68fb245559a016d7bbf20fb4b990ae973c

Download Submit
\Windows\SysWOW64\Jgfqaiod.exe

Filesize
462KB

MD5
3174848f608f202742588027ae44e2c0

SHA1
895ef31cf527ef0f786aa47121f50f1d3e99fab7

SHA256
2c16263acf8c57becac5955fe558ee1c4a5321b8b057fb35334659096817f745

SHA512
662c2a3784eee33675564138bdbb67ec5eecad0d6216f878a2d2bc387e16670b0b2db37ca933cc08dbd67a6a41249490ddb85cd68d5cc71dd24387cc34940fcb

Download Submit
\Windows\SysWOW64\Jjdmmdnh.exe

Filesize
462KB

MD5
ede9d9b8ca9db3a4eeef126c335b9a26

SHA1
24db7775b55045240f5858b439942513db5e9c2a

SHA256
e57c92bc25b4ccf77ae606a7a1e94d24e339af2b00e0ba22d5d80b0e12e5def4

SHA512
66e2a088ee29304f1e74e78e164ff7a8f7ccdd9728d272fb4e3e83045da6aac09a02c0bf816bd1dfd983494ded9de6fcbef42f64fb5143b79120202fdabeeb6d

Download Submit
\Windows\SysWOW64\Kbdklf32.exe

Filesize
462KB

MD5
34f8248460864fde53a30bd23718a93e

SHA1
53b8a7aa74cd819a236e92d791fd9e324d16f178

SHA256
e0feffc9d7ab13f0f02216451f83ee1948343b794f8ee0a20a24ca0dae55485a

SHA512
78f367f5d992fcfaefc8c813d4f58e15e3888cb922dbc250bf1b9e5e11ba6aafb16508e3dcae44f73f75c319d17f24ccfb607209975613e9e828c150aac111c5

Download Submit
\Windows\SysWOW64\Kiijnq32.exe

Filesize
462KB

MD5
3de63242597e72e8fcf0755a0f42ebf1

SHA1
4a363b47115d66f1d530439f024d23d06633b803

SHA256
9e03db92c76352e12d30c01407296e838e70ef105da05122527124a2ac51b07d

SHA512
18a6d2e73dab2afaa23ec817ce68e6ec9778769721e64d59220ceadfbfecf0205ebcc5679f78bec5670ec50c1abd872aeca78c1f276e7bda10a5d5c8716687e0

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
462KB

MD5
84ecd7512fcce43b7a457d656871a910

SHA1
ba24793efb3c1783a2e0f6a8fc209d8756821d01

SHA256
6fecdca63d8541d875e39c7b8ed4c3a694549d64f73d51cbef1f4aa0ef1904aa

SHA512
6790201c587699990131b290d1b59ae62e6ff0842ec6399b4e4afcffe7e4344500f0f6adc9d5ca802e119f24fae3e11153ba13ee3527765968eb18b525f67273

Download Submit
\Windows\SysWOW64\Kkjcplpa.exe

Filesize
462KB

MD5
0d747b6005c20c183f78c8a123c588b4

SHA1
59e601d62c2df74d27a6473d5084fdaee3296497

SHA256
440e4b97ea69c69994ca8dfb9a6e92330a736865d3cb067db717c4f21d998809

SHA512
f20186f7036142ed7f0db2283609b83e31f80f18629c32a35d227926ecc606d0f8d2aa4d67984427b22e67b3778f40ef6f38f56acfc054bccf31791e5025d9dd

Download Submit
\Windows\SysWOW64\Lclnemgd.exe

Filesize
462KB

MD5
fbd96cc6eb9f56b3c1c89907a28edcde

SHA1
85fa3a3551599a8870acccb78bd53a18fa914ab0

SHA256
ceef8c887034ee3612a035d06a8bcb498fa847256f2724fe2d6e5e6878bd3318

SHA512
75382b04834a6fde2394bd1b59045b917fa86ee884bd9e6f71ec768e704270bea8bb282e8d7279705959202200badf2ecd7884fb4c2111b51315119c9c057dc8

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
462KB

MD5
f24ce7110c2d8e3d266a4170f3d34a4c

SHA1
1ff2ec93633487811a72fbdd9782a2f8459562df

SHA256
9d6c97780066cbdccd1c5e3eb08b513b717253d22b1b6bdf3aa39b18405a02a9

SHA512
9601dcc977345b9865cbd8a3a772d1ce004495a293852450d330b0618d378707f08d7e848b68485967d660bcc36ef707f9756254679da2b0da4f765a2a0bc9b6

Download Submit
\Windows\SysWOW64\Lfpclh32.exe

Filesize
462KB

MD5
e014f42272a8f2b5973c7f3f35b9b435

SHA1
6232cac142ddb6637758df29f6b045449f26c5b7

SHA256
02046916f98393216076f3729c46184e054f92dc4691f54dc224964bb7f72b87

SHA512
013a6cce0e7cbd1d38f5548224fc1266f557338800eb83dea256a9a4eaeb638b4f30577474b03fae6aab331b3ac07cfa05521c2009d6a2e25339c845462b0b04

Download Submit
\Windows\SysWOW64\Lmgocb32.exe

Filesize
462KB

MD5
ef8b0b941604df31c26328ec587bc2a6

SHA1
1635def32df80edb1d35b9f5fb92810191e2a6c5

SHA256
db1a5c246d71ef9b9a384057d978afeb6be3f02b78d956b32177c8670beb3537

SHA512
5ec6528c881e45b55ad4ae22825d43673344b24220a8861ed4599271184f5a2fbf4c8f2d04cf28767f0ab8b2ae2f01e1115a41193aab367b0e7cf9bfd9746a7d

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
462KB

MD5
ec5b85b78a07adfd52c51693f0fcd931

SHA1
b1615c0c03f42ebb162bd410f0ba6f005808960b

SHA256
ab8ecbbeffd3a6c3338beedb0913bd128a41b9e481adc6a0ea9b856311e58e64

SHA512
8565bca6d42dad5c7423d5f33468b201e0efd15275c6c866de7032a5b5a5b65bf929191e54adc1665d89e84c13bcfa3438a07f26db87a00f137c7b18f4b14641

Download Submit
memory/764-356-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/764-167-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/764-162-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/764-155-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/768-323-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/768-327-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/768-343-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/768-320-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/808-361-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/808-111-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/808-124-0x0000000001FD0000-0x0000000002045000-memory.dmp

Filesize
468KB

Download
memory/808-123-0x0000000001FD0000-0x0000000002045000-memory.dmp

Filesize
468KB

Download
memory/812-267-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/812-336-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/812-272-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1204-353-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1204-199-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1204-211-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1204-212-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1560-185-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1560-197-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1560-196-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1560-351-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1588-328-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1588-340-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1588-338-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1656-368-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1656-181-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1656-170-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1656-182-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1660-360-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1660-144-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1660-358-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1860-11-0x0000000000340000-0x00000000003B5000-memory.dmp

Filesize
468KB

Download
memory/1860-12-0x0000000000340000-0x00000000003B5000-memory.dmp

Filesize
468KB

Download
memory/1860-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1860-377-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1860-375-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1960-226-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1960-227-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/1960-218-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1960-348-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2024-344-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2024-250-0x0000000002030000-0x00000000020A5000-memory.dmp

Filesize
468KB

Download
memory/2024-251-0x0000000002030000-0x00000000020A5000-memory.dmp

Filesize
468KB

Download
memory/2024-245-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2164-332-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2164-329-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2164-305-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2164-304-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2164-299-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2200-335-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2200-333-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2200-282-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2200-283-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2200-273-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2240-315-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2240-346-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2240-309-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2240-316-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2532-91-0x0000000001FA0000-0x0000000002015000-memory.dmp

Filesize
468KB

Download
memory/2532-365-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2532-83-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2532-363-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2580-293-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2580-288-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2580-331-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2580-330-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2580-294-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2608-33-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2608-37-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2608-380-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2608-378-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2664-366-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2664-77-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2664-369-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2708-372-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2708-56-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2708-68-0x00000000002F0000-0x0000000000365000-memory.dmp

Filesize
468KB

Download
memory/2708-370-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2716-42-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2716-50-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2716-373-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2716-371-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-151-0x0000000000370000-0x00000000003E5000-memory.dmp

Filesize
468KB

Download
memory/2820-355-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-357-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-152-0x0000000000370000-0x00000000003E5000-memory.dmp

Filesize
468KB

Download
memory/2820-138-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-374-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-376-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-27-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/2944-379-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2944-240-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/2944-229-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2944-239-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/2984-109-0x0000000000250000-0x00000000002C5000-memory.dmp

Filesize
468KB

Download
memory/2984-362-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2984-97-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2984-364-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3064-262-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/3064-339-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3064-261-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/3064-252-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads