berbew | 2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490ca

Analysis

max time kernel
62s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Size

60KB
MD5

ddebbab34311fd645655b649e7d02900
SHA1

77b7a0927bb828a11d2e04360497a6a1ccf20b8e
SHA256

2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490ca
SHA512

aa10253614c92af1b3f03e9c4117bedcabd80de26fe03691bdc7dba2fdb7a163385e090493de59dc7137f8ff8c39bda527534b8f146d03e8a1e780a6dc48b492
SSDEEP

768:Do2O0McWd/rJh3W4M8mAHTvTCiqL/j5F9JuaXPtmMfMZ4/1H5CEB+XdnhMl/XdnY:DfEdzJoSjqLlFTuaXFaYzB86l1rs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2228	Jikhnaao.exe
2736	Jcqlkjae.exe
2804	Jjjdhc32.exe
2868	Jllqplnp.exe
2612	Jcciqi32.exe
1792	Jbfilffm.exe
1740	Jlnmel32.exe
2064	Jefbnacn.exe
292	Jhenjmbb.exe
1496	Khgkpl32.exe
2060	Klcgpkhh.exe
1300	Kocpbfei.exe
2200	Kablnadm.exe
2448	Kfodfh32.exe
2192	Kadica32.exe
1016	Kdbepm32.exe
1584	Khnapkjg.exe
2104	Kipmhc32.exe
2252	Kageia32.exe
2664	Kbhbai32.exe
1220	Lmmfnb32.exe
880	Lplbjm32.exe
2108	Lbjofi32.exe

Loads dropped DLL 46 IoCs

pid	Process
2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
2228	Jikhnaao.exe
2228	Jikhnaao.exe
2736	Jcqlkjae.exe
2736	Jcqlkjae.exe
2804	Jjjdhc32.exe
2804	Jjjdhc32.exe
2868	Jllqplnp.exe
2868	Jllqplnp.exe
2612	Jcciqi32.exe
2612	Jcciqi32.exe
1792	Jbfilffm.exe
1792	Jbfilffm.exe
1740	Jlnmel32.exe
1740	Jlnmel32.exe
2064	Jefbnacn.exe
2064	Jefbnacn.exe
292	Jhenjmbb.exe
292	Jhenjmbb.exe
1496	Khgkpl32.exe
1496	Khgkpl32.exe
2060	Klcgpkhh.exe
2060	Klcgpkhh.exe
1300	Kocpbfei.exe
1300	Kocpbfei.exe
2200	Kablnadm.exe
2200	Kablnadm.exe
2448	Kfodfh32.exe
2448	Kfodfh32.exe
2192	Kadica32.exe
2192	Kadica32.exe
1016	Kdbepm32.exe
1016	Kdbepm32.exe
1584	Khnapkjg.exe
1584	Khnapkjg.exe
2104	Kipmhc32.exe
2104	Kipmhc32.exe
2252	Kageia32.exe
2252	Kageia32.exe
2664	Kbhbai32.exe
2664	Kbhbai32.exe
1220	Lmmfnb32.exe
1220	Lmmfnb32.exe
880	Lplbjm32.exe
880	Lplbjm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jlnmel32.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Klcgpkhh.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnmel32.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Kmnfciac.dll	Jlnmel32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Jefbnacn.exe	Jlnmel32.exe
File created	C:\Windows\SysWOW64\Lpgcln32.dll	Jefbnacn.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Jhenjmbb.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Mnpkephg.dll	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Jefbnacn.exe	Jlnmel32.exe
File created	C:\Windows\SysWOW64\Mmofpf32.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Jhenjmbb.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll"	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnmel32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2228	2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe	30
PID 2264 wrote to memory of 2228	2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe	30
PID 2264 wrote to memory of 2228	2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe	30
PID 2264 wrote to memory of 2228	2264	2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe	30
PID 2228 wrote to memory of 2736	2228	Jikhnaao.exe	31
PID 2228 wrote to memory of 2736	2228	Jikhnaao.exe	31
PID 2228 wrote to memory of 2736	2228	Jikhnaao.exe	31
PID 2228 wrote to memory of 2736	2228	Jikhnaao.exe	31
PID 2736 wrote to memory of 2804	2736	Jcqlkjae.exe	32
PID 2736 wrote to memory of 2804	2736	Jcqlkjae.exe	32
PID 2736 wrote to memory of 2804	2736	Jcqlkjae.exe	32
PID 2736 wrote to memory of 2804	2736	Jcqlkjae.exe	32
PID 2804 wrote to memory of 2868	2804	Jjjdhc32.exe	33
PID 2804 wrote to memory of 2868	2804	Jjjdhc32.exe	33
PID 2804 wrote to memory of 2868	2804	Jjjdhc32.exe	33
PID 2804 wrote to memory of 2868	2804	Jjjdhc32.exe	33
PID 2868 wrote to memory of 2612	2868	Jllqplnp.exe	34
PID 2868 wrote to memory of 2612	2868	Jllqplnp.exe	34
PID 2868 wrote to memory of 2612	2868	Jllqplnp.exe	34
PID 2868 wrote to memory of 2612	2868	Jllqplnp.exe	34
PID 2612 wrote to memory of 1792	2612	Jcciqi32.exe	35
PID 2612 wrote to memory of 1792	2612	Jcciqi32.exe	35
PID 2612 wrote to memory of 1792	2612	Jcciqi32.exe	35
PID 2612 wrote to memory of 1792	2612	Jcciqi32.exe	35
PID 1792 wrote to memory of 1740	1792	Jbfilffm.exe	36
PID 1792 wrote to memory of 1740	1792	Jbfilffm.exe	36
PID 1792 wrote to memory of 1740	1792	Jbfilffm.exe	36
PID 1792 wrote to memory of 1740	1792	Jbfilffm.exe	36
PID 1740 wrote to memory of 2064	1740	Jlnmel32.exe	37
PID 1740 wrote to memory of 2064	1740	Jlnmel32.exe	37
PID 1740 wrote to memory of 2064	1740	Jlnmel32.exe	37
PID 1740 wrote to memory of 2064	1740	Jlnmel32.exe	37
PID 2064 wrote to memory of 292	2064	Jefbnacn.exe	38
PID 2064 wrote to memory of 292	2064	Jefbnacn.exe	38
PID 2064 wrote to memory of 292	2064	Jefbnacn.exe	38
PID 2064 wrote to memory of 292	2064	Jefbnacn.exe	38
PID 292 wrote to memory of 1496	292	Jhenjmbb.exe	39
PID 292 wrote to memory of 1496	292	Jhenjmbb.exe	39
PID 292 wrote to memory of 1496	292	Jhenjmbb.exe	39
PID 292 wrote to memory of 1496	292	Jhenjmbb.exe	39
PID 1496 wrote to memory of 2060	1496	Khgkpl32.exe	40
PID 1496 wrote to memory of 2060	1496	Khgkpl32.exe	40
PID 1496 wrote to memory of 2060	1496	Khgkpl32.exe	40
PID 1496 wrote to memory of 2060	1496	Khgkpl32.exe	40
PID 2060 wrote to memory of 1300	2060	Klcgpkhh.exe	41
PID 2060 wrote to memory of 1300	2060	Klcgpkhh.exe	41
PID 2060 wrote to memory of 1300	2060	Klcgpkhh.exe	41
PID 2060 wrote to memory of 1300	2060	Klcgpkhh.exe	41
PID 1300 wrote to memory of 2200	1300	Kocpbfei.exe	42
PID 1300 wrote to memory of 2200	1300	Kocpbfei.exe	42
PID 1300 wrote to memory of 2200	1300	Kocpbfei.exe	42
PID 1300 wrote to memory of 2200	1300	Kocpbfei.exe	42
PID 2200 wrote to memory of 2448	2200	Kablnadm.exe	43
PID 2200 wrote to memory of 2448	2200	Kablnadm.exe	43
PID 2200 wrote to memory of 2448	2200	Kablnadm.exe	43
PID 2200 wrote to memory of 2448	2200	Kablnadm.exe	43
PID 2448 wrote to memory of 2192	2448	Kfodfh32.exe	44
PID 2448 wrote to memory of 2192	2448	Kfodfh32.exe	44
PID 2448 wrote to memory of 2192	2448	Kfodfh32.exe	44
PID 2448 wrote to memory of 2192	2448	Kfodfh32.exe	44
PID 2192 wrote to memory of 1016	2192	Kadica32.exe	45
PID 2192 wrote to memory of 1016	2192	Kadica32.exe	45
PID 2192 wrote to memory of 1016	2192	Kadica32.exe	45
PID 2192 wrote to memory of 1016	2192	Kadica32.exe	45

C:\Users\Admin\AppData\Local\Temp\2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe
"C:\Users\Admin\AppData\Local\Temp\2730ffe272b72f1da7c6622103e270f8901e49e17f73ad98303fe28ea65490caN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\Jikhnaao.exe
  C:\Windows\system32\Jikhnaao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Jcqlkjae.exe
    C:\Windows\system32\Jcqlkjae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\Jjjdhc32.exe
      C:\Windows\system32\Jjjdhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
60KB

MD5
2c3733f08f4c1b6eec52faf892d25acb

SHA1
4f0ebaca9932bac2e4a68091f910d697648bcb77

SHA256
02eda79fef3f8fe570462069efafa92cc46bd026931ca7546a36016d60159364

SHA512
9678a7c420b5caed26d49f57ae97428ecc5c71b1992d565fd342e6a327368f3b7bacd184a51b3406c073b8e493ff224746aa72d89ed06e1c235636bbb026182f

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
60KB

MD5
f5ae8d5a3b8ffa61ee8c54ad310127f1

SHA1
8c12d69066edf3bb797740c2d696b764bddb6bc7

SHA256
d7673be0e5e3aad64fba8e5bfb8f4f4ecbe35d0b0dd2d64a3cf7a3a51b9d3b58

SHA512
47f4729beb71123c6e70ad8cf2b0b7d6a6ca9f9b44e164079ad142d01a9c0536435e4d7fd1db82eb3a648233bd0e6ecbd80b5f3403ee36ed698c070e8ca4ede8

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
60KB

MD5
911a952ff18ad25e826505b401348ddd

SHA1
7b79889990e96a80655fb3667c026272c5a5c501

SHA256
4550665444c0d4ab9bbb797f3f7a9d7a7767aece3632228658197477ec4ebfe2

SHA512
a3d22af832a7e9d7f3ca79dac57587fffe22e2008eec46ca9187c3cd29d6292074ab612cb45612cb1358ecc2a46fb022a3b03fd2e1880289f804de2f05e35f14

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
60KB

MD5
09f6fe19597ef8b6ad4e47ffeb66c203

SHA1
6ab6b9f7fa9f08dfbaf1d7278109e866b635d7f1

SHA256
61a9e897dcf70f1d26cb08d956465b3ff7882ca013fbdc604279239d81a52edf

SHA512
6d56e2c414d9bb9f44a81d39e1d5787e8d9152cceea625b81ca39cd0fcfa79894bd174142cffce3ad5b380e9f2c8ec4b98e5e299682d9c04789ead55869581bf

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
60KB

MD5
5fddcc91752ef542527639c8a824e8f5

SHA1
457f0fda5bbaf95d3255d0b0c21a75fbb1560df7

SHA256
b11d245c4bbe83537ce37ad74c8b8c3410129659cd4438cd391911e8d419538e

SHA512
83226235a64df6c8805fbd7edffde49b7010dac312800a515f0c1b19587586f1a02213d7cf293114b81ca599ab7f30d55e61ed9847eec6327f993a2c699fd1fc

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
60KB

MD5
46ae0706d8a20382508b80aabdb45c37

SHA1
578c771f1edf6d2c0c75c02c6f604584155509e5

SHA256
8a0f4cec9016676abb175309c643758fd3f719d12b18d25ccd9d4bb80c525b2c

SHA512
628d3de156deb607b2879c6ab93d528b471f900e0f41dbdefe7090c71f73fde385b6f6c1289f4e931e2d7f3e42c2b45228a30518dccbec1c674cf03e06d37308

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
60KB

MD5
66c0a16aeecd74b4b46eb09f42b758b1

SHA1
05f3456015a79189de93e0ce66598af67933bb00

SHA256
8716d980f3051128b8924f20f67a1b5d573bcf12ac377ce9ef45de0592851a57

SHA512
29b753b61fa3a9fc44802d1b613048d2b645a70bc24259d5c32c1dc81a10da8b1d890c08f489d215614e838272d9a3914ada68f5d63ca3eaf142971ae8aa5f49

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
60KB

MD5
86f00be5636a5a83d4632686e55c5f89

SHA1
d45ac0061fb132cba1af2f9b5a18d5d88848348c

SHA256
db48e2d5fb8bf0d0d61130010206d0f93c05820e81dc58dc8d11671e6ddd89af

SHA512
e3c91219830042552b97bee9eb08646aa121f23aea0bcbbd8c0a41de09527bf271479c0fbb03d5632a369e73e637800f01170007afe923d3dac2875d1b65d073

Download Submit
C:\Windows\SysWOW64\Klcgpkhh.exe

Filesize
60KB

MD5
b861c15032954577f4caeba23d92323c

SHA1
0957625eaa1f9a94f36835f3459f4afd8d3a2714

SHA256
4e2c907e22950242ce5ee117ce84b7d00a5a2c48f4b5ac149d56935eb7518837

SHA512
11151db002a00b2e5aaeca09f16be3ae9bd4e3e3dfc9a9404e78057cd8f089a53e0bd64f815af9aab1ccce51e856ba2b7dcbb15fa3f535d92215e33d57de69df

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
60KB

MD5
933d26cfbdedcc8034cde867fdb493cf

SHA1
ab26893f0d6d6b050955e2749c8081b7c623f2ed

SHA256
cfe8c24012ec4dae953cd912995d1344fc43b7f67bf384fdd3d68dda8631ff20

SHA512
645b42d66f5676e8d07c7a7fa7ef4c0f9771137ccbb8fe1bb28567920994848eb3c8a06b6b8f9ecf0037aca63516e990ca149bea52d80710dc89823468b88244

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
60KB

MD5
fee7bc4ccfd11d5e40d8081b22ae4209

SHA1
d84973c0c9c099291f9ddfc7ab93d6cc43b889c2

SHA256
74009bd6654ffad456a63ebb6810fdd9aea5224aa6b31cdbc4ae66d08ec579ad

SHA512
79c4f3924ba75130214ebffdef6301f28d866d355d359c6814712f7893283055500cb05b2f9269f023675e818556adecf7f95e2f4a16e9edfef84a9dec19a9f7

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
60KB

MD5
383eef5b08df1412d2708ff9c8dafe06

SHA1
52ed0fb0d24f794546a8b28f7275428b49cb6bb6

SHA256
b795f0a3da2820382fa393c20937df4a9ec966281c696a5a926cae4538bb079a

SHA512
e19b7c2314bf24edb07280d9de2bc84fc8e3956936b5927addb192b2a494cbecaf33a59cc049ccabe3c7ae1984d0abbf5108efdd3234f76e67c50d858fd9057f

Download Submit
\Windows\SysWOW64\Jcciqi32.exe

Filesize
60KB

MD5
1064fd6bde3543c955fa7d72817852af

SHA1
4cc9d68c78c98bc897b6f4e32a0b8f1632294d72

SHA256
130a25fc33a74ab9df88e31519db2e76c316cb7db6896d8c8dcaac6e3100e0b5

SHA512
c114909effa6a2cabf9efcc2c748359ae0f439c0ee83306039e250e1ea94b8eefc92afe88fac912143a0881d5780264342e96ce257c8f23e0647cdfb1f336e5d

Download Submit
\Windows\SysWOW64\Jefbnacn.exe

Filesize
60KB

MD5
98e26bb690bc9873e855df8397454d7f

SHA1
c13732ab352823a9e52a50b9956c65fe24698a72

SHA256
29540e1e2580c18b17e3aad71df9fc937c0a1600417d0c3a315ab95cdb92665e

SHA512
6b867bdba5eee106560ba1483c4bf62898b021f7a850446435f9ca4a646c62f8d38dbb79ba1a0c6f5a2179071df89bfd5260f1384f4b3ecf14008ba0faddb36d

Download Submit
\Windows\SysWOW64\Jikhnaao.exe

Filesize
60KB

MD5
d14169f494b44ddec25f69c6361ed2bc

SHA1
bf8a26562d22b8883ab2b0f8b2d8dab4d9eb13ac

SHA256
a6b7dcdafd06d7f7da1623cf1ecc735f570462353732613a188bd149f9c81852

SHA512
c34f4cee2bc07cd2f05936b4885f355e9253dec112dde241acf36c533c950ad2dc0a21676228ebbfab7dd40a7c9bada9491d6b37bf8ef9fbe6d7d9e27a07c049

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
60KB

MD5
9c8ae1ce98cff631b29b92e479e13ea5

SHA1
a3d9f35b3b0998fad9478b7c1222e5fc23cdaa0a

SHA256
ff1236e0defee52b18a6417ce66e4c1f6b860606b8172e5f02a6d2350c728820

SHA512
6bcf0740229ee27b9485290cb63afd3ad54c39509114b7d9782b47e56fda58fedda8351b488ad2b5a76a7862fe00eb2731e1d1a4338926777086c07af88dc8d3

Download Submit
\Windows\SysWOW64\Jlnmel32.exe

Filesize
60KB

MD5
19c05860a6a0ca071f1265d1aff47152

SHA1
737a559ab02c3cc06ded1825d9037cc9daae5793

SHA256
23fc1067ec0d0e31b0e1a79da50f0de745cbc2c8df3750eaa8ab773836c7627f

SHA512
b561d23b96d1c895a26f52ed286d2f3b88e533608e6483879462768bb2a6ef89b1a3162c44aae174693ee45a852f5213ba1596369c496a8c1bf607a7ffc9a7db

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
60KB

MD5
8e82a0899d99181e1ac1f987eebc75ca

SHA1
eb9d8f23a2c7735e4b3f4d286afa1fbdff41ca5d

SHA256
20b4a51072573fb4365c8a160a40823ad36c72226a837ed92ef6fece3098a1c3

SHA512
e389ecf1c03bf4e73ec2eb81a9b50bf6c1314e5fdbcaaaa8e1824c591671b8330136af0d54007dc920b2db11c0bda65e245ed7ca48a14aa9e67056a17480c8a1

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
60KB

MD5
a3b639e9877aaf35a14b7325607605ce

SHA1
07c0bba2ef4bfba3d78cfd8362a288c9769decb1

SHA256
d7828a814591a0faee4d4cbae9b6a8a901ed487707af698de61418e5702b91b7

SHA512
1af996fc906d2259b79ebf5fae26777f0bb5c8bd5063b0297d52791ef8f891b751e624efa36cef81bd011b4e4e899295393dc434cf127d4d253eee24b775c3e3

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
60KB

MD5
5463a8a0af5360bfb7feb8b6bee5e983

SHA1
597e78365d769039278a374f4a5760e5a67a4155

SHA256
135e25c250543d1f35f1e3b83ff2e13af70bf31616bc8dfb593b0c1752ac3888

SHA512
1e0405d743f1dcb1c88860808bb1449d650d961cee92fc77bd25ab4fc65720c06af33b87ceec268b01b0409822d21615782dac006e80774399c535da670ab2cd

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
60KB

MD5
4c3594e8542da5b23162d97f9389552d

SHA1
1d29d8e74d3219ba8bd3b0c4c131d6f6084eb81a

SHA256
60a4be5618778680be0c1d55d06f8d7ef6da540c38ad26dcb79f3e17fa17661d

SHA512
71f5a4304c92dc04222040644fa9271febc1566330bd9ffbcb9fcb16ed31506ed204583232560123168ae8cbf9758629246f03723963df4b924b2f3049601e4e

Download Submit
\Windows\SysWOW64\Khgkpl32.exe

Filesize
60KB

MD5
303073180bbc0c478514f5bbd5ab0d66

SHA1
12ce0de3e35a67b18450e3853375ef783c143ff1

SHA256
0f85555edd0d05ee8bc3dcb19425bad9616394c6db38565e281515c5795f4332

SHA512
03fbe7bdf1355de1005f634a02b474c0c5314c6e60bb68a7171b188b0696dd321c3cda9c2927eb7f94ede8ba75f303f07e180445fdd1f41b7301fd8d7492bf3b

Download Submit
\Windows\SysWOW64\Kocpbfei.exe

Filesize
60KB

MD5
6479353b6ed545afb7e8d50a6935196a

SHA1
621c4a80c3a05c235108c612142eb769b707384f

SHA256
53d5d0ad49b6ddf125637d19eb86573c5a02b842bdbcc9ad46918f549fce9e95

SHA512
49a4e1089723db7672f8f376d4734632f77c4f1b159f9ddb05102d6a43a495946d4565dea62331b9cea79da9834cdbd227382dbe9f51be35ee6888ae41f473dc

Download Submit
memory/292-201-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/292-145-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/292-142-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/292-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-289-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1016-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-294-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1220-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1300-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-160-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1496-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-203-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-217-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1584-295-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1584-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-248-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1584-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-112-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1740-113-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1792-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1792-99-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1792-98-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1792-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1792-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-218-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-173-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2064-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-188-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2064-129-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2064-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-128-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2104-305-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2104-296-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2104-260-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2104-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-261-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2104-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-310-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/2108-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-311-0x00000000775D0000-0x00000000776CA000-memory.dmp

Filesize
1000KB

Download
memory/2108-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2192-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2192-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-262-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2200-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-28-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2228-21-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2228-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-270-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2252-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-75-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/2264-13-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/2264-12-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/2264-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-224-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2448-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-88-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2612-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-143-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2612-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-84-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2664-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-119-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2804-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-54-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2868-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads