berbew | 619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Size

96KB
MD5

c31cc084a5ac177104ea050b8b2cf8fa
SHA1

b395b2c74c5be24f4765e4556c53b09dfa21438e
SHA256

619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514
SHA512

1ef0eb8ce3284dacef3d48b3b854ddf43650c471c9c15031ae9b413d91652f112356b6b67745bda881c3234ce361f915bcac09ff0ae1929f1acd3c9fff33a8ae
SSDEEP

3072:/4mvEfArxxR2bzUAYb7Ye+XHrtG9MW3+3l2X:/XxsbqzgtGDuMX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecdji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpgdnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncgollm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llpaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mejoei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ionehnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdiho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgppmpjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lncgollm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mejoei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdiho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdofebo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ionehnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jflgph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miaaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbjfcnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggkipci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iecdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Miaaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jflgph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnqkjl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
1888	Iecdji32.exe
3024	Ionehnbm.exe
2924	Jhfjadim.exe
2932	Jflgph32.exe
2816	Jgppmpjp.exe
2092	Jknicnpf.exe
2328	Kgdiho32.exe
1520	Kmdofebo.exe
2280	Kjhopjqi.exe
2240	Kcpcho32.exe
1688	Kpgdnp32.exe
1012	Lpiacp32.exe
2468	Llpaha32.exe
2340	Lnqkjl32.exe
2608	Lncgollm.exe
2024	Miaaki32.exe
2072	Mbjfcnkg.exe
908	Mejoei32.exe
2676	Mbopon32.exe
2732	Mlgdhcmb.exe
1648	Ngqeha32.exe
1704	Nmogpj32.exe
1468	Nggkipci.exe
1820	Opblgehg.exe

Loads dropped DLL 52 IoCs

pid	Process
2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
1888	Iecdji32.exe
1888	Iecdji32.exe
3024	Ionehnbm.exe
3024	Ionehnbm.exe
2924	Jhfjadim.exe
2924	Jhfjadim.exe
2932	Jflgph32.exe
2932	Jflgph32.exe
2816	Jgppmpjp.exe
2816	Jgppmpjp.exe
2092	Jknicnpf.exe
2092	Jknicnpf.exe
2328	Kgdiho32.exe
2328	Kgdiho32.exe
1520	Kmdofebo.exe
1520	Kmdofebo.exe
2280	Kjhopjqi.exe
2280	Kjhopjqi.exe
2240	Kcpcho32.exe
2240	Kcpcho32.exe
1688	Kpgdnp32.exe
1688	Kpgdnp32.exe
1012	Lpiacp32.exe
1012	Lpiacp32.exe
2468	Llpaha32.exe
2468	Llpaha32.exe
2340	Lnqkjl32.exe
2340	Lnqkjl32.exe
2608	Lncgollm.exe
2608	Lncgollm.exe
2024	Miaaki32.exe
2024	Miaaki32.exe
2072	Mbjfcnkg.exe
2072	Mbjfcnkg.exe
908	Mejoei32.exe
908	Mejoei32.exe
2676	Mbopon32.exe
2676	Mbopon32.exe
2732	Mlgdhcmb.exe
2732	Mlgdhcmb.exe
1648	Ngqeha32.exe
1648	Ngqeha32.exe
1704	Nmogpj32.exe
1704	Nmogpj32.exe
1468	Nggkipci.exe
1468	Nggkipci.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcmodmbk.dll	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Ionehnbm.exe	Iecdji32.exe
File opened for modification	C:\Windows\SysWOW64\Kmdofebo.exe	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Kebiiiec.dll	Jknicnpf.exe
File created	C:\Windows\SysWOW64\Gfcdcl32.dll	Llpaha32.exe
File opened for modification	C:\Windows\SysWOW64\Mbjfcnkg.exe	Miaaki32.exe
File created	C:\Windows\SysWOW64\Mbopon32.exe	Mejoei32.exe
File created	C:\Windows\SysWOW64\Mlgdhcmb.exe	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgdhcmb.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Nggkipci.exe	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Jhfjadim.exe	Ionehnbm.exe
File opened for modification	C:\Windows\SysWOW64\Jknicnpf.exe	Jgppmpjp.exe
File created	C:\Windows\SysWOW64\Miaaki32.exe	Lncgollm.exe
File created	C:\Windows\SysWOW64\Faqkji32.dll	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Nmogpj32.exe	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Kcpcho32.exe	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Dlmfob32.dll	Lpiacp32.exe
File opened for modification	C:\Windows\SysWOW64\Mbopon32.exe	Mejoei32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdiho32.exe	Jknicnpf.exe
File created	C:\Windows\SysWOW64\Kjhopjqi.exe	Kmdofebo.exe
File created	C:\Windows\SysWOW64\Depfiffk.dll	Kmdofebo.exe
File created	C:\Windows\SysWOW64\Lpiacp32.exe	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Cgefap32.dll	Jflgph32.exe
File created	C:\Windows\SysWOW64\Qcehpcal.dll	Kgdiho32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqeha32.exe	Mlgdhcmb.exe
File opened for modification	C:\Windows\SysWOW64\Jflgph32.exe	Jhfjadim.exe
File created	C:\Windows\SysWOW64\Kgdiho32.exe	Jknicnpf.exe
File opened for modification	C:\Windows\SysWOW64\Nggkipci.exe	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Gcnemg32.dll	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Iecdji32.exe	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
File created	C:\Windows\SysWOW64\Mpqaniil.dll	Jhfjadim.exe
File created	C:\Windows\SysWOW64\Chmglegi.dll	Mbjfcnkg.exe
File created	C:\Windows\SysWOW64\Dgbddi32.dll	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Miaaki32.exe	Lncgollm.exe
File created	C:\Windows\SysWOW64\Mejoei32.exe	Mbjfcnkg.exe
File opened for modification	C:\Windows\SysWOW64\Kpgdnp32.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Gibcam32.dll	Mejoei32.exe
File created	C:\Windows\SysWOW64\Nmogpj32.exe	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Jknicnpf.exe	Jgppmpjp.exe
File created	C:\Windows\SysWOW64\Kpgdnp32.exe	Kcpcho32.exe
File opened for modification	C:\Windows\SysWOW64\Jhfjadim.exe	Ionehnbm.exe
File created	C:\Windows\SysWOW64\Caolfcmm.dll	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Kemqig32.dll	Lnqkjl32.exe
File opened for modification	C:\Windows\SysWOW64\Mejoei32.exe	Mbjfcnkg.exe
File opened for modification	C:\Windows\SysWOW64\Iecdji32.exe	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
File opened for modification	C:\Windows\SysWOW64\Ionehnbm.exe	Iecdji32.exe
File created	C:\Windows\SysWOW64\Doahjaco.dll	Jgppmpjp.exe
File opened for modification	C:\Windows\SysWOW64\Kjhopjqi.exe	Kmdofebo.exe
File opened for modification	C:\Windows\SysWOW64\Lpiacp32.exe	Kpgdnp32.exe
File opened for modification	C:\Windows\SysWOW64\Llpaha32.exe	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Lncgollm.exe	Lnqkjl32.exe
File created	C:\Windows\SysWOW64\Miokdmmk.dll	Lncgollm.exe
File created	C:\Windows\SysWOW64\Jgppmpjp.exe	Jflgph32.exe
File opened for modification	C:\Windows\SysWOW64\Jgppmpjp.exe	Jflgph32.exe
File created	C:\Windows\SysWOW64\Naflocji.dll	Miaaki32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Nggkipci.exe
File created	C:\Windows\SysWOW64\Mdpnaccc.dll	Kcpcho32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Nggkipci.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nggkipci.exe
File created	C:\Windows\SysWOW64\Jebopgbd.dll	Ionehnbm.exe
File created	C:\Windows\SysWOW64\Kmdofebo.exe	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Ngqeha32.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Bghemo32.dll	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Jflgph32.exe	Jhfjadim.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	1820	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ionehnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jknicnpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miaaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfjadim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jflgph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhopjqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpcho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mejoei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgdhcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecdji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdofebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncgollm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbjfcnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgppmpjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpiacp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnqkjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmogpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggkipci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbddi32.dll"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnemg32.dll"	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhfjadim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llpaha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Miaaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miaaki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mejoei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffndn32.dll"	Iecdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doahjaco.dll"	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jknicnpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nggkipci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jknicnpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemqig32.dll"	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mejoei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iecdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqaniil.dll"	Jhfjadim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgefap32.dll"	Jflgph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jflgph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebopgbd.dll"	Ionehnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdiho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfob32.dll"	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmglegi.dll"	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgiogam.dll"	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iecdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebiiiec.dll"	Jknicnpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lncgollm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jflgph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbjfcnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqkji32.dll"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depfiffk.dll"	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caolfcmm.dll"	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcehpcal.dll"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naflocji.dll"	Miaaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnqkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	Mejoei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ionehnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ionehnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdiho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1888	2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe	30
PID 2004 wrote to memory of 1888	2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe	30
PID 2004 wrote to memory of 1888	2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe	30
PID 2004 wrote to memory of 1888	2004	619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe	30
PID 1888 wrote to memory of 3024	1888	Iecdji32.exe	31
PID 1888 wrote to memory of 3024	1888	Iecdji32.exe	31
PID 1888 wrote to memory of 3024	1888	Iecdji32.exe	31
PID 1888 wrote to memory of 3024	1888	Iecdji32.exe	31
PID 3024 wrote to memory of 2924	3024	Ionehnbm.exe	32
PID 3024 wrote to memory of 2924	3024	Ionehnbm.exe	32
PID 3024 wrote to memory of 2924	3024	Ionehnbm.exe	32
PID 3024 wrote to memory of 2924	3024	Ionehnbm.exe	32
PID 2924 wrote to memory of 2932	2924	Jhfjadim.exe	33
PID 2924 wrote to memory of 2932	2924	Jhfjadim.exe	33
PID 2924 wrote to memory of 2932	2924	Jhfjadim.exe	33
PID 2924 wrote to memory of 2932	2924	Jhfjadim.exe	33
PID 2932 wrote to memory of 2816	2932	Jflgph32.exe	34
PID 2932 wrote to memory of 2816	2932	Jflgph32.exe	34
PID 2932 wrote to memory of 2816	2932	Jflgph32.exe	34
PID 2932 wrote to memory of 2816	2932	Jflgph32.exe	34
PID 2816 wrote to memory of 2092	2816	Jgppmpjp.exe	35
PID 2816 wrote to memory of 2092	2816	Jgppmpjp.exe	35
PID 2816 wrote to memory of 2092	2816	Jgppmpjp.exe	35
PID 2816 wrote to memory of 2092	2816	Jgppmpjp.exe	35
PID 2092 wrote to memory of 2328	2092	Jknicnpf.exe	36
PID 2092 wrote to memory of 2328	2092	Jknicnpf.exe	36
PID 2092 wrote to memory of 2328	2092	Jknicnpf.exe	36
PID 2092 wrote to memory of 2328	2092	Jknicnpf.exe	36
PID 2328 wrote to memory of 1520	2328	Kgdiho32.exe	37
PID 2328 wrote to memory of 1520	2328	Kgdiho32.exe	37
PID 2328 wrote to memory of 1520	2328	Kgdiho32.exe	37
PID 2328 wrote to memory of 1520	2328	Kgdiho32.exe	37
PID 1520 wrote to memory of 2280	1520	Kmdofebo.exe	38
PID 1520 wrote to memory of 2280	1520	Kmdofebo.exe	38
PID 1520 wrote to memory of 2280	1520	Kmdofebo.exe	38
PID 1520 wrote to memory of 2280	1520	Kmdofebo.exe	38
PID 2280 wrote to memory of 2240	2280	Kjhopjqi.exe	39
PID 2280 wrote to memory of 2240	2280	Kjhopjqi.exe	39
PID 2280 wrote to memory of 2240	2280	Kjhopjqi.exe	39
PID 2280 wrote to memory of 2240	2280	Kjhopjqi.exe	39
PID 2240 wrote to memory of 1688	2240	Kcpcho32.exe	40
PID 2240 wrote to memory of 1688	2240	Kcpcho32.exe	40
PID 2240 wrote to memory of 1688	2240	Kcpcho32.exe	40
PID 2240 wrote to memory of 1688	2240	Kcpcho32.exe	40
PID 1688 wrote to memory of 1012	1688	Kpgdnp32.exe	41
PID 1688 wrote to memory of 1012	1688	Kpgdnp32.exe	41
PID 1688 wrote to memory of 1012	1688	Kpgdnp32.exe	41
PID 1688 wrote to memory of 1012	1688	Kpgdnp32.exe	41
PID 1012 wrote to memory of 2468	1012	Lpiacp32.exe	42
PID 1012 wrote to memory of 2468	1012	Lpiacp32.exe	42
PID 1012 wrote to memory of 2468	1012	Lpiacp32.exe	42
PID 1012 wrote to memory of 2468	1012	Lpiacp32.exe	42
PID 2468 wrote to memory of 2340	2468	Llpaha32.exe	43
PID 2468 wrote to memory of 2340	2468	Llpaha32.exe	43
PID 2468 wrote to memory of 2340	2468	Llpaha32.exe	43
PID 2468 wrote to memory of 2340	2468	Llpaha32.exe	43
PID 2340 wrote to memory of 2608	2340	Lnqkjl32.exe	44
PID 2340 wrote to memory of 2608	2340	Lnqkjl32.exe	44
PID 2340 wrote to memory of 2608	2340	Lnqkjl32.exe	44
PID 2340 wrote to memory of 2608	2340	Lnqkjl32.exe	44
PID 2608 wrote to memory of 2024	2608	Lncgollm.exe	45
PID 2608 wrote to memory of 2024	2608	Lncgollm.exe	45
PID 2608 wrote to memory of 2024	2608	Lncgollm.exe	45
PID 2608 wrote to memory of 2024	2608	Lncgollm.exe	45

C:\Users\Admin\AppData\Local\Temp\619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
"C:\Users\Admin\AppData\Local\Temp\619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\Iecdji32.exe
  C:\Windows\system32\Iecdji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Ionehnbm.exe
    C:\Windows\system32\Ionehnbm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Jhfjadim.exe
      C:\Windows\system32\Jhfjadim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\Jflgph32.exe
        
        C:\Windows\system32\Jflgph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Jgppmpjp.exe
        
        C:\Windows\system32\Jgppmpjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jknicnpf.exe
        
        C:\Windows\system32\Jknicnpf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Kgdiho32.exe
        
        C:\Windows\system32\Kgdiho32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Kmdofebo.exe
        
        C:\Windows\system32\Kmdofebo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Kjhopjqi.exe
        
        C:\Windows\system32\Kjhopjqi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Kcpcho32.exe
        
        C:\Windows\system32\Kcpcho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Lpiacp32.exe
        
        C:\Windows\system32\Lpiacp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Llpaha32.exe
        
        C:\Windows\system32\Llpaha32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Lnqkjl32.exe
        
        C:\Windows\system32\Lnqkjl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Lncgollm.exe
        
        C:\Windows\system32\Lncgollm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Miaaki32.exe
        
        C:\Windows\system32\Miaaki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mbjfcnkg.exe
        
        C:\Windows\system32\Mbjfcnkg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mejoei32.exe
        
        C:\Windows\system32\Mejoei32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Mbopon32.exe
        
        C:\Windows\system32\Mbopon32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Mlgdhcmb.exe
        
        C:\Windows\system32\Mlgdhcmb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ngqeha32.exe
        
        C:\Windows\system32\Ngqeha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Nmogpj32.exe
        
        C:\Windows\system32\Nmogpj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Nggkipci.exe
        
        C:\Windows\system32\Nggkipci.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgefap32.dll

Filesize
7KB

MD5
256c584f0b8c29b38311bbbdd92e7620

SHA1
cb84857a562970808d2b8fb215d7e5ade95e08fc

SHA256
a7aaad4f993f4d1f4aea79143477c564f968e825a76603da01316a315a38fe6b

SHA512
77e99f021970a315f9235bcd3cb80b43d04387c1b2ec3f49c0824a96d2a0977ec070ba8dad1d5648a53d3fcf907fc0eb85a065ac4602ddfe4b2b0e0552c60c81

Download Submit
C:\Windows\SysWOW64\Iecdji32.exe

Filesize
96KB

MD5
836b588164d9436df2760c093941d98c

SHA1
fe432ddde8c65271decf821f10f978067042b72b

SHA256
93128f76a4693850b4659d6295d6dee44b30b7260027b16ef23c4e4944883164

SHA512
0e32ab4cc92b602a7737a90c5eb64010f9719714255187d272f8c1aa0586874a7251ecf9c4b6491094fd7c0052f1607d422e319270e8890d02b398917dc72fdc

Download Submit
C:\Windows\SysWOW64\Jhfjadim.exe

Filesize
96KB

MD5
07e65b4b7ed248bce03b419b60511abe

SHA1
3d2cd2903183adc01daf691c49e870d33ee79163

SHA256
a74041cb2dbddf69a85154b9f010780e4be57b0bc2620b43a9649c75555621dd

SHA512
68e9e2c1703ecfd0794e19af61d1b4c0e18a85f5e683a4830d7fe0f9d28263517f646d95c08db9fbbffc110e903204fb33b65dd046c7d2a2612949c65a8c32fb

Download Submit
C:\Windows\SysWOW64\Kjhopjqi.exe

Filesize
96KB

MD5
3f45a3a7ff8dfa7de6cb0c2114661029

SHA1
e4ab1ca7c8eb3b4c4a6e1db4fc8483d9583820d6

SHA256
caef528e6ea9b75ab8a8d68e5631ee4661a657267e5dc6f8bb075ac85b2e5976

SHA512
b64bc3e032402d9205fc279260d4c9702704b13e1858a80890b405c295de739847cdc79d6fe9c32679f092544798a0415e24e3a85e5f1de78d3a80250e24c649

Download Submit
C:\Windows\SysWOW64\Kmdofebo.exe

Filesize
96KB

MD5
d5e9d9df5130cc6cce2fde98fdbcee88

SHA1
2ae165a14abbd6e832c1e8d2239a8a8113edf019

SHA256
ba96f049126f2451350b198ef1e10cc2322a742f29a7a0e84a2417a76eac59b5

SHA512
214b358dc4b7acaff06d04acc14621b67c8358ac4c3af4292558bca9f3e5e827093363702c82634929c0508edc2da3b88345eecf0e7e2b7dfc3f59b75da9b079

Download Submit
C:\Windows\SysWOW64\Mbjfcnkg.exe

Filesize
96KB

MD5
dd5174335b5fc23be1a0dcae81113038

SHA1
1061499e9d18f0d3a36b8e509e7811fd67ac9950

SHA256
a60fd1bd4508b2a781ea19b829fc81344940fc66daea8e89d4d42cbd3d19453a

SHA512
866650422815073452bf7600f30ee34591b465a2778c76c4f5e8da743a66cc1627c2dbd8e66dba1e171828b8791a18ba93dd1f78f439fae5044fc471dbb9ee6b

Download Submit
C:\Windows\SysWOW64\Mbopon32.exe

Filesize
96KB

MD5
84ae58843023da762d55ca5239ff5914

SHA1
855fcd56e30de2344c56afc686a4fcb29c08b8d9

SHA256
fb83b242e0bd6ad6cb984e68dc14188d4f8f0fadef3150cb897d11f24cb5ce70

SHA512
1b03a99c5bb7da940763f9018afc559a4213e4914d66d69cb8512f703a874a4319478e937d88369aee806b1aa8d46f624b778b78234761779cd6e2ec4722eba7

Download Submit
C:\Windows\SysWOW64\Mejoei32.exe

Filesize
96KB

MD5
f6d8049b0b4d67bd2843d677b366c0fd

SHA1
dc57139910a7d95709c16484517ae354c4fc9529

SHA256
751d571cf14b821125c2fde0937454aad0614715e9238f7a641bdfc9379ea759

SHA512
b16e4f6e980a243b63dae87b1e7e275add595f460404adb400425a1de392683fa3347e8c451a57645af2313c02490e2a369b700317d504762aac6775fd44ff30

Download Submit
C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
96KB

MD5
982cf0d4385b87b7c765bda035c24943

SHA1
d8bffa420e064e8a06f2f5d24a52dfacd906c6db

SHA256
a58dff75960700ca48f00a38b7502dce874ecea386ccf84132be4832f732b69a

SHA512
6c32cb90310b1b12d6cbbdd2db8881c1cf231bada2b558ff751f2fb35ee4ce5ece5137ea0d5eee7e44c08cac1249f7657a455c225141afa30fb1548b4d9f3fad

Download Submit
C:\Windows\SysWOW64\Nggkipci.exe

Filesize
96KB

MD5
046fa94e86c187a161f01285f1d9eb4f

SHA1
5ac6618e05cb7f17e23d22e49bf7a97dcf6e7806

SHA256
6c21e276176f1cc1212a8c8dd7e7e4e2062f0aa85cb2c264669f2bcaf38a59b8

SHA512
8059db34453ad730cea4a068c35a5f8609a0234522c65eb1be15d9ade35cdc8763f5d1832d7a23565dbc5de4a97051ed38c594661eac8d4da230738a928be2f4

Download Submit
C:\Windows\SysWOW64\Ngqeha32.exe

Filesize
96KB

MD5
a4c8d1b009ef3b69b06c315a8f19c209

SHA1
ed53521d8990c8fb4e58e094f5f1a0c500ff0837

SHA256
8a94fef596a86104ea8f7f86529e5226869c18501e105ef4b5d7dc7d717bb338

SHA512
c90d26cb95ec53a73c8e6c9ddc1485aaad9034a86c318249a6952332e321c8d5d18e155c2b574324544241a82970cb36cee691264bc3f7a0696e938a11bf5931

Download Submit
C:\Windows\SysWOW64\Nmogpj32.exe

Filesize
96KB

MD5
28cf7ecb6986dcbd0a7a6fc5e0d41089

SHA1
2d610cfa931c9ba1cd80c79b642bd5c5e4f19c36

SHA256
a354d8d03d38a35d08ebeee14c74b87950e9221e0f418e6715169640e7c0e5db

SHA512
7c880539ef0059c4669ef4b01d7e3e6adc54ebecc3018344311b5f2da00053246446ca3ecd871f25b9fd4ad23a7654b42ce77d88c73e6733f4cbf734e8084c4b

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
96KB

MD5
dcb67e7526212e345d8c6b0473651f31

SHA1
051cee5355b2995b9b2dd9833eb5dd0e4109c859

SHA256
f71ecc69613dfc0d9e45eb520bed92d6a718602c1e197cb0e493e8be5f637938

SHA512
c94886bf0468c0ce26c8f722511e7ca95c79c8dfcd71c69dc525536c84fead78fe8af1cf99cceda92be68ab7c884a97a3ea28594ebe424aba2e37551b3f717ad

Download Submit
\Windows\SysWOW64\Ionehnbm.exe

Filesize
96KB

MD5
36a90f17b53c9799cce09e6cf1d03819

SHA1
d2f075ea61a56add3a3779b6201e79d3d9d71834

SHA256
ea791a5a8fe32eb9926674eb7e3e35bd212ec78856c185d6f4cb43e2b28360ae

SHA512
4f43b21d01de7303043cc7122b846cb1f94fd9ad2c55c74c6b8d62f305083a930a428397ec6972b54c8192a704653b615ee94b64e867a1b6735d472b78d92a1a

Download Submit
\Windows\SysWOW64\Jflgph32.exe

Filesize
96KB

MD5
a73698c2c0ee36b1bef34fa771096691

SHA1
eb3a48fd8431a745ac412c0ba0ccd93e67875265

SHA256
3740ff15de1e46d8311ddc3ef82d9c6bee8584445ede71c927b11b9039b73837

SHA512
28d7b8711ff0d6f15c4146a7bed6f28ac2c7a5472028e8fbaa5223809d0994667632eb91eaabbcf5a5e23ddfbd91d97bd641c27fa62748de80c803655be1cc58

Download Submit
\Windows\SysWOW64\Jgppmpjp.exe

Filesize
96KB

MD5
aa3a5148f6cd32a4976b14b57cb1ae3a

SHA1
60367dfbcf890fdd76e69cbc562a10c0be388351

SHA256
ce2ebfd03e399c578d8fce789bbc7afb3c856e43df78bc8a0f7d1927971bed57

SHA512
a2b3168d76cc85d00162d778ecf23f5bce6c505895960f60a6645032b35c992ef5a0ca60a7c99f8204cc1082bf4cfeb9f73e3447daa0a913cde3bb4528dc9e61

Download Submit
\Windows\SysWOW64\Jknicnpf.exe

Filesize
96KB

MD5
68c3582e6f801c1b9f6ef64e4715ad4e

SHA1
33d0393b0f4b4f5b545a3bf922443c581dfb55ce

SHA256
e1d3bfe3f21dbaee29c1e8435a351d13301db5194198a1bb6b2cb76d18277477

SHA512
12de328f4f5ab9aed497b36892b722ee9979b3c5ef02034a55c1e7bc2644d325d5e44bcedb09c27c9121e8a950a875b8068b2d7091f1bfaa94d89bb8e767dd7f

Download Submit
\Windows\SysWOW64\Kcpcho32.exe

Filesize
96KB

MD5
58535863573326f3c1fc4f132c42b76c

SHA1
a960d961ee8be16755bff8f4d8d30597baebbe21

SHA256
5cb4da86c45adaa2233a56f49b04758b25b9e55d052d579663d42c4d41c7f874

SHA512
6946f6a12f1591c3679a3eaa05c3815f3966a2c366c795ef5dfdf1a29a5409fc6b7db34e0c5a3dc5a1680c067e542713f5b42819a06078d42eda4421e22847ee

Download Submit
\Windows\SysWOW64\Kgdiho32.exe

Filesize
96KB

MD5
64998b5d70e1b21a3851eadbca63efa6

SHA1
207b7dd51c6ab0f9463e588660d8023970a7f584

SHA256
e38ffdbb72ce59a6a81c852c19bf3571661e14494b0be0bf41e3d4d9c4a708d0

SHA512
0d7ac4f340ea9e782fa8b819ede7a6f88cbd129492ecb9e629d51f938bace6b908c4ad58952d8d9b68188a3fedf5baf1328b78cb75c2b7dd85b2b14c72aacac4

Download Submit
\Windows\SysWOW64\Kpgdnp32.exe

Filesize
96KB

MD5
ba467a5013ac3ef4b040a456a20a1db2

SHA1
2e097b5e9acec7e2f9790217ea4d7de91f944d1e

SHA256
5aea207f24cf678375d705b2521148e1b6129592762e86f9674ebc81ff5b7b7b

SHA512
ca08014e002f3988f73a819930c89e8003a5816cec8012476ac042b3a96aca1460a27de4b104ee01dbd0be9ae8788ffb670648e70a5261fa1172d7dfdf3e6526

Download Submit
\Windows\SysWOW64\Llpaha32.exe

Filesize
96KB

MD5
ff2ebad05ac37e73c4600738d4e7f230

SHA1
8c0beea7797a4aea745141603e28204a3ede96f6

SHA256
404d6bbca25d33f9d1c0c145444dc7bf0527c221fff7b5f42ad181f05d487a20

SHA512
8bdfa491b6aa69a911c9ca6d5f50bfbfef849cd244b8bca756809745acf09d8c2585d67fd4dd885ee5b50b4a8eea6969409c25136e59b275a9d436aa93f79a1a

Download Submit
\Windows\SysWOW64\Lncgollm.exe

Filesize
96KB

MD5
81526c009ef3f0a9fd366df26133e49a

SHA1
867c7b377679517dd4a0ea284e8c02cc0099281c

SHA256
b913edefda80b8dadee23f3d00c4e4f367604608d52342007fda4c719c3d87de

SHA512
f539433d82542a13c5a3af174c14b34217184444d5283e79f29abd3492de441f3cc06ab5269be52b6e19be575483540cec3cf37422be98dd85b5b871b341d6cf

Download Submit
\Windows\SysWOW64\Lnqkjl32.exe

Filesize
96KB

MD5
66365fd370bc2be612dd78d87fa76e66

SHA1
53b81c9ce4fc021b05ee5599a89e705c2bc75c10

SHA256
d0471cdf8beb4b558d2333259d7a5ffee2289eecdd07eb8ecff267d2cd61b48d

SHA512
2603909d2dfca687b52710703af71d90ea497d77ad8d02de5db325fd3b4921ef7910ffac7552d3a3b611bcec7d4c5daad92f8762a3b4bb1200728f7853d9c553

Download Submit
\Windows\SysWOW64\Lpiacp32.exe

Filesize
96KB

MD5
e342d1f637f862711b3c1b0194e4ff84

SHA1
71e6ee54fccb02b2feb5989691476f92c700bcd5

SHA256
477caa2915f1502adb49215bb95c214621988eaab7ff4790cb1f79f7a7894586

SHA512
d9ca8abe62f3bf1fe1f564964f1b8abdb1faa1723e1ee24c4b048679bfa68ed985b763c53b1718fe6a7d3de33e05be2b10a6c0b60bda530a650e9032e05b2a36

Download Submit
\Windows\SysWOW64\Miaaki32.exe

Filesize
96KB

MD5
0c8e9d064c5c3d27cb06450c40dfedea

SHA1
76cd8f9574f6d7256b13450208f5a46f6eca2618

SHA256
1542a0524ddffb2ece7dc982062526555c1d935d434f99f5c4ebc55b2e97935a

SHA512
8f495feb62dbe6639b45eaf04f35f5ff7367ef0b16817f1967edacf3127157081bb5bdc71343145a522fc58590d9ab6fa6ffedac3ca3e6d8ba143b80b781b130

Download Submit
memory/908-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-247-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/908-248-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1012-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-301-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1468-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-300-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1468-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-281-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1648-280-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1688-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-162-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1688-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-22-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/1888-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-28-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2004-12-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2004-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-13-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2024-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-224-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/2072-234-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2072-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-141-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2280-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-108-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2328-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-185-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2468-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-212-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2608-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-259-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2676-255-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2732-269-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2732-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-270-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2816-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-55-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2924-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-54-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2932-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads