njrat | 79fd00a01228c48adab48a4950b1fd90ec278beaf3b2ad06bead3568f1211c49

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fe0395d6f991bde2f0292197f74cc0N.exe
Size

337KB
MD5

25fe0395d6f991bde2f0292197f74cc0
SHA1

33f2bc8462f60907d812ae3744e5747fda9aff3e
SHA256

79fd00a01228c48adab48a4950b1fd90ec278beaf3b2ad06bead3568f1211c49
SHA512

c7a020f703cdb40221d977f6d394f807c9797fd4e2001009c0710cfbe106834f9e90fb828067f652c673452a7a0b847b58a0a99c991681e08263d10ae66cc001
SSDEEP

3072:TwFhYsXH/X4RTgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:GhYsXf4RT1+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	25fe0395d6f991bde2f0292197f74cc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmqffonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphehidc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	25fe0395d6f991bde2f0292197f74cc0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmqffonj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajipkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 26 IoCs

pid	Process
2216	Pmqffonj.exe
2820	Qcjoci32.exe
2788	Qfkgdd32.exe
2696	Ajipkb32.exe
2708	Abdeoe32.exe
2740	Aphehidc.exe
2988	Aiqjao32.exe
2116	Aicfgn32.exe
2320	Aankkqfl.exe
2984	Bmelpa32.exe
348	Bhjpnj32.exe
2404	Bmjekahk.exe
568	Bdcnhk32.exe
320	Bmlbaqfh.exe
2060	Bdfjnkne.exe
1872	Beggec32.exe
1800	Biccfalm.exe
2168	Bpmkbl32.exe
1616	Cggcofkf.exe
1868	Ceickb32.exe
1468	Clclhmin.exe
2212	Ccnddg32.exe
1948	Capdpcge.exe
1700	Chjmmnnb.exe
2124	Cenmfbml.exe
2756	Coindgbi.exe

Loads dropped DLL 52 IoCs

pid	Process
2748	25fe0395d6f991bde2f0292197f74cc0N.exe
2748	25fe0395d6f991bde2f0292197f74cc0N.exe
2216	Pmqffonj.exe
2216	Pmqffonj.exe
2820	Qcjoci32.exe
2820	Qcjoci32.exe
2788	Qfkgdd32.exe
2788	Qfkgdd32.exe
2696	Ajipkb32.exe
2696	Ajipkb32.exe
2708	Abdeoe32.exe
2708	Abdeoe32.exe
2740	Aphehidc.exe
2740	Aphehidc.exe
2988	Aiqjao32.exe
2988	Aiqjao32.exe
2116	Aicfgn32.exe
2116	Aicfgn32.exe
2320	Aankkqfl.exe
2320	Aankkqfl.exe
2984	Bmelpa32.exe
2984	Bmelpa32.exe
348	Bhjpnj32.exe
348	Bhjpnj32.exe
2404	Bmjekahk.exe
2404	Bmjekahk.exe
568	Bdcnhk32.exe
568	Bdcnhk32.exe
320	Bmlbaqfh.exe
320	Bmlbaqfh.exe
2060	Bdfjnkne.exe
2060	Bdfjnkne.exe
1872	Beggec32.exe
1872	Beggec32.exe
1800	Biccfalm.exe
1800	Biccfalm.exe
2168	Bpmkbl32.exe
2168	Bpmkbl32.exe
1616	Cggcofkf.exe
1616	Cggcofkf.exe
1868	Ceickb32.exe
1868	Ceickb32.exe
1468	Clclhmin.exe
1468	Clclhmin.exe
2212	Ccnddg32.exe
2212	Ccnddg32.exe
1948	Capdpcge.exe
1948	Capdpcge.exe
1700	Chjmmnnb.exe
1700	Chjmmnnb.exe
2124	Cenmfbml.exe
2124	Cenmfbml.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abdeoe32.exe	Ajipkb32.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Aphehidc.exe	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjekahk.exe	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Capdpcge.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Qcjoci32.exe	Pmqffonj.exe
File opened for modification	C:\Windows\SysWOW64\Aiqjao32.exe	Aphehidc.exe
File created	C:\Windows\SysWOW64\Bhjpnj32.exe	Bmelpa32.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Nhjpkq32.dll	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Kdgfnh32.dll	Aphehidc.exe
File opened for modification	C:\Windows\SysWOW64\Bhjpnj32.exe	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcnhk32.exe	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Beggec32.exe	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Aicfgn32.exe	Aiqjao32.exe
File created	C:\Windows\SysWOW64\Hdjgff32.dll	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfjnkne.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Bpmkbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Bchmahjj.dll	Pmqffonj.exe
File opened for modification	C:\Windows\SysWOW64\Aphehidc.exe	Abdeoe32.exe
File opened for modification	C:\Windows\SysWOW64\Aicfgn32.exe	Aiqjao32.exe
File created	C:\Windows\SysWOW64\Bdcnhk32.exe	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Hlggmcob.dll	Beggec32.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Nilacmgb.dll	25fe0395d6f991bde2f0292197f74cc0N.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Kbmamh32.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Cggcofkf.exe	Bpmkbl32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Ipgfpp32.dll	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Bpmkbl32.exe	Biccfalm.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Biccfalm.exe	Beggec32.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Ajipkb32.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Aankkqfl.exe	Aicfgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmelpa32.exe	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Qamnbhdj.dll	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Podpaa32.dll	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdcnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Pmqffonj.exe	25fe0395d6f991bde2f0292197f74cc0N.exe
File opened for modification	C:\Windows\SysWOW64\Qcjoci32.exe	Pmqffonj.exe
File opened for modification	C:\Windows\SysWOW64\Qfkgdd32.exe	Qcjoci32.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Pmqffonj.exe	25fe0395d6f991bde2f0292197f74cc0N.exe
File opened for modification	C:\Windows\SysWOW64\Abdeoe32.exe	Ajipkb32.exe
File opened for modification	C:\Windows\SysWOW64\Aankkqfl.exe	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Bhhjdb32.dll	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Bmelpa32.exe	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Ceickb32.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Cmfjgc32.dll	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Capdpcge.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiqjao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25fe0395d6f991bde2f0292197f74cc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcjoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcnhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajipkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmqffonj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkgdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aankkqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjpnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdeoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphehidc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpmkbl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aankkqfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpkq32.dll"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnhlm32.dll"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll"	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	25fe0395d6f991bde2f0292197f74cc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdodo32.dll"	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll"	Pmqffonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaqkn32.dll"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilacmgb.dll"	25fe0395d6f991bde2f0292197f74cc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	25fe0395d6f991bde2f0292197f74cc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podpaa32.dll"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmqffonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll"	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	25fe0395d6f991bde2f0292197f74cc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccnddg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2216	2748	25fe0395d6f991bde2f0292197f74cc0N.exe	30
PID 2748 wrote to memory of 2216	2748	25fe0395d6f991bde2f0292197f74cc0N.exe	30
PID 2748 wrote to memory of 2216	2748	25fe0395d6f991bde2f0292197f74cc0N.exe	30
PID 2748 wrote to memory of 2216	2748	25fe0395d6f991bde2f0292197f74cc0N.exe	30
PID 2216 wrote to memory of 2820	2216	Pmqffonj.exe	31
PID 2216 wrote to memory of 2820	2216	Pmqffonj.exe	31
PID 2216 wrote to memory of 2820	2216	Pmqffonj.exe	31
PID 2216 wrote to memory of 2820	2216	Pmqffonj.exe	31
PID 2820 wrote to memory of 2788	2820	Qcjoci32.exe	32
PID 2820 wrote to memory of 2788	2820	Qcjoci32.exe	32
PID 2820 wrote to memory of 2788	2820	Qcjoci32.exe	32
PID 2820 wrote to memory of 2788	2820	Qcjoci32.exe	32
PID 2788 wrote to memory of 2696	2788	Qfkgdd32.exe	33
PID 2788 wrote to memory of 2696	2788	Qfkgdd32.exe	33
PID 2788 wrote to memory of 2696	2788	Qfkgdd32.exe	33
PID 2788 wrote to memory of 2696	2788	Qfkgdd32.exe	33
PID 2696 wrote to memory of 2708	2696	Ajipkb32.exe	34
PID 2696 wrote to memory of 2708	2696	Ajipkb32.exe	34
PID 2696 wrote to memory of 2708	2696	Ajipkb32.exe	34
PID 2696 wrote to memory of 2708	2696	Ajipkb32.exe	34
PID 2708 wrote to memory of 2740	2708	Abdeoe32.exe	35
PID 2708 wrote to memory of 2740	2708	Abdeoe32.exe	35
PID 2708 wrote to memory of 2740	2708	Abdeoe32.exe	35
PID 2708 wrote to memory of 2740	2708	Abdeoe32.exe	35
PID 2740 wrote to memory of 2988	2740	Aphehidc.exe	36
PID 2740 wrote to memory of 2988	2740	Aphehidc.exe	36
PID 2740 wrote to memory of 2988	2740	Aphehidc.exe	36
PID 2740 wrote to memory of 2988	2740	Aphehidc.exe	36
PID 2988 wrote to memory of 2116	2988	Aiqjao32.exe	37
PID 2988 wrote to memory of 2116	2988	Aiqjao32.exe	37
PID 2988 wrote to memory of 2116	2988	Aiqjao32.exe	37
PID 2988 wrote to memory of 2116	2988	Aiqjao32.exe	37
PID 2116 wrote to memory of 2320	2116	Aicfgn32.exe	38
PID 2116 wrote to memory of 2320	2116	Aicfgn32.exe	38
PID 2116 wrote to memory of 2320	2116	Aicfgn32.exe	38
PID 2116 wrote to memory of 2320	2116	Aicfgn32.exe	38
PID 2320 wrote to memory of 2984	2320	Aankkqfl.exe	39
PID 2320 wrote to memory of 2984	2320	Aankkqfl.exe	39
PID 2320 wrote to memory of 2984	2320	Aankkqfl.exe	39
PID 2320 wrote to memory of 2984	2320	Aankkqfl.exe	39
PID 2984 wrote to memory of 348	2984	Bmelpa32.exe	40
PID 2984 wrote to memory of 348	2984	Bmelpa32.exe	40
PID 2984 wrote to memory of 348	2984	Bmelpa32.exe	40
PID 2984 wrote to memory of 348	2984	Bmelpa32.exe	40
PID 348 wrote to memory of 2404	348	Bhjpnj32.exe	41
PID 348 wrote to memory of 2404	348	Bhjpnj32.exe	41
PID 348 wrote to memory of 2404	348	Bhjpnj32.exe	41
PID 348 wrote to memory of 2404	348	Bhjpnj32.exe	41
PID 2404 wrote to memory of 568	2404	Bmjekahk.exe	42
PID 2404 wrote to memory of 568	2404	Bmjekahk.exe	42
PID 2404 wrote to memory of 568	2404	Bmjekahk.exe	42
PID 2404 wrote to memory of 568	2404	Bmjekahk.exe	42
PID 568 wrote to memory of 320	568	Bdcnhk32.exe	43
PID 568 wrote to memory of 320	568	Bdcnhk32.exe	43
PID 568 wrote to memory of 320	568	Bdcnhk32.exe	43
PID 568 wrote to memory of 320	568	Bdcnhk32.exe	43
PID 320 wrote to memory of 2060	320	Bmlbaqfh.exe	44
PID 320 wrote to memory of 2060	320	Bmlbaqfh.exe	44
PID 320 wrote to memory of 2060	320	Bmlbaqfh.exe	44
PID 320 wrote to memory of 2060	320	Bmlbaqfh.exe	44
PID 2060 wrote to memory of 1872	2060	Bdfjnkne.exe	45
PID 2060 wrote to memory of 1872	2060	Bdfjnkne.exe	45
PID 2060 wrote to memory of 1872	2060	Bdfjnkne.exe	45
PID 2060 wrote to memory of 1872	2060	Bdfjnkne.exe	45

C:\Users\Admin\AppData\Local\Temp\25fe0395d6f991bde2f0292197f74cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\25fe0395d6f991bde2f0292197f74cc0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Pmqffonj.exe
  C:\Windows\system32\Pmqffonj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Qcjoci32.exe
    C:\Windows\system32\Qcjoci32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Qfkgdd32.exe
      C:\Windows\system32\Qfkgdd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Ajipkb32.exe
        
        C:\Windows\system32\Ajipkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Abdeoe32.exe
        
        C:\Windows\system32\Abdeoe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Aphehidc.exe
        
        C:\Windows\system32\Aphehidc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Aiqjao32.exe
        
        C:\Windows\system32\Aiqjao32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Aankkqfl.exe
        
        C:\Windows\system32\Aankkqfl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bhjpnj32.exe
        
        C:\Windows\system32\Bhjpnj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Bmjekahk.exe
        
        C:\Windows\system32\Bmjekahk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Bdcnhk32.exe
        
        C:\Windows\system32\Bdcnhk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bpmkbl32.exe
        
        C:\Windows\system32\Bpmkbl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiqjao32.exe

Filesize
337KB

MD5
779a9f53d7d6d9a9e14ce83c456b4089

SHA1
8bf111009bc97a7b7a0e52d76c704349e46f6815

SHA256
f992832a71da2829f109a205d08fbd21217722e8e7cbc69348c4684bc344321b

SHA512
d3867708fdae0f22081a59c93e50d888c5976d710cad9e9611287fc9dce4140392a00a50eb841c240d5d816f9fac01edaf502c98f075b0f918a30bdd7a12c32f

Download Submit
C:\Windows\SysWOW64\Bdfjnkne.exe

Filesize
337KB

MD5
fa9b7aada053aa56d9e657ba4f7db4e1

SHA1
a31aec55334c7519fea0b5da11a933499ad20b5b

SHA256
fd48273e9b775dc0b84848a54657827807d4af7037e7796da97bf203e10ec76a

SHA512
dd942d6797f5e17b45489107c929d790f6ffba38ffa18f8bacd2006f6d9a5cbd5b344887a91dac1b5a3f051d1632ce78656c4b6ddd87973279f2a1c2e9446e7d

Download Submit
C:\Windows\SysWOW64\Bhjpnj32.exe

Filesize
337KB

MD5
d896237c59e7d4f2275e71ad716575f4

SHA1
ec187dd68b4efcf6f73541857fa3fe1520531446

SHA256
6e6c286fc88d03ff2d895eeb52a63b217ae546cc4608b905ae00d43d4117cb4b

SHA512
01d7477211458e2dc2da8b1fadb2dd7d11e0fd73e73c8b67b5a2ab997ec07d39c6e7ae16c2e159fce4e14b787b75685248598bb6d485719ece7113d29088e0fa

Download Submit
C:\Windows\SysWOW64\Biccfalm.exe

Filesize
337KB

MD5
7a423b5652cface98821eb348e3bae76

SHA1
7b7ce05f4c262619ca6be8d3b9c7b468d9d93a38

SHA256
0f2b4e43c8c91497420e8f55ddf49f575c6d492718624d687e632f6d10cb3aba

SHA512
1aca2b431fac5593eb0891f37053a199361ca767dde078e531439544b46f9d015aae04c3e93dfc516134c6a670af7a515a8b2c21707e88dc38d9be489483caf9

Download Submit
C:\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
337KB

MD5
eccee192ec6285ab6e331b6afffa69df

SHA1
49736848a07681ca072ad953cee2d092f9a5eddc

SHA256
d491061cb681252d3a249337a75aa7db24e6da3f20d4b41c2a2a5fafabb1045e

SHA512
07e3be43b00dbb07131cf164d92bb91551aeffa0917547a49edf2af91e8b6ce2fb416f9e6f3641a229e9d0643f218ad0f9efe2e3eb2288e844f137ad1a73fa0b

Download Submit
C:\Windows\SysWOW64\Bpmkbl32.exe

Filesize
337KB

MD5
bd2aea57888e63e1b84e6b7c2c7be0a4

SHA1
93ccc64379cabcffc212a61fb9b40be095822bdf

SHA256
9c13a6345d101181c09355cc710f38580fcd1036571a48bc107d529ae02c6b59

SHA512
5214d50afd1c0c34cd34ff0cf114c4b26ac36533aed2c50b14a4d6a81a679cc968ebf32c71537e935cdfb08e955e60cc672d16cc4ba05ccd607a263dda4f9c9e

Download Submit
C:\Windows\SysWOW64\Capdpcge.exe

Filesize
337KB

MD5
6b68bd18a388a38f24c679e2b7e561d3

SHA1
5ba5908666cb8eb5fd9d420c6d4f95f43d7ae48e

SHA256
9fd30a6a517f99e630678b3dea5fbc399a65f99087839b17143ef514f2978ea3

SHA512
183812914d95ded92c2f2b57e19786348e2b755d7adb616f6076251c3ff0af645660da10abac80afb28c088039c2cf67eb07590a1ee584cfb1840dc4ef755042

Download Submit
C:\Windows\SysWOW64\Ccnddg32.exe

Filesize
337KB

MD5
4b3b687568c11cae3f04d465c3093090

SHA1
5d35d4b325514ec42e66502d5c70bfbe31642dde

SHA256
f9bfb1324ccd8ed0966bb19865971e87c3455aeba325b58b4e6aad02aeabfdb6

SHA512
32b5f1f0df3d7a6cb81f950c991e7fba8fcfb0e709ae746bd52dcf66b02d1fdccf452bc3d58342ae40797eb0ac9b1d6455ca4938ddfb5bf3641e24a818abc9b5

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
337KB

MD5
8ad12b805d7e253f6248e7ce0d853b9d

SHA1
5d98a536af7003e0efc4279767f0858ce1295d4a

SHA256
48d0791c7b6a7a240ac41ec7cc46eea62cf3686918a7a376204bb381362af74a

SHA512
a0ecdffd85fc1bbd83a91e5552d186b525d7948fc20673804a262414aeb12ab58e4be2e27bbd3459701be34ce94b88cf68d86e6a5915f2c76d9282d6de81629e

Download Submit
C:\Windows\SysWOW64\Cenmfbml.exe

Filesize
337KB

MD5
d412587f894192f5aa662183ed67a0fd

SHA1
6110cbc4b842e4ac6b68911c0ea0773c37d7d4ee

SHA256
ca2cfc537e06dcc0575735ac38309029daf2e9e5da2b8dba51ea6aa1a0d1c482

SHA512
1449e98a50706c616f90edf9b67f0dc805d18aecef9dc4bd6e0af266f35111c3e5b75f912b3e825eca2b8e75ad83b48d146e36f794f753907c46d2ef07db7571

Download Submit
C:\Windows\SysWOW64\Cggcofkf.exe

Filesize
337KB

MD5
782c1eb55c9ff236c04593623369388f

SHA1
1d016b148e413034e4d89cc3c1d6640a1a070870

SHA256
183c8077a7f8f1a7eb953165a3d0328d1edb567f536738f07faca0d471adfdff

SHA512
1926c0666f3f063e2a6191ba0d7772932d00551a798d72ce2e3941afe290eb0e9a9de73d6401e21acb87943dc7f87e2cf4db4952c1ab03f6f0e87c2c3aada739

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
337KB

MD5
7f427680806aaee036f00909652f1beb

SHA1
58254f7479ab44fb3364af1672b3f1fe7e369a79

SHA256
525ad93e3142ed4a117e42ddf43b53d30ba0a1019b38c7cedd90986118b17f07

SHA512
4658bdce767d68d19845902928b79ad9d0707413856b8ec7187c9de2f599f866ba2a1787fdd4958782875f8beb43f9bd533683f79521800a6ac52b3f92463fb4

Download Submit
C:\Windows\SysWOW64\Clclhmin.exe

Filesize
337KB

MD5
875f37a8362018e7d332f49c7d8efec6

SHA1
5156b09bb04e329c993b55aa14149f88e41bd2d1

SHA256
2a7a46147f87efcd9a0366751c87983b8c4f0e942bdd231f9dc4d91f99020d10

SHA512
fa8ffe96a162a49656da17b3f9502d92628239efe74617f17bc17ec04f216cc6faf74ec06c9a90a6f6278ee4820b178bfb06a6271e69fd400364faa115fd56e5

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
337KB

MD5
6a145adc5a234819436ef8753ec29b42

SHA1
f84d7fe6dd5ff290b292e4bd798e0e28d9551272

SHA256
98371c8358acc0f4a8a2cb0287a875d23b718f06f49a8d1c6c005602be098869

SHA512
ae39ce15d29a5436f2aad602731ee3540475443a9f35701b0c44b18e1a478fff6ea984344f758736dbb262476cda93acc919cdfc479d0d1f5b939c728db0747c

Download Submit
C:\Windows\SysWOW64\Qcjoci32.exe

Filesize
337KB

MD5
42716598d66bcaa2fc5c8aa3c66aa8be

SHA1
31a823641dde5e916b28681f73f0eec52a6e8b07

SHA256
5f85d5cd5b61ab5937e85efc9a4dbe369e2b344331fe9c51857b96693cb8ef47

SHA512
d06495b2adfa336f01ced4d3638d1a1b34a22858906fc6c066c331edaa0a71ca2e35b12f7db31678c3474fa76b1f1dd7ca04412b0c5acc9340377b5fbab1fbe7

Download Submit
\Windows\SysWOW64\Aankkqfl.exe

Filesize
337KB

MD5
c76bf04105400afe593f6975235cc4e8

SHA1
cee9fd61116ea6932d81e5a605866c3dd3c3a2f0

SHA256
2f1ccdd0b3b4d409e98aee42e8061400a2ec564dfb21ade83d857bff585084b0

SHA512
e94a0e196385b43ce9e2e90b8f2711be0248ba8640266f13c15138a55d626646dc87582b2806343c7ffbbc4508ddf8ab86e7a0f4df4a5802e99773df38efd505

Download Submit
\Windows\SysWOW64\Abdeoe32.exe

Filesize
337KB

MD5
5bc6fa5ec3c96c656a56f03303f8ed12

SHA1
355c2751eef99828c659aebde011e495091372f8

SHA256
1291bce3981cd0b59156e35e0426b08b54102c343039698382bce9082bb2ca17

SHA512
a30db7276a3d23b790bb6bfd0cd6f7abc6c63cae404003cd696ad0c21d3bd045b747fed72a3a3e7142af185a95c3ab87483aa384592dfa6ef633df0d7e161945

Download Submit
\Windows\SysWOW64\Aicfgn32.exe

Filesize
337KB

MD5
3fa4fe05ae66554407d04741b53659cd

SHA1
29dfe19772f278c12a71b33c999a024d55115673

SHA256
058d31fe3d54abd711254f7d42ead87a5294339e698382a8395588774efceabe

SHA512
f06daeb9ea032a33b74a886bf34d355cc1c7d542662770e7ce33e68a92eec10a0cf6279bead76de406dcff5e85063460d40d15341e7b2dad96fbf3c320109739

Download Submit
\Windows\SysWOW64\Ajipkb32.exe

Filesize
337KB

MD5
6ce4e0a021a2723a51ff362372fbf843

SHA1
940ea1f809b85137aafe516db9f44cc894497be5

SHA256
df18fbcaebf50354a30786d3ff9a1d0bb9a16296069488e0481ba6887e8c2695

SHA512
1bf268f49c339d8e2a915e97d4a0f0919d99d32ec8497bfb8dfdc4fd54fb9cd14e8a2baadbde99a713c17bc190725abaeee98433ff776eae7f57c4a9414120ad

Download Submit
\Windows\SysWOW64\Aphehidc.exe

Filesize
337KB

MD5
dc9f15609fdd9db1b671f0e893ad6c3f

SHA1
a582735e1b0ab55660fb51f7f9d8be6a78128d8a

SHA256
b07b2ee54a899a409a8aa400a0dce8cba099f60cbdfab5b075b6e986281c8099

SHA512
9443cd3903b92ea4b9ff8c64e53c661bc4349bc2246d7e59de4272f7c19cf4bc339e465d6af1b3bf03cdd3e73bd6ec49d493d74f1eeac5ad072be46637564c53

Download Submit
\Windows\SysWOW64\Bdcnhk32.exe

Filesize
337KB

MD5
3fed8b1ab358a7d6b606f670276ff9c1

SHA1
08733ae11916370fe150d55cde629f5c49c6d668

SHA256
637e7568a0cf78d4626edfc49c1810ac23313a24e3cc21c5709bb4dc96c05c97

SHA512
be3b80bd5694e055f526c639403fcd294ba98be78cf4bf6f090afbe2932c71938607b4cd3122ceccc44a1e2e17f07a0a8f872e46086a53f1423170d607848bde

Download Submit
\Windows\SysWOW64\Beggec32.exe

Filesize
337KB

MD5
122323cd3ab1c8b53243e460f91092e6

SHA1
7780d47580d339307f11b1a71434655951c803c3

SHA256
5e85b85603db898661d52b5ccd63eb16bb49fdad4f6dfabc1c19cb8762edd31a

SHA512
f495738e042a88efc5091854c1c5b8d9d52a433022ca8a47f4d3cf139f6a8600fb712017dca38bb009419b17d5caa84bf0322d8184ad8b173ee8426bbbe43e49

Download Submit
\Windows\SysWOW64\Bmelpa32.exe

Filesize
337KB

MD5
cc1de6304e75b4560395d57219d305b6

SHA1
caea4277e83536aeaca879585e43b21d6a7f7ac2

SHA256
dc9930d2d92ff2adbb3451667080ea559be51440e6efe9f3cf921cfa68be37d5

SHA512
3830b0805c628148600e7e30666e97a54112ce8aff87ae01fe584d4b5710bcf5564f1f737e0cc194282135ac86f84e5d0bc94c79e9da60f33ec29cb4b136e02b

Download Submit
\Windows\SysWOW64\Bmjekahk.exe

Filesize
337KB

MD5
6ba07db614f9321ad4e3a87f19940533

SHA1
b5b8d42d7266252f9bcaa4d8d25a66f1db1b0ca0

SHA256
58c4eac3d3d54b7f5f1e1297749ad174bcc44ba097d7336a74e84ac71c5600f3

SHA512
4ff833216dacd96039c80809365c145e5acdaa415834e5fdaf0c89a7b0d77e1bb211b60b10a2ac421a2d8abb2d572fc48af7d47e270db705d07feef93e835d66

Download Submit
\Windows\SysWOW64\Pmqffonj.exe

Filesize
337KB

MD5
1665969f46cd5047ebb1821a827b3835

SHA1
1a8a9941d8dfbffaa294d478e35f69ea360fa5a6

SHA256
5afafd31a0cde64cde3ebf10ebed5f33353a4b2a78e6ba5341d09c367ba35dc0

SHA512
880fdb6a4d6a272f3f0a5f567aa91148d42d567caabfd9b21e3242af1119da11d9f353240236408a691eee0901841988e8c54aa1bc66e897246b61231d2e4c46

Download Submit
\Windows\SysWOW64\Qfkgdd32.exe

Filesize
337KB

MD5
e777f354a932958f28e8c1c53660fd4b

SHA1
d44d4fc15dc2003f9b0498a9d2c78c59a41c3bdf

SHA256
6b985729f0fd192bae1bdddd0508ed8fbb8417a5b8dcbd21798fa41a099f44a2

SHA512
f056b9d5e7d3c89bde5865aaf1f0cc4d70ac21b62d245d29d93339ad80b81dcab398965a05a1e4eedc4a9341ef69369e222fe4762447488a4aa68cba1f400734

Download Submit
memory/320-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-285-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1616-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-306-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1700-305-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1800-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-297-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1948-298-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1948-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-122-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2124-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-287-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2212-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-137-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2404-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-271-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-67-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2696-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-75-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2708-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-81-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2740-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-96-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2748-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-11-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2756-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-48-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2820-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-38-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-151-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2984-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-105-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads