berbew | d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Size

337KB
MD5

aa337d85ddd2339febb600d0782631f0
SHA1

10b1750d4438f39731b06b146ab5c63b584b2bdb
SHA256

d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56
SHA512

bdd56130e1be4895230e7943733526754aa131add66745afbadad5e6fb3af5d0144947c41d042dc7704b7caefba60295c4693d03795db7d99cff64802b64ead7
SSDEEP

3072:/7z4VO4qzvOHf1FXAgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:/7cVO4qjOHf1FXA1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 24 IoCs

pid	Process
3016	Abmgjo32.exe
2316	Aficjnpm.exe
2692	Agjobffl.exe
2704	Aoagccfn.exe
2668	Bdqlajbb.exe
2348	Bjmeiq32.exe
2608	Bceibfgj.exe
2992	Bjpaop32.exe
1712	Bchfhfeh.exe
1064	Bcjcme32.exe
2076	Bjdkjpkb.exe
2280	Cbppnbhm.exe
1800	Cocphf32.exe
2736	Cnfqccna.exe
2104	Cnimiblo.exe
2212	Cinafkkd.exe
1008	Cjonncab.exe
1280	Caifjn32.exe
1852	Cgcnghpl.exe
2332	Cnmfdb32.exe
372	Cegoqlof.exe
2256	Djdgic32.exe
1560	Danpemej.exe
3040	Dpapaj32.exe

Loads dropped DLL 51 IoCs

pid	Process
3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
3016	Abmgjo32.exe
3016	Abmgjo32.exe
2316	Aficjnpm.exe
2316	Aficjnpm.exe
2692	Agjobffl.exe
2692	Agjobffl.exe
2704	Aoagccfn.exe
2704	Aoagccfn.exe
2668	Bdqlajbb.exe
2668	Bdqlajbb.exe
2348	Bjmeiq32.exe
2348	Bjmeiq32.exe
2608	Bceibfgj.exe
2608	Bceibfgj.exe
2992	Bjpaop32.exe
2992	Bjpaop32.exe
1712	Bchfhfeh.exe
1712	Bchfhfeh.exe
1064	Bcjcme32.exe
1064	Bcjcme32.exe
2076	Bjdkjpkb.exe
2076	Bjdkjpkb.exe
2280	Cbppnbhm.exe
2280	Cbppnbhm.exe
1800	Cocphf32.exe
1800	Cocphf32.exe
2736	Cnfqccna.exe
2736	Cnfqccna.exe
2104	Cnimiblo.exe
2104	Cnimiblo.exe
2212	Cinafkkd.exe
2212	Cinafkkd.exe
1008	Cjonncab.exe
1008	Cjonncab.exe
1280	Caifjn32.exe
1280	Caifjn32.exe
1852	Cgcnghpl.exe
1852	Cgcnghpl.exe
2332	Cnmfdb32.exe
2332	Cnmfdb32.exe
372	Cegoqlof.exe
372	Cegoqlof.exe
2256	Djdgic32.exe
2256	Djdgic32.exe
1560	Danpemej.exe
1560	Danpemej.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	3040	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3016	3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe	31
PID 3020 wrote to memory of 3016	3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe	31
PID 3020 wrote to memory of 3016	3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe	31
PID 3020 wrote to memory of 3016	3020	d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe	31
PID 3016 wrote to memory of 2316	3016	Abmgjo32.exe	32
PID 3016 wrote to memory of 2316	3016	Abmgjo32.exe	32
PID 3016 wrote to memory of 2316	3016	Abmgjo32.exe	32
PID 3016 wrote to memory of 2316	3016	Abmgjo32.exe	32
PID 2316 wrote to memory of 2692	2316	Aficjnpm.exe	33
PID 2316 wrote to memory of 2692	2316	Aficjnpm.exe	33
PID 2316 wrote to memory of 2692	2316	Aficjnpm.exe	33
PID 2316 wrote to memory of 2692	2316	Aficjnpm.exe	33
PID 2692 wrote to memory of 2704	2692	Agjobffl.exe	34
PID 2692 wrote to memory of 2704	2692	Agjobffl.exe	34
PID 2692 wrote to memory of 2704	2692	Agjobffl.exe	34
PID 2692 wrote to memory of 2704	2692	Agjobffl.exe	34
PID 2704 wrote to memory of 2668	2704	Aoagccfn.exe	35
PID 2704 wrote to memory of 2668	2704	Aoagccfn.exe	35
PID 2704 wrote to memory of 2668	2704	Aoagccfn.exe	35
PID 2704 wrote to memory of 2668	2704	Aoagccfn.exe	35
PID 2668 wrote to memory of 2348	2668	Bdqlajbb.exe	36
PID 2668 wrote to memory of 2348	2668	Bdqlajbb.exe	36
PID 2668 wrote to memory of 2348	2668	Bdqlajbb.exe	36
PID 2668 wrote to memory of 2348	2668	Bdqlajbb.exe	36
PID 2348 wrote to memory of 2608	2348	Bjmeiq32.exe	37
PID 2348 wrote to memory of 2608	2348	Bjmeiq32.exe	37
PID 2348 wrote to memory of 2608	2348	Bjmeiq32.exe	37
PID 2348 wrote to memory of 2608	2348	Bjmeiq32.exe	37
PID 2608 wrote to memory of 2992	2608	Bceibfgj.exe	38
PID 2608 wrote to memory of 2992	2608	Bceibfgj.exe	38
PID 2608 wrote to memory of 2992	2608	Bceibfgj.exe	38
PID 2608 wrote to memory of 2992	2608	Bceibfgj.exe	38
PID 2992 wrote to memory of 1712	2992	Bjpaop32.exe	39
PID 2992 wrote to memory of 1712	2992	Bjpaop32.exe	39
PID 2992 wrote to memory of 1712	2992	Bjpaop32.exe	39
PID 2992 wrote to memory of 1712	2992	Bjpaop32.exe	39
PID 1712 wrote to memory of 1064	1712	Bchfhfeh.exe	40
PID 1712 wrote to memory of 1064	1712	Bchfhfeh.exe	40
PID 1712 wrote to memory of 1064	1712	Bchfhfeh.exe	40
PID 1712 wrote to memory of 1064	1712	Bchfhfeh.exe	40
PID 1064 wrote to memory of 2076	1064	Bcjcme32.exe	41
PID 1064 wrote to memory of 2076	1064	Bcjcme32.exe	41
PID 1064 wrote to memory of 2076	1064	Bcjcme32.exe	41
PID 1064 wrote to memory of 2076	1064	Bcjcme32.exe	41
PID 2076 wrote to memory of 2280	2076	Bjdkjpkb.exe	42
PID 2076 wrote to memory of 2280	2076	Bjdkjpkb.exe	42
PID 2076 wrote to memory of 2280	2076	Bjdkjpkb.exe	42
PID 2076 wrote to memory of 2280	2076	Bjdkjpkb.exe	42
PID 2280 wrote to memory of 1800	2280	Cbppnbhm.exe	43
PID 2280 wrote to memory of 1800	2280	Cbppnbhm.exe	43
PID 2280 wrote to memory of 1800	2280	Cbppnbhm.exe	43
PID 2280 wrote to memory of 1800	2280	Cbppnbhm.exe	43
PID 1800 wrote to memory of 2736	1800	Cocphf32.exe	44
PID 1800 wrote to memory of 2736	1800	Cocphf32.exe	44
PID 1800 wrote to memory of 2736	1800	Cocphf32.exe	44
PID 1800 wrote to memory of 2736	1800	Cocphf32.exe	44
PID 2736 wrote to memory of 2104	2736	Cnfqccna.exe	45
PID 2736 wrote to memory of 2104	2736	Cnfqccna.exe	45
PID 2736 wrote to memory of 2104	2736	Cnfqccna.exe	45
PID 2736 wrote to memory of 2104	2736	Cnfqccna.exe	45
PID 2104 wrote to memory of 2212	2104	Cnimiblo.exe	46
PID 2104 wrote to memory of 2212	2104	Cnimiblo.exe	46
PID 2104 wrote to memory of 2212	2104	Cnimiblo.exe	46
PID 2104 wrote to memory of 2212	2104	Cnimiblo.exe	46

C:\Users\Admin\AppData\Local\Temp\d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe
"C:\Users\Admin\AppData\Local\Temp\d836d55d25bdaf25ebb1af85cd9bb8e5c1d03df7f1581ae8b6d602808bdd9c56N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\Abmgjo32.exe
  C:\Windows\system32\Abmgjo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\Aficjnpm.exe
    C:\Windows\system32\Aficjnpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Agjobffl.exe
      C:\Windows\system32\Agjobffl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 144
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
337KB

MD5
1ed38e4663cdb758f5949b9f4be131d4

SHA1
4aa44dcedd77afe14e7071a7fe12e032abc6269e

SHA256
3691ce72599b7b71c7ecb81f9069430544548ae2b9025577bef0675d13f3006b

SHA512
689c2c4528fe94ddb9e06bd708c6abd08ac17b75b0d5b9ce7269f20a9f334b19effc2b585acf2b6752069cee097da1f5a01888e9c32c5e8ccb098b73ba2c2a78

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
337KB

MD5
7357208fd0ea5d2e85d32ca647915899

SHA1
8c81fddab403e9db6c10fc54e248f0ede21ab570

SHA256
1c69decd621a288d80a1f837d82b4c5094051acff39c45473a78989decd67fc6

SHA512
6e62053be54c281aacf70e913719a9938866489c915baace5ceaa8097130898a328030447a0a9b1000475d6122b6bf69384834cf550a401b01582d8d29faa473

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
337KB

MD5
afedcc468336accf5488fca2fd817b16

SHA1
7dd2749afaf8272ce5f2602c2042cd80922c870e

SHA256
572ec45d6dfdd7fa9977097d6b5738ad64231c5e0c3beb41a7f2151877937fcc

SHA512
51dc37096bf06a81b8880a6886dc54469513627976b55861a24364c55c00c93b26507db945b5dee2d6dcb9156ece2ee36e4d36714bc5f8c65edacb7ac9b64db7

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
337KB

MD5
a59a125541f69970b6b8d1511e78ad71

SHA1
1546bca38555c9d3280e3577bb629d6db8b39d81

SHA256
7931a5c41df827a540eedf2c1b55a52a1df5019ec77794c93422adcdfa5bccca

SHA512
0f814393ef4ed9ed8c31dd55f3eeab3549b34b6ee2d64425a37aec122c7a0a97b790e313821f23f9b9c833c57379af97cec4b1be648aa38d25d82a50c7cfb300

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
337KB

MD5
4249fada616c6d0b1c4d413e911d1611

SHA1
e2774975abda86382b1db9acbf4dbd8afa521a3f

SHA256
0ff03648a02245cb9108b57c8f642e2987b4abef5f908bdb745d90f6c4f10544

SHA512
640278c6b4e0e6ab924b795c6d11cf38108d035f198ab0cd8163c333cc7c4b7f2dd6c37787baeee62d1d10761842050b4bd93957d372847437599925c42fdfd4

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
337KB

MD5
d2505c2b020347c9b3d6859199bb37fa

SHA1
b1255bde809c772684f1cddf0c7c683b056f61a4

SHA256
c1f005a5567aebbcb2cec7d594d1da9424adc5626058ebf381f47e2a29814272

SHA512
78df44dffc232752ad3e4f4c47dd5a12eb41e1fcda21215c81c5f9b0c5d0615f9fed0e808dd9ed8d1c6d6cfc15f1f1232536b7a1b78141bca901d527fd05514f

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
337KB

MD5
764b4760e32cd69cbbae2464d7bdb796

SHA1
268368fd8bf3bcf2395ffd64edecf9670532b1f1

SHA256
f28ea8abd1b0e885d3cb0a3929c4639ea896a286b6fa669f35cb8c35d7838b30

SHA512
f233de5366bd05c53044551e726e5de774a7a182c878842d1b2b36b15bef91bc49764b7525d8b362a8414c690fe7d1de48e8644c4eefb6d914006b72c18ae98a

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
337KB

MD5
6d3c2b90816cc35cfd833fe702bb2ce4

SHA1
e7ae080852e132e7d90e920bf04940dba452960e

SHA256
992439dc7e9b344a763cde0098e98cec81b3f80dc902dabd234743876504538d

SHA512
1aff243b98ca7aa961d4e9060eb0a83514d4dfce000999a2791f70a0835e382659649a505aa27cf1fb839f2d0ac7c6eb09aa098e8df9bd4a0bfb6f1d75b1d1b4

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
337KB

MD5
3a8aa33b685862f4f3ae74b3a808c43e

SHA1
dc739216a2a61d2fda33c2f18ec60d918cbf2290

SHA256
b32d5dd1cfc3ff4a6599c5380d41a136d7e9d9f0aec508cdd078264ba8b3f140

SHA512
a7b2b31ce734fd92563c3f9888ef4a3fe5c8f57f5ff797dbe23870348c447a12569e3b6c9cc25b718c0a6ecc7435da3acd57b1575d683bb84221fe3db166fee2

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
337KB

MD5
507b70564a4b30c6d2b6b1558e9e5371

SHA1
eeaacb1a0287b32654b8e55e90f4b89bf20c7d87

SHA256
9d2a64cb9167983b1605b42295d61401374abd201deb07e8cede8ae47ea6dc08

SHA512
2e730f8360a631ce16eedb9d5ee64a72319e8601e96239e9f68b51e9f10539a48a83bdbe2319b9120eae43802e86d3fa5f7611d247d5a86efa0863a7a4d64ff9

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
337KB

MD5
1700099df83a9f450cc9d56795706ede

SHA1
3969ca81f6445a8110d60b72da1b962a4a2a2b6d

SHA256
7d6cefa153974e5b9bdbf231f4d3d829b0008f471afbeeb22c50627dd8699726

SHA512
5f697acfd8ebea849de7de2fe995c027ac5ef76df87fdbdd10cf563e551ae1b512408ecf858a3720ad1a766de1a5cf27924bcbef3a2650bb35accf33d11655d6

Download Submit
\Windows\SysWOW64\Aoagccfn.exe

Filesize
337KB

MD5
ee26180aec164572d45b2986c4687189

SHA1
d93283ec66e9fe2e120e88c57cc6984fd6135325

SHA256
c770147b8dda5488bdeb18c4a628227d864422cfa81d19116e9575687437b6ab

SHA512
51d68b9e46904c87549c66c4d2d25594d4335c27d967b92fbdc531216dc922a24b25fd5b14c3a384fc16f132bf97cdc15098f94f55da29b0cd42f372eda39505

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
337KB

MD5
ac0eb30a5bab74dde8d99f698195d253

SHA1
743c682d7e8807ec0366de3225e952598e7a2a00

SHA256
11b1689f8f7aa7dd9d6ad6e1e167dbe94ff7479b2dcc74b8d14411b22b15be16

SHA512
cbd6a761ef67efb7362f203c3f94eaaf85ed13ff45af52c287824843b1ddaa7ce0b23185a81c991361d316bf54cef48dccfbf72d41cf8ca8f835d3fc12557215

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
337KB

MD5
b7a70925c225816eef7a347f00471e06

SHA1
1a4f892ab2be426b8c438828004ea46ad1ea7ab8

SHA256
25011313f45aa92addd59a123925cc7626e233355b2cf40fe446195885bf56a7

SHA512
382532da0c7e8e5d0e17b02d1fe2d1c1b061932452fe2bc0119735a783c02fd6aaad2158b2ea01d157c8f7db0d3b4e3d992246e5348df4131e9c71ea033fdec3

Download Submit
\Windows\SysWOW64\Bcjcme32.exe

Filesize
337KB

MD5
434269874420997d1d9d15916eb36176

SHA1
655a8895a6933926f38daf5ff321c2f5d16bfc69

SHA256
fdd2db8524255439a26e9f29d57cc34d0ac734659ac372f28cc34a02d741927a

SHA512
182f19ef9d688d667f382f2979ff10cb88995a14a7ab2ccfcd6d3df8d12404138572b080e18830e600436e8e2c86790ac885cb7c7765bfe9eca40fbe0eba19ed

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
337KB

MD5
034f72f6a7403608e82c8ac8296e2a0b

SHA1
3339bfdc833dd5d50303e1c042343627f1d0f404

SHA256
e0b791261033a36a3b2dbae869e16f1d1b1fe5fa613bc2f178d193f19477f745

SHA512
89d26d12c6d372c4cd0bcf89a6e927f8b2f537b8d788e1b7cf2f8d82915dccc577f422c747c4dfc0a1c6a073992930d0297847c392bf3eb5fde9609db74bfed0

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
337KB

MD5
4f8a04ef5b8434edecc69659c6d239e8

SHA1
c0c939cf05ba9926d295bc8a2ace009615bc3940

SHA256
87114fb266206cd1fc2281336b3529b40bf5b421327a02d9fed8520ae560dbe5

SHA512
5360e6d69f54813bd50a8df0015549df9ca710319e7550300e447472b57a6d896b8e0839ec2b5951b626fda0043fff4be842a7d79d6e7eb466e4c8c5daadd0ef

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
337KB

MD5
f1adc1171626b77d8ae846cdf6ae3e7f

SHA1
e3d12dc93fd1ed7f7c3c69eebe26ea58486dd507

SHA256
ee36c86f15ea97c258f4d3a4b36be1ec4d26c334b5c3bb14815d5bafd517080e

SHA512
ab79424f67bd70ad7d7ccc7df2205e7eb7c5994d44cd2c96779183db9cdc3eee8d4197cf0e3c0f7bbb264eab17153787e242401b996a7143af3fc22c6bb1a345

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
337KB

MD5
74f14a2654b6cb97c7f878721eb84915

SHA1
c1ff89ea93a042cae988f03ac3f2ac62f8492fed

SHA256
bcce5e02ac0a4c614e8ee6832fbbd0feab6a6973f5c5a841ec023d380cd0fcb0

SHA512
6e0bad211b033de518014d2a8f1c7fef1b234d6737328367a74eb8156379d05401b35ada68c05cf9e626e9e720a1f7351355190614daab9da2f13287d0372897

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
337KB

MD5
618d70bf36aa3ef7974dde1f38035ee5

SHA1
f8a43b0cd227fc79ce7852149b27d7854a530d4a

SHA256
2c7d218c08b05e9601f2c182f7f8166527bb6d594f80385f55c39a5626f8f017

SHA512
2cd93c74fa4f6223c2a7578cd60c44a5e7b9e9973d7f6266bb3bed47178cf96c2976cc3f532e2349b479cf0fbac101f3cf29402e0c7d67a2a8cd804d8bb6a702

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
337KB

MD5
09e816875c0cae84e8d9ac0623934f3f

SHA1
e526c61f5962ae2c577bd09e0491345bc4336882

SHA256
25752f89a84df05d356d00c242dd1003c20f54b5be16bf1ac25d447f8702362e

SHA512
1860c2a3d925cfe5ecc951d4d6f67aa1f1516373482a7471dc55503b147d6e0102bf372a4980e03546a41d227a7b7033b2386271ee6f77c07d99def0463dcb58

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
337KB

MD5
a94a7b88237dc7e44e1da47f3e52e0d8

SHA1
27b7e6186696727e091ce4d8a6620fbd341ffa0b

SHA256
5454c9a2ada4e2608b82be312a93a95cbf98b774e1425ba7326ad23e9881dec4

SHA512
1ef75c7aed41d08ce9b11be20336011ff3d52f77b353b19d5751d0af9da7f008105a7a8cd0612a741fd6b62d27052ce74b5e6c84d707fdcf7000c87c543006bb

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
337KB

MD5
e6f59df2d7ae658cb0b93841f2e006a2

SHA1
450e4ee894e602e73e381f26cc43c188e9eb35ec

SHA256
e3ea8c3784044364c407e510cb0d18085709429e95afa1305ad2e9c43f7e572d

SHA512
efb96a4ff0e61ba376172b7b34e6547b19253646f1d913ccd1446ea639c091fb00e0c9d2548d55275eb6de96a265fc8475acc8ae36029cfa2a38053899b51d57

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
337KB

MD5
832aea72225037bc4f50bbf6b82ceea4

SHA1
410e3dc32e4d3df11222b9e18aa5792e6e732e73

SHA256
881435aefd961d771e924f6af7b5a461002bab02d617a1e03249ab2d6fabd9e0

SHA512
2d560e28941a924869deb8fc685d74944f6e0890d9db53a49d8462f93409e916dc5b9f3a1d8db8c339335ddd85ed6cf74b4a764df32fd9c551061aaecbd9a3fc

Download Submit
memory/372-276-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/372-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-238-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1064-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-298-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1560-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-292-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1560-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-128-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1800-189-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1800-188-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1800-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-254-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1852-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-157-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2076-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-231-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-212-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-175-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2316-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-264-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2332-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-102-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-80-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2692-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-48-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2692-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-67-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2704-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3020-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3020-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3040-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads