berbew | f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fc

Analysis

max time kernel
83s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Size

77KB
MD5

54b4c3a3141e09c22d94af07f1a089b0
SHA1

6c5848e1d34e401e5f0fd063a5ba47779c810db8
SHA256

f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fc
SHA512

bf7937e6dd2219b388f6c2011dc1342b824b2adfe21cb411ea8a355f573e1be42673e5a1b1853edf0e24b506af0963c63071a9de63b69cb19b0549c7acc9dee4
SSDEEP

1536:2gsYOmp0JMmIbLSjj6mDniX12LtWwfi+TjRC/D:2ej4hniWYwf1TjYD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 25 IoCs

pid	Process
2720	Pihgic32.exe
2940	Pndpajgd.exe
2648	Qkhpkoen.exe
2716	Qeaedd32.exe
380	Qjnmlk32.exe
940	Aecaidjl.exe
2284	Aajbne32.exe
1288	Agdjkogm.exe
756	Amqccfed.exe
1716	Agfgqo32.exe
2796	Amcpie32.exe
1912	Abphal32.exe
2972	Alhmjbhj.exe
2120	Afnagk32.exe
2004	Bpfeppop.exe
2036	Bnielm32.exe
828	Bphbeplm.exe
2372	Bajomhbl.exe
1696	Blobjaba.exe
1636	Behgcf32.exe
2260	Bjdplm32.exe
1904	Baohhgnf.exe
1732	Bkglameg.exe
2836	Baadng32.exe
2840	Cacacg32.exe

Loads dropped DLL 54 IoCs

pid	Process
2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
2720	Pihgic32.exe
2720	Pihgic32.exe
2940	Pndpajgd.exe
2940	Pndpajgd.exe
2648	Qkhpkoen.exe
2648	Qkhpkoen.exe
2716	Qeaedd32.exe
2716	Qeaedd32.exe
380	Qjnmlk32.exe
380	Qjnmlk32.exe
940	Aecaidjl.exe
940	Aecaidjl.exe
2284	Aajbne32.exe
2284	Aajbne32.exe
1288	Agdjkogm.exe
1288	Agdjkogm.exe
756	Amqccfed.exe
756	Amqccfed.exe
1716	Agfgqo32.exe
1716	Agfgqo32.exe
2796	Amcpie32.exe
2796	Amcpie32.exe
1912	Abphal32.exe
1912	Abphal32.exe
2972	Alhmjbhj.exe
2972	Alhmjbhj.exe
2120	Afnagk32.exe
2120	Afnagk32.exe
2004	Bpfeppop.exe
2004	Bpfeppop.exe
2036	Bnielm32.exe
2036	Bnielm32.exe
828	Bphbeplm.exe
828	Bphbeplm.exe
2372	Bajomhbl.exe
2372	Bajomhbl.exe
1696	Blobjaba.exe
1696	Blobjaba.exe
1636	Behgcf32.exe
1636	Behgcf32.exe
2260	Bjdplm32.exe
2260	Bjdplm32.exe
1904	Baohhgnf.exe
1904	Baohhgnf.exe
1732	Bkglameg.exe
1732	Bkglameg.exe
2836	Baadng32.exe
2836	Baadng32.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Afnagk32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2176	2840	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2720	2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe	30
PID 2900 wrote to memory of 2720	2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe	30
PID 2900 wrote to memory of 2720	2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe	30
PID 2900 wrote to memory of 2720	2900	f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe	30
PID 2720 wrote to memory of 2940	2720	Pihgic32.exe	31
PID 2720 wrote to memory of 2940	2720	Pihgic32.exe	31
PID 2720 wrote to memory of 2940	2720	Pihgic32.exe	31
PID 2720 wrote to memory of 2940	2720	Pihgic32.exe	31
PID 2940 wrote to memory of 2648	2940	Pndpajgd.exe	32
PID 2940 wrote to memory of 2648	2940	Pndpajgd.exe	32
PID 2940 wrote to memory of 2648	2940	Pndpajgd.exe	32
PID 2940 wrote to memory of 2648	2940	Pndpajgd.exe	32
PID 2648 wrote to memory of 2716	2648	Qkhpkoen.exe	33
PID 2648 wrote to memory of 2716	2648	Qkhpkoen.exe	33
PID 2648 wrote to memory of 2716	2648	Qkhpkoen.exe	33
PID 2648 wrote to memory of 2716	2648	Qkhpkoen.exe	33
PID 2716 wrote to memory of 380	2716	Qeaedd32.exe	34
PID 2716 wrote to memory of 380	2716	Qeaedd32.exe	34
PID 2716 wrote to memory of 380	2716	Qeaedd32.exe	34
PID 2716 wrote to memory of 380	2716	Qeaedd32.exe	34
PID 380 wrote to memory of 940	380	Qjnmlk32.exe	35
PID 380 wrote to memory of 940	380	Qjnmlk32.exe	35
PID 380 wrote to memory of 940	380	Qjnmlk32.exe	35
PID 380 wrote to memory of 940	380	Qjnmlk32.exe	35
PID 940 wrote to memory of 2284	940	Aecaidjl.exe	36
PID 940 wrote to memory of 2284	940	Aecaidjl.exe	36
PID 940 wrote to memory of 2284	940	Aecaidjl.exe	36
PID 940 wrote to memory of 2284	940	Aecaidjl.exe	36
PID 2284 wrote to memory of 1288	2284	Aajbne32.exe	37
PID 2284 wrote to memory of 1288	2284	Aajbne32.exe	37
PID 2284 wrote to memory of 1288	2284	Aajbne32.exe	37
PID 2284 wrote to memory of 1288	2284	Aajbne32.exe	37
PID 1288 wrote to memory of 756	1288	Agdjkogm.exe	38
PID 1288 wrote to memory of 756	1288	Agdjkogm.exe	38
PID 1288 wrote to memory of 756	1288	Agdjkogm.exe	38
PID 1288 wrote to memory of 756	1288	Agdjkogm.exe	38
PID 756 wrote to memory of 1716	756	Amqccfed.exe	39
PID 756 wrote to memory of 1716	756	Amqccfed.exe	39
PID 756 wrote to memory of 1716	756	Amqccfed.exe	39
PID 756 wrote to memory of 1716	756	Amqccfed.exe	39
PID 1716 wrote to memory of 2796	1716	Agfgqo32.exe	40
PID 1716 wrote to memory of 2796	1716	Agfgqo32.exe	40
PID 1716 wrote to memory of 2796	1716	Agfgqo32.exe	40
PID 1716 wrote to memory of 2796	1716	Agfgqo32.exe	40
PID 2796 wrote to memory of 1912	2796	Amcpie32.exe	41
PID 2796 wrote to memory of 1912	2796	Amcpie32.exe	41
PID 2796 wrote to memory of 1912	2796	Amcpie32.exe	41
PID 2796 wrote to memory of 1912	2796	Amcpie32.exe	41
PID 1912 wrote to memory of 2972	1912	Abphal32.exe	42
PID 1912 wrote to memory of 2972	1912	Abphal32.exe	42
PID 1912 wrote to memory of 2972	1912	Abphal32.exe	42
PID 1912 wrote to memory of 2972	1912	Abphal32.exe	42
PID 2972 wrote to memory of 2120	2972	Alhmjbhj.exe	43
PID 2972 wrote to memory of 2120	2972	Alhmjbhj.exe	43
PID 2972 wrote to memory of 2120	2972	Alhmjbhj.exe	43
PID 2972 wrote to memory of 2120	2972	Alhmjbhj.exe	43
PID 2120 wrote to memory of 2004	2120	Afnagk32.exe	44
PID 2120 wrote to memory of 2004	2120	Afnagk32.exe	44
PID 2120 wrote to memory of 2004	2120	Afnagk32.exe	44
PID 2120 wrote to memory of 2004	2120	Afnagk32.exe	44
PID 2004 wrote to memory of 2036	2004	Bpfeppop.exe	45
PID 2004 wrote to memory of 2036	2004	Bpfeppop.exe	45
PID 2004 wrote to memory of 2036	2004	Bpfeppop.exe	45
PID 2004 wrote to memory of 2036	2004	Bpfeppop.exe	45

C:\Users\Admin\AppData\Local\Temp\f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe
"C:\Users\Admin\AppData\Local\Temp\f6247cc753c56ba31fd6e887b6dedb456eec838ac23cee2cde877e5c63cd12fcN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\Pihgic32.exe
  C:\Windows\system32\Pihgic32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Pndpajgd.exe
    C:\Windows\system32\Pndpajgd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Qkhpkoen.exe
      C:\Windows\system32\Qkhpkoen.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baadng32.exe

Filesize
77KB

MD5
ee97bd48c847b9df3aaed2ee209346cf

SHA1
be62f36ea989d288c3d9d316cf61ed483c783bb9

SHA256
6d93464a40d4948212bd0db5ada6d018fbfe4e0ff3e799a8c3c42035c71e31d6

SHA512
d89c3f0ce8c1fa5e22a35d9bdea35325ccbf0373cd963190683ea65aa1b2fff569c2fa0da4074575bab1b5c2179a715ed6ef11c5a8d0cd52e05bd39dbd7dcb49

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
77KB

MD5
4b38709d16fd0aeb2fb375659bf9b9bf

SHA1
c8defd95e523cd20537d9ddb346c2e43179c3d75

SHA256
d4985b57cd5f210c52b4340e845fcf83571d7bc38610f91dff3c2044b8111f35

SHA512
d9bf13d9faa208fa0900a990b4f40dbbdcf709a46dc6945953884bfd466f11fde2ed57d9084afdb35a5b44bfe03ad35a70b3b331d8b1d7dcb02a7a4c3b733804

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
77KB

MD5
810dce541715b0abe485ba89c269c0c6

SHA1
38121f7bd29c753a9389e8def549e3cca365615e

SHA256
8c2c2e07c6d091603c79688fcdda5b372e980b3a4509512a199abc21de05c5fc

SHA512
40aafdd52e71d901ea929499b0429df20b53f7dbc1de5aa0fa75c08eafe9958b75b83f7d36482a46176d97138cd6b1786b7f1b6e7ccde712ebd49150dd645501

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
77KB

MD5
6927447711cc289d0cb33e5b4da42ade

SHA1
3dcf2456c43578db89a1b969bf0fab26294b53dc

SHA256
712261de87d53788e281d43a34443dbfedcade898edc9bfa5e131db4b17c0eb7

SHA512
c91626265b75175832bd2c9db88932004db226a64d43434c9196c086eefec13352f04117d8934c84d2ad273e2a4eb53df9d0417e2f5460ed94fbe73ae8547ecb

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
77KB

MD5
e4b5c1305691b7febd6c9085e972ca45

SHA1
3c0b839ac9ac19555d2d5522e20f2b0d88c10ca7

SHA256
eeca859ae55535f0d4e5e9121658304d12b280cb2c256253a8510f4d3deea280

SHA512
04163d86ede0c2c08588bc2e392a5adf30b2c627b76f5d2070c891f718f89b790560948d1802c807ba27ebd97d1b5e3b78bcb51da9ddb8f6118d78ed61e24674

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
77KB

MD5
e80f1b1128171fd95ac69863ccf130ec

SHA1
137c63fa25c591ffe9403870d8e878b6c33fa067

SHA256
f46174fe929ec5b7283a1af68761a52534e937a5687096f0f6d6db6668e9690d

SHA512
4f6ee35bed6d25bace1767c7e6aff44b96592f678cfe7f72a8cf404477ff87b0e04ceb86d11da757da3e0aee34a086505f39515e5d89bc28e13526cee8c936a2

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
77KB

MD5
c318d10156664f2f42ad72bc873e77bd

SHA1
6ba09362829b7adaf08947b8f73a465730754b06

SHA256
81377247dae263b992f61e460312458120e0425edd3982997d9c240c99fcb0a9

SHA512
3b4adb49c357240af3f810aa0f74a66d8d5e184dc3ab1bd803a20f2f0bf02be77ccab848401de5c4b10f286ec3e9bc5a59f1eaeaa7b31d71ae2fbc7a29a70f70

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
77KB

MD5
7af5c633ba69730d813ee51245fe901c

SHA1
89afc47c5dbe8ae0cfd99a29f4b33dd65fe5a449

SHA256
b69cdf7196978ad44b80deb6c7f472d5072619ef17783dcc97ceefc4171174d2

SHA512
ef3df6a572fa6fa5cb8ea84a4f197ee377f0a8061cb2f9c00825e83f30a3ead277884f2dac84db08e4f92c946cc785a00b623e76faa4e356f5f8212e2acbb668

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
77KB

MD5
5fcee6bb9b33d17a5fc0f1edb027031c

SHA1
0c4b17cb9fe55b6dc504ce533552e1d4c24ef6a2

SHA256
62f6a648089eb1b721dcfd80027fbc39eb8f0378143b30273a956992373a3a78

SHA512
2574255782a216b7aa9e070aa60a2f64b5c714b29878907567a9819138ff60fcaa72989a67f895ed5243fce4e9faaccbfbd8e2058982d76fd326f0a2e584c28f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
77KB

MD5
85b06600df4f5eaf1753f782dbcde195

SHA1
869f9c2d080c11de3a7044183d2727598516d3a1

SHA256
a3c93c8d26a084b6f2af7a1f12fba05c171fd3d5d5d8f3419d53f0545236d8d0

SHA512
af13875ebfbc749eb15e98efee1aa53ad92fbca5482bf875bdad65cabf6d521a1d18163abc4aa7e71347927f2658c35469150a2d0881c34a0e9246aad4415cc5

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
77KB

MD5
d38dc761690cf5cb23c96e0f03d459e5

SHA1
ea5a45c8dd6b2d927031ba00b0cf145768f9de2c

SHA256
95ad8db6ecb4ccd12f1c984a300fb84700e328634f167b80f149e832df54f195

SHA512
64d792b24f2b192e96e3cff0e4dea54744dea014fe7d3dfc28820a981b5b284a02133890160b888d5ba5c151e76a4395282549ab30eb19a0bdf2893d4da2f166

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
77KB

MD5
dd23a0c34e19e54cbe469342d0c58beb

SHA1
28785ab59f46adf19f25591cc6978b5a2f4bee40

SHA256
2a9acb5412ea516a76ff103185c230504a782deb3f17a47f2ed6b299270f3ce1

SHA512
b2544a8032c371d73d697c48a058ebd6866fda2dd2542a48f618148d44000c6ac0f1bcf1d3bfe35e9442b664b4e7db857465175515910cf4296c8a8a9f9eb5a0

Download Submit
\Windows\SysWOW64\Abphal32.exe

Filesize
77KB

MD5
aaaa3e01f7432bdbd642eb5e9aa953da

SHA1
22dc5a81398f2f17a3e209b203562b0c55595266

SHA256
8593c347992d40996e3b4b7c32661b7dd7a62d5991fba44cf00290c83ed5fee6

SHA512
169d26025fdf786f56cef4dc3800cc1dfc3f2d6559e358163f4c4a7c88d6794856052b2978de21901d439f447e6fd842253a434fc34268d38766e57480b34dd1

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
77KB

MD5
d5a4c416dbd8da26f14065eb2f0c6d68

SHA1
d326f950f12383e90387bdee281c13c722b80e6d

SHA256
fb8b79e2135e3aa173d552a51a39b61de82b3743d12ae6a60960741821dcc5f7

SHA512
121572719590cb06ae547ea2638082b20efa65e0fcc7ca25829c429dc9dd49f75ed5c558aeb5d922cf41120cd51c53c99c35596cdb7fcf7330cba86f3b2f4ada

Download Submit
\Windows\SysWOW64\Afnagk32.exe

Filesize
77KB

MD5
333cfb3ea4d2cc0338f16e2925a88c88

SHA1
a854ec172f1630e500a7a2b0851b93641b614fc7

SHA256
fb12121469f60b6e889d522e3d46e86d8c214dd18b04b0c0ce40670c729fc373

SHA512
0e9bbbea7aba00336ea8e2ccb352b4fb1d035481635b256f2c3fe1d35a02c97891a1366871295c266b6c9c3d8a5a26248a7282df5670e0891c1cf0ea7bfe1a5a

Download Submit
\Windows\SysWOW64\Agdjkogm.exe

Filesize
77KB

MD5
64876c1d2df102ca560fc895c851b244

SHA1
51c30c9c2e94de78908e585ebf0ce949851b1eab

SHA256
dcbda7fc2c6f13dc4090079169dfd44ee9423499cbc5cd50d418d269485c5419

SHA512
0f19ae1b2bcc75dea2ecd277a22a6a565a1325766ba5035ba406f1c2ad3acc4a1a8518ba2c03ae0a59d081afb8c3d82a9d9c0b21777a67f9f2d2d972c8594d76

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
77KB

MD5
db18546075f0b874e5cdd4f29062c450

SHA1
64c4151f7f4c47c6e02928d22563491eadadecb3

SHA256
d54ccd0325f2959458375c1e92a31e13a84528d003ff14c80a7e6bb054597860

SHA512
753a2c9b45d22534741145551e64dfd3564bb7c7ad3fe22350b3da9ca5babb64c97567df693c28709dbc92282fbc641a29c6f3290bac1bde0538cc858d33d2b6

Download Submit
\Windows\SysWOW64\Alhmjbhj.exe

Filesize
77KB

MD5
fc2dd2b44e16e004c5f683bae4a0a3c4

SHA1
3fab0d4a04e5e1271f9c2878b2faefebe69b017b

SHA256
40928aec404d5a2708a09794f591360af77781be2b48605365c58003345ec2d8

SHA512
5e359ed6233105dad6a97163d42d0f7fc146fd93a0d63d4f114159cbde78a613eec94c0208e7cc41982a62d3f3201babd02ced949a32dd1332e2ad21044992dc

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
77KB

MD5
82883b5dfa73f25ab5de03f4d2b74f6e

SHA1
a00dc60f5cd1d71d6e887f52dc8fb0740e87e58b

SHA256
9d7ae0819874e2ff005a2c1ac21871a2c19ae4fc50beab95857f09aab3b0d1fb

SHA512
8d6eb6d4bc6fa57e892a7823b0fa5c6579215424bdd0b6d583a48d6122d35cdb350fb464ddb5c11acbf6f33ac5bf0290125ff80df245cc411b9b989e56bf389e

Download Submit
\Windows\SysWOW64\Amqccfed.exe

Filesize
77KB

MD5
de899cbfd9c62e2e3e4a0d749a1001c0

SHA1
1d1133b4dfe88e21d364eac5266c747cc40acd3e

SHA256
703445080141ec5b2e3cd07836bb4200a7c3cec307c4265dcbcf27146adea7af

SHA512
1ce1ad0c3dca0c8ce90b0cac1010e876e25d56b71c8b24dd97ffdb187d5411d71872c900347d64fe6a9b654d7c6145c0ee74494f1e690304da20984818afa5bb

Download Submit
\Windows\SysWOW64\Bnielm32.exe

Filesize
77KB

MD5
c9c65fcbd89c4d043a92f49d7e4b6e34

SHA1
4c188c7e6a75554ea79bdd04fa55d96244512dc6

SHA256
fdb91568484a6286c57e691c66a3d9f33dccca1fed58a9c8419cb484b1cac2d7

SHA512
c7e03e946fbd7edd761aff395d0e5ba474816046007cd6f3cb3aeb3a1012c8e8b673287eba3864a83e882f01751a9280cc4f0eb11df4d87d22d1eedab379d304

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
77KB

MD5
e7ad57d508bddec981fc663db61e61e4

SHA1
fe7d924a996998a4f704c73d3b87fd749ce34e32

SHA256
da5c54a32ed1b1ba61edbe2b38b90c3562a0e7482812840c2cc7cd6d4702572f

SHA512
265ae61164f65a204ec7c8ca17ecf9588b644381f59be7e4aa008e0fec979d1b20a9fc6af3292d3ae7af0cb3cc8f145c65e22ddbd30420d9d7046c17c2c9fc79

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
77KB

MD5
d8da371f43cade0780dcdce88167bf06

SHA1
6961339b15ba7960d6e2d364a22c867716dffbbe

SHA256
2a624d1fe05121ee9cc0de4bd486ad0d8bcc15bd9e3bf1e8e60f10865ebabf6e

SHA512
7a1863cfd02a8d473b49857d8de68081c1461aeaa70e212699678362d053a18558b468db0821d4ce48a47f018e1d61c79384beb97127e5976ea40f8b2fc65da4

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
77KB

MD5
eb8383d1cf95e506ed9e4e84fc7c6fb8

SHA1
8b28fef4d985021ea1bddc5c5786e4b47cf475b8

SHA256
0f3b043deae3e551cce15f7b979e05245842d10d7ac2890e44b22bf13d5cfad2

SHA512
f0edd1009ff445f68b203955a08cfa5d63e4106686697b385cd04e7c33bb682c38a2fea2f9cca0e0a00a61e8153b372f161cca69af7a1f57bfafd0ac7fec80c7

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
77KB

MD5
6ca3a58f1513b0603dd72f56b86a39a2

SHA1
24959785178a9f3e6b05ff78aafb4bb4ce3cfdc9

SHA256
ef2c5971e0843b6fdad7bf453d47d06ae11db70a56a668c81d0656dd59ff0d8e

SHA512
5589721771e9dbe5c1d61f264d18b1024d5b17098746fec02c72899f4080730e5526941d69f7335e2c5842df20c3b1aa194bdaf45a8cc4be11dda0729be976f9

Download Submit
memory/380-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-74-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/380-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-230-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/940-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-87-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1288-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-261-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1636-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-260-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1636-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-250-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1696-249-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1696-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-293-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1732-294-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1732-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-283-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1904-282-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1912-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-165-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2004-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-210-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2004-204-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2036-218-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2036-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-195-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2120-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-271-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2260-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-272-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2284-104-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2284-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-240-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2372-239-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2648-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-59-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2716-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-152-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2836-305-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2836-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-304-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2840-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-11-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2940-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-34-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2940-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads