berbew | 31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37e

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Size

337KB
MD5

e7448aa2efc42e5dc2e617d772fa55e0
SHA1

fa706faa1330f706891da40df4d81e89f6c19b4e
SHA256

31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37e
SHA512

739380dbd83bca4eaaffc9f29ff5baf7856806f769e09f1c10e6ba9a551dd2ad359ec4c1fedea2a1c599ba9683117c681dae292eb4761c784a7f0b226770d931
SSDEEP

3072:5J6GODMkT36YgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:L/OjT36Y1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aejglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobleeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgaeddg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmqffonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmqffonj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpaohjkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqlbmbn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgaeddg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobleeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpaohjkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpapcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpapcnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apkbnibq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 22 IoCs

pid	Process
2852	Pmqffonj.exe
2904	Qpaohjkk.exe
2864	Qaqlbmbn.exe
2688	Ailqfooi.exe
2956	Afpapcnc.exe
1680	Abgaeddg.exe
552	Apkbnibq.exe
2488	Ahfgbkpl.exe
2596	Aejglo32.exe
2856	Bobleeef.exe
2732	Bhjpnj32.exe
2396	Binikb32.exe
772	Bknfeege.exe
2156	Bmlbaqfh.exe
2144	Bopknhjd.exe
2536	Clclhmin.exe
2200	Ccnddg32.exe
332	Codeih32.exe
2376	Chmibmlo.exe
3036	Cofaog32.exe
1852	Chofhm32.exe
1644	Coindgbi.exe

Loads dropped DLL 44 IoCs

pid	Process
2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
2852	Pmqffonj.exe
2852	Pmqffonj.exe
2904	Qpaohjkk.exe
2904	Qpaohjkk.exe
2864	Qaqlbmbn.exe
2864	Qaqlbmbn.exe
2688	Ailqfooi.exe
2688	Ailqfooi.exe
2956	Afpapcnc.exe
2956	Afpapcnc.exe
1680	Abgaeddg.exe
1680	Abgaeddg.exe
552	Apkbnibq.exe
552	Apkbnibq.exe
2488	Ahfgbkpl.exe
2488	Ahfgbkpl.exe
2596	Aejglo32.exe
2596	Aejglo32.exe
2856	Bobleeef.exe
2856	Bobleeef.exe
2732	Bhjpnj32.exe
2732	Bhjpnj32.exe
2396	Binikb32.exe
2396	Binikb32.exe
772	Bknfeege.exe
772	Bknfeege.exe
2156	Bmlbaqfh.exe
2156	Bmlbaqfh.exe
2144	Bopknhjd.exe
2144	Bopknhjd.exe
2536	Clclhmin.exe
2536	Clclhmin.exe
2200	Ccnddg32.exe
2200	Ccnddg32.exe
332	Codeih32.exe
332	Codeih32.exe
2376	Chmibmlo.exe
2376	Chmibmlo.exe
3036	Cofaog32.exe
3036	Cofaog32.exe
1852	Chofhm32.exe
1852	Chofhm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bobleeef.exe	Aejglo32.exe
File opened for modification	C:\Windows\SysWOW64\Bobleeef.exe	Aejglo32.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Lecaooal.dll	Afpapcnc.exe
File created	C:\Windows\SysWOW64\Aejglo32.exe	Ahfgbkpl.exe
File opened for modification	C:\Windows\SysWOW64\Qaqlbmbn.exe	Qpaohjkk.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Codeih32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Pmqffonj.exe	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
File created	C:\Windows\SysWOW64\Nilacmgb.dll	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
File opened for modification	C:\Windows\SysWOW64\Ahfgbkpl.exe	Apkbnibq.exe
File created	C:\Windows\SysWOW64\Codeih32.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File created	C:\Windows\SysWOW64\Bhjpnj32.exe	Bobleeef.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Afpapcnc.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Dafikqcd.dll	Apkbnibq.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Binikb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmqffonj.exe	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
File created	C:\Windows\SysWOW64\Fngooj32.dll	Qpaohjkk.exe
File opened for modification	C:\Windows\SysWOW64\Bhjpnj32.exe	Bobleeef.exe
File opened for modification	C:\Windows\SysWOW64\Binikb32.exe	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Binikb32.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Ailqfooi.exe	Qaqlbmbn.exe
File opened for modification	C:\Windows\SysWOW64\Apkbnibq.exe	Abgaeddg.exe
File opened for modification	C:\Windows\SysWOW64\Clclhmin.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Abgaeddg.exe	Afpapcnc.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Binikb32.exe	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Binikb32.exe
File opened for modification	C:\Windows\SysWOW64\Codeih32.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Ailqfooi.exe	Qaqlbmbn.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Hdjgff32.dll	Bobleeef.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bknfeege.exe
File created	C:\Windows\SysWOW64\Amljgema.dll	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Codeih32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Qpaohjkk.exe	Pmqffonj.exe
File created	C:\Windows\SysWOW64\Afpapcnc.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Pkknia32.dll	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Aejglo32.exe	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Befima32.dll	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Jalnli32.dll	Abgaeddg.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Apkbnibq.exe	Abgaeddg.exe
File created	C:\Windows\SysWOW64\Ahfgbkpl.exe	Apkbnibq.exe
File created	C:\Windows\SysWOW64\Mkhanokh.dll	Aejglo32.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Chofhm32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Gpfecckm.dll	Qaqlbmbn.exe
File created	C:\Windows\SysWOW64\Kljmfe32.dll	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Codeih32.exe
File created	C:\Windows\SysWOW64\Okfimp32.dll	Pmqffonj.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Abgaeddg.exe	Afpapcnc.exe
File created	C:\Windows\SysWOW64\Bopknhjd.exe	Bmlbaqfh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqlbmbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkbnibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfgbkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjpnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Codeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpapcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgaeddg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aejglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmqffonj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobleeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpaohjkk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfimp32.dll"	Pmqffonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll"	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmqffonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhanokh.dll"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilacmgb.dll"	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apkbnibq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befima32.dll"	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll"	Bobleeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngooj32.dll"	Qpaohjkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljmfe32.dll"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll"	Afpapcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpaohjkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpapcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalnli32.dll"	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll"	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafikqcd.dll"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aejglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobleeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgaeddg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amljgema.dll"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpaohjkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkknia32.dll"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmqffonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobleeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpapcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2852	2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe	30
PID 2744 wrote to memory of 2852	2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe	30
PID 2744 wrote to memory of 2852	2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe	30
PID 2744 wrote to memory of 2852	2744	31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe	30
PID 2852 wrote to memory of 2904	2852	Pmqffonj.exe	31
PID 2852 wrote to memory of 2904	2852	Pmqffonj.exe	31
PID 2852 wrote to memory of 2904	2852	Pmqffonj.exe	31
PID 2852 wrote to memory of 2904	2852	Pmqffonj.exe	31
PID 2904 wrote to memory of 2864	2904	Qpaohjkk.exe	32
PID 2904 wrote to memory of 2864	2904	Qpaohjkk.exe	32
PID 2904 wrote to memory of 2864	2904	Qpaohjkk.exe	32
PID 2904 wrote to memory of 2864	2904	Qpaohjkk.exe	32
PID 2864 wrote to memory of 2688	2864	Qaqlbmbn.exe	33
PID 2864 wrote to memory of 2688	2864	Qaqlbmbn.exe	33
PID 2864 wrote to memory of 2688	2864	Qaqlbmbn.exe	33
PID 2864 wrote to memory of 2688	2864	Qaqlbmbn.exe	33
PID 2688 wrote to memory of 2956	2688	Ailqfooi.exe	34
PID 2688 wrote to memory of 2956	2688	Ailqfooi.exe	34
PID 2688 wrote to memory of 2956	2688	Ailqfooi.exe	34
PID 2688 wrote to memory of 2956	2688	Ailqfooi.exe	34
PID 2956 wrote to memory of 1680	2956	Afpapcnc.exe	35
PID 2956 wrote to memory of 1680	2956	Afpapcnc.exe	35
PID 2956 wrote to memory of 1680	2956	Afpapcnc.exe	35
PID 2956 wrote to memory of 1680	2956	Afpapcnc.exe	35
PID 1680 wrote to memory of 552	1680	Abgaeddg.exe	36
PID 1680 wrote to memory of 552	1680	Abgaeddg.exe	36
PID 1680 wrote to memory of 552	1680	Abgaeddg.exe	36
PID 1680 wrote to memory of 552	1680	Abgaeddg.exe	36
PID 552 wrote to memory of 2488	552	Apkbnibq.exe	37
PID 552 wrote to memory of 2488	552	Apkbnibq.exe	37
PID 552 wrote to memory of 2488	552	Apkbnibq.exe	37
PID 552 wrote to memory of 2488	552	Apkbnibq.exe	37
PID 2488 wrote to memory of 2596	2488	Ahfgbkpl.exe	38
PID 2488 wrote to memory of 2596	2488	Ahfgbkpl.exe	38
PID 2488 wrote to memory of 2596	2488	Ahfgbkpl.exe	38
PID 2488 wrote to memory of 2596	2488	Ahfgbkpl.exe	38
PID 2596 wrote to memory of 2856	2596	Aejglo32.exe	39
PID 2596 wrote to memory of 2856	2596	Aejglo32.exe	39
PID 2596 wrote to memory of 2856	2596	Aejglo32.exe	39
PID 2596 wrote to memory of 2856	2596	Aejglo32.exe	39
PID 2856 wrote to memory of 2732	2856	Bobleeef.exe	40
PID 2856 wrote to memory of 2732	2856	Bobleeef.exe	40
PID 2856 wrote to memory of 2732	2856	Bobleeef.exe	40
PID 2856 wrote to memory of 2732	2856	Bobleeef.exe	40
PID 2732 wrote to memory of 2396	2732	Bhjpnj32.exe	41
PID 2732 wrote to memory of 2396	2732	Bhjpnj32.exe	41
PID 2732 wrote to memory of 2396	2732	Bhjpnj32.exe	41
PID 2732 wrote to memory of 2396	2732	Bhjpnj32.exe	41
PID 2396 wrote to memory of 772	2396	Binikb32.exe	42
PID 2396 wrote to memory of 772	2396	Binikb32.exe	42
PID 2396 wrote to memory of 772	2396	Binikb32.exe	42
PID 2396 wrote to memory of 772	2396	Binikb32.exe	42
PID 772 wrote to memory of 2156	772	Bknfeege.exe	43
PID 772 wrote to memory of 2156	772	Bknfeege.exe	43
PID 772 wrote to memory of 2156	772	Bknfeege.exe	43
PID 772 wrote to memory of 2156	772	Bknfeege.exe	43
PID 2156 wrote to memory of 2144	2156	Bmlbaqfh.exe	44
PID 2156 wrote to memory of 2144	2156	Bmlbaqfh.exe	44
PID 2156 wrote to memory of 2144	2156	Bmlbaqfh.exe	44
PID 2156 wrote to memory of 2144	2156	Bmlbaqfh.exe	44
PID 2144 wrote to memory of 2536	2144	Bopknhjd.exe	45
PID 2144 wrote to memory of 2536	2144	Bopknhjd.exe	45
PID 2144 wrote to memory of 2536	2144	Bopknhjd.exe	45
PID 2144 wrote to memory of 2536	2144	Bopknhjd.exe	45

C:\Users\Admin\AppData\Local\Temp\31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe
"C:\Users\Admin\AppData\Local\Temp\31a7efeae320d56506e5683db19eb1b5a41e63628c54d266b80462f509d4f37eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\Pmqffonj.exe
  C:\Windows\system32\Pmqffonj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Qpaohjkk.exe
    C:\Windows\system32\Qpaohjkk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\Qaqlbmbn.exe
      C:\Windows\system32\Qaqlbmbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Afpapcnc.exe
        
        C:\Windows\system32\Afpapcnc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Abgaeddg.exe
        
        C:\Windows\system32\Abgaeddg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Apkbnibq.exe
        
        C:\Windows\system32\Apkbnibq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Ahfgbkpl.exe
        
        C:\Windows\system32\Ahfgbkpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Aejglo32.exe
        
        C:\Windows\system32\Aejglo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bobleeef.exe
        
        C:\Windows\system32\Bobleeef.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Bhjpnj32.exe
        
        C:\Windows\system32\Bhjpnj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Codeih32.exe
        
        C:\Windows\system32\Codeih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ailqfooi.exe

Filesize
337KB

MD5
95585549d0bddb25ab3ffe4e60f8569d

SHA1
69f1f7dc5342337bc83556da36e69f3f437e7fb5

SHA256
64dd5c9dc7a6d5dbbc156948a8c7fed628da1b80044d4d21e9e7060993d74774

SHA512
6f6316b1c79c4e0b1239a8f20ca5f88b98e89824851b0ba45c124569fafa48d19b2ef688bff816d6f16af6b60beafb3f97325e5014fa78b628528933952207dc

Download Submit
C:\Windows\SysWOW64\Bhjpnj32.exe

Filesize
337KB

MD5
78778c7fb00e90dceedc2dce73b9c92a

SHA1
7dd3edda95057283d7e12ba8c7dc918ef3400d9a

SHA256
778cefc6c443c494648644e4d4e98a9f781f286c8921f0156bb841250492878c

SHA512
9cee766e3d569f26167148973e4da8c5c1d11069186efc7a88ec15c1ba35c1a4e365da73e3d2fbd9e858b22aeb272153522c67fc0712e55f2c8ff837299d7e78

Download Submit
C:\Windows\SysWOW64\Ccnddg32.exe

Filesize
337KB

MD5
4b3b687568c11cae3f04d465c3093090

SHA1
5d35d4b325514ec42e66502d5c70bfbe31642dde

SHA256
f9bfb1324ccd8ed0966bb19865971e87c3455aeba325b58b4e6aad02aeabfdb6

SHA512
32b5f1f0df3d7a6cb81f950c991e7fba8fcfb0e709ae746bd52dcf66b02d1fdccf452bc3d58342ae40797eb0ac9b1d6455ca4938ddfb5bf3641e24a818abc9b5

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
337KB

MD5
992e7fd491ce9730e392eb9e02f1d7aa

SHA1
2022c1957f5d1b92c2a473cef3f99cb7c5e4b3c5

SHA256
aaf7cf887b7feb0c830b43ecd9affcf10b49eaba240f1b35e4d8c4a92ec00a21

SHA512
166530e96b841102e833f38b19cc434eb60563c0b02793d2dad921255c989fa550ed71785d556512cd066f623742ffa6d6d0b36afc22b61d5554537bc81ab7a5

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
337KB

MD5
55864d4b49a64dfad0c1eb4b2f855158

SHA1
242b80d5400388a0c955dd9bb8ae713ad183c2a1

SHA256
9d4be967723881b87e66956dd9f53a093992d640481acf4bb56200167cdd2165

SHA512
1cbd6cede13dafeec8d50dcc22b2f4d0681aa539f03c1450a99cc5c580e4a1fef0370c0315d27321da2156602c6531eef08ef97a30a36662a4358c9b47f2ba99

Download Submit
C:\Windows\SysWOW64\Codeih32.exe

Filesize
337KB

MD5
74df3ee22fceb3dcde96c981feab8220

SHA1
c3e4bec62e1e9f1d46cc371a3a1457ff8ab6d92c

SHA256
53993cd46bbf7fb95bedfd566702eed176fa761e708fc4c12a610b759f1938bb

SHA512
398e19d86bdc8ed84ba0355233c03c3e01a335bb70050fd521a125dca2ceaf9f2f185fc0a791bf43b831cc17454c12458d1b51e23176e6233ff51fb947573b14

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
337KB

MD5
e879c355adaee9e6ae36ad2341ddb002

SHA1
12cfd930ccaaf29692973ab702572695680c834e

SHA256
8971921ddb9a6f17e8d8bc4f7e461f77b44949a3291065532344739ebb159163

SHA512
05b8ebff957a2db7a4cf224179ec09cda46760d2ba515f766ebc9c9477ccb908af371e267d8efe5c17d963ff235cb96eefb5e81c55907d9b71caa347f16e0649

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
337KB

MD5
7ff26fd3cfe6b03dd3d6d54d360129a8

SHA1
ba6a83859b7caeb81de63b394f1fad06e5304d61

SHA256
94ea5347a558464d2349f3f7fde7683fe27a99761312e3ceb7fd977b321295c4

SHA512
9754dda1befb5ad41e8552e7edf992c0bfb972591687b6fa4913bcf54b1aa35650cb565a1bbf510b70939cf3b47e5342b0dff4c96779ae3ad32d03338832aa98

Download Submit
\Windows\SysWOW64\Abgaeddg.exe

Filesize
337KB

MD5
4bf96a50d4a0a0825003003d937db493

SHA1
3f364ddf359852fecbd193e5fdbde81d36afb2e3

SHA256
9b6333a97c86791a1facf7b5373e12661e96394e8460ebb4a355e895704dec0e

SHA512
6d7961e4a825ad0a02c662b280b00042e869db489f101edc1035a6cfe593d929483aa70c67fafa61b562d6eb2fc598caa1ba63e29a11e5381144150a1fac2c40

Download Submit
\Windows\SysWOW64\Aejglo32.exe

Filesize
337KB

MD5
e1e58c76bf1b8061319b2c52b04a6bea

SHA1
d440ef1a1efe72afcb4a37b064156d49d9148669

SHA256
a445e9c23917cd1256bb1bc17cb8831685ed8ad97f4e0953b7c94efc71c7cdd1

SHA512
569abcc1cd36e2b60736e7130ca48bd854b41c90b03f996b68855ad21b2b1dc77f947666707b269729e3b1fbedbc40e04826fb86d7522b6cf1e2180f746b1fa3

Download Submit
\Windows\SysWOW64\Afpapcnc.exe

Filesize
337KB

MD5
2ad4db93716c437e6c6eed568b83c66c

SHA1
78595f794f5a0e19864a19ce5a14f774af9f60c3

SHA256
09dd4935333f0d865ff306a36a5373f2d6c6585f365287ed4a8a84a6b2d27706

SHA512
bf1e3100f5c198ae3c62b8c75d041e3656f6c42c29c8d6c0aba8e2cfeab764e7a5eec16e69421b4f7b938feaf43f192521acd70f7ed43b310ee0cbd82c2bbae3

Download Submit
\Windows\SysWOW64\Ahfgbkpl.exe

Filesize
337KB

MD5
073021c98eef35da59cfafeadca8c13c

SHA1
56098fba262cb34497571457864abcbcd3b73008

SHA256
86415d4835f4b3ec898ec1990c0b6a377ce8a94890fe3e1093abe3c457691716

SHA512
9995e22e99816b9aba119f009d39f91944d59a49782070040bc47c495c09eb71eb223497014b30fcd44ccda4db5dc23bcf7fab07833b7a1d3796ecf918f17686

Download Submit
\Windows\SysWOW64\Apkbnibq.exe

Filesize
337KB

MD5
46a7c249754369257731cf448d5399fc

SHA1
9a2b6fd937a9c75ea6d67423c1610f9ffc332ef0

SHA256
6dc70d398caf275278800a32fa94177ec16c38b83d19971a68c7b39f97a8c820

SHA512
2a4e87eba8882ae8b01cb32f7a4e2c570232f7816e6a55a68befc89ea9f110609b94c8b9144e8b6f5bd092bd3a8fabf4d2acd35c7eb8d8ead3dbb5cff28f4694

Download Submit
\Windows\SysWOW64\Binikb32.exe

Filesize
337KB

MD5
dce6665841a373ed80c8c3992903db8e

SHA1
3e26a0021f18e39ef83cf0864db9861c607e8ad0

SHA256
b3cdb7b78f98bb06c2c34bed1f6625b6bf9ab5e72ce01a351d6cd84749574348

SHA512
ac585b1550e1b09535dc9f0996fcf5484f759cd9bbcf3241345a1293a7def38276e3b48fbe0b44b5abeab6cdddb600bf1521c51626f50e6ebbd86d4058e999bb

Download Submit
\Windows\SysWOW64\Bknfeege.exe

Filesize
337KB

MD5
b494865d7d6cf2e380e850d1e5c2a97c

SHA1
0e797b5d0c0bcbb057d252551f5dcd9eac565f2a

SHA256
f9727f044c25df4dd39fd2f0d1e002d12557b4dd30df2c4787cb6581ca6d4cac

SHA512
c83ab792ce687cd390b9572b3ddc637422a5f24eadd25939c3df04ef5cd19295ab38499d770dd9895a18f0f861e04145876a0fb7d0c18cb0fe89b770bbf0e1f3

Download Submit
\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
337KB

MD5
afd412e7d07a19e1435102ea4a86c782

SHA1
102039320b7cb0f9c3b57aaa56f54fe4290a3359

SHA256
ba82008a19d0349390a59c0f5e944b961dd7dad60c0a4ddd7e79ceadfd28b492

SHA512
38a84a39f17a7802b89fa5013c4d46e36ec0b9aab78191eec7ce7d825fd0b96adf46244b6d4cfa4d3f8dd735c61cdad2053fb0163c8ddf9cfba573e5dc3053a6

Download Submit
\Windows\SysWOW64\Bobleeef.exe

Filesize
337KB

MD5
4c2d5487bee8783395936f44ec78f529

SHA1
c2b4ef959ee19312edf850a52a311f29cee35aea

SHA256
04ed20a9012507c1c585bb186456e7f1e5422d57da1f90a35befd27c2cd00ab2

SHA512
b6b6487bb6c9083c3d7e552d93b3973f92edf979c66f763235e83b205f0a9d3ee833088643dcce0ac700bbf08059576e9cc4d2639f7fa8385a15260bcaf92790

Download Submit
\Windows\SysWOW64\Bopknhjd.exe

Filesize
337KB

MD5
33d5ea568f47f71a2ccfb407e1379b3c

SHA1
d32c64c784e3420e2c072a17e02298aa8eb9f571

SHA256
9fcd4887d523fdeaaf4926f9418ba5964b56cb6b1b52887fa44fea141f2cf565

SHA512
b8eb6804836e625bfe68cfbaf018597687d7006a65a99f62b092f58883cdb1f46e50c1f5b86c67d48f3b0eb44cd8f5bdb17d2aae9565ab0722635559e91d0786

Download Submit
\Windows\SysWOW64\Clclhmin.exe

Filesize
337KB

MD5
875f37a8362018e7d332f49c7d8efec6

SHA1
5156b09bb04e329c993b55aa14149f88e41bd2d1

SHA256
2a7a46147f87efcd9a0366751c87983b8c4f0e942bdd231f9dc4d91f99020d10

SHA512
fa8ffe96a162a49656da17b3f9502d92628239efe74617f17bc17ec04f216cc6faf74ec06c9a90a6f6278ee4820b178bfb06a6271e69fd400364faa115fd56e5

Download Submit
\Windows\SysWOW64\Pmqffonj.exe

Filesize
337KB

MD5
1665969f46cd5047ebb1821a827b3835

SHA1
1a8a9941d8dfbffaa294d478e35f69ea360fa5a6

SHA256
5afafd31a0cde64cde3ebf10ebed5f33353a4b2a78e6ba5341d09c367ba35dc0

SHA512
880fdb6a4d6a272f3f0a5f567aa91148d42d567caabfd9b21e3242af1119da11d9f353240236408a691eee0901841988e8c54aa1bc66e897246b61231d2e4c46

Download Submit
\Windows\SysWOW64\Qaqlbmbn.exe

Filesize
337KB

MD5
2c63eac8706d8533c4d34ea1fd011321

SHA1
1a3c19f9c4345f62abea4646cc4d016e075d27a4

SHA256
62a5bab25516004e3b52b517bc1dc701f098ed5e3f0d3a37c928c4eb4f5d8a1d

SHA512
05003e85ba346bc4bd1e1c988c6eecc85afde5e34957ba5d8118a076ea7e28cf18bcc868d51033120a9155767e47b62cff5538e7d1d8d39a8b2d1922758edaec

Download Submit
\Windows\SysWOW64\Qpaohjkk.exe

Filesize
337KB

MD5
503e01d043d440e78896e587ecd9a631

SHA1
dbeaed1c9d05970ebc24dbf1b24584513b4c57d5

SHA256
e307262f98e4f924762b882ed612e23f52ec7d8e3f24a83544c17598b54b3407

SHA512
420428013cdb529ebe38c0ca6a4184b458c1b4201370433a78020ce638e2d2fc9c258e11fbb600bbd6c47eb364bc68d8f19b220378563b36cf2f04039c6c372c

Download Submit
memory/332-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-250-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/552-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-107-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/552-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-188-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/772-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-97-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1680-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-219-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2156-205-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2156-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-260-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2396-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-124-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2488-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-231-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2596-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-134-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2596-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-70-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2688-69-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2732-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-160-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2744-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-326-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2852-332-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-51-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2904-36-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2904-41-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2904-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-78-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2956-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-270-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads