berbew | 7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Size

96KB
MD5

e3f0e3e277c20dc052d0f9e19cedd970
SHA1

29a471d03957630dcebfbc34a14419f972bba19b
SHA256

7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934
SHA512

c6538d8780e47efceb34b4b5fbb40859185740199d2591255788e1392f7770802742befa7eb0b04bce3e0d4fe14651dc99c2fc9b67ba856138e01258d08fac1d
SSDEEP

1536:tWSd1c4ZNgpHc+wnv76fu+VkI72Yej97m2Lbt7RZObZUUWaegPYA:tG48pk6fbVkvYwLbtClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nccmng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdigakic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfadc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqgngk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqgngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oenmkngi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhakp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2088	Mbkkepio.exe
2224	Mdigakic.exe
2916	Mnakjaoc.exe
2284	Mdkcgk32.exe
2788	Nbodpo32.exe
2628	Ndnplk32.exe
2668	Nbaafocg.exe
880	Nccmng32.exe
276	Nnhakp32.exe
2948	Nqgngk32.exe
1304	Njobpa32.exe
2872	Nqijmkfm.exe
2116	Nffcebdd.exe
820	Nmpkal32.exe
1748	Ncjcnfcn.exe
2236	Nfhpjaba.exe
2268	Olehbh32.exe
1384	Oclpdf32.exe
2108	Oenmkngi.exe
1468	Omddmkhl.exe
940	Onfadc32.exe
1108	Ofmiea32.exe
2000	Ohnemidj.exe

Loads dropped DLL 50 IoCs

pid	Process
2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
2088	Mbkkepio.exe
2088	Mbkkepio.exe
2224	Mdigakic.exe
2224	Mdigakic.exe
2916	Mnakjaoc.exe
2916	Mnakjaoc.exe
2284	Mdkcgk32.exe
2284	Mdkcgk32.exe
2788	Nbodpo32.exe
2788	Nbodpo32.exe
2628	Ndnplk32.exe
2628	Ndnplk32.exe
2668	Nbaafocg.exe
2668	Nbaafocg.exe
880	Nccmng32.exe
880	Nccmng32.exe
276	Nnhakp32.exe
276	Nnhakp32.exe
2948	Nqgngk32.exe
2948	Nqgngk32.exe
1304	Njobpa32.exe
1304	Njobpa32.exe
2872	Nqijmkfm.exe
2872	Nqijmkfm.exe
2116	Nffcebdd.exe
2116	Nffcebdd.exe
820	Nmpkal32.exe
820	Nmpkal32.exe
1748	Ncjcnfcn.exe
1748	Ncjcnfcn.exe
2236	Nfhpjaba.exe
2236	Nfhpjaba.exe
2268	Olehbh32.exe
2268	Olehbh32.exe
1384	Oclpdf32.exe
1384	Oclpdf32.exe
2108	Oenmkngi.exe
2108	Oenmkngi.exe
1468	Omddmkhl.exe
1468	Omddmkhl.exe
940	Onfadc32.exe
940	Onfadc32.exe
1108	Ofmiea32.exe
1108	Ofmiea32.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnhakp32.exe	Nccmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhakp32.exe	Nccmng32.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Onfadc32.exe	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Mbkkepio.exe	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
File created	C:\Windows\SysWOW64\Bghlof32.dll	Mbkkepio.exe
File opened for modification	C:\Windows\SysWOW64\Mnakjaoc.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Khggofme.dll	Njobpa32.exe
File created	C:\Windows\SysWOW64\Hpamlo32.dll	Olehbh32.exe
File created	C:\Windows\SysWOW64\Gobhkhgi.dll	Oenmkngi.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofmiea32.exe
File created	C:\Windows\SysWOW64\Ihfmfdjf.dll	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
File created	C:\Windows\SysWOW64\Nccmng32.exe	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Gnhfacfn.dll	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Idomll32.dll	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Pfiffp32.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Dgcdjk32.dll	Mdigakic.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Nbodpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Imfkindn.dll	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Oclpdf32.exe	Olehbh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Nbodpo32.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Nbodpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpkal32.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Nqijmkfm.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Nqijmkfm.exe
File opened for modification	C:\Windows\SysWOW64\Oenmkngi.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Ofmiea32.exe	Onfadc32.exe
File created	C:\Windows\SysWOW64\Hdfjnimm.dll	Onfadc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdigakic.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Mnakjaoc.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Nmjkbjpm.dll	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkcgk32.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Jceahq32.dll	Nqgngk32.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Lpjgehii.dll	Nccmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nqgngk32.exe	Nnhakp32.exe
File created	C:\Windows\SysWOW64\Njobpa32.exe	Nqgngk32.exe
File created	C:\Windows\SysWOW64\Nfhpjaba.exe	Ncjcnfcn.exe
File opened for modification	C:\Windows\SysWOW64\Olehbh32.exe	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Jligibpk.dll	Oclpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbodpo32.exe	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Nqgngk32.exe	Nnhakp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Nbodpo32.exe	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Depojmnb.dll	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Nmpkal32.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbaafocg.exe	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Jgjgfacn.dll	Omddmkhl.exe
File opened for modification	C:\Windows\SysWOW64\Mbkkepio.exe	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
File opened for modification	C:\Windows\SysWOW64\Njobpa32.exe	Nqgngk32.exe
File opened for modification	C:\Windows\SysWOW64\Onfadc32.exe	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Olehbh32.exe	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Oclpdf32.exe	Olehbh32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File created	C:\Windows\SysWOW64\Mdigakic.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Jbkicgjf.dll	Mnakjaoc.exe
File opened for modification	C:\Windows\SysWOW64\Nccmng32.exe	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Omddmkhl.exe	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Mdkcgk32.exe	Mnakjaoc.exe
File opened for modification	C:\Windows\SysWOW64\Nfhpjaba.exe	Ncjcnfcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	2000	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omddmkhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdkcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nccmng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oenmkngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdigakic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbodpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfhpjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfadc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkkepio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqgngk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmiea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpamlo32.dll"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oenmkngi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkicgjf.dll"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqgngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghlof32.dll"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onfadc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll"	Nccmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhkhgi.dll"	Oenmkngi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjgfacn.dll"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olehbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqgngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfmfdjf.dll"	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfiffp32.dll"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhfacfn.dll"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjcnfcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2088	2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe	29
PID 2552 wrote to memory of 2088	2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe	29
PID 2552 wrote to memory of 2088	2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe	29
PID 2552 wrote to memory of 2088	2552	7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe	29
PID 2088 wrote to memory of 2224	2088	Mbkkepio.exe	30
PID 2088 wrote to memory of 2224	2088	Mbkkepio.exe	30
PID 2088 wrote to memory of 2224	2088	Mbkkepio.exe	30
PID 2088 wrote to memory of 2224	2088	Mbkkepio.exe	30
PID 2224 wrote to memory of 2916	2224	Mdigakic.exe	31
PID 2224 wrote to memory of 2916	2224	Mdigakic.exe	31
PID 2224 wrote to memory of 2916	2224	Mdigakic.exe	31
PID 2224 wrote to memory of 2916	2224	Mdigakic.exe	31
PID 2916 wrote to memory of 2284	2916	Mnakjaoc.exe	32
PID 2916 wrote to memory of 2284	2916	Mnakjaoc.exe	32
PID 2916 wrote to memory of 2284	2916	Mnakjaoc.exe	32
PID 2916 wrote to memory of 2284	2916	Mnakjaoc.exe	32
PID 2284 wrote to memory of 2788	2284	Mdkcgk32.exe	33
PID 2284 wrote to memory of 2788	2284	Mdkcgk32.exe	33
PID 2284 wrote to memory of 2788	2284	Mdkcgk32.exe	33
PID 2284 wrote to memory of 2788	2284	Mdkcgk32.exe	33
PID 2788 wrote to memory of 2628	2788	Nbodpo32.exe	34
PID 2788 wrote to memory of 2628	2788	Nbodpo32.exe	34
PID 2788 wrote to memory of 2628	2788	Nbodpo32.exe	34
PID 2788 wrote to memory of 2628	2788	Nbodpo32.exe	34
PID 2628 wrote to memory of 2668	2628	Ndnplk32.exe	35
PID 2628 wrote to memory of 2668	2628	Ndnplk32.exe	35
PID 2628 wrote to memory of 2668	2628	Ndnplk32.exe	35
PID 2628 wrote to memory of 2668	2628	Ndnplk32.exe	35
PID 2668 wrote to memory of 880	2668	Nbaafocg.exe	36
PID 2668 wrote to memory of 880	2668	Nbaafocg.exe	36
PID 2668 wrote to memory of 880	2668	Nbaafocg.exe	36
PID 2668 wrote to memory of 880	2668	Nbaafocg.exe	36
PID 880 wrote to memory of 276	880	Nccmng32.exe	37
PID 880 wrote to memory of 276	880	Nccmng32.exe	37
PID 880 wrote to memory of 276	880	Nccmng32.exe	37
PID 880 wrote to memory of 276	880	Nccmng32.exe	37
PID 276 wrote to memory of 2948	276	Nnhakp32.exe	38
PID 276 wrote to memory of 2948	276	Nnhakp32.exe	38
PID 276 wrote to memory of 2948	276	Nnhakp32.exe	38
PID 276 wrote to memory of 2948	276	Nnhakp32.exe	38
PID 2948 wrote to memory of 1304	2948	Nqgngk32.exe	39
PID 2948 wrote to memory of 1304	2948	Nqgngk32.exe	39
PID 2948 wrote to memory of 1304	2948	Nqgngk32.exe	39
PID 2948 wrote to memory of 1304	2948	Nqgngk32.exe	39
PID 1304 wrote to memory of 2872	1304	Njobpa32.exe	40
PID 1304 wrote to memory of 2872	1304	Njobpa32.exe	40
PID 1304 wrote to memory of 2872	1304	Njobpa32.exe	40
PID 1304 wrote to memory of 2872	1304	Njobpa32.exe	40
PID 2872 wrote to memory of 2116	2872	Nqijmkfm.exe	41
PID 2872 wrote to memory of 2116	2872	Nqijmkfm.exe	41
PID 2872 wrote to memory of 2116	2872	Nqijmkfm.exe	41
PID 2872 wrote to memory of 2116	2872	Nqijmkfm.exe	41
PID 2116 wrote to memory of 820	2116	Nffcebdd.exe	42
PID 2116 wrote to memory of 820	2116	Nffcebdd.exe	42
PID 2116 wrote to memory of 820	2116	Nffcebdd.exe	42
PID 2116 wrote to memory of 820	2116	Nffcebdd.exe	42
PID 820 wrote to memory of 1748	820	Nmpkal32.exe	43
PID 820 wrote to memory of 1748	820	Nmpkal32.exe	43
PID 820 wrote to memory of 1748	820	Nmpkal32.exe	43
PID 820 wrote to memory of 1748	820	Nmpkal32.exe	43
PID 1748 wrote to memory of 2236	1748	Ncjcnfcn.exe	44
PID 1748 wrote to memory of 2236	1748	Ncjcnfcn.exe	44
PID 1748 wrote to memory of 2236	1748	Ncjcnfcn.exe	44
PID 1748 wrote to memory of 2236	1748	Ncjcnfcn.exe	44

C:\Users\Admin\AppData\Local\Temp\7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe
"C:\Users\Admin\AppData\Local\Temp\7da9107e7a9ee77f59b66516a10f998c2b9732fb95dc45554c7af06b74dd0934N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Mbkkepio.exe
  C:\Windows\system32\Mbkkepio.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Mdigakic.exe
    C:\Windows\system32\Mdigakic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\Mnakjaoc.exe
      C:\Windows\system32\Mnakjaoc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Mdkcgk32.exe
        
        C:\Windows\system32\Mdkcgk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Nbodpo32.exe
        
        C:\Windows\system32\Nbodpo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nccmng32.exe
        
        C:\Windows\system32\Nccmng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Nnhakp32.exe
        
        C:\Windows\system32\Nnhakp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\Nqgngk32.exe
        
        C:\Windows\system32\Nqgngk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Nfhpjaba.exe
        
        C:\Windows\system32\Nfhpjaba.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Olehbh32.exe
        
        C:\Windows\system32\Olehbh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Oclpdf32.exe
        
        C:\Windows\system32\Oclpdf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Oenmkngi.exe
        
        C:\Windows\system32\Oenmkngi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Omddmkhl.exe
        
        C:\Windows\system32\Omddmkhl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Onfadc32.exe
        
        C:\Windows\system32\Onfadc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Ofmiea32.exe
        
        C:\Windows\system32\Ofmiea32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbkkepio.exe

Filesize
96KB

MD5
4f0c641cc8317636c5e3b2a3d8b2202f

SHA1
131eddb7306c9f789f6f86df63683423cd81f8ed

SHA256
740c609f466b2c73f02cf74cd6a8436147cba6cde2f93add12a0b4a00bf4db76

SHA512
8d02a740e15eff4d790a99ad3524e4735710fc3f0b5722c66225d37bfcc4244b4aa6409faa86b610203589a7fcb4d6ddf77c943cb02dcc49ea7a077c0930d637

Download Submit
C:\Windows\SysWOW64\Mdkcgk32.exe

Filesize
96KB

MD5
cd27d74573219e3daf1dab2938456b7f

SHA1
8a46339e19328c099f4e4c31f80c8444051bb8b2

SHA256
719072f1ff4dc493547d66234283dc2d8b1a0b8e601bc3a6dc583c701818a957

SHA512
2dbcfffcc16e6f508f1571ecd81ce2898c18b157aacd465c84ffc7c276462cb51953f17a58a03156fada8c71063339547533de53a6d05f6a174652106d2b1b16

Download Submit
C:\Windows\SysWOW64\Nccmng32.exe

Filesize
96KB

MD5
61bcb6ae477a968b35013ed07a979426

SHA1
c98980577d61d7b35940f813f6b8d1d2874315fd

SHA256
54237ed82f5a75b9b5486903a2841f066bb4b3872a2d331966fdfd23cfeafe87

SHA512
bb8a1e655d8f3cb96aafe53756645d3a17be51381d3e7a838430bd4097763e1eb034cda577a432bdacd8288983684a7600c39dd80ccbda6368990cd193b2e4d4

Download Submit
C:\Windows\SysWOW64\Ndnplk32.exe

Filesize
96KB

MD5
a1e5e77ca8a6ba46b8f2445163b1bb6f

SHA1
f999d0d5a86a32dd5bf90cfd34a3a98bee5847f8

SHA256
6b103a270acdb2abefe6bfe30f2d917cd62e4560d076fb5a93a9db0a65f619e8

SHA512
f060a2f737418de4dcb327c3ff017c4299b0904c542f7715a5ba15c5e33ff46d0e1b5074678233e33804870806e7dbce1df397719d52acf448cfb39130a94454

Download Submit
C:\Windows\SysWOW64\Oclpdf32.exe

Filesize
96KB

MD5
ab803184e19651f3830327c6355d45ec

SHA1
ab46f9418ca46bb43e040e9a8cf27e64ccb1db3b

SHA256
27414849536ecb288f1b6631cec2a21108fbcbac8eba43a8c03e0e988219467b

SHA512
c41aa8464e208c46b28fc322a07206bbdc8fb15edd7c7d6e5b0ff22b66943a4150c06ccfec958bee1399d5c0bcede09ddd4a674458f3b69b9cd063b34e82bf3e

Download Submit
C:\Windows\SysWOW64\Oenmkngi.exe

Filesize
96KB

MD5
b20d4988267f376bb5121b98f5519fc0

SHA1
8b42c98f18edc76cd760de487a2be0048c5b648d

SHA256
62fdf217c2a2153ae682fc7546f4cd18053e8148aabb363f6261e4519b018932

SHA512
7d588be5a6fd6ea67808bb2f3179d436659869f1e7acc57c02ac140b4245a80bf7e8ccc02ff61ea68981dc903cef843b8e8c10cd4318a2d148ca500716114b18

Download Submit
C:\Windows\SysWOW64\Ofmiea32.exe

Filesize
96KB

MD5
fe98db9527e6993b6ad9d83f269b1caf

SHA1
217c4ebe16aea57dec6c51a0ffbc3ce94248a001

SHA256
d879d7bd578c1362ed355e6ad3c224b2f600339d1260080413243f93a2ece651

SHA512
a4bca04fb85d7a3db61af43327f34ecf0e23f8d509a768995d6c023fb709d4ecb9d71302bd9080018d9ca4df627da060e07932c6959d20f3be1d3fd44124c384

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
96KB

MD5
bdebd3c511e8f2fbd43f6d93c62fc095

SHA1
914f44f6daaff8b9e717a845457c56dddc6713cd

SHA256
b756b7a1d8e29fb0c7737ce780d38989d70847a28de790efe1329015f4fe3704

SHA512
bf446ca9834f0516f137f1c7c0bed7a34fe63d56ea247aec03f038a810eeb29ab5bf64e3b9ef7c0b7c8c5e7a1ef376453a65aef9f4c451dd1f085ede7b79d24b

Download Submit
C:\Windows\SysWOW64\Olehbh32.exe

Filesize
96KB

MD5
fdcd8ad64fcf626d5e5757e7072c2b36

SHA1
621e34c587798964b1803c178e9340a467ac07c9

SHA256
7d65638817f7c3a4c8b25a198dca0a7f2daf22c6ee5a9e9132cc21e764e77e18

SHA512
b6d6df04a7471bf5a9e17e22516cc2ea8ad4afd4a91177f4f82f69979e592c9abc9f68c34e400f129fc8dcda86e0c529a8bee503b79a3303370b5934240374d7

Download Submit
C:\Windows\SysWOW64\Omddmkhl.exe

Filesize
96KB

MD5
689d525059aeffd1d92f87f7ac127e25

SHA1
63097e64fc10f07618cdaab017c8f06112527918

SHA256
34775f85d24ee6f8e59cba030a6058ca0032183bb4b55a9732a0964af48a9449

SHA512
bf3d1814656f0d998d7db59aa431502ef50a8b946857b177163f6c1d698d85f2a592aa41f78f2010651cc5a2555f124e61cb917757570b05e1efc4d72589844b

Download Submit
C:\Windows\SysWOW64\Onfadc32.exe

Filesize
96KB

MD5
9a712043217ed08dd9e471d8f195939a

SHA1
72efb45b4ec18c116347c8772403fa52af5c0564

SHA256
4c0b209f6ba7589c5735d592abbe06afd353048a7a6b2eb9693a494991a2afe1

SHA512
37683b935f892cc417e081dfad962c5d0e80fca8a28353a46fb57808e2b3f050abd75eeb95b20429782ce6e54000008ea0f0f5cc164d312c8a90f09c664407d1

Download Submit
\Windows\SysWOW64\Mdigakic.exe

Filesize
96KB

MD5
82f2f3567d7ffa27b405a76f8740ac87

SHA1
ea17c5d1f42ca63ca6fac821ca7f4619ab1f6673

SHA256
fc1685d79180cb42c68a2967137522bcc2caa2336e850e29afcc9e02b53875ea

SHA512
43b7d18b7e0dc1ba484c4e3991413efd9c95eef977cfb1225fadf0995f9099a413e0a896d12b832e9cf2b5f2c8edfb542991cbf3eb32536e934eae129ce5d9ac

Download Submit
\Windows\SysWOW64\Mnakjaoc.exe

Filesize
96KB

MD5
d34774d6aa114a8f5e9f77afd1931e8d

SHA1
a9b0b0ee20afb851823d11488b317b7fd05f82f4

SHA256
9a061af57e945bc54f75325fa78734750fb6d45d504c02dcfe422132255ba065

SHA512
65b2cc3aa6193e75576d46d975b3963b6ae4b6883e1a5932d01a433c378bdc4eb0305617fc62d704859e5224637cec6bf7ea7426cc25bd6f6655c85d68a3c6fb

Download Submit
\Windows\SysWOW64\Nbaafocg.exe

Filesize
96KB

MD5
2a17b1036cab2f718ff3ff456516389e

SHA1
b0244737bb50ff5abbcf5273a90a68eba47a8cf7

SHA256
0283148afc0e903746b01b8073cc666ec178b771653a09604c376f27c0887501

SHA512
ef07b16397b0abc1d911293c8c03c7e774568bff28424576fd0e4bde27e70053a776a06fa64812ab200cd710aa5bbd09287d650219291a301de3c4079ed8b8ea

Download Submit
\Windows\SysWOW64\Nbodpo32.exe

Filesize
96KB

MD5
336239142dd82490e5d869c7078a01c1

SHA1
26b2b419e6109745a3619156a9258b3988bee9dc

SHA256
59908f1a8024b77f5c6310424deee96c1426e5fb2f81957b756f64935a1df5ec

SHA512
f45e8e654caec0dcca63bdea1e200b34f660ee3fa162e9fe33c006b338001c56fdcbefe4cbbb2269fc68e74814dfa71e243f3b058ce3fc73ae75191a746975f4

Download Submit
\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
96KB

MD5
7249a8f9c232cac9a3494637a2a7348b

SHA1
10dd317b67673a10414ffb4b95d6c2596a0eb505

SHA256
a19ebc3762756db355254c71171189b54710cc58ac4d1331d33c06f87227c888

SHA512
8a71b8f09a5041c58d3ca700f1f9e6e47ef97bd01e891130bb0d4bdc444a36c481972929f2d8dbf0b49c50095e41f399dc9e188b63584ef42711b535422e9740

Download Submit
\Windows\SysWOW64\Nffcebdd.exe

Filesize
96KB

MD5
7f1ba26224fafa63dfcb3edcfdfaca67

SHA1
e297c9681c8bde7fe8ea49759584549031f77d95

SHA256
9b6bcc53bc8a7baaf39f7a80b5a55ccf2f8467542129dab5aa8c03223a680c7d

SHA512
f42a7158e2b5d7eff6cc3685ec919dbdc8da11a1250f18c9591ff0e2b88356e4ffbd790fc914bfaad7999effccdad0148e13cdae10ae2a97da6ed45cd57c76e5

Download Submit
\Windows\SysWOW64\Nfhpjaba.exe

Filesize
96KB

MD5
348c409bea9649049c1b5a29b5e14d97

SHA1
7414cb4f3d2db84653b7ab3554ae957cabb8af2e

SHA256
67b078b1eed895f5585b9dbef65ccdcd1825aa52761dd42b1514cb786c8fc768

SHA512
6f5b38684e96d8811d01fdbdd4ddba5d2cd7fa88bb2c740430f966f1ec135ed5921ad82485f2834112a9bb58800776018cab47f19750a51309a8fcc09666f4fe

Download Submit
\Windows\SysWOW64\Njobpa32.exe

Filesize
96KB

MD5
df652a59cd61326438920d9fe0097548

SHA1
ff2edad8e668e3e82820daac2f96ba0b1f7e5670

SHA256
d6d575f15c9642ce22aa259471927057d5413a58a8ceac6220e85038c91ac933

SHA512
ea9a288598835a385d3a732f4248c57dae415d4e04f82fcdf2c6a0deb3f1ef779483ecd3a3b9bab39cdbe3fd638b9bb659095c10931ae5b212f3d4dc1f74f0c6

Download Submit
\Windows\SysWOW64\Nmpkal32.exe

Filesize
96KB

MD5
d7943647b6e7b12da7cf892672c98883

SHA1
0b92536854612a803dfe17c9aa8002b6c4c98637

SHA256
9098a30bd5204007d9a5ca88fa0e9718824af142bf729ec8903038f274e2cdd3

SHA512
1c58a30f06d49b73955b3333946c15ddeed974d21c53eae807d9a4d2e94af54a641cef0b93a43078f221fffb8cb0a63d71b87b4e3aac54fceecf2075fc068c34

Download Submit
\Windows\SysWOW64\Nnhakp32.exe

Filesize
96KB

MD5
d65587b2de580102cbb5a8f1e1ff45a2

SHA1
d9b0771319bdb51dae15d957e88c9521771930cb

SHA256
152b952de3d9ce578083e667045d05971d59db0973dcc55922ee27b6a31f45f0

SHA512
67c63459dfdc22e1fc6ab220d1d1e72c13cd2c53713bf09a345e74ab819f9b99d6327d6f5c9c00e1d4d1b3937dc3c54dc7cb74a8044f880b5a5e779335a11664

Download Submit
\Windows\SysWOW64\Nqgngk32.exe

Filesize
96KB

MD5
505f20960557693571314e10f4334421

SHA1
df7f7bca7de1462759e12f5cb44f8279c9955015

SHA256
dbe5f0a1c752adcf0d5ce3104364d5eca119b3353a7c4cde0aeb7657d93bde76

SHA512
0deaa2677cd597eca8a076113b67f8d7d023b4c882cf877b3b414e6ab43ea87baa46bfce0dcb6d05d5f205e87a20324d5ab95a59811c0473d13a334469b1fef6

Download Submit
\Windows\SysWOW64\Nqijmkfm.exe

Filesize
96KB

MD5
ff6b5db201146c68b9a501e917cec858

SHA1
b9438ff91b30a4177386aca666c5fb8689296448

SHA256
751fa38ff5b5e59ab7d022d423d13cae1149d0a62c0c004139fb8061bb83aca6

SHA512
d40131a006ffdede523a711b77baf49ba0ab09892f2991681dfde223db4628f0e033ebed4a7ef5b7ef7717597d8060559eb838697da8bfa3f55ecb0f620bed43

Download Submit
memory/276-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-191-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/820-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-114-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/880-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1468-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-258-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1468-254-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1748-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-32-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2088-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-40-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2224-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-217-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2236-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2552-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-13-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2628-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-87-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2668-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-166-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2872-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-140-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads