berbew | 305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Size

337KB
MD5

d9c89afa6f32c2b7f746917527da2049
SHA1

1067839ed2898b32fbb1221ef5af5538fd013c76
SHA256

305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40
SHA512

8029340d44af5e77326dadd32090386a325d953ebfacae2894cd8ac7764dca86deaca8a2070716ed77e5efdf340ff92d8e9d988cca60acfe5e8ed2263b75f5aa
SSDEEP

3072:u7gbggW4fNxa9Is8igYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:u7UggW4lsH8i1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhpejbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camnge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dochelmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjhckg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 24 IoCs

pid	Process
2804	Bojipjcj.exe
2552	Bdfahaaa.exe
2440	Camnge32.exe
2588	Cjhckg32.exe
1508	Ckhpejbf.exe
2904	Cgnpjkhj.exe
1228	Cfcmlg32.exe
2636	Ccgnelll.exe
2896	Donojm32.exe
2856	Dhgccbhp.exe
2312	Dhiphb32.exe
792	Dochelmj.exe
1780	Dbdagg32.exe
1776	Dnjalhpp.exe
932	Ecgjdong.exe
2188	Eqkjmcmq.exe
2136	Ejcofica.exe
1644	Epqgopbi.exe
2928	Eepmlf32.exe
1564	Elieipej.exe
2352	Einebddd.exe
1328	Fllaopcg.exe
872	Fipbhd32.exe
2696	Flnndp32.exe

Loads dropped DLL 52 IoCs

pid	Process
2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
2804	Bojipjcj.exe
2804	Bojipjcj.exe
2552	Bdfahaaa.exe
2552	Bdfahaaa.exe
2440	Camnge32.exe
2440	Camnge32.exe
2588	Cjhckg32.exe
2588	Cjhckg32.exe
1508	Ckhpejbf.exe
1508	Ckhpejbf.exe
2904	Cgnpjkhj.exe
2904	Cgnpjkhj.exe
1228	Cfcmlg32.exe
1228	Cfcmlg32.exe
2636	Ccgnelll.exe
2636	Ccgnelll.exe
2896	Donojm32.exe
2896	Donojm32.exe
2856	Dhgccbhp.exe
2856	Dhgccbhp.exe
2312	Dhiphb32.exe
2312	Dhiphb32.exe
792	Dochelmj.exe
792	Dochelmj.exe
1780	Dbdagg32.exe
1780	Dbdagg32.exe
1776	Dnjalhpp.exe
1776	Dnjalhpp.exe
932	Ecgjdong.exe
932	Ecgjdong.exe
2188	Eqkjmcmq.exe
2188	Eqkjmcmq.exe
2136	Ejcofica.exe
2136	Ejcofica.exe
1644	Epqgopbi.exe
1644	Epqgopbi.exe
2928	Eepmlf32.exe
2928	Eepmlf32.exe
1564	Elieipej.exe
1564	Elieipej.exe
2352	Einebddd.exe
2352	Einebddd.exe
1328	Fllaopcg.exe
1328	Fllaopcg.exe
872	Fipbhd32.exe
872	Fipbhd32.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckinbali.dll	Cjhckg32.exe
File created	C:\Windows\SysWOW64\Dochelmj.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Dnjalhpp.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Bdfahaaa.exe	Bojipjcj.exe
File opened for modification	C:\Windows\SysWOW64\Cfcmlg32.exe	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Ojdlmb32.dll	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhpejbf.exe	Cjhckg32.exe
File created	C:\Windows\SysWOW64\Jlpfci32.dll	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Dochelmj.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fllaopcg.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Camnge32.exe	Bdfahaaa.exe
File opened for modification	C:\Windows\SysWOW64\Dbdagg32.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Ejcofica.exe	Eqkjmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Einebddd.exe	Elieipej.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Fllaopcg.exe
File opened for modification	C:\Windows\SysWOW64\Ccgnelll.exe	Cfcmlg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Donojm32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bojipjcj.exe	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
File created	C:\Windows\SysWOW64\Akpcdopi.dll	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
File created	C:\Windows\SysWOW64\Ckhpejbf.exe	Cjhckg32.exe
File created	C:\Windows\SysWOW64\Qaemlqhb.dll	Cgnpjkhj.exe
File opened for modification	C:\Windows\SysWOW64\Dhiphb32.exe	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Cgnpjkhj.exe	Ckhpejbf.exe
File created	C:\Windows\SysWOW64\Egbigm32.dll	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Donojm32.exe
File created	C:\Windows\SysWOW64\Dbdagg32.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Diaalggp.dll	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Cfcmlg32.exe	Cgnpjkhj.exe
File opened for modification	C:\Windows\SysWOW64\Dnjalhpp.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnpjkhj.exe	Ckhpejbf.exe
File opened for modification	C:\Windows\SysWOW64\Donojm32.exe	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Einebddd.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Fllaopcg.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Camnge32.exe	Bdfahaaa.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Elieipej.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Eepmlf32.exe	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Eepmlf32.exe	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Bdfahaaa.exe	Bojipjcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjhckg32.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Dnknlm32.dll	Camnge32.exe
File created	C:\Windows\SysWOW64\Ikggmnae.dll	Donojm32.exe
File created	C:\Windows\SysWOW64\Jjghbbmo.dll	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Einebddd.exe
File created	C:\Windows\SysWOW64\Lgdojnle.dll	Bojipjcj.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Jacgio32.dll	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Oamcoejo.dll	Dochelmj.exe
File created	C:\Windows\SysWOW64\Gkbokl32.dll	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fllaopcg.exe
File opened for modification	C:\Windows\SysWOW64\Ejcofica.exe	Eqkjmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Epqgopbi.exe	Ejcofica.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Ejcofica.exe
File created	C:\Windows\SysWOW64\Nelafe32.dll	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Ccgnelll.exe	Cfcmlg32.exe
File created	C:\Windows\SysWOW64\Ihbldk32.dll	Cfcmlg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	2696	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dochelmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camnge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcmlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bojipjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhckg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhpejbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelafe32.dll"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll"	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckinbali.dll"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjhckg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdlmb32.dll"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaemlqhb.dll"	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikggmnae.dll"	Donojm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejcofica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdojnle.dll"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll"	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhpejbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjghbbmo.dll"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dochelmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpcdopi.dll"	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Elieipej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2804	2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe	30
PID 2652 wrote to memory of 2804	2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe	30
PID 2652 wrote to memory of 2804	2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe	30
PID 2652 wrote to memory of 2804	2652	305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe	30
PID 2804 wrote to memory of 2552	2804	Bojipjcj.exe	31
PID 2804 wrote to memory of 2552	2804	Bojipjcj.exe	31
PID 2804 wrote to memory of 2552	2804	Bojipjcj.exe	31
PID 2804 wrote to memory of 2552	2804	Bojipjcj.exe	31
PID 2552 wrote to memory of 2440	2552	Bdfahaaa.exe	32
PID 2552 wrote to memory of 2440	2552	Bdfahaaa.exe	32
PID 2552 wrote to memory of 2440	2552	Bdfahaaa.exe	32
PID 2552 wrote to memory of 2440	2552	Bdfahaaa.exe	32
PID 2440 wrote to memory of 2588	2440	Camnge32.exe	33
PID 2440 wrote to memory of 2588	2440	Camnge32.exe	33
PID 2440 wrote to memory of 2588	2440	Camnge32.exe	33
PID 2440 wrote to memory of 2588	2440	Camnge32.exe	33
PID 2588 wrote to memory of 1508	2588	Cjhckg32.exe	34
PID 2588 wrote to memory of 1508	2588	Cjhckg32.exe	34
PID 2588 wrote to memory of 1508	2588	Cjhckg32.exe	34
PID 2588 wrote to memory of 1508	2588	Cjhckg32.exe	34
PID 1508 wrote to memory of 2904	1508	Ckhpejbf.exe	35
PID 1508 wrote to memory of 2904	1508	Ckhpejbf.exe	35
PID 1508 wrote to memory of 2904	1508	Ckhpejbf.exe	35
PID 1508 wrote to memory of 2904	1508	Ckhpejbf.exe	35
PID 2904 wrote to memory of 1228	2904	Cgnpjkhj.exe	36
PID 2904 wrote to memory of 1228	2904	Cgnpjkhj.exe	36
PID 2904 wrote to memory of 1228	2904	Cgnpjkhj.exe	36
PID 2904 wrote to memory of 1228	2904	Cgnpjkhj.exe	36
PID 1228 wrote to memory of 2636	1228	Cfcmlg32.exe	37
PID 1228 wrote to memory of 2636	1228	Cfcmlg32.exe	37
PID 1228 wrote to memory of 2636	1228	Cfcmlg32.exe	37
PID 1228 wrote to memory of 2636	1228	Cfcmlg32.exe	37
PID 2636 wrote to memory of 2896	2636	Ccgnelll.exe	38
PID 2636 wrote to memory of 2896	2636	Ccgnelll.exe	38
PID 2636 wrote to memory of 2896	2636	Ccgnelll.exe	38
PID 2636 wrote to memory of 2896	2636	Ccgnelll.exe	38
PID 2896 wrote to memory of 2856	2896	Donojm32.exe	39
PID 2896 wrote to memory of 2856	2896	Donojm32.exe	39
PID 2896 wrote to memory of 2856	2896	Donojm32.exe	39
PID 2896 wrote to memory of 2856	2896	Donojm32.exe	39
PID 2856 wrote to memory of 2312	2856	Dhgccbhp.exe	40
PID 2856 wrote to memory of 2312	2856	Dhgccbhp.exe	40
PID 2856 wrote to memory of 2312	2856	Dhgccbhp.exe	40
PID 2856 wrote to memory of 2312	2856	Dhgccbhp.exe	40
PID 2312 wrote to memory of 792	2312	Dhiphb32.exe	41
PID 2312 wrote to memory of 792	2312	Dhiphb32.exe	41
PID 2312 wrote to memory of 792	2312	Dhiphb32.exe	41
PID 2312 wrote to memory of 792	2312	Dhiphb32.exe	41
PID 792 wrote to memory of 1780	792	Dochelmj.exe	42
PID 792 wrote to memory of 1780	792	Dochelmj.exe	42
PID 792 wrote to memory of 1780	792	Dochelmj.exe	42
PID 792 wrote to memory of 1780	792	Dochelmj.exe	42
PID 1780 wrote to memory of 1776	1780	Dbdagg32.exe	43
PID 1780 wrote to memory of 1776	1780	Dbdagg32.exe	43
PID 1780 wrote to memory of 1776	1780	Dbdagg32.exe	43
PID 1780 wrote to memory of 1776	1780	Dbdagg32.exe	43
PID 1776 wrote to memory of 932	1776	Dnjalhpp.exe	44
PID 1776 wrote to memory of 932	1776	Dnjalhpp.exe	44
PID 1776 wrote to memory of 932	1776	Dnjalhpp.exe	44
PID 1776 wrote to memory of 932	1776	Dnjalhpp.exe	44
PID 932 wrote to memory of 2188	932	Ecgjdong.exe	45
PID 932 wrote to memory of 2188	932	Ecgjdong.exe	45
PID 932 wrote to memory of 2188	932	Ecgjdong.exe	45
PID 932 wrote to memory of 2188	932	Ecgjdong.exe	45

C:\Users\Admin\AppData\Local\Temp\305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe
"C:\Users\Admin\AppData\Local\Temp\305f055ba5510b503dbb010efca22d08b479e847f089f9da969f33f24660ef40.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\Bojipjcj.exe
  C:\Windows\system32\Bojipjcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Bdfahaaa.exe
    C:\Windows\system32\Bdfahaaa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\Camnge32.exe
      C:\Windows\system32\Camnge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\Cjhckg32.exe
        
        C:\Windows\system32\Cjhckg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\Ckhpejbf.exe
        
        C:\Windows\system32\Ckhpejbf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Cfcmlg32.exe
        
        C:\Windows\system32\Cfcmlg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bojipjcj.exe

Filesize
337KB

MD5
eb3417a3726c6a2394828aff12bc4be9

SHA1
bc0419b466fc686e1a73bf6b06976a6e9b7c3cf7

SHA256
5a1c45da7b86b131dc53fe9182a520d9834be09c624699753ac85b0d2ba7d882

SHA512
3820cba10e40924fe85bc28cd23a11c8e9226f2dbb18ea1cbda39cab5346db43af65b596052c7aa9b990821cf4cc3bd4a46d06bcc986340c373f395c25a7da71

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
337KB

MD5
b6926766e4c38207f2846c664f698fab

SHA1
6c84ede562275853bd514a531efec9765077d3af

SHA256
ff67a5a6129a82641b15cba2d6e68245d12f60ae0224541895a23de19e55731f

SHA512
3172fc6335859f62506745af2eab41d737e8d3fa6333b55bf68dcc96d917ef1b994a22ec19058ede73302616fc1afe6a3ffcb2d1f57d65ac39f7e4c9b1b98cf8

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
337KB

MD5
b704ab3a2d1a8e1364402d9512370b93

SHA1
c7b8a1f40348812b68f0b78bc0295c997ecd88a6

SHA256
bc4bdd6fcf7f9f846997d6f5996c518af8b07e4b92ad338886febd39260f2751

SHA512
063ae32f96a22178ca83c63dd2aebadd6886ec9b854ed818dc4085008c840dcf23ee448abe6ed7c6cb75a6da8f0f751cb0ba052f73c75fbd3284d7130ccda491

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
337KB

MD5
15acce25df29122a87dd185510523ccb

SHA1
bf7fcd2ee5adad24e623b9962572a00710a1c175

SHA256
8427cc9f52a81f789c4512245c98ad63a523edd6e161bc7c1465cb8a1ad405d8

SHA512
1009c7e622961c5e3dc10a13f8323c2627a173747a6c1d83e43bff973eba7ec22b85ab7a90fe4715f09ddb12ba8f9e0ae40c47049124b5586a41870f7f7c4980

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
337KB

MD5
5cff51117d87460d1adf5d48146b7dc7

SHA1
3c17e10fb99e05186975a38b7a7578fceac517e7

SHA256
ef579f29696378ab8f1a4ab1cecd43841c358ceb74c624e117c7776e21ab3994

SHA512
4a6b219db047bcbf8a75c043e116484d20c8a7ef618c1b9d28155f20efcb5385d71eb0e69cfcb829ec19f57e078d201d38e14edbc742c9489c82c4e8b7af3138

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
337KB

MD5
8e1dfa1f421347ba8efa95d44e786b9a

SHA1
e66908e447d8cafef83d30e32fdcae791515e76e

SHA256
1531cee8be5c5013de7e9fff80d0a65cedd5f08e88a59404dd7a63d162506603

SHA512
f70771ae739ada328354c3ab7cd523da21c32b7e6cf752dbdd8e2811469d56856b2b6c21f45ae80df73cf39812e9b842a7821f88ff039a2c092b6a32b356e306

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
337KB

MD5
0281b35bbbacddb2024fb64a444603e0

SHA1
3b9c82421c0c6bdccf8695a0f73e276555cf3a23

SHA256
f387923859ae24e32fa97fbd1ebd62e011127a3688fb34124f6b315b0926ddd7

SHA512
80e0d7a288598035b0174c4495f3802996c6b19b79fad239cf0165db9b31efa315134a2be578783eba3922f48d711eab162ae28a3375535b0154ce9c394b8607

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
337KB

MD5
21729682c36556aa0ddffd4b2eebf8e9

SHA1
9f2363611b65e37213df473d052c899125a78fbc

SHA256
c0dcd301e61de41315feec8f94fde48a6e94e0438949f3df08060449c98172d4

SHA512
2cdb6c62bc44ec4d4a3fac776cebf0c6fc24aaba5509b5b4ef60a1e99fd02e6a40c52738d2cc4a9342bed6ddcd5a20427f1e981e060c5e1228a6ee612e066082

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
337KB

MD5
9160dc354a28282763c9f38e3c3aa50a

SHA1
c0c2f6d26715380826f4ede7a76d67cd22dce378

SHA256
edf5c31b008dee330ee908db79723b2f9a95583f021787be5081e8bb55d3f05f

SHA512
3b8b5e1e53ed2d24bd4835173ca615982abd6bce0654836367ae8e967ead337593e0326f7fd953de5024a511b8cb7219be011f5d9987e58a67bb0c410fe4d98a

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
337KB

MD5
be846732bc930396b2418e730eb4a017

SHA1
a05c54ee57e1508de7ed0a1959f983d2baa122a3

SHA256
79b91a767ee453b93c80bd67057c2b6a093dcde6a18852cb7f9de6ba7455571e

SHA512
326490e319057e245b3765bce4ff68a2d5ca894db5cdd8eb4b6ec1530831f9d2e9bd4568c018dd1482587daab9c458a7b3417f26fa698a6001e21de262f24541

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
337KB

MD5
ae6749e6ed762cdb2d20d6dd815a4d38

SHA1
57656edd8744cd9f80be62039ca095729f33b786

SHA256
a92e11b1b89b9cb4b9eeaeb8d3f7cf828ebc66cddd09ffaac7876fe9d219f5f7

SHA512
b8b1ff1f925c43bc220408fbcdfd9f406d8c0e7219762d8e87b4052d300950f0a78395b585cebb586823e35d3289bdc6f140b8b9e48cec033211ae01c123837f

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
337KB

MD5
8b6b205ce9eca81d47f0769152878e82

SHA1
81dd22837772d70c1e7c4f4133c3492b81c54a4c

SHA256
0a3d99ae2e161317805a9688e4ae1da43e086856ff2ec708d2a68474229d43a4

SHA512
ee21fb9b4accca47bb973f61c7a74737f442df3911ca33d295048fbbd3ef16c84cfa0cb864d3043c425bf6d8e8d7c9b4753b5816c5ad384eb0e99b9a03732210

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
337KB

MD5
0c0370da3ccda39a0cada636122c68e2

SHA1
5a38ec3c10b2041979a4b6dc9e52088c59e7b741

SHA256
1aca291bda9d76739981e8dd090417266d66036d0199b8fd0d0a1baf58233912

SHA512
b2fb0145e4fc9fdb17181fbacd88a7124e4b936f3bec4179f1f46990c974df874706b820fe9683c289bc35eb870c8aaefa6345d39524d0fd22194a1349bc34a0

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
337KB

MD5
2ea349524a1452088c1484c6494aeb1f

SHA1
acf20b41fef98c003f057a6c497ab4991b4812e2

SHA256
99b7ea9cc4789c95cde7263687466cde2b00714b8955d4797667e6f7e34da3f9

SHA512
12f6134d4b5b39fbae308721d0bc8932b9b4c08c542ef0b3ee4215d820cd7eb69d6accdbf8b18eb4a9db08b3118de319e5d3576b9e51af5b72e5575676ffeaff

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
337KB

MD5
b6e85e790974a3eedb8de838ed7a3a20

SHA1
734bfa7952a20154b24135471ae55dff9fc74e8b

SHA256
66e4ac008163c11427dabbff8dd58b2bbaafb33ce86012a4870aa1ad77f377f1

SHA512
2785266c9bda4013446e780227ee90ea9d5a52f682581bf161c03918eb23f9629dca97f271cff94890942ba1d74207e513b3d3dc38537f7307d9e3ba941760d4

Download Submit
\Windows\SysWOW64\Bdfahaaa.exe

Filesize
337KB

MD5
0b386b14830c72298caf23320ab57387

SHA1
6f8cbe7255774f0a854520bce711e52af723a84c

SHA256
ab8187a4a565de3178b3b58b42d29977f203eb8780511f56f289c0f7a6e0e0b2

SHA512
2892f1ffa613e0a664705db8c1aac7ea433925152101ea2d70589c2fc68d1688799927dc83baf1cd10e05bb48d769c2b83444242c34ffc30a33bae5f051f95df

Download Submit
\Windows\SysWOW64\Camnge32.exe

Filesize
337KB

MD5
033c17d37e6299c758e2781b98fe3920

SHA1
669fb8c396e9545cca356cc1e5c62abf76846c3d

SHA256
16c0181e864d0958a7b5cb5d13f89c3d409138a7d420be444f661c1c84741d8e

SHA512
11a615bae772da500e626d6d4d9a492097982155021889896605fe3f9a048b9d24af78f5395d3df739eea0e2c7465de12bf518fd077671ad76d443e67279005b

Download Submit
\Windows\SysWOW64\Cfcmlg32.exe

Filesize
337KB

MD5
1540a15781ce07c45b95c3eeb6c490c0

SHA1
89105426fd252cb98884ecc2930ffdb576e09a6a

SHA256
7f3ab0de91cafe088e64fc32cafc03dd15d913b9e42d3b3c183ff9f208536648

SHA512
a2ec35b6bba8fde2cf7b993895a5d6edc599734faf16389cac48fa038b8444263127f06bd75327be940afa27ca328a5b19efec16328982476debea0bb8eb7cfb

Download Submit
\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
337KB

MD5
1015f61d5cdf5956ad2bee673eef06e1

SHA1
1f71a8b2f37554130d48cceee87b0ff0f1314288

SHA256
7af93839cce4a9c468f4dc175e0ba85d3a0184a2a1db6c0f9947c5aa3542fbbb

SHA512
85a40101d39335f072a848aa7b60df3045ec1ebce09d979a5b1533f54257d434432774519796e6c115d22385536c5d2994753d8aa1dae36638779b2d1fb6e669

Download Submit
\Windows\SysWOW64\Cjhckg32.exe

Filesize
337KB

MD5
98618679a2f415a0838b20ce6a72f5c8

SHA1
a9cb7e7984180f0d8270e4b2161058ed77a68c66

SHA256
833ba76bb2d04a8d926cc05d472b25fddc7feb3e2bb3b3f9c118c5b8c3490445

SHA512
7f44d350d1c60b4000ef1fb918b748c246d9a2a7cf6ffbddf95129b99ed947841b15c035f7800b90931c893f9b6ea2b88c1ea9d5903ae01b9389ba306f974d54

Download Submit
\Windows\SysWOW64\Ckhpejbf.exe

Filesize
337KB

MD5
989d15b7d6817cd55ec6e167c43f1a3e

SHA1
e99d48cf95bdd454207d6995e21bd32293095a12

SHA256
6cdae8653a98876efe70cd07b99a088640c8c017a5feb715768de4480b05d13d

SHA512
d940a12d82cc76767aca3b189a464ea2c527fa23bbf1ed0c240b00e0a18f3662189bd81d8f11b8fa3b6112030dbbf3c6035b42412199ce189e68fa313c8425f5

Download Submit
\Windows\SysWOW64\Dbdagg32.exe

Filesize
337KB

MD5
6f826c651b3cf97951e422cfee45b0ed

SHA1
457998be3ede59404cc1b2dd25ed7c101f4114fd

SHA256
0ce3ad657daaef53d1d1521108bd3ead0439b2b75a7c334e911ea659228cc714

SHA512
3193ff40d84a2f9b9dd573c40b576d126d8e3bcad1d69b20d6e5d14ff2eb84c2008e0bc083291673f1bb13b175b1a2fa61c6127cc364ef7dcf30a2a9f9761294

Download Submit
\Windows\SysWOW64\Dhiphb32.exe

Filesize
337KB

MD5
a49701e495e7f87640ede5a7a60a309c

SHA1
ca8c25b53e98a3170850af5d6cc60220acec342d

SHA256
8f7fe30e28817a46d6d604fca2c7bc22f875064767b89118604d06867fa0e640

SHA512
3e20f0cae309eaec57cdc64990cab56cb9b3854d97e9ae075bffd7a45bc6682146fb09ab20f401506cb0d2451cd996b670a3000a7e7a4541bf5670f0a6e81516

Download Submit
\Windows\SysWOW64\Donojm32.exe

Filesize
337KB

MD5
1557af92f6ef72bdb620f7b3b8a29fa8

SHA1
4b2568c60cb6e7bfec1e31b80f084f297ade2a61

SHA256
5d0efc48400cb35c52adce3d3ff11717cc41d0b2d3d4944575c8a5e78c40b962

SHA512
419d5197f854a6b817126780d251d7f2d1d377f50a48a8aad9e153a03bf0767e1e65a19b9474353eeab2592164ee8517ad71470cc5fd3f69b65a27f835528b70

Download Submit
memory/792-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-174-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/872-301-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/872-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-302-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/932-221-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/932-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-216-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1228-109-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1228-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-291-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1328-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-81-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1564-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-271-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1644-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-252-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1776-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-202-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1776-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-193-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1780-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-242-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2136-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-168-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2352-281-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2352-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-49-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2552-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-36-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2552-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-65-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2588-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-119-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2636-124-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2652-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2652-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2652-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-27-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2804-26-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2804-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-151-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2896-137-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2896-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-91-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2904-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-262-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads