berbew | 6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990

Analysis

max time kernel
117s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Size

512KB
MD5

c01990f9b82a7bf88e3b8ac764902bd0
SHA1

e63ac620bb3fdd3b0fd470ccdd0a3168261a19e1
SHA256

6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990
SHA512

713945fbc9896def8515c0e06584302ee35f7f6b4e4bf75c62a27fbd9bd69c4cb5e730762fec38f5c9be228591614a52b9c5acb1663abe15051f9d4375094fc9
SSDEEP

6144:VDJAW8y1e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5f7wj7vK/uW:VDJAFkY660fIaDZkY660f8jTK/Xhdz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimjhnnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgbcfdmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Appbcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalhgogb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahpddmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oknhdjko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalhgogb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjgjpi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baclaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcpbik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfqlkfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keoabo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimjhnnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgbcfdmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miclhpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooggpiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oknhdjko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Appbcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpddmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baclaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nladco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooggpiek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nladco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfqlkfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjgjpi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mecglbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mecglbfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miclhpjp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 24 IoCs

pid	Process
908	Keoabo32.exe
2756	Kimjhnnl.exe
2104	Lalhgogb.exe
3032	Mecglbfl.exe
2996	Mgbcfdmo.exe
1796	Miclhpjp.exe
1268	Nladco32.exe
2952	Ooggpiek.exe
564	Oknhdjko.exe
2028	Pcpbik32.exe
2564	Pfqlkfoc.exe
1896	Qjgjpi32.exe
1476	Ahpddmia.exe
1728	Appbcn32.exe
1464	Baclaf32.exe
1944	Chbihc32.exe
652	Dkbbinig.exe
2444	Dcemnopj.exe
1352	Ecgjdong.exe
1548	Eqngcc32.exe
1528	Efjpkj32.exe
2100	Efmlqigc.exe
1848	Eebibf32.exe
860	Flnndp32.exe

Loads dropped DLL 52 IoCs

pid	Process
2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
908	Keoabo32.exe
908	Keoabo32.exe
2756	Kimjhnnl.exe
2756	Kimjhnnl.exe
2104	Lalhgogb.exe
2104	Lalhgogb.exe
3032	Mecglbfl.exe
3032	Mecglbfl.exe
2996	Mgbcfdmo.exe
2996	Mgbcfdmo.exe
1796	Miclhpjp.exe
1796	Miclhpjp.exe
1268	Nladco32.exe
1268	Nladco32.exe
2952	Ooggpiek.exe
2952	Ooggpiek.exe
564	Oknhdjko.exe
564	Oknhdjko.exe
2028	Pcpbik32.exe
2028	Pcpbik32.exe
2564	Pfqlkfoc.exe
2564	Pfqlkfoc.exe
1896	Qjgjpi32.exe
1896	Qjgjpi32.exe
1476	Ahpddmia.exe
1476	Ahpddmia.exe
1728	Appbcn32.exe
1728	Appbcn32.exe
1464	Baclaf32.exe
1464	Baclaf32.exe
1944	Chbihc32.exe
1944	Chbihc32.exe
652	Dkbbinig.exe
652	Dkbbinig.exe
2444	Dcemnopj.exe
2444	Dcemnopj.exe
1352	Ecgjdong.exe
1352	Ecgjdong.exe
1548	Eqngcc32.exe
1548	Eqngcc32.exe
1528	Efjpkj32.exe
1528	Efjpkj32.exe
2100	Efmlqigc.exe
2100	Efmlqigc.exe
1848	Eebibf32.exe
1848	Eebibf32.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mecglbfl.exe	Lalhgogb.exe
File created	C:\Windows\SysWOW64\Qplbjk32.dll	Oknhdjko.exe
File opened for modification	C:\Windows\SysWOW64\Pfqlkfoc.exe	Pcpbik32.exe
File created	C:\Windows\SysWOW64\Fkfcmj32.dll	Pcpbik32.exe
File opened for modification	C:\Windows\SysWOW64\Baclaf32.exe	Appbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Efjpkj32.exe	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Dhlmpmai.dll	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
File opened for modification	C:\Windows\SysWOW64\Ahpddmia.exe	Qjgjpi32.exe
File created	C:\Windows\SysWOW64\Oknhdjko.exe	Ooggpiek.exe
File created	C:\Windows\SysWOW64\Chbihc32.exe	Baclaf32.exe
File created	C:\Windows\SysWOW64\Eqngcc32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Baclaf32.exe	Appbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Keoabo32.exe	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
File created	C:\Windows\SysWOW64\Aolgka32.dll	Ooggpiek.exe
File created	C:\Windows\SysWOW64\Igooceih.dll	Pfqlkfoc.exe
File created	C:\Windows\SysWOW64\Dkbbinig.exe	Chbihc32.exe
File created	C:\Windows\SysWOW64\Diaalggp.dll	Dcemnopj.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Glmbma32.dll	Lalhgogb.exe
File created	C:\Windows\SysWOW64\Enkcccnb.dll	Qjgjpi32.exe
File opened for modification	C:\Windows\SysWOW64\Appbcn32.exe	Ahpddmia.exe
File created	C:\Windows\SysWOW64\Efmlqigc.exe	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Eebibf32.exe
File opened for modification	C:\Windows\SysWOW64\Kimjhnnl.exe	Keoabo32.exe
File opened for modification	C:\Windows\SysWOW64\Mecglbfl.exe	Lalhgogb.exe
File created	C:\Windows\SysWOW64\Gogckopd.dll	Mgbcfdmo.exe
File created	C:\Windows\SysWOW64\Qkekbn32.dll	Nladco32.exe
File created	C:\Windows\SysWOW64\Pcpbik32.exe	Oknhdjko.exe
File created	C:\Windows\SysWOW64\Mgbcfdmo.exe	Mecglbfl.exe
File opened for modification	C:\Windows\SysWOW64\Mgbcfdmo.exe	Mecglbfl.exe
File opened for modification	C:\Windows\SysWOW64\Miclhpjp.exe	Mgbcfdmo.exe
File created	C:\Windows\SysWOW64\Hcdkmafl.dll	Miclhpjp.exe
File created	C:\Windows\SysWOW64\Ooggpiek.exe	Nladco32.exe
File opened for modification	C:\Windows\SysWOW64\Ooggpiek.exe	Nladco32.exe
File opened for modification	C:\Windows\SysWOW64\Oknhdjko.exe	Ooggpiek.exe
File created	C:\Windows\SysWOW64\Appbcn32.exe	Ahpddmia.exe
File created	C:\Windows\SysWOW64\Npabemib.dll	Appbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Chbihc32.exe	Baclaf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpbik32.exe	Oknhdjko.exe
File created	C:\Windows\SysWOW64\Ahpddmia.exe	Qjgjpi32.exe
File opened for modification	C:\Windows\SysWOW64\Efmlqigc.exe	Efjpkj32.exe
File opened for modification	C:\Windows\SysWOW64\Eebibf32.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Lalhgogb.exe	Kimjhnnl.exe
File created	C:\Windows\SysWOW64\Kpcmnaip.dll	Baclaf32.exe
File opened for modification	C:\Windows\SysWOW64\Eqngcc32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Mnmcojmg.dll	Efmlqigc.exe
File created	C:\Windows\SysWOW64\Inhcgajk.dll	Chbihc32.exe
File opened for modification	C:\Windows\SysWOW64\Dcemnopj.exe	Dkbbinig.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Eebibf32.exe
File created	C:\Windows\SysWOW64\Hiepfnbn.dll	Keoabo32.exe
File created	C:\Windows\SysWOW64\Nladco32.exe	Miclhpjp.exe
File created	C:\Windows\SysWOW64\Pfqlkfoc.exe	Pcpbik32.exe
File created	C:\Windows\SysWOW64\Qjgjpi32.exe	Pfqlkfoc.exe
File opened for modification	C:\Windows\SysWOW64\Dkbbinig.exe	Chbihc32.exe
File created	C:\Windows\SysWOW64\Hclemh32.dll	Dkbbinig.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Efmlqigc.exe
File created	C:\Windows\SysWOW64\Kimjhnnl.exe	Keoabo32.exe
File opened for modification	C:\Windows\SysWOW64\Nladco32.exe	Miclhpjp.exe
File created	C:\Windows\SysWOW64\Gdbgmkqd.dll	Mecglbfl.exe
File opened for modification	C:\Windows\SysWOW64\Qjgjpi32.exe	Pfqlkfoc.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Bnfoepmg.dll	Eqngcc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	860	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpbik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keoabo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mecglbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miclhpjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oknhdjko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfqlkfoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baclaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lalhgogb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpddmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcemnopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimjhnnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbcfdmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nladco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooggpiek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjgjpi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miclhpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkcccnb.dll"	Qjgjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjgjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qplbjk32.dll"	Oknhdjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oknhdjko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ooggpiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdfbbbn.dll"	Kimjhnnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miclhpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhcgajk.dll"	Chbihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Appbcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalhgogb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mecglbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolgka32.dll"	Ooggpiek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baclaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdkmafl.dll"	Miclhpjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oknhdjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfcmj32.dll"	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mecglbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nladco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baclaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll"	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nladco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiepfnbn.dll"	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkcdb32.dll"	Ahpddmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalhgogb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahpddmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbgmkqd.dll"	Mecglbfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekbn32.dll"	Nladco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll"	Pfqlkfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahpddmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chbihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ooggpiek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfqlkfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npabemib.dll"	Appbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Appbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll"	Baclaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kimjhnnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgbcfdmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogckopd.dll"	Mgbcfdmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgbcfdmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll"	Efjpkj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 908	2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe	30
PID 2992 wrote to memory of 908	2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe	30
PID 2992 wrote to memory of 908	2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe	30
PID 2992 wrote to memory of 908	2992	6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe	30
PID 908 wrote to memory of 2756	908	Keoabo32.exe	31
PID 908 wrote to memory of 2756	908	Keoabo32.exe	31
PID 908 wrote to memory of 2756	908	Keoabo32.exe	31
PID 908 wrote to memory of 2756	908	Keoabo32.exe	31
PID 2756 wrote to memory of 2104	2756	Kimjhnnl.exe	32
PID 2756 wrote to memory of 2104	2756	Kimjhnnl.exe	32
PID 2756 wrote to memory of 2104	2756	Kimjhnnl.exe	32
PID 2756 wrote to memory of 2104	2756	Kimjhnnl.exe	32
PID 2104 wrote to memory of 3032	2104	Lalhgogb.exe	33
PID 2104 wrote to memory of 3032	2104	Lalhgogb.exe	33
PID 2104 wrote to memory of 3032	2104	Lalhgogb.exe	33
PID 2104 wrote to memory of 3032	2104	Lalhgogb.exe	33
PID 3032 wrote to memory of 2996	3032	Mecglbfl.exe	34
PID 3032 wrote to memory of 2996	3032	Mecglbfl.exe	34
PID 3032 wrote to memory of 2996	3032	Mecglbfl.exe	34
PID 3032 wrote to memory of 2996	3032	Mecglbfl.exe	34
PID 2996 wrote to memory of 1796	2996	Mgbcfdmo.exe	35
PID 2996 wrote to memory of 1796	2996	Mgbcfdmo.exe	35
PID 2996 wrote to memory of 1796	2996	Mgbcfdmo.exe	35
PID 2996 wrote to memory of 1796	2996	Mgbcfdmo.exe	35
PID 1796 wrote to memory of 1268	1796	Miclhpjp.exe	36
PID 1796 wrote to memory of 1268	1796	Miclhpjp.exe	36
PID 1796 wrote to memory of 1268	1796	Miclhpjp.exe	36
PID 1796 wrote to memory of 1268	1796	Miclhpjp.exe	36
PID 1268 wrote to memory of 2952	1268	Nladco32.exe	37
PID 1268 wrote to memory of 2952	1268	Nladco32.exe	37
PID 1268 wrote to memory of 2952	1268	Nladco32.exe	37
PID 1268 wrote to memory of 2952	1268	Nladco32.exe	37
PID 2952 wrote to memory of 564	2952	Ooggpiek.exe	38
PID 2952 wrote to memory of 564	2952	Ooggpiek.exe	38
PID 2952 wrote to memory of 564	2952	Ooggpiek.exe	38
PID 2952 wrote to memory of 564	2952	Ooggpiek.exe	38
PID 564 wrote to memory of 2028	564	Oknhdjko.exe	39
PID 564 wrote to memory of 2028	564	Oknhdjko.exe	39
PID 564 wrote to memory of 2028	564	Oknhdjko.exe	39
PID 564 wrote to memory of 2028	564	Oknhdjko.exe	39
PID 2028 wrote to memory of 2564	2028	Pcpbik32.exe	40
PID 2028 wrote to memory of 2564	2028	Pcpbik32.exe	40
PID 2028 wrote to memory of 2564	2028	Pcpbik32.exe	40
PID 2028 wrote to memory of 2564	2028	Pcpbik32.exe	40
PID 2564 wrote to memory of 1896	2564	Pfqlkfoc.exe	41
PID 2564 wrote to memory of 1896	2564	Pfqlkfoc.exe	41
PID 2564 wrote to memory of 1896	2564	Pfqlkfoc.exe	41
PID 2564 wrote to memory of 1896	2564	Pfqlkfoc.exe	41
PID 1896 wrote to memory of 1476	1896	Qjgjpi32.exe	42
PID 1896 wrote to memory of 1476	1896	Qjgjpi32.exe	42
PID 1896 wrote to memory of 1476	1896	Qjgjpi32.exe	42
PID 1896 wrote to memory of 1476	1896	Qjgjpi32.exe	42
PID 1476 wrote to memory of 1728	1476	Ahpddmia.exe	43
PID 1476 wrote to memory of 1728	1476	Ahpddmia.exe	43
PID 1476 wrote to memory of 1728	1476	Ahpddmia.exe	43
PID 1476 wrote to memory of 1728	1476	Ahpddmia.exe	43
PID 1728 wrote to memory of 1464	1728	Appbcn32.exe	44
PID 1728 wrote to memory of 1464	1728	Appbcn32.exe	44
PID 1728 wrote to memory of 1464	1728	Appbcn32.exe	44
PID 1728 wrote to memory of 1464	1728	Appbcn32.exe	44
PID 1464 wrote to memory of 1944	1464	Baclaf32.exe	45
PID 1464 wrote to memory of 1944	1464	Baclaf32.exe	45
PID 1464 wrote to memory of 1944	1464	Baclaf32.exe	45
PID 1464 wrote to memory of 1944	1464	Baclaf32.exe	45

C:\Users\Admin\AppData\Local\Temp\6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe
"C:\Users\Admin\AppData\Local\Temp\6448e27520623b32c291f4fbd820b6854b4bd5db683541c6704930ba2f8c9990N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Keoabo32.exe
  C:\Windows\system32\Keoabo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\Kimjhnnl.exe
    C:\Windows\system32\Kimjhnnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Lalhgogb.exe
      C:\Windows\system32\Lalhgogb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Mecglbfl.exe
        
        C:\Windows\system32\Mecglbfl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Mgbcfdmo.exe
        
        C:\Windows\system32\Mgbcfdmo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Miclhpjp.exe
        
        C:\Windows\system32\Miclhpjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Nladco32.exe
        
        C:\Windows\system32\Nladco32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Ooggpiek.exe
        
        C:\Windows\system32\Ooggpiek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Oknhdjko.exe
        
        C:\Windows\system32\Oknhdjko.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Pcpbik32.exe
        
        C:\Windows\system32\Pcpbik32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Pfqlkfoc.exe
        
        C:\Windows\system32\Pfqlkfoc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Qjgjpi32.exe
        
        C:\Windows\system32\Qjgjpi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ahpddmia.exe
        
        C:\Windows\system32\Ahpddmia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Appbcn32.exe
        
        C:\Windows\system32\Appbcn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Baclaf32.exe
        
        C:\Windows\system32\Baclaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Chbihc32.exe
        
        C:\Windows\system32\Chbihc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Dcemnopj.exe
        
        C:\Windows\system32\Dcemnopj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcemnopj.exe

Filesize
512KB

MD5
3f627f022dc28398205a57816dfe89f0

SHA1
eff940277b3635a082514db1e1ed71064c96dcc3

SHA256
39ac408b0e1ece6214beba19eb5bf5f673558bc766bd25e5b4e884250a51a4c9

SHA512
8f71e90178c85e40984550c9a09fa2664c709a70eb8014c24404d9d1a0283bb83e8e4b22e916580489e011178bebb83e849a6b7ef3afbdf14a52a650416cad5c

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
512KB

MD5
f6bd36874c55cfd76f1cda44333c5bc9

SHA1
a8d41fcfb2d447350f40f36a86fca23d18bab4b7

SHA256
1c4daedc571b1350ac7cf742b9762f32930acc7eb22797957b16dea4950175a9

SHA512
85c85f34464cff1d815150697d8946914cd9655d67333cb6ffc62f70c3af073e96fc1b487ad0e7ac45289069219461245840c48932790ba6b968083b26b00ef2

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
512KB

MD5
2e74fc562a5e1822ad9e2cdad1092b89

SHA1
9cad1ce5563ea6a1b672e766b553cf8c9cac29e3

SHA256
fab826938a91e5e635c8cec1ea97fbe8814a7b52efbd5a7d4c4cf29c8621c4e9

SHA512
384012e88335cb54d411b8811a446147129cdc98cacbcceaabbef9e7aefd9a6fa36fd16a19856cc2cd23b44a22c6c8d55cf80658514b28953753c67822cc2d28

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
512KB

MD5
41c7a9978c6f537ccba17a780c86b3b3

SHA1
7273d9ff94494297ebcd409102733aa4d501ad56

SHA256
442817ace46185d00f447fc1067e46e441345f9b415735a7d7f7b2171e940b6f

SHA512
a638df07cfed8c930cf4c59c1e0150f9b34141a8120eddc02eae386e5e5f700f6aceb2e65f3492082a44ada56ef1900861d497834226cc92af550e8fb6f615ef

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
512KB

MD5
d5e07ce0d502352b8dc998ac02c42359

SHA1
42e4d475da555b614840c4aac0409135f89f8691

SHA256
390dcea17c81587686d3363bd81c1a15f15a3aa10e832871fea8bd9b3e442425

SHA512
5e850f95b830b308d46f7da26e9fbe889fbf1b4f09a6abb3838e5d351ada35ca175a861ae0b1e97c0ab1096b1000ba78f68437975ebfa735165e6972daa86194

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
512KB

MD5
bb445d6cc1eaea61197d38cdbd53246b

SHA1
359fbd06eee2fb961fbdbcd350ccd93a83c60394

SHA256
73bda44abce91d17a4e4fb4fa00d387c3736fb5aedad58a343936b4fcd48956a

SHA512
5483cc14d99808fc73430cd3684cf0a3e98b7649d4777117cb674c2a00eb2cad75a1eb4e8b90357970fec7fc8354ef8a8fe6193dc0c51434a6ce5bdc9d790d49

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
512KB

MD5
a7e2f6432e61560dd7be3d9149a2df5c

SHA1
43de3c9fe3f0d984e5d5fb5ef6181600767f81f0

SHA256
23318cbd894d0cff03f8648849d38e58868f41c0dfad81444f35e6853961ee5f

SHA512
97e2018e2b4f7246684714b22c89ea4606e4edbf36f27b3f4e765ddb64d8bbdc9cd8842fb2f9647a3340e2fa1c93dd5e00c46ffaab9f6fb7ff251e3a3c07fd47

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
512KB

MD5
d7a97ceeb4eae596a2fc0b7d46868a86

SHA1
bf0d1b034a47636ca4fcf44f50aab45bb1341953

SHA256
39dfbfd8c4e8d5692cd28020db7f799f33c1b5558a7965589b44f3ff8026f478

SHA512
f25bf5471938743d23f9c8024d5090f8a82514d257e1a5908cbdf1b1d9b03688b67113088fc7615b5fa79fc66938aef036a4154b9b43662da69aff359ef9b35e

Download Submit
C:\Windows\SysWOW64\Gdbgmkqd.dll

Filesize
7KB

MD5
c72ebdbc32599d1e610ec6f2ff917123

SHA1
b5493d6e1982d4912de4bd8bdebe2a29f942c58c

SHA256
dc62fd9ff137fa69b2dafd0515002c64c99b081757d9f15ea544f06b9e403aab

SHA512
ba654440e26130c8c45292e4f71c571846b159199c06db61f506c55c7ba59f349d8948ffdbb65b638c25dc11a5e4ddb0a998abd522d41b66ecad44c997a488e5

Download Submit
C:\Windows\SysWOW64\Lalhgogb.exe

Filesize
512KB

MD5
e3bbe687d011ff5438a2431fada38bba

SHA1
74ba4bd240eeab8a4f7b2f22855ac240fd33836d

SHA256
f7cd4dc56f51a35ff190c803cf218e62fe2a246a924d8cd88e8d48b38ca46afa

SHA512
1fb9f7240a58a57246e35f904eb1aae58c957435cd898212efd5028e9dfa64a43c1df2ecdbea339c844ae615c09378e1e57b65e047720e0c1e3af9577ffafeda

Download Submit
C:\Windows\SysWOW64\Mecglbfl.exe

Filesize
512KB

MD5
17a0f993117dcd871eb39fd945840599

SHA1
c3e8b2aac8934f0e535f62abef7552a4a7364f85

SHA256
40835194c67c91af61f5a63e0a0b8eae8a8344914b8496f00a4f88313bee3b5e

SHA512
75abedd7b418cc4500b9fac1689536536222d52a7de9139ec0c1e21e68ef945d08e76a0f08746d161940df8ab6c08f7cb438e77e2a748493376d70741028018c

Download Submit
C:\Windows\SysWOW64\Mgbcfdmo.exe

Filesize
512KB

MD5
15cd40ae7619a260fb6095bd3499f9a6

SHA1
a4e32f94e52e2a952885d1f448aa0bd1cd3405cd

SHA256
3bcc2fe458493a5ee0131f4d03f4cfaa012a99a122a39c9941c25cca69b6bfe3

SHA512
7102e3e24cc9a03d5cb80116d91a321216e301be083737d0b6ed5028dede5f74351b8cdcf52f2e9e7234295af968aa365cfefb0c5d9951e05b33abf8b6d78bb8

Download Submit
C:\Windows\SysWOW64\Oknhdjko.exe

Filesize
512KB

MD5
b600c19628366050b1ffd532d6b79156

SHA1
125fba8192d28cf20332bbe9a915108896c80e1d

SHA256
bb9b8e5fbcc0fa4a6af63014d884a7b829ab72236675ccaff87a0dc158b102f0

SHA512
9b641fb2d834ac5ad2253689f5de14b14aa22976d8516b537479e09c9108d94d4e097de975f05b38f4e4155964f0412f3c20060d20f88aedb61ac90fb336d284

Download Submit
\Windows\SysWOW64\Ahpddmia.exe

Filesize
512KB

MD5
c8f80b0a11f59f22d2240c168f500d8b

SHA1
a7be7be857ad30ab10902d984d3307c68f2106e1

SHA256
ca6a7ec7a44e802c82395abe4770d775323e2aef24e338296d159bd84d5bac35

SHA512
ffb54b99efd75206fbd0b14086dd5ea6ee2ab5b864dc0d7f62836d19988406bd6c8eae81622033bc745c05a452f479adcfe5ad67629542daddb0fd5f04378e9d

Download Submit
\Windows\SysWOW64\Appbcn32.exe

Filesize
512KB

MD5
c5e906952a4d9ad56bf12d052116ef52

SHA1
4810e8f36c11c31abfd717dc00810a50d3cdda1f

SHA256
dbdd6787ad68885951b4dc4e2d95c65ccf8000610ada97ae78c790e36cbaa1ae

SHA512
d284aefe57169ad3861646df90993e596b6a8d81ecb1841d126d1022be523d500e3a2b5c4921c37342f6197497a8d67f8a57ec83a9d16e182cfd5f8f897c926e

Download Submit
\Windows\SysWOW64\Baclaf32.exe

Filesize
512KB

MD5
e32c45d17b7e523b72a62c73752e828a

SHA1
e415e85c5a5b7ca77e075883f1d137bce5eec510

SHA256
3a377b8f33cf98ca780bdf075923359a4abb7413fee3acffbaf1b4f0dc0f5cfb

SHA512
5811ec011e531f74e82be35515cfb12f9ee0f3436e6cddcf1055c3a4042abde988cd74b06fa84d60785e7d23c96b52e392d89b47e6785351510d48aa7bcd0790

Download Submit
\Windows\SysWOW64\Chbihc32.exe

Filesize
512KB

MD5
c5769cbd94a564f06a55aa64a559b185

SHA1
4173088fb4f844d79c986bc4d40be9401b871d44

SHA256
726eb2ae4e1578925e72e421f706da9b2ecffc1525ff19a3a7713eb441e0b188

SHA512
78f82355794fd21308b088b09804df291cb9e793e07bd3291379eb3f346c97c1c391af453c8d31bf9d6b75ca66b67fc0a688bcdea9459eefd60aed4109e78fe9

Download Submit
\Windows\SysWOW64\Keoabo32.exe

Filesize
512KB

MD5
298a0bdbe01c61bdfbb6fe03a4d48169

SHA1
5a8a8eda3dac56cc144e8f1b1ed2c02eeceebc71

SHA256
16e82458749510d0f9f7430f349b49816a994d46539019ef4fc3a6dbab89a8be

SHA512
ce8657b0a782619eba0ed183470079459c07f18729572e22f638503a99b4b92e0e6ec4a4d7bf196c5deb5be92f8a9b7008aaf32bd383637d101e5efd6ca6cae9

Download Submit
\Windows\SysWOW64\Kimjhnnl.exe

Filesize
512KB

MD5
ee1bc44e16ae851a35a7f390fc9683a4

SHA1
f0db372ea6804a20f8b84f636f70a3891477d474

SHA256
aa75cd9f11cb98afa1d6bc3a85aa127c8b2894a29266dcf9496cd8adb9286b9d

SHA512
2a007fb67bc53c23dc71affa374bd4cb3f402738e49fe90ad712673649be9c2f002c9c27efcd761d31ffe2c1937de063bc4ef33c23c9eb1cb9b09f8d839a9c84

Download Submit
\Windows\SysWOW64\Miclhpjp.exe

Filesize
512KB

MD5
8d1e764aedd3b2aa646ea86a7b02d720

SHA1
07f4f5ae1e1e3bf65d4dbc5ece142b26d0bd54c3

SHA256
568dfe71ebefe5f839138fb440c968e9cc7b00011999465f840d6978c6cd2875

SHA512
9fa5b62995e602038715aa21aeef9ae963c906674856cf0cbe439c922a16e9b27c785935957670e58de824e4e4a9b6738e30154339099fb855da29de3f642ffd

Download Submit
\Windows\SysWOW64\Nladco32.exe

Filesize
512KB

MD5
da3c5581fe33c6a572223e23acd150f8

SHA1
886581c31325010bc50bee618b5bd63491505de2

SHA256
f378f30b4a39f2bd7a45e4373087d2d65b2cf3acd9a7013744f84c25dc6bd36c

SHA512
41b7f906006cec441468883a99c53803635f3101cc262bbed89ace7957035b161b1b2bddfcf1f2943c2a4549b6e67006fbcb76607065f39acf3f082d7cdc3121

Download Submit
\Windows\SysWOW64\Ooggpiek.exe

Filesize
512KB

MD5
eefcb795588bca948b127f73e3a861f7

SHA1
a797a0cc4f2cda93eabe670f8eee8a5c980a323d

SHA256
8dd389d74d655b405519e47d64d0f2640b373f71b3a4497f060aff3b261799e5

SHA512
54f786032b761e963d3c946c18a51020cd322e1c7daccbfb7995275b021467fec618e5de68f6d85996f7a04e76b24ca508d91dc6eaac3cb1af0ec88df0765205

Download Submit
\Windows\SysWOW64\Pcpbik32.exe

Filesize
512KB

MD5
370712c8a9760206abb8a88af4c70dcd

SHA1
ae04980f378fbf4bb839ecfca628c4dc3692090a

SHA256
7a4bddaafc5a057fca4f1e5388d78eaf74df9800a8d4906cfea3943f68d1d357

SHA512
3053b4c1c2040d40c4242cce793903408b65665b0613e2d4a8fd4c0dd05929bb3a795fbfc5cf98c3a190bf9fd0b424e08ddfbcd45eb988b61260e14f47a35a95

Download Submit
\Windows\SysWOW64\Pfqlkfoc.exe

Filesize
512KB

MD5
33aec15ec094063184e61a1801044eb4

SHA1
d2e514b0ca26cf4d33d07a62097f0dfa308d9f94

SHA256
8892079985ec2693681352152456e9863f2741c6ad5609563dc33c97fed7afc2

SHA512
0ff79c99aa29df543b0c21e3d7a158f03ed987dc3844bc74d66bfcb7283822d6efff3f1f9f008dbb9d6258d8592eb8b471f7138171bc41b94d62b9a14cc02e39

Download Submit
\Windows\SysWOW64\Qjgjpi32.exe

Filesize
512KB

MD5
3732263292dd7db7cfa94462f550d736

SHA1
913fdc8c65831258323d9ab1c0146feec40ff0ba

SHA256
e23b3eb4e103d83ec54fc1308a34463913ce0605ca7b64720bb57695e5fc3859

SHA512
24c04013414b71ff3071c7740d94fb2cc6ed99ead68d09f60784d83b7fd5b9521ceb1fe5a6860c355585939c205c6869d9bfee581c56ee8fb9f49a170a66f81d

Download Submit
memory/564-137-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/564-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-249-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/652-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-358-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/908-27-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/908-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-112-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1268-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-269-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1352-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-226-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1464-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-199-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1476-193-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1476-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-290-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1528-286-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1548-279-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1548-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-212-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1728-211-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1728-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-98-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1796-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-311-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1848-310-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1848-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-183-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1896-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-238-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1944-239-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2028-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-156-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2028-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-300-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2100-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-56-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2104-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-259-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2444-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-165-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2564-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-366-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2756-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-42-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2756-41-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2952-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-127-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2952-128-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-348-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2992-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2992-349-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2992-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2996-84-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2996-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-79-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3032-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-71-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads