berbew | 79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Size

1024KB
MD5

c7d033cce29ec681f70bfb5f2ec867c0
SHA1

91b13955ad9e9c77d8310f10ab92146ad09525b3
SHA256

34157d74d915d474a6c888fc9de5441d0b08e39b5a24eda20988139100ad7703
SHA512

7c623a430ec44501d190a298fbe5f2d8e90245e5549fe6d7d89f6d8d75f3200b19d0793c4a7ca286c68d3fe234d88068b6ee32f21a63f9e6e667e3cf48e159e3
SSDEEP

24576:fym0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL8v8WQ:eiTWVDBzcjgBNXcolMZ5nNxvM0oLoQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
1768	Ojjolnaq.exe
2036	Ognpebpj.exe
2120	Oqhacgdh.exe
2076	Ojaelm32.exe
5024	Pdfjifjo.exe
2068	Pqmjog32.exe
3212	Pfjcgn32.exe
2476	Pdkcde32.exe
3720	Pjhlml32.exe
916	Pnfdcjkg.exe
672	Adgbpc32.exe
2792	Amgapeea.exe
464	Aglemn32.exe
4328	Aminee32.exe
3844	Bfabnjjp.exe
1220	Bgehcmmm.exe
632	Chjaol32.exe
1232	Cagobalc.exe
4680	Cajlhqjp.exe
2924	Dhfajjoj.exe
4012	Dhhnpjmh.exe
2860	Dmgbnq32.exe
3552	Dogogcpo.exe
1524	Dddhpjof.exe
756	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chjaol32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
924	756	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjhlml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 1768	3488	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe	85
PID 3488 wrote to memory of 1768	3488	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe	85
PID 3488 wrote to memory of 1768	3488	virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe	85
PID 1768 wrote to memory of 2036	1768	Ojjolnaq.exe	86
PID 1768 wrote to memory of 2036	1768	Ojjolnaq.exe	86
PID 1768 wrote to memory of 2036	1768	Ojjolnaq.exe	86
PID 2036 wrote to memory of 2120	2036	Ognpebpj.exe	87
PID 2036 wrote to memory of 2120	2036	Ognpebpj.exe	87
PID 2036 wrote to memory of 2120	2036	Ognpebpj.exe	87
PID 2120 wrote to memory of 2076	2120	Oqhacgdh.exe	88
PID 2120 wrote to memory of 2076	2120	Oqhacgdh.exe	88
PID 2120 wrote to memory of 2076	2120	Oqhacgdh.exe	88
PID 2076 wrote to memory of 5024	2076	Ojaelm32.exe	89
PID 2076 wrote to memory of 5024	2076	Ojaelm32.exe	89
PID 2076 wrote to memory of 5024	2076	Ojaelm32.exe	89
PID 5024 wrote to memory of 2068	5024	Pdfjifjo.exe	90
PID 5024 wrote to memory of 2068	5024	Pdfjifjo.exe	90
PID 5024 wrote to memory of 2068	5024	Pdfjifjo.exe	90
PID 2068 wrote to memory of 3212	2068	Pqmjog32.exe	91
PID 2068 wrote to memory of 3212	2068	Pqmjog32.exe	91
PID 2068 wrote to memory of 3212	2068	Pqmjog32.exe	91
PID 3212 wrote to memory of 2476	3212	Pfjcgn32.exe	92
PID 3212 wrote to memory of 2476	3212	Pfjcgn32.exe	92
PID 3212 wrote to memory of 2476	3212	Pfjcgn32.exe	92
PID 2476 wrote to memory of 3720	2476	Pdkcde32.exe	93
PID 2476 wrote to memory of 3720	2476	Pdkcde32.exe	93
PID 2476 wrote to memory of 3720	2476	Pdkcde32.exe	93
PID 3720 wrote to memory of 916	3720	Pjhlml32.exe	94
PID 3720 wrote to memory of 916	3720	Pjhlml32.exe	94
PID 3720 wrote to memory of 916	3720	Pjhlml32.exe	94
PID 916 wrote to memory of 672	916	Pnfdcjkg.exe	95
PID 916 wrote to memory of 672	916	Pnfdcjkg.exe	95
PID 916 wrote to memory of 672	916	Pnfdcjkg.exe	95
PID 672 wrote to memory of 2792	672	Adgbpc32.exe	96
PID 672 wrote to memory of 2792	672	Adgbpc32.exe	96
PID 672 wrote to memory of 2792	672	Adgbpc32.exe	96
PID 2792 wrote to memory of 464	2792	Amgapeea.exe	97
PID 2792 wrote to memory of 464	2792	Amgapeea.exe	97
PID 2792 wrote to memory of 464	2792	Amgapeea.exe	97
PID 464 wrote to memory of 4328	464	Aglemn32.exe	98
PID 464 wrote to memory of 4328	464	Aglemn32.exe	98
PID 464 wrote to memory of 4328	464	Aglemn32.exe	98
PID 4328 wrote to memory of 3844	4328	Aminee32.exe	99
PID 4328 wrote to memory of 3844	4328	Aminee32.exe	99
PID 4328 wrote to memory of 3844	4328	Aminee32.exe	99
PID 3844 wrote to memory of 1220	3844	Bfabnjjp.exe	100
PID 3844 wrote to memory of 1220	3844	Bfabnjjp.exe	100
PID 3844 wrote to memory of 1220	3844	Bfabnjjp.exe	100
PID 1220 wrote to memory of 632	1220	Bgehcmmm.exe	101
PID 1220 wrote to memory of 632	1220	Bgehcmmm.exe	101
PID 1220 wrote to memory of 632	1220	Bgehcmmm.exe	101
PID 632 wrote to memory of 1232	632	Chjaol32.exe	102
PID 632 wrote to memory of 1232	632	Chjaol32.exe	102
PID 632 wrote to memory of 1232	632	Chjaol32.exe	102
PID 1232 wrote to memory of 4680	1232	Cagobalc.exe	103
PID 1232 wrote to memory of 4680	1232	Cagobalc.exe	103
PID 1232 wrote to memory of 4680	1232	Cagobalc.exe	103
PID 4680 wrote to memory of 2924	4680	Cajlhqjp.exe	104
PID 4680 wrote to memory of 2924	4680	Cajlhqjp.exe	104
PID 4680 wrote to memory of 2924	4680	Cajlhqjp.exe	104
PID 2924 wrote to memory of 4012	2924	Dhfajjoj.exe	105
PID 2924 wrote to memory of 4012	2924	Dhfajjoj.exe	105
PID 2924 wrote to memory of 4012	2924	Dhfajjoj.exe	105
PID 4012 wrote to memory of 2860	4012	Dhhnpjmh.exe	106

C:\Users\Admin\AppData\Local\Temp\virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Ojjolnaq.exe
  C:\Windows\system32\Ojjolnaq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Ognpebpj.exe
    C:\Windows\system32\Ognpebpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\Oqhacgdh.exe
      C:\Windows\system32\Oqhacgdh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 408
        27⤵
        Program crash
        
        PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 756 -ip 756
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
1024KB

MD5
e71e590385c35110bc92dc2dfe91ae59

SHA1
aacc3991440190dea0582d8983066d5557302742

SHA256
edb1223564b27b30b084736d85ea3330971f67c7eb528dbec37b1a0b20fcfcac

SHA512
ca6b5aad01c168fec929f0fdc16978a1e293fae1cc50f5dfa8a35079aa99b3191db6ebcc4c477e1daac762a0ee286d983fbc2a26b5f608bd8e02efd1026f0fd8

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
1024KB

MD5
36de78f089bec56371b11923d557737c

SHA1
49229ddcc2c30178bf7a9947792279ee630694f3

SHA256
90df5381c6fd437239fa829d4c42fcba9bdc69809f8350b5fce680c12de7f4e8

SHA512
3f3367068813c6d99186d10e4cd60f011e92a930d4b514986a742c95f83f93cb6a06126851588a3782aca886e7ad8cbd885cf71fc7cd4ca98e59bdc4703272b1

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
1024KB

MD5
46e0861fdb73b7cf480c919eaaa1cdd9

SHA1
d9d9e671da0be05806dae0c2a09617f6b7e80e13

SHA256
221523077e82a524f70db382d4ae5ed004b3a2b236fd593aa7f59cb7701c4dbd

SHA512
33cc5a4b248487555f885819619bcbdfd3903dec5b6b03fd2723310788d8286ed3809d65fab6d4c0084d959aae2332ae508e99dc6bdadb93cbd3a57f685404c0

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
1024KB

MD5
ee9eed1364ea74e2a3498456bda45f27

SHA1
1434c5466989e910591c50e9df61060d3552a130

SHA256
b197bdbbbced263d123e577de0faf70ec0fb583219d76d1b344a233f95c792ab

SHA512
f0c77ad8dbb3996ae64fa54fc8359a40296c346944d44c20abee071ab092d17ff9caec39d2ba28d2ac937c9a591c38bfec4077c6ea3a3e86adf9bc0114a7b764

Download Submit
C:\Windows\SysWOW64\Bdjinlko.dll

Filesize
7KB

MD5
329135b43230c5ed3e4c06329e0d9100

SHA1
45d74e4c1da7ec5793df606ece801d571be8315f

SHA256
5d380235a485393c1da01878dfbce8b3e1cb1a909284b0a3791d499988057e95

SHA512
3527501c138108def7ef4fc1ade61a876a146cba280194108d2e03fe3b496022c4b5f3ce844d17aba77a92738bd1e0ee705178700c011f4eae5f598341d4f586

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
1024KB

MD5
4d5e77010b869e66b412178bc1e28e2a

SHA1
a3efdfa71b416b50f1225ccc7d7c886093b2d193

SHA256
6a8f3b4b5bfab872c96b1389dbc1bb8c3a0495b19eab8f3a678e2d47663ecd0d

SHA512
df1931670fd45138331b4bcf717c99ebd595f28779f49da7d16c2ea87a88fe55000b2dbcd8640258fe45f97cb6c62fbd31067d09f9f2fac03de05135efd33e5c

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
1024KB

MD5
778dae29871f42856c78c578f2690575

SHA1
ffd5e789cb1d40573d9e846bc5cc5951d31ada5b

SHA256
f2661da45ae83ad25ce3971cfbdb2e317233672c7148c087056b77198b2b590d

SHA512
ffa936ac0239236f6c075d79bf387f69b7ec0b86c7f5a16a2e60e8688eab79a189e5d531bce14e1f4419379c5bd779ab05497b04c43ef5b4bbb8f886d6b43ba4

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
1024KB

MD5
0d4d8360808cfda9ac6b44b5eeb78335

SHA1
816237b09afe031ebc47f695afcc975b010be867

SHA256
30911bd38e9658eb1b06c3de0658ba2985307833ae0a30b731882776aaf64769

SHA512
d84075e7c8bcee5f01d781452eb7f12588454d067fdd1ce57e55d043e6f6da69eb6e7d8572b3faa47ee2a5915a32b584539724be2b36f1e02b5e85dde111ee0b

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
1024KB

MD5
2c2ec6766c190d76e80267408d32b0d2

SHA1
73f3ae05a6a00e0ba3060e03f6f8eb3279105c8f

SHA256
c6d03788bb9e2dcc754987df0d9c804c0e535db66024b9ef7339b3217a48e98b

SHA512
edd162e0fa01f6cfa13aba661f8dd728afe41c5ca637c3649ae54e72644f6441d77d9189eb1df21919b000bf93392f0b1adda03578dd02b1cff4ff93ab6a0ee6

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
1024KB

MD5
bad5264a1d27a6b141c5598e8ed4c195

SHA1
66c55f713090b9e542410421a86ffb4378417118

SHA256
d97ce80c1c6cc49ffe1ed2fa2adb2c41816d7c03f40376c86132ccc5239ca1fc

SHA512
63726be374358f6a06f02a802867372f0969f2222f17e835245364e6f9beaa040adce6af47eec7832e7f3ae4d82cd29afc7f42ef6a3bf78ae9e6207a76a854ee

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
1024KB

MD5
4ac8de960f5f3d21808157edbd4fc740

SHA1
04ca9b3a8d2c9f5c75dcc9d72ec487309bf5e524

SHA256
2d50c7a7942a4f0eea515a9110ec5a102c49d147ab64e7dffc6aa760bb720de9

SHA512
3a1b2a4b2883ad79452dc9f4f7c75a217b631a5a79b404c27505379e229ee5476fc6ec4145f2a762d960256479a95f866de514f9ecb260f6b0bb110d6be45cb3

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
1024KB

MD5
c6b53e77095acdaf2d2dde229b4c0f25

SHA1
ad4de9b28c582223d3ddbfb0a044375301b6c9b2

SHA256
495160fc06127b69fd09884390af30e1d0e03d3ecb410f2781f3f47ddf9992d2

SHA512
f9dc1b262b53871982116099d8460f73bff3b4db3b326a6193ff060fa6abce3349a96b3f17d4ea35a170d7c22e380042177b31fa6be56c111aa5e87a8cd201d5

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
1024KB

MD5
4f7c822b4514da4af192c0d020701e05

SHA1
e5222ed873eac4f344e05b767921c05b1ea8efe2

SHA256
419946b5986c1a737be1b2e8401899aba7d06012d2b73b3a9e93badd5a503d5e

SHA512
c16fa080c8d41b2cb822892afb003153919ee78f2a924161c731f43a4805825e8bcaeeafb5f0501be4d3c54ed3a03dcea1ca6bb96c51163385120e5dd95dc974

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1024KB

MD5
65a56945ad430779e16b53a3d2aa320c

SHA1
4125bae7374a1263217605c8e7f5e88326adf5eb

SHA256
95358d24c8167f63e6f8e2262eaf279ef4aef4ce118b1de781dfd5b662c9dcd3

SHA512
1ef77cd1c735d109495ba249d98d637258d78acb85cda8122e4a25c5f7b364aec5d8faff5dceecc3f99db0ee6401526ff7c1620f0c64493ecb238e1a27251f3b

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1024KB

MD5
32607653518509c070789a1bdc84cdc9

SHA1
4e89c8bbc869b1d74f9de3810197a29e754f287f

SHA256
d19735cbc81462b733d9d39255268d3d1c4b27ac4ab1acb85bd7667cdd905df5

SHA512
1d6c2c24c43c87e9d2da89f5d8f141299f3253dc4dcfea0ead095cfeab82d2babdeea94818737b2657a58c20a40fccc2577bb1891d9c91380427c0c644bf563d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
1024KB

MD5
17dcb6ce6c1e5d039f7f2f88c740e8d7

SHA1
4f1263b497cde5854fcaf62dfe3c8c3953500369

SHA256
78c1f2bdd6bc8fd321c9b5b64ba44d15213669899ef43a26170e0c25d04f6821

SHA512
c8e391a0ab2bc2c77f90e2c6465d3ada6c29fdd6cf5cd9395de7877caae3defd4c7397f783e3da7a71465c5aad037a6ad6b6b8b1ef842501760bf14f46e29eac

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1024KB

MD5
6637deb66b0c45a3670461f127f7ffc1

SHA1
5b4ecef9d118f398f9fe4a1e751e3f3b5a6ee4cd

SHA256
c7dee37f5d96da79b0f4968e7cbfdd8ac86c6ac21a6d604624764b525db12a43

SHA512
6737c49f7bf2c465301b111613b150b93d07b86101c8480eaf94d852227f16aea61a65c0460903b0e0edef8141a9a444ce7781ac5272ecadc3d901b39327a7bb

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
1024KB

MD5
4163223a824da30b402e433a4b6a65da

SHA1
b9f8ad7e66686655b68eb2b301ed196e47025de5

SHA256
11fa01d05c907f4a07b5cf016be3f93a41e94f87ee0dfb5a3a4b703bfa4086b2

SHA512
20dee6666d75c2667d1ed437ee48e285012c0801e78e29085c3e3039ed126b90f4666c0d9a6c7dfee82ae6712a124e3774c65a61050f3dd323dff0fc3c57fe70

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
1024KB

MD5
5f0524a9ff1683f5216ac4f13f1312d2

SHA1
e370e0516ee7fb1ab45e64b05eadbf5183bd85d7

SHA256
443fdd0efedd18712e83e50db2b1bea07443f39b9436bab37280c5eea26f3d74

SHA512
cb9b46647b6a9494c05393027970685500b5565978697aaeb87477bd815da3e0a560e1be0dca82710734782218766180bf0fa913a62ee991ded33acca580b0ce

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
1024KB

MD5
b617268445adf29fe04c04f20592fbb4

SHA1
b3ff46d1c825c5f32a5798914b0df014c395680c

SHA256
734c5f23e492dcaf43436b8587cffbc4c709765618e01c7317903601a4ffb0a4

SHA512
0378998768cbdd9c4ae960d3ad6a373659ad442b5f980a13b3c61a06f674b020e61cc71435194be747c1b14eb2e684692f150e8a41dfce63525e7bea45e967f5

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
1024KB

MD5
60541bf263cc3fffd27dc43d4aee2fe2

SHA1
e7ddf1d392c6c718c03cb744f21b7adc52749abd

SHA256
077ffb665c9f6df198aeb062e650f6a56e2152cd3c49eb156deb19ef1aa581cc

SHA512
90ebbcc0942e2e3ec6f045e12e281458a5ea933f7b6367f6924ee6441945064e4e4145efc32ffbdd9d50ccfef6d8dd47f9ae1cc4ad5710afada327e9c8358836

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
1024KB

MD5
c49550e54c33ca1c822d6d56ff84f297

SHA1
a6e7061ffe05f936ed6298dbcef4083e9bf9a329

SHA256
10821079edfa0af91e777fc91b6ed15e47b1dc3a633cc75c18f475639a291536

SHA512
e2de76fdc8ba7f6f612397ee628f19c84d5a8310fbfeb82083691a9683a085efe7ff84e72d3a32e37b714b167cb5f12b6bfe4b380d07908f51ff99af900d8ae0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
1024KB

MD5
28a1c5640dcdb867731ddae3669b687e

SHA1
e60095424701ff825e7686b00963ff2c3ef4b3c1

SHA256
e591edeb1d077151153d08065ad93d69efe686678d94399cceefc218d6b1bda4

SHA512
74576f0e0929fd098af24c5f558c3543a7786e961091fefc8c16629c4baabd6382fd35bd1865be1311ca5f46684f5f02a3d89d0ce5f094be72676288edfa3a8e

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
1024KB

MD5
26f897034d7b6af34e81bb805f526543

SHA1
7c5e1e0450c6a8a85c1755c40769b8a6b3b621c9

SHA256
4ccf87184dfa28dc547f46c69a79b58c1b7117a44f0b487fb1274073604cc780

SHA512
1a218f19b7ffb9c617adfce03cd7d397542a2e6c795438d1b1c3252f77b2c8dbcf264e78ef143cae92cfe26a53ddb236859e823d76f9b96c0abe816a12d99796

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
1024KB

MD5
0ed5adaec7ac50eb5f78079fda3420a3

SHA1
60c7e1ef2907105095482bba895be6eff101e7d2

SHA256
15ac6cb08719378affa750470d54938ad00692c098b1c42de388034f77bc04b7

SHA512
3776f8f732bd9c1f43760678803ba411b10a7f0a1994734bdfc1c90cee3fb714e4fd8082fbe8b3c03520dd5f0ae3bee67e20ba2eb53924dec5a987b3fbca4bea

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
1024KB

MD5
fa4d478010644be5df455e169d60062e

SHA1
50b336a81ecbd0b7f4a69952238fc12538f97721

SHA256
a7fef9a7ebd16e2ccfc3bf698d5bbb89a9070d22ee41712d026209f4100ee73a

SHA512
4916bc95c99bda0e04750bc5508ff0c162ebb470041427681eac0b4f84e6fb3f5faa1ed9207408b8cebeeb5a54d183d518ed879ccea1e6fff433456a1bd0748d

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
1024KB

MD5
e22f178ddc2b87dff8072e8257567d83

SHA1
378fb41777d6191c086648431d43ef0400b6a614

SHA256
e07930bb062fe7cb2c0f9c2bc9bffb29b09577b6e3801033f30d68783c1564e3

SHA512
267ab3f708cdc0c54fdd073fab919354586b5a7f525776bf957fe0bba9bea13ea972bfa86ab5ab4fd9d6db5f3b7b3002fe6ef879b576feba17e77511c8ad9235

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
1024KB

MD5
5597a0a27d69eab409ae32afdaf273b3

SHA1
6240774590e75edbfaa25b0dcd3c241bcb780bdb

SHA256
a5da6e164b328241180fc5faa89ffc7f7d70f048ba8c43c350e8c3351db9088b

SHA512
c8d71967336ffd303568050b0caf8a79700a17e05b21d5e164739a0d3e1a7ddf9ac25bd2d68faf3e53b431940800c88d31deb4f5c2d32ee94fdf902f7635e61a

Download Submit
memory/464-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/672-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/672-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/756-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3844-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3844-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads