berbew | 797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521

Analysis

max time kernel
83s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Size

324KB
MD5

d450ecc376f0d686076b50926ea3aed3
SHA1

8133838cfdcd1b30f3670aefd88628e5bc4c10f6
SHA256

797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521
SHA512

7e74aeacb87489f4aeb50ac3bd2b75d80081cddab8c09aba2a540115bbc5040f5279acc4474989781774bf33a73b670cae617c76a8dea15385f06bbc27775a2d
SSDEEP

6144:IBj2w0nuQayNb+zd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8wU:IBKw0PayNqp5IFy5BcVPINRFYpfZvTmd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
2832	Pljlbf32.exe
1436	Pgcmbcih.exe
2660	Phcilf32.exe
2656	Pidfdofi.exe
2840	Qndkpmkm.exe
2644	Qdncmgbj.exe
2980	Allefimb.exe
1848	Alnalh32.exe
2064	Alqnah32.exe
1652	Ahgofi32.exe
2864	Bkhhhd32.exe
2880	Bgoime32.exe
2124	Bgaebe32.exe
2192	Bjpaop32.exe
2868	Bjdkjpkb.exe
1452	Ccmpce32.exe
2148	Cpfmmf32.exe
1008	Cinafkkd.exe
1552	Cbffoabe.exe
1260	Ceebklai.exe
2964	Cnmfdb32.exe
2424	Calcpm32.exe
876	Ccjoli32.exe
900	Dpapaj32.exe

Loads dropped DLL 51 IoCs

pid	Process
1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
2832	Pljlbf32.exe
2832	Pljlbf32.exe
1436	Pgcmbcih.exe
1436	Pgcmbcih.exe
2660	Phcilf32.exe
2660	Phcilf32.exe
2656	Pidfdofi.exe
2656	Pidfdofi.exe
2840	Qndkpmkm.exe
2840	Qndkpmkm.exe
2644	Qdncmgbj.exe
2644	Qdncmgbj.exe
2980	Allefimb.exe
2980	Allefimb.exe
1848	Alnalh32.exe
1848	Alnalh32.exe
2064	Alqnah32.exe
2064	Alqnah32.exe
1652	Ahgofi32.exe
1652	Ahgofi32.exe
2864	Bkhhhd32.exe
2864	Bkhhhd32.exe
2880	Bgoime32.exe
2880	Bgoime32.exe
2124	Bgaebe32.exe
2124	Bgaebe32.exe
2192	Bjpaop32.exe
2192	Bjpaop32.exe
2868	Bjdkjpkb.exe
2868	Bjdkjpkb.exe
1452	Ccmpce32.exe
1452	Ccmpce32.exe
2148	Cpfmmf32.exe
2148	Cpfmmf32.exe
1008	Cinafkkd.exe
1008	Cinafkkd.exe
1552	Cbffoabe.exe
1552	Cbffoabe.exe
1260	Ceebklai.exe
1260	Ceebklai.exe
2964	Cnmfdb32.exe
2964	Cnmfdb32.exe
2424	Calcpm32.exe
2424	Calcpm32.exe
876	Ccjoli32.exe
876	Ccjoli32.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pgcmbcih.exe
File opened for modification	C:\Windows\SysWOW64\Phcilf32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Phcilf32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Pgcmbcih.exe	Pljlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pljlbf32.exe	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
File created	C:\Windows\SysWOW64\Ibkhnd32.dll	Pljlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pljlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pgcmbcih.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Pljlbf32.exe	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Iidobe32.dll	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	900	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll"	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bgaebe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2832	1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe	31
PID 1648 wrote to memory of 2832	1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe	31
PID 1648 wrote to memory of 2832	1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe	31
PID 1648 wrote to memory of 2832	1648	797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe	31
PID 2832 wrote to memory of 1436	2832	Pljlbf32.exe	32
PID 2832 wrote to memory of 1436	2832	Pljlbf32.exe	32
PID 2832 wrote to memory of 1436	2832	Pljlbf32.exe	32
PID 2832 wrote to memory of 1436	2832	Pljlbf32.exe	32
PID 1436 wrote to memory of 2660	1436	Pgcmbcih.exe	33
PID 1436 wrote to memory of 2660	1436	Pgcmbcih.exe	33
PID 1436 wrote to memory of 2660	1436	Pgcmbcih.exe	33
PID 1436 wrote to memory of 2660	1436	Pgcmbcih.exe	33
PID 2660 wrote to memory of 2656	2660	Phcilf32.exe	34
PID 2660 wrote to memory of 2656	2660	Phcilf32.exe	34
PID 2660 wrote to memory of 2656	2660	Phcilf32.exe	34
PID 2660 wrote to memory of 2656	2660	Phcilf32.exe	34
PID 2656 wrote to memory of 2840	2656	Pidfdofi.exe	35
PID 2656 wrote to memory of 2840	2656	Pidfdofi.exe	35
PID 2656 wrote to memory of 2840	2656	Pidfdofi.exe	35
PID 2656 wrote to memory of 2840	2656	Pidfdofi.exe	35
PID 2840 wrote to memory of 2644	2840	Qndkpmkm.exe	36
PID 2840 wrote to memory of 2644	2840	Qndkpmkm.exe	36
PID 2840 wrote to memory of 2644	2840	Qndkpmkm.exe	36
PID 2840 wrote to memory of 2644	2840	Qndkpmkm.exe	36
PID 2644 wrote to memory of 2980	2644	Qdncmgbj.exe	37
PID 2644 wrote to memory of 2980	2644	Qdncmgbj.exe	37
PID 2644 wrote to memory of 2980	2644	Qdncmgbj.exe	37
PID 2644 wrote to memory of 2980	2644	Qdncmgbj.exe	37
PID 2980 wrote to memory of 1848	2980	Allefimb.exe	38
PID 2980 wrote to memory of 1848	2980	Allefimb.exe	38
PID 2980 wrote to memory of 1848	2980	Allefimb.exe	38
PID 2980 wrote to memory of 1848	2980	Allefimb.exe	38
PID 1848 wrote to memory of 2064	1848	Alnalh32.exe	39
PID 1848 wrote to memory of 2064	1848	Alnalh32.exe	39
PID 1848 wrote to memory of 2064	1848	Alnalh32.exe	39
PID 1848 wrote to memory of 2064	1848	Alnalh32.exe	39
PID 2064 wrote to memory of 1652	2064	Alqnah32.exe	40
PID 2064 wrote to memory of 1652	2064	Alqnah32.exe	40
PID 2064 wrote to memory of 1652	2064	Alqnah32.exe	40
PID 2064 wrote to memory of 1652	2064	Alqnah32.exe	40
PID 1652 wrote to memory of 2864	1652	Ahgofi32.exe	41
PID 1652 wrote to memory of 2864	1652	Ahgofi32.exe	41
PID 1652 wrote to memory of 2864	1652	Ahgofi32.exe	41
PID 1652 wrote to memory of 2864	1652	Ahgofi32.exe	41
PID 2864 wrote to memory of 2880	2864	Bkhhhd32.exe	42
PID 2864 wrote to memory of 2880	2864	Bkhhhd32.exe	42
PID 2864 wrote to memory of 2880	2864	Bkhhhd32.exe	42
PID 2864 wrote to memory of 2880	2864	Bkhhhd32.exe	42
PID 2880 wrote to memory of 2124	2880	Bgoime32.exe	43
PID 2880 wrote to memory of 2124	2880	Bgoime32.exe	43
PID 2880 wrote to memory of 2124	2880	Bgoime32.exe	43
PID 2880 wrote to memory of 2124	2880	Bgoime32.exe	43
PID 2124 wrote to memory of 2192	2124	Bgaebe32.exe	44
PID 2124 wrote to memory of 2192	2124	Bgaebe32.exe	44
PID 2124 wrote to memory of 2192	2124	Bgaebe32.exe	44
PID 2124 wrote to memory of 2192	2124	Bgaebe32.exe	44
PID 2192 wrote to memory of 2868	2192	Bjpaop32.exe	45
PID 2192 wrote to memory of 2868	2192	Bjpaop32.exe	45
PID 2192 wrote to memory of 2868	2192	Bjpaop32.exe	45
PID 2192 wrote to memory of 2868	2192	Bjpaop32.exe	45
PID 2868 wrote to memory of 1452	2868	Bjdkjpkb.exe	46
PID 2868 wrote to memory of 1452	2868	Bjdkjpkb.exe	46
PID 2868 wrote to memory of 1452	2868	Bjdkjpkb.exe	46
PID 2868 wrote to memory of 1452	2868	Bjdkjpkb.exe	46

C:\Users\Admin\AppData\Local\Temp\797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe
"C:\Users\Admin\AppData\Local\Temp\797b6184bf7b70ea9eaf9309a361ef3f093bea661a26344b0c23d532254c8521.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Pljlbf32.exe
  C:\Windows\system32\Pljlbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Pgcmbcih.exe
    C:\Windows\system32\Pgcmbcih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\Phcilf32.exe
      C:\Windows\system32\Phcilf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 144
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alnalh32.exe

Filesize
324KB

MD5
849ae0f9c6117cf0002ee877e192c7c4

SHA1
81827f37b78bf431ab240c2fe9c320c01c1f3eb9

SHA256
faebd01ef21d5608796504b20ab400ef02d007f74a239ed6176fce743d71d346

SHA512
19c4c6540f04ab2440f77119247ed527cd2bfb42f4af1e27cfa0a6dc710fe5c360c5b49db5216a7563f010acde102e4d5ea972f29c5829411f61d413273e9d6c

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
324KB

MD5
33255e0ca51778155fb4ea08d1dc1583

SHA1
4bd4a62eb2c294c150934a1545115cf388159d57

SHA256
ee231f230859ced31e2942a98b0ec119c88eecfc1799ef56420e9d95d2efe4ba

SHA512
bee8a83e4f9c24692370b5b15ac12dceb48dde49e3e54759139fb1e73272b5ed16d5e5f707bd00ec718cd217a0da5d05041fd883f4f46d4eb167ef902c1356f9

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
324KB

MD5
6270c6ac3e623437a0415f87903432bf

SHA1
bd1000ae68dec0b0648121b3556ef825b7803140

SHA256
a6e94f2026f8bbe1bf038ea3a4558924e81130c37fb4e872c38696d5e9f86bca

SHA512
df5f1c87aa8211422d597f228b2500298904f18507ed1f9e3cdfd0160d5c11864b430a4ffb19b55027601681c53b52132b6110a510f7a99bfed886b676dae121

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
324KB

MD5
1a9732a4bef5f271ad218183f6b6cf7d

SHA1
33e6f3b3544a0b8ceddd2ddecfcf52d9f17124d9

SHA256
e392bfec4d63414af2424b18cfe25370f2f98b0ec7a1f15a4806ee0b0a791804

SHA512
c5e54b336049626fc21863a72690e5cc8127ddbecca17c436378103d2d995ed0e2982136e2dfe316a11899aca8784098db6e59069f5ac617cbbd138291463b33

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
324KB

MD5
423a523ed83b968ffb8b5010db949da7

SHA1
03af884cff0340dbc0421e2cbe77be3e788804be

SHA256
f0a026e8d1d661dd4559e30c288493d00fe55f7c3b4754efca5488427b6ec09f

SHA512
5e2d390215ad6ee8f00303f342dbe07524eeac7e2d63e8ecb3247ed964312505efe0f5eb70278275b919b5b291fc65c99f14d293a2814eef8c40ec12af4b2cc0

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
324KB

MD5
a70cefd85373a550db50b47d48e344ed

SHA1
2a1a7a7d2a7d13b587f39148cd889d60f96c6d9f

SHA256
b3275bd19ea14e74d2c9299dbb2bcae2de1c068e65cef67eb4328b0a89056f3d

SHA512
75e3a58a7167cb6ed302cdb53e9765bf4c7095396c253d27f0f1d57b70ec856e2a54daa8ca49cbd418079e4f36155cb53ad29668482085991e017e9d2d8bca8f

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
324KB

MD5
e03e8234a232d7bf8b98cb595d02ef0b

SHA1
7a3a92d1dd1eff40ea91a4370bd08b75d6f131d4

SHA256
e3e882eadc671d3bd6711052a8e996000423e55b7fda924f2e5adaa8556d1d8f

SHA512
95f2d6aea6ac2fc93f9a350d0ab0b3427f618068b15fadf48e8534b23750106c80d4f19e562ad9e1fdb0fc0d0afe46a4dc1bb74da0480cf7eea8347a1b533fc9

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
324KB

MD5
e6adeb5f999fdaa06473f588677ec4ca

SHA1
b3309900f4b73b6d097bc808393c862f6f068f8f

SHA256
3c555bd2c7997377e017497fb75fb93b6d095273161c17b6ad70410fed8238cd

SHA512
c1732a67177d6c147c68b94df45465106e52b2880f9541201c64d1bd663ad17fa41a1f565de1a6bdc5b82a25e9463186f20000a7890dc3369576a5d5fb0f18f8

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
324KB

MD5
a71e13418fcde5cf0bcfe0403df3e21f

SHA1
587e1fda158fdceef375b7f97173a5dc003bcc44

SHA256
6e14a1ecbb4eb7b5170e011bf1322ff9d88029649fc55319cce49ab2fbe35dab

SHA512
c7fc8049c37f609641802b7c3b593506bfeb49078ef2e820bfd5707ea3e47bbcca7f9f7d4f51ddd3bb1f93625eaf4ec6c22eda3a1e4fc230916c7a56a2b03bb2

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
324KB

MD5
dbd8ebdb49b3ed70ba78207b747568e6

SHA1
819af4fcdb548f52cc5a8e2089e705a5edf39a3d

SHA256
135f3318efc45a0bd0cbf802b304853a0a21e982b067767cf6ea8efeb9ad53ca

SHA512
3adf3077776a32a2a2e13e99a8e40d34f174573dc1e30e79593a4f57374175504fbd00af24ad4a81650eaf4b0f28274740094c43b863d0e4e258404f51ac85ab

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
324KB

MD5
b111aa373d8208e9b0600bce6f21e4a2

SHA1
67de84f397a4daf642306a40f5a4d29f97e68cf5

SHA256
307e2eaa8cd692acb1b5186f0b6aab954ce58286b131c2727aaa174f30683427

SHA512
e43ed35169d1bcb74ed44746b8b0d564ddd59324af30e957df6cd4519a01c0c3a0f675be8b3e8740a66d9dec4b3117f3689fef87550dcf5e5fc199a1807f0ff9

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
324KB

MD5
46c810151c2066956c0023c2b4594a4a

SHA1
d7a315d51c458b5dba2f05efa19fc7d95d1ea707

SHA256
dd1690f5e356b17835bee8b497752c81de199bc626bd69d29f2b2402832c657d

SHA512
c39c0e2b3a3ac331892883d4ddd46896e035939d7c641fd4aedadf7542e2eb64e387737bbb92dbe54a813a0e80db85ccae6864179ccaa5ea86ddd01e42f81e7c

Download Submit
C:\Windows\SysWOW64\Pfqgfg32.dll

Filesize
7KB

MD5
a12aebea0aeda255f98007ab4922e65a

SHA1
17e92d522b690eaec9dd21e570ac694645693cd0

SHA256
4b73b3191d05e7d86a92f2e0fe77415b9a6c1d09c0a527944ab2eb01134a3fa1

SHA512
6a000441850366e6a970152254be48b597e58d653fbccc9cb6b0988a9143a16e98d26417e6c1f3ab876e6bbeec5f794855c0ff7a1bea411ae3ded56cd4e82ad6

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
324KB

MD5
be5c45deed39626299b92115716ce10e

SHA1
186b28a36ad344f21f54e98e9880793a79617606

SHA256
1cc738fa8c239560d0d1c0d42ea9f7778d418329194575701d47cf109a85eb3c

SHA512
d4f5da1b2e73e4b570813bfc13e47c30cc23357510a2cfb09d252890e378966ba16dd913a2ff3c776a23e90fdfca9b815b2eb563dddafa523b902ffa96a99ab9

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
324KB

MD5
c664607a5a1a22ef5fbd14eda56e7e5a

SHA1
fbda9b12b4ca895de68ca8af02454c368920340b

SHA256
ef98bdf54fe3c8dcb91ccb4b6b88cf48bda2292ad6079152a575fc22cc0626ba

SHA512
3526995bb1c216c6b7e6a53c1d4bdd0b0429155372ef6b87665a1a5bb9f4c9a25fb4f1d5d5e0414f1c2eb02a9e8b5e1259a6ee9ee307043908d8d5fbb5159911

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
324KB

MD5
1e86a340a9e33ba805c7b597dcf7d294

SHA1
46bf808bd2deae1c274a2551b35dbd9d77c7e27e

SHA256
a67dde9248bf17d390a1aab8925fc9bdc918c723bf68d6a1630e6fe3351fba4f

SHA512
4e62b8110a872776a7efca52bce26f108883e15446099bcdf3a285fed547c34c3055bdef0ee1d077042a1364e8d505a5afd7174153e0f84ea33e1b348317fd41

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
324KB

MD5
6c96cfb265c5b35f303433dc87681834

SHA1
b4620ba4f3d0cb93570ffca923f9dcce78a5b80f

SHA256
00b0bcf8f3d1e3172ab44755096eea23dfa417547c4d239a1a1e28e1026ac142

SHA512
706eb7cf67f6a84080f35d9cd4a543e840c3a19befa2cda713a1e342d98614592010f7f1d77b8b11fd56b739b4e154686859fefebb64fc6b4b9e9fc84a50bf75

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
324KB

MD5
cae414329cb90577b930b658d9034698

SHA1
112cf4c7a4721a205a595f7de84aaf2d41a6da8d

SHA256
09cd643677807aed9a5862e5cb6529cbb758662b1268d839ce74331a521424b2

SHA512
dc03d8e08bc45b1bdc13f8a223b9ad37565f33239af01dae6cf60d212254926779f2d58f203b57d8ac8f4e570c839b218123fa50d608c977169d1794d363327a

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
324KB

MD5
2c8a6b464be9a53a7b69ce3686f3889e

SHA1
c60b03ed25c0efd03ad7366930564d1c3b58a911

SHA256
e389137bbf9809d44c9e849d3000be89492d6d7159ae5cf9201a0444c85aface

SHA512
b27497aa09769d793ffc37313388aa07cc62ca8bbcf2ae2629a816cd7ca26e0370e398fbb50d912164c7b9c4eaa91e06cde2cd396ea946a0ef5833ed9a646c7f

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
324KB

MD5
68786f428c703060b06ba9fdc231fc90

SHA1
6bdf881fdf94f481870a40fb23bdf677a25188ed

SHA256
208a0a036206eae3f24418b9b67508b1dfab78f669926f016054c577a330034a

SHA512
c9a6daa810ab86c989f0cd4d3ab2d5edb249ed6627c9e0942446aeded06f817f4b4d4eb123242aa826638985f717cd2fc8c94d742e61c823d28096f2aa2bc047

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
324KB

MD5
091ba4bde121bd47198916c07f319f24

SHA1
4916a319bccccb6de01502262a1d767fbec02d92

SHA256
3c3246ff3a23f8b53c0a96a706fddf003ade17252f1ae34490a542799f4db25b

SHA512
16a83dca264e58eab69f0d4b2a71b4c53ada610c44229395cefcfe9cdef25b88f2c6c08959384d76fae6360ff350cfedcc78546875be46089c49538cea270800

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
324KB

MD5
2b275b5ca1f58828efbe0a7460621fc8

SHA1
f555cc2f495fe4fc08d281fbc5fc6dc97375fb58

SHA256
65297dd68776b08e51417d0a9d453632e82472a70719de5ce00be07138ccf870

SHA512
530a2d850bdc8eb2290c9051aee4a898dfdf9fbd471eaf74a0bec08ea78706dbedaf46bbe856e0e336a4c8d6e1ff565d849915e99516ce94dece3f330cd3ba0d

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
324KB

MD5
856d337e46f90c3d557103396618bffd

SHA1
791c2597eb16313b8f324f1e7fbf0c7d6cb226d3

SHA256
25aed28dcb5c1d3db6c8e57f3d220c39dc7122b5e5f4d38ab613cd52daf98be4

SHA512
ab78f4fe7466f5924a51741228723b527bf20739d59ea097a8f43c20238ce6f9387ec0d8b830fd21be81e6569ca83e9be58ea1723829eb3fb03e53185b8058fc

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
324KB

MD5
77417075401d12007ae1666c44737e23

SHA1
107bdc8a4841aa4af07f2afaf643185f8a22d96f

SHA256
d4825362ce48693089729e023ac0dd5d0a8960d97507c01caa6fb10671f085a9

SHA512
355d92642becc4a6b20f57d5380c98d68a3f7656b1c1d0e588d2abb6b58b43fa38ce40607863af0d98243ce1d88e5469e6118bfb6e5f1b81d19b4ea2d1f3c8b5

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
324KB

MD5
fa942208ba4f47a31e9af091a7e7cb50

SHA1
1c35a45e3b2400d80c8a581bbb40705d7a8cab92

SHA256
9c3fb52f1cf8fad3fe943a59ef737170c72fce1a205f3a8d8793bdad2be328c1

SHA512
293d929138d23c79217e0702e64d14a05b49af11b79e393a6879c87b52bf263188b5b5b56c0a2269e502ead9bb50db8930c0e637b6bf42ebe2f7037fa77ca9fc

Download Submit
memory/876-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-296-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/876-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-297-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/900-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-246-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1260-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-40-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1436-39-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1436-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-6-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/1648-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-13-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/1652-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-149-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1848-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-121-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1848-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-139-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2124-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-202-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2192-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-286-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2424-285-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2424-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-96-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2644-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-97-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2644-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-64-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2656-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-54-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2660-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-25-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2832-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-82-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2864-166-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2864-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-111-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2980-112-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2980-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads