berbew | 6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Size

55KB
MD5

e51a0a8ff41fa14307f810db3303c79d
SHA1

f3328ac54427bc778b86a2d297c1427b3be123cd
SHA256

6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7
SHA512

d705d93f6c06ece90ca46bebb7206b403e2186168303fdcaecc9fe990cdef7a792ce2ec8d092ecc76c44a5993803df2b3159f0580d0cbbd06a92e73432d01b6e
SSDEEP

1536:1Gc0rvkElu/XexYhoX8Yh6koT8or2iOaGyeqWCu6mS+K2iOaGyWCu6mK2iOaGyeY:1h0rvdufexYCa2iOaGyeqWCu6mS+K2iF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijgbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pijgbl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnbpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palbgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caenkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Almihjlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqlbmbn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgaahh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palbgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almihjlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfnhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2940	Obnbpb32.exe
2780	Pijgbl32.exe
2932	Pfnhkq32.exe
3004	Pgaahh32.exe
2704	Pchbmigj.exe
2724	Palbgn32.exe
1032	Qgfkchmp.exe
2228	Qaqlbmbn.exe
1524	Ailqfooi.exe
2840	Almihjlj.exe
1148	Ahcjmkbo.exe
2104	Aicfgn32.exe
2324	Anpooe32.exe
2032	Bjiljf32.exe
952	Bpfebmia.exe
1124	Baealp32.exe
2604	Bgdfjfmi.exe
1316	Ciepkajj.exe
1412	Cpohhk32.exe
372	Ckiiiine.exe
1680	Cdamao32.exe
1628	Caenkc32.exe
1336	Coindgbi.exe

Loads dropped DLL 46 IoCs

pid	Process
2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
2940	Obnbpb32.exe
2940	Obnbpb32.exe
2780	Pijgbl32.exe
2780	Pijgbl32.exe
2932	Pfnhkq32.exe
2932	Pfnhkq32.exe
3004	Pgaahh32.exe
3004	Pgaahh32.exe
2704	Pchbmigj.exe
2704	Pchbmigj.exe
2724	Palbgn32.exe
2724	Palbgn32.exe
1032	Qgfkchmp.exe
1032	Qgfkchmp.exe
2228	Qaqlbmbn.exe
2228	Qaqlbmbn.exe
1524	Ailqfooi.exe
1524	Ailqfooi.exe
2840	Almihjlj.exe
2840	Almihjlj.exe
1148	Ahcjmkbo.exe
1148	Ahcjmkbo.exe
2104	Aicfgn32.exe
2104	Aicfgn32.exe
2324	Anpooe32.exe
2324	Anpooe32.exe
2032	Bjiljf32.exe
2032	Bjiljf32.exe
952	Bpfebmia.exe
952	Bpfebmia.exe
1124	Baealp32.exe
1124	Baealp32.exe
2604	Bgdfjfmi.exe
2604	Bgdfjfmi.exe
1316	Ciepkajj.exe
1316	Ciepkajj.exe
1412	Cpohhk32.exe
1412	Cpohhk32.exe
372	Ckiiiine.exe
372	Ckiiiine.exe
1680	Cdamao32.exe
1680	Cdamao32.exe
1628	Caenkc32.exe
1628	Caenkc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ailqfooi.exe	Qaqlbmbn.exe
File created	C:\Windows\SysWOW64\Anpooe32.exe	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	Anpooe32.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Baealp32.exe
File created	C:\Windows\SysWOW64\Cpohhk32.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Fngooj32.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Pgaahh32.exe	Pfnhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Almihjlj.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Hmecge32.dll	Ahcjmkbo.exe
File created	C:\Windows\SysWOW64\Hakhbifq.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Pijgbl32.exe	Obnbpb32.exe
File created	C:\Windows\SysWOW64\Ahcjmkbo.exe	Almihjlj.exe
File created	C:\Windows\SysWOW64\Iibogmjf.dll	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Caenkc32.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Palbgn32.exe
File created	C:\Windows\SysWOW64\Cnfnahkp.dll	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	Palbgn32.exe
File created	C:\Windows\SysWOW64\Mncmib32.dll	Almihjlj.exe
File opened for modification	C:\Windows\SysWOW64\Aicfgn32.exe	Ahcjmkbo.exe
File opened for modification	C:\Windows\SysWOW64\Ailqfooi.exe	Qaqlbmbn.exe
File created	C:\Windows\SysWOW64\Facqnfnm.dll	Obnbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Baealp32.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Cdamao32.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Pijgbl32.exe	Obnbpb32.exe
File created	C:\Windows\SysWOW64\Caenkc32.exe	Cdamao32.exe
File opened for modification	C:\Windows\SysWOW64\Ahcjmkbo.exe	Almihjlj.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Lpjqnpjb.dll	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
File opened for modification	C:\Windows\SysWOW64\Palbgn32.exe	Pchbmigj.exe
File created	C:\Windows\SysWOW64\Npjkgala.dll	Pchbmigj.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	Anpooe32.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	Anpooe32.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Jcfddmhe.dll	Pijgbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qaqlbmbn.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Gpfecckm.dll	Qaqlbmbn.exe
File created	C:\Windows\SysWOW64\Comjjjlc.dll	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Qaqlbmbn.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	Palbgn32.exe
File created	C:\Windows\SysWOW64\Lflppehm.dll	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Caenkc32.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Obnbpb32.exe	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
File created	C:\Windows\SysWOW64\Ikicmc32.dll	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Jpopml32.dll	Pgaahh32.exe
File created	C:\Windows\SysWOW64\Almihjlj.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Aicfgn32.exe	Ahcjmkbo.exe
File opened for modification	C:\Windows\SysWOW64\Pgaahh32.exe	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Pfnhkq32.exe	Pijgbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Pfnhkq32.exe	Pijgbl32.exe
File created	C:\Windows\SysWOW64\Pchbmigj.exe	Pgaahh32.exe
File created	C:\Windows\SysWOW64\Baealp32.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Cpohhk32.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Caenkc32.exe
File opened for modification	C:\Windows\SysWOW64\Obnbpb32.exe	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqlbmbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahcjmkbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caenkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnhkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgaahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pchbmigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palbgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almihjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijgbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpohhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngooj32.dll"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll"	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjjjlc.dll"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfddmhe.dll"	Pijgbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	Palbgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikicmc32.dll"	Pfnhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palbgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caenkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjkgala.dll"	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll"	Qaqlbmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqlbmbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pijgbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Baealp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Almihjlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pijgbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caenkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baealp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll"	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2940	2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe	30
PID 2272 wrote to memory of 2940	2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe	30
PID 2272 wrote to memory of 2940	2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe	30
PID 2272 wrote to memory of 2940	2272	6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe	30
PID 2940 wrote to memory of 2780	2940	Obnbpb32.exe	31
PID 2940 wrote to memory of 2780	2940	Obnbpb32.exe	31
PID 2940 wrote to memory of 2780	2940	Obnbpb32.exe	31
PID 2940 wrote to memory of 2780	2940	Obnbpb32.exe	31
PID 2780 wrote to memory of 2932	2780	Pijgbl32.exe	32
PID 2780 wrote to memory of 2932	2780	Pijgbl32.exe	32
PID 2780 wrote to memory of 2932	2780	Pijgbl32.exe	32
PID 2780 wrote to memory of 2932	2780	Pijgbl32.exe	32
PID 2932 wrote to memory of 3004	2932	Pfnhkq32.exe	33
PID 2932 wrote to memory of 3004	2932	Pfnhkq32.exe	33
PID 2932 wrote to memory of 3004	2932	Pfnhkq32.exe	33
PID 2932 wrote to memory of 3004	2932	Pfnhkq32.exe	33
PID 3004 wrote to memory of 2704	3004	Pgaahh32.exe	34
PID 3004 wrote to memory of 2704	3004	Pgaahh32.exe	34
PID 3004 wrote to memory of 2704	3004	Pgaahh32.exe	34
PID 3004 wrote to memory of 2704	3004	Pgaahh32.exe	34
PID 2704 wrote to memory of 2724	2704	Pchbmigj.exe	35
PID 2704 wrote to memory of 2724	2704	Pchbmigj.exe	35
PID 2704 wrote to memory of 2724	2704	Pchbmigj.exe	35
PID 2704 wrote to memory of 2724	2704	Pchbmigj.exe	35
PID 2724 wrote to memory of 1032	2724	Palbgn32.exe	36
PID 2724 wrote to memory of 1032	2724	Palbgn32.exe	36
PID 2724 wrote to memory of 1032	2724	Palbgn32.exe	36
PID 2724 wrote to memory of 1032	2724	Palbgn32.exe	36
PID 1032 wrote to memory of 2228	1032	Qgfkchmp.exe	37
PID 1032 wrote to memory of 2228	1032	Qgfkchmp.exe	37
PID 1032 wrote to memory of 2228	1032	Qgfkchmp.exe	37
PID 1032 wrote to memory of 2228	1032	Qgfkchmp.exe	37
PID 2228 wrote to memory of 1524	2228	Qaqlbmbn.exe	38
PID 2228 wrote to memory of 1524	2228	Qaqlbmbn.exe	38
PID 2228 wrote to memory of 1524	2228	Qaqlbmbn.exe	38
PID 2228 wrote to memory of 1524	2228	Qaqlbmbn.exe	38
PID 1524 wrote to memory of 2840	1524	Ailqfooi.exe	39
PID 1524 wrote to memory of 2840	1524	Ailqfooi.exe	39
PID 1524 wrote to memory of 2840	1524	Ailqfooi.exe	39
PID 1524 wrote to memory of 2840	1524	Ailqfooi.exe	39
PID 2840 wrote to memory of 1148	2840	Almihjlj.exe	40
PID 2840 wrote to memory of 1148	2840	Almihjlj.exe	40
PID 2840 wrote to memory of 1148	2840	Almihjlj.exe	40
PID 2840 wrote to memory of 1148	2840	Almihjlj.exe	40
PID 1148 wrote to memory of 2104	1148	Ahcjmkbo.exe	41
PID 1148 wrote to memory of 2104	1148	Ahcjmkbo.exe	41
PID 1148 wrote to memory of 2104	1148	Ahcjmkbo.exe	41
PID 1148 wrote to memory of 2104	1148	Ahcjmkbo.exe	41
PID 2104 wrote to memory of 2324	2104	Aicfgn32.exe	42
PID 2104 wrote to memory of 2324	2104	Aicfgn32.exe	42
PID 2104 wrote to memory of 2324	2104	Aicfgn32.exe	42
PID 2104 wrote to memory of 2324	2104	Aicfgn32.exe	42
PID 2324 wrote to memory of 2032	2324	Anpooe32.exe	43
PID 2324 wrote to memory of 2032	2324	Anpooe32.exe	43
PID 2324 wrote to memory of 2032	2324	Anpooe32.exe	43
PID 2324 wrote to memory of 2032	2324	Anpooe32.exe	43
PID 2032 wrote to memory of 952	2032	Bjiljf32.exe	44
PID 2032 wrote to memory of 952	2032	Bjiljf32.exe	44
PID 2032 wrote to memory of 952	2032	Bjiljf32.exe	44
PID 2032 wrote to memory of 952	2032	Bjiljf32.exe	44
PID 952 wrote to memory of 1124	952	Bpfebmia.exe	45
PID 952 wrote to memory of 1124	952	Bpfebmia.exe	45
PID 952 wrote to memory of 1124	952	Bpfebmia.exe	45
PID 952 wrote to memory of 1124	952	Bpfebmia.exe	45

C:\Users\Admin\AppData\Local\Temp\6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe
"C:\Users\Admin\AppData\Local\Temp\6d981fb4ea55a0ca5d35108f0f69adbaf02089879807fb82157e8e62acbcb7b7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Obnbpb32.exe
  C:\Windows\system32\Obnbpb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\Pijgbl32.exe
    C:\Windows\system32\Pijgbl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Pfnhkq32.exe
      C:\Windows\system32\Pfnhkq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Pgaahh32.exe
        
        C:\Windows\system32\Pgaahh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\SysWOW64\Pchbmigj.exe
        
        C:\Windows\system32\Pchbmigj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Palbgn32.exe
        
        C:\Windows\system32\Palbgn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Qgfkchmp.exe
        
        C:\Windows\system32\Qgfkchmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Qaqlbmbn.exe
        
        C:\Windows\system32\Qaqlbmbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Almihjlj.exe
        
        C:\Windows\system32\Almihjlj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ahcjmkbo.exe
        
        C:\Windows\system32\Ahcjmkbo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Anpooe32.exe
        
        C:\Windows\system32\Anpooe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Bpfebmia.exe
        
        C:\Windows\system32\Bpfebmia.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Cpohhk32.exe
        
        C:\Windows\system32\Cpohhk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Caenkc32.exe
        
        C:\Windows\system32\Caenkc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aicfgn32.exe

Filesize
55KB

MD5
2226ae5ea36076f878f543aff245acd7

SHA1
f0d9518f106032c40258f35bce48ab3f37446ef2

SHA256
e358f5c9b88a9fc5a2a48338990769609e48a9f5388edce836ce2ea59afcc30f

SHA512
3e2fc061cdb155641599e2494d53a411ba261015f068bd266c35a93d6cc1c457cdc360d933434d3b89275810573f32d74f1456332b20e74ddbb7b5d0510e9242

Download Submit
C:\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
55KB

MD5
beddf2d81040a9fcd8d82d5c0a421316

SHA1
31caaa805c2b6bab88eb08a70f3812ceb498763f

SHA256
63cf1738193d75c241c7f7bef9c5f3ea726d5f4a956d7cc6faf0f878377ed752

SHA512
074c3b93ef07413710a791662fb6fea0ea01545de7bab6c68211088759e967fdd919beca93cc30f08b80e6aa3a79d2e9478afb72e2a41723c5c9047f5b25789d

Download Submit
C:\Windows\SysWOW64\Caenkc32.exe

Filesize
55KB

MD5
c5c44df9f28c3f5adef2e5a49fff2f33

SHA1
2ee01fb50b77704bc9b6695a8e9f8e4dc76d661a

SHA256
1e8f39bd91379158ad456e1b36deefc5b3e1695cae6000be4bab9ad4ad65ac38

SHA512
617875cf8fa7840ef236f3cdfede55048a9d5c512112ef0200c5ea312de1b0c097083612dc9d8dc949f2a49a440780e04e49fe359d5d48beca4e885c53fdf89c

Download Submit
C:\Windows\SysWOW64\Cdamao32.exe

Filesize
55KB

MD5
ff29e197d9fe70bbc3d3b4f3632b7626

SHA1
bb64df59c59ef57fb42d639bae1b7ca4d4684765

SHA256
36d86eb86f5ea8955119338ae9858135b259e826a329f6db2c53a3e0a42e1f4e

SHA512
3138b7f2390dad2bc86a90a31bfe23c56829ac704ebc33a836a71a26f48ecbf267d89abe5175dbbf34ab4a90942f4f4b1d6c9877f47896bd2605b6301e2c4890

Download Submit
C:\Windows\SysWOW64\Ciepkajj.exe

Filesize
55KB

MD5
80911bcde700ab8d48c8b159afd92844

SHA1
d265a96ec36e006cd3b5d088344bb263b475aecc

SHA256
7fec37976296e8003ea8f65584c22716dfd4d0327eccdee7e51f24868c541ebe

SHA512
10e2b36b76cca919a3f99e0397c7892b6cbe5978159f9a029553ee9d97fd49beacedb0e6c3950013365faf9bc52a749deb97e277c521017e6c12f93663db1ccd

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
55KB

MD5
d5372ba5627281d02851ea8b0378d7b2

SHA1
6a847493bfc3afae930917c4303f819bb2547edd

SHA256
8c1e2e2ea4d604ec905456578cd606140739dca1b3056344cafd791c445bb6eb

SHA512
bbc3bb1732cc3b1f493445f91cc604061b9a2194e369f3e2ab045ecc123a7697237a55b2b8a583f54402080797ee17661e50b7acdd6b4020f4b6c0fbc79063a3

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
55KB

MD5
d4df4a1cb9ffc420e4553371f3d9521a

SHA1
a3c62304c84a4e61f6067f07d69c3aa26fc1f5d0

SHA256
540aed1069e870383659521560ef780e521889ae8c039a32146505b266ff201a

SHA512
e9537bb44866c852a80d6281df70e1d8b35e862e15f8a912318e5b1da5dfd5d99555b083aaeb197984dfe2ace38edbc03ffb48086999417c4b05261ecdcc7897

Download Submit
C:\Windows\SysWOW64\Cpohhk32.exe

Filesize
55KB

MD5
3bc00127a3c4c9361e0015968ffd262b

SHA1
c43d4e0b0d0fe04551fca1eb99c86a68af058320

SHA256
b08111dc77b48236572228c60371c1c000cbff332b370fce99f77d3966253232

SHA512
cd2ad96e8463aca7dd06f2369b15389f8d9039f6d41e6d2a3ce5cc7c1ca3e5eb18a400684a366cf53f27febb65bf97fc62a3efc37b77533c8cc21458198e831c

Download Submit
C:\Windows\SysWOW64\Obnbpb32.exe

Filesize
55KB

MD5
e684609a026b27f6787452b1037f7e8d

SHA1
7e28531f87a5d83931d2fb950be689224f556aef

SHA256
4e9edbc8be60f91fa74498dc9c0efadbf49bd495fbd9d67cba977bcd2f60013a

SHA512
13b118546569449b867727b6c22ed330846fb435b4664d6740c00810b2d72954192b5ca2a975b30f8fe4c2501e22d6817b4a08024b1ea250335799025fe776e0

Download Submit
C:\Windows\SysWOW64\Pijgbl32.exe

Filesize
55KB

MD5
37f927cbbd82ab7c2da3942dec68af1d

SHA1
938ad2cd2b58acd2c7cea1b5a55708516138c072

SHA256
72709cb6c6460369894a5e3c752d086a5aa32c6c1f739186536ce2c25c32c868

SHA512
770553f8e60fd65f4790c537dfdf175c1249dea3ccdf52bbb84d9e78c5abeb4a3334a9f36c763c412579f398982d8c4aea4054539c0977735ea1db606cd472fd

Download Submit
\Windows\SysWOW64\Ahcjmkbo.exe

Filesize
55KB

MD5
9bb3d0e4669512dd8336da23a2cfe2d9

SHA1
29f25ec3d0a7f727553a38961edeb5dd94294230

SHA256
623b056243477257451bbd73b99fe8d2a03a8e77c1ade0896f456587e4296f00

SHA512
c209a2b1ea30f0388a5188a416e946b5cf91d51d3a8d1925438076fd0007a18949ab3bddbdb0d47edd37be1297504dd6acef64106b1abce351c7a462d4475054

Download Submit
\Windows\SysWOW64\Ailqfooi.exe

Filesize
55KB

MD5
6aa37222f0f9e1f172315cbc0a62a6c0

SHA1
76599061138e60fc492d68d092ccda05393914ae

SHA256
9b5a6d8648bf69e302cb6f435d4f8828bcc4edff0bce5558ed2cb29c4e8a7acc

SHA512
cb1bef7a1359fd7e6a276e02adb241c9a0382f12ae25fb4c0aec1fcb72e6bf705fa349d56eeb14771995cc20a806f811c679568771886be6759e44ebe26cec66

Download Submit
\Windows\SysWOW64\Almihjlj.exe

Filesize
55KB

MD5
545c94d03b3693f85fc5cf882ba54486

SHA1
00d3f66e9d9fa20b6c7c75d8f6571bfb26a9816b

SHA256
e1412b463979b01a1ad447c2f5fc638d8e0f448796070fc6f85fe0242be197d7

SHA512
7e29447c73d71dd62e25d1269435b7b65b4017892e0864dbfa2dd3a7abcc3944756ebfce41f82f0172af40d2b760ef24f18f1f76a231520a169291e5c4e590ed

Download Submit
\Windows\SysWOW64\Anpooe32.exe

Filesize
55KB

MD5
fd104c6ccb2a92d400788fe1dadd7248

SHA1
3e2249f4a8c113ba91d3d8bf319eb242a7f135db

SHA256
76997c425bc3f302f467bf7ece8f4c826b52925b74ac43867ea74fa1f2778544

SHA512
ad7c93bfb21e4487e46305ceb8f6364c6cc4b4e4aedb587bdf9c175bd74959d899e87007050b95e9ec13c50aa08171602c63ab15811daef6f2a734b4046c5faa

Download Submit
\Windows\SysWOW64\Baealp32.exe

Filesize
55KB

MD5
7efdc07682c672d6686560a118a845e6

SHA1
c4c0f1b035f1ffadadcacede6f1153ce8767b509

SHA256
89e2bdc7660323a1b14cf112dcb3eb8a644afc39855c5c3849723c8c03e7f28f

SHA512
894a47d0339833b2867725a3b7a16a52f1adf5e0ab2b946793cf6a4ccf792c95590029060ff60f280c3eac3f8568522c7563cb8f26482d00ea563beffcaf40ab

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
55KB

MD5
7b16ea3bac4e2b8914f12071f169e2c0

SHA1
dce4144b7b9f2b8e492ea2744079ac4dbed1180a

SHA256
48d9d8522a0c27849cc820874f404055d6f84bf35217617cba585faf23115f58

SHA512
0a2c0d12fcafa121e392306673af13afab229f25b85c54d5f6f5d2d7782d274a4223cf73745582e1afae75e81b3eafec94de6183ffdc95ac260ef1f9790940d1

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
55KB

MD5
f7a1be66237c6b72d46ee1e25707ddf3

SHA1
980913f3f8140a9467c040d35d6819bac372d61c

SHA256
9fe84d6974655c04d2ad3a5b7c4e045f5e2f0421226700d5befd0f8c73373b36

SHA512
b2b2462f13b06660b292b6dfbbb84153831514d760a3a0b0497126cb72914c6717963f1049d1619606c627b82746b6bff53d0b15a1f02b31d7642d9a1ae7873b

Download Submit
\Windows\SysWOW64\Palbgn32.exe

Filesize
55KB

MD5
66aee4f4d736395cf5ad864a02153f19

SHA1
59589ecefbc93d203d9bb79b48a41af60d868418

SHA256
04539a008356637b1045deb2b5ff2262418233f3eec84a75f1c2f37ebac0676c

SHA512
a7dd63512ca5f39317726633a107ff5c7e03b8917461c16d4a8c8fccec2b54dcef1a2bc41f723f2083ddf3d9695852e623b0d30871ae0dfc3e3d427c30fcabc7

Download Submit
\Windows\SysWOW64\Pchbmigj.exe

Filesize
55KB

MD5
af0d5d92530406687790f0ca38c3e7b1

SHA1
b39fd8edfd08f33af3957bb39d1bd116bab9f954

SHA256
9396c7597e9896fa8d4d550ca150246c0ad2281bcf98888b13d59b585a7765f2

SHA512
7252caffb2a875e23a6398770d1ffb2e69b31ec7e87332dd44f0c84b1bf434e30859fe69612033354300329087a91b1bb186b0ff063eec9db3bcc8f03660032e

Download Submit
\Windows\SysWOW64\Pfnhkq32.exe

Filesize
55KB

MD5
427ab72541d0a2040e0d2d72f8a4e4de

SHA1
2fa6f04d10824623ebbc881d452bedcd4242c2b4

SHA256
df621c85baea912feea8258dadeed040a8241df80c2b93024592fec948ee2a7f

SHA512
11ad945ad9afecf6ade4b3d456a37fd1927c393d8f28fbf2f4e627c6898d5d75096929c9ea27205afde35b85d4c61a1e15e972fd6f042ec784e2d1749df455af

Download Submit
\Windows\SysWOW64\Pgaahh32.exe

Filesize
55KB

MD5
87c46432cb4296113527aa79f01b6896

SHA1
8cd0a59d3cc2eb047f466217e4f7016109294d84

SHA256
8e0e534efc12ee92dce275ce04abdee520cba1899633bd0764c1cd950b5bda2d

SHA512
07d412504dc093dfa3703f965eb2b90823f65852544319720aa777a620ef8739ba62ed76665cdef6053a9491e0c50fcc784977837f059eec16c7182061fc8830

Download Submit
\Windows\SysWOW64\Qaqlbmbn.exe

Filesize
55KB

MD5
c14c16fe78983417dda650a9ea35cb4e

SHA1
065f437bc2f3dab0daf7e0311b39feb181b60186

SHA256
55003918c3ec285b83b7d35154e99afada0bacf2582c987b95953fdf194422f1

SHA512
a06c93bafd6f9428f138e6fa949415f330df56f3bc895285df2f13c01b32298d0300204b6c976f715162d9c8bdf90fcae4290ed3793bb1a0b8d4b60a21ec0ad7

Download Submit
\Windows\SysWOW64\Qgfkchmp.exe

Filesize
55KB

MD5
ac678d14c705487de25f27de78851e65

SHA1
75fb5f4edb16907f87c1c8a8e368f19518babfd9

SHA256
3bbd0634bef72f5a8db4e9fa233d36b2bc85fe6abfa15588fa90f5a772f42c5b

SHA512
8495dfccaf8811ee208fb93f6511ff5a34b3e9be41f802d558fe93c3c4b785c336ef284a8c17d96dcaa26360315134d854608c2bb5aa59acf8d47308cf2968d6

Download Submit
memory/372-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-211-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/952-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-103-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1032-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-224-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1124-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-166-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1148-165-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1148-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-243-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1316-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-129-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1628-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-270-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1680-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-197-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2104-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-169-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2228-116-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/2228-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-13-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2272-308-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2272-307-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2272-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2272-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-187-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2324-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-236-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2604-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-80-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2704-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-90-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2780-40-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2780-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-39-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2780-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-50-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2940-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-319-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/3004-63-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3004-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads