berbew | 21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Size

224KB
MD5

9ae6b755b0082f4302354a08a5c52dd0
SHA1

d06d5b2a0497ea42ecdf253208865037d2941349
SHA256

21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803
SHA512

ed18cd7356b8efe72516ec5245a6ca8e17f375067eda78cb1c176835b1c19490b7d8ab3ffa2d2fee4b702f1c1d92f2dff4bed130e7c7bde2cdb53966a52907c9
SSDEEP

6144:uCELf41aXrFE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:uCGf1OaAD6RrI1+lDML

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgiibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anndbnao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oibpdico.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pngbcldl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeccdila.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgiibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anpahn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paghojip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkplgoop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oibpdico.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngbcldl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paghojip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkplgoop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogddhmdl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
1724	Ogddhmdl.exe
2192	Oibpdico.exe
2964	Oophlpag.exe
2936	Pkfiaqgk.exe
3032	Papank32.exe
2652	Pngbcldl.exe
1948	Pkkblp32.exe
2024	Pgacaaij.exe
2420	Paghojip.exe
2868	Pkplgoop.exe
2952	Qdhqpe32.exe
1596	Qmcedg32.exe
2752	Qgiibp32.exe
1732	Aqanke32.exe
2180	Afnfcl32.exe
2032	Acbglq32.exe
1692	Aeccdila.exe
740	Afbpnlcd.exe
2580	Akphfbbl.exe
2884	Anndbnao.exe
2600	Aehmoh32.exe
1656	Anpahn32.exe
1620	Ablmilgf.exe
1628	Bmenijcd.exe

Loads dropped DLL 52 IoCs

pid	Process
2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
1724	Ogddhmdl.exe
1724	Ogddhmdl.exe
2192	Oibpdico.exe
2192	Oibpdico.exe
2964	Oophlpag.exe
2964	Oophlpag.exe
2936	Pkfiaqgk.exe
2936	Pkfiaqgk.exe
3032	Papank32.exe
3032	Papank32.exe
2652	Pngbcldl.exe
2652	Pngbcldl.exe
1948	Pkkblp32.exe
1948	Pkkblp32.exe
2024	Pgacaaij.exe
2024	Pgacaaij.exe
2420	Paghojip.exe
2420	Paghojip.exe
2868	Pkplgoop.exe
2868	Pkplgoop.exe
2952	Qdhqpe32.exe
2952	Qdhqpe32.exe
1596	Qmcedg32.exe
1596	Qmcedg32.exe
2752	Qgiibp32.exe
2752	Qgiibp32.exe
1732	Aqanke32.exe
1732	Aqanke32.exe
2180	Afnfcl32.exe
2180	Afnfcl32.exe
2032	Acbglq32.exe
2032	Acbglq32.exe
1692	Aeccdila.exe
1692	Aeccdila.exe
740	Afbpnlcd.exe
740	Afbpnlcd.exe
2580	Akphfbbl.exe
2580	Akphfbbl.exe
2884	Anndbnao.exe
2884	Anndbnao.exe
2600	Aehmoh32.exe
2600	Aehmoh32.exe
1656	Anpahn32.exe
1656	Anpahn32.exe
1620	Ablmilgf.exe
1620	Ablmilgf.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Ablmilgf.exe	Anpahn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Ogddhmdl.exe	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
File created	C:\Windows\SysWOW64\Oophlpag.exe	Oibpdico.exe
File created	C:\Windows\SysWOW64\Pkfiaqgk.exe	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Papank32.exe	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Maneecda.dll	Paghojip.exe
File opened for modification	C:\Windows\SysWOW64\Oibpdico.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Paghojip.exe	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Pkplgoop.exe	Paghojip.exe
File created	C:\Windows\SysWOW64\Qmcedg32.exe	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Akphfbbl.exe	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Abgqlf32.dll	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Lphdbl32.dll	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Ablmilgf.exe
File opened for modification	C:\Windows\SysWOW64\Ogddhmdl.exe	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
File created	C:\Windows\SysWOW64\Ebakdbbk.dll	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
File created	C:\Windows\SysWOW64\Qebepc32.dll	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Aeccdila.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Iibjbgbg.dll	Anpahn32.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Qgiibp32.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Anhaglgp.dll	Aeccdila.exe
File created	C:\Windows\SysWOW64\Jgelak32.dll	Anndbnao.exe
File created	C:\Windows\SysWOW64\Pgacaaij.exe	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Iindag32.dll	Qmcedg32.exe
File created	C:\Windows\SysWOW64\Akphfbbl.exe	Afbpnlcd.exe
File opened for modification	C:\Windows\SysWOW64\Pgacaaij.exe	Pkkblp32.exe
File opened for modification	C:\Windows\SysWOW64\Pkplgoop.exe	Paghojip.exe
File created	C:\Windows\SysWOW64\Hegfajbc.dll	Qdhqpe32.exe
File opened for modification	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Aeccdila.exe	Acbglq32.exe
File opened for modification	C:\Windows\SysWOW64\Afbpnlcd.exe	Aeccdila.exe
File opened for modification	C:\Windows\SysWOW64\Pkfiaqgk.exe	Oophlpag.exe
File created	C:\Windows\SysWOW64\Ckfhogfe.dll	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Pngbcldl.exe	Papank32.exe
File created	C:\Windows\SysWOW64\Nmbjkm32.dll	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Qgiibp32.exe
File opened for modification	C:\Windows\SysWOW64\Aehmoh32.exe	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Ablmilgf.exe	Anpahn32.exe
File created	C:\Windows\SysWOW64\Jegphc32.dll	Akphfbbl.exe
File opened for modification	C:\Windows\SysWOW64\Qdhqpe32.exe	Pkplgoop.exe
File created	C:\Windows\SysWOW64\Ihdhmkjd.dll	Pkplgoop.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Qgiibp32.exe
File created	C:\Windows\SysWOW64\Afbpnlcd.exe	Aeccdila.exe
File created	C:\Windows\SysWOW64\Anndbnao.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Oibpdico.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Papank32.exe	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Klhejn32.dll	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Pkkblp32.exe	Pngbcldl.exe
File opened for modification	C:\Windows\SysWOW64\Paghojip.exe	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Khilfg32.dll	Acbglq32.exe
File created	C:\Windows\SysWOW64\Aehmoh32.exe	Anndbnao.exe
File created	C:\Windows\SysWOW64\Anpahn32.exe	Aehmoh32.exe
File opened for modification	C:\Windows\SysWOW64\Anpahn32.exe	Aehmoh32.exe
File opened for modification	C:\Windows\SysWOW64\Oophlpag.exe	Oibpdico.exe
File created	C:\Windows\SysWOW64\Eodinj32.dll	Oibpdico.exe
File created	C:\Windows\SysWOW64\Cimjoaod.dll	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Fhgmpohp.dll	Papank32.exe
File opened for modification	C:\Windows\SysWOW64\Qmcedg32.exe	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Pngbcldl.exe	Papank32.exe
File opened for modification	C:\Windows\SysWOW64\Qgiibp32.exe	Qmcedg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	1628	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibpdico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngbcldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkkblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdhqpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcedg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehmoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Papank32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkplgoop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbpnlcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpahn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfiaqgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgacaaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgiibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akphfbbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablmilgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogddhmdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paghojip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeccdila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anndbnao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfhogfe.dll"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgiibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll"	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll"	Pkplgoop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anpahn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paghojip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll"	Qmcedg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgiibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll"	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oibpdico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khilfg32.dll"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegfajbc.dll"	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmpohp.dll"	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll"	Pngbcldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maneecda.dll"	Paghojip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmgcagc.dll"	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebakdbbk.dll"	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodinj32.dll"	Oibpdico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaglgp.dll"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmbjkm32.dll"	Pgacaaij.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1724	2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe	30
PID 2300 wrote to memory of 1724	2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe	30
PID 2300 wrote to memory of 1724	2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe	30
PID 2300 wrote to memory of 1724	2300	21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe	30
PID 1724 wrote to memory of 2192	1724	Ogddhmdl.exe	31
PID 1724 wrote to memory of 2192	1724	Ogddhmdl.exe	31
PID 1724 wrote to memory of 2192	1724	Ogddhmdl.exe	31
PID 1724 wrote to memory of 2192	1724	Ogddhmdl.exe	31
PID 2192 wrote to memory of 2964	2192	Oibpdico.exe	32
PID 2192 wrote to memory of 2964	2192	Oibpdico.exe	32
PID 2192 wrote to memory of 2964	2192	Oibpdico.exe	32
PID 2192 wrote to memory of 2964	2192	Oibpdico.exe	32
PID 2964 wrote to memory of 2936	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2936	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2936	2964	Oophlpag.exe	33
PID 2964 wrote to memory of 2936	2964	Oophlpag.exe	33
PID 2936 wrote to memory of 3032	2936	Pkfiaqgk.exe	34
PID 2936 wrote to memory of 3032	2936	Pkfiaqgk.exe	34
PID 2936 wrote to memory of 3032	2936	Pkfiaqgk.exe	34
PID 2936 wrote to memory of 3032	2936	Pkfiaqgk.exe	34
PID 3032 wrote to memory of 2652	3032	Papank32.exe	35
PID 3032 wrote to memory of 2652	3032	Papank32.exe	35
PID 3032 wrote to memory of 2652	3032	Papank32.exe	35
PID 3032 wrote to memory of 2652	3032	Papank32.exe	35
PID 2652 wrote to memory of 1948	2652	Pngbcldl.exe	36
PID 2652 wrote to memory of 1948	2652	Pngbcldl.exe	36
PID 2652 wrote to memory of 1948	2652	Pngbcldl.exe	36
PID 2652 wrote to memory of 1948	2652	Pngbcldl.exe	36
PID 1948 wrote to memory of 2024	1948	Pkkblp32.exe	37
PID 1948 wrote to memory of 2024	1948	Pkkblp32.exe	37
PID 1948 wrote to memory of 2024	1948	Pkkblp32.exe	37
PID 1948 wrote to memory of 2024	1948	Pkkblp32.exe	37
PID 2024 wrote to memory of 2420	2024	Pgacaaij.exe	38
PID 2024 wrote to memory of 2420	2024	Pgacaaij.exe	38
PID 2024 wrote to memory of 2420	2024	Pgacaaij.exe	38
PID 2024 wrote to memory of 2420	2024	Pgacaaij.exe	38
PID 2420 wrote to memory of 2868	2420	Paghojip.exe	39
PID 2420 wrote to memory of 2868	2420	Paghojip.exe	39
PID 2420 wrote to memory of 2868	2420	Paghojip.exe	39
PID 2420 wrote to memory of 2868	2420	Paghojip.exe	39
PID 2868 wrote to memory of 2952	2868	Pkplgoop.exe	40
PID 2868 wrote to memory of 2952	2868	Pkplgoop.exe	40
PID 2868 wrote to memory of 2952	2868	Pkplgoop.exe	40
PID 2868 wrote to memory of 2952	2868	Pkplgoop.exe	40
PID 2952 wrote to memory of 1596	2952	Qdhqpe32.exe	41
PID 2952 wrote to memory of 1596	2952	Qdhqpe32.exe	41
PID 2952 wrote to memory of 1596	2952	Qdhqpe32.exe	41
PID 2952 wrote to memory of 1596	2952	Qdhqpe32.exe	41
PID 1596 wrote to memory of 2752	1596	Qmcedg32.exe	42
PID 1596 wrote to memory of 2752	1596	Qmcedg32.exe	42
PID 1596 wrote to memory of 2752	1596	Qmcedg32.exe	42
PID 1596 wrote to memory of 2752	1596	Qmcedg32.exe	42
PID 2752 wrote to memory of 1732	2752	Qgiibp32.exe	43
PID 2752 wrote to memory of 1732	2752	Qgiibp32.exe	43
PID 2752 wrote to memory of 1732	2752	Qgiibp32.exe	43
PID 2752 wrote to memory of 1732	2752	Qgiibp32.exe	43
PID 1732 wrote to memory of 2180	1732	Aqanke32.exe	44
PID 1732 wrote to memory of 2180	1732	Aqanke32.exe	44
PID 1732 wrote to memory of 2180	1732	Aqanke32.exe	44
PID 1732 wrote to memory of 2180	1732	Aqanke32.exe	44
PID 2180 wrote to memory of 2032	2180	Afnfcl32.exe	45
PID 2180 wrote to memory of 2032	2180	Afnfcl32.exe	45
PID 2180 wrote to memory of 2032	2180	Afnfcl32.exe	45
PID 2180 wrote to memory of 2032	2180	Afnfcl32.exe	45

C:\Users\Admin\AppData\Local\Temp\21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe
"C:\Users\Admin\AppData\Local\Temp\21799004ce1409cb0b36fac1a1b4437ea2a825b1fa8eda0d09ee4f64c13e3803N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Ogddhmdl.exe
  C:\Windows\system32\Ogddhmdl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\Oibpdico.exe
    C:\Windows\system32\Oibpdico.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\Oophlpag.exe
      C:\Windows\system32\Oophlpag.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Pkfiaqgk.exe
        
        C:\Windows\system32\Pkfiaqgk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\Papank32.exe
        
        C:\Windows\system32\Papank32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Pngbcldl.exe
        
        C:\Windows\system32\Pngbcldl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pkkblp32.exe
        
        C:\Windows\system32\Pkkblp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pgacaaij.exe
        
        C:\Windows\system32\Pgacaaij.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Paghojip.exe
        
        C:\Windows\system32\Paghojip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Pkplgoop.exe
        
        C:\Windows\system32\Pkplgoop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Qdhqpe32.exe
        
        C:\Windows\system32\Qdhqpe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Qmcedg32.exe
        
        C:\Windows\system32\Qmcedg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Qgiibp32.exe
        
        C:\Windows\system32\Qgiibp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Afnfcl32.exe
        
        C:\Windows\system32\Afnfcl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Aeccdila.exe
        
        C:\Windows\system32\Aeccdila.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Afbpnlcd.exe
        
        C:\Windows\system32\Afbpnlcd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Akphfbbl.exe
        
        C:\Windows\system32\Akphfbbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Anndbnao.exe
        
        C:\Windows\system32\Anndbnao.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Aehmoh32.exe
        
        C:\Windows\system32\Aehmoh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Anpahn32.exe
        
        C:\Windows\system32\Anpahn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Ablmilgf.exe
        
        C:\Windows\system32\Ablmilgf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablmilgf.exe

Filesize
224KB

MD5
3463cc2b8b67e636c2c74e8b12095394

SHA1
be822aeb13cf07ab71f07702057a391c8a14bdcb

SHA256
a07d2783af7d3a7f3875d447f0fb8e9075552a0965da0162e478dfe19b73dd1f

SHA512
cdc603d124dd91621c25d35dc585a59a609ffd909f5b89cb83217bcacbf5f3820dddb5062c04cf5982df72a3d563dc8bb2d4e34bdb79b37f7673d2e8a501a05c

Download Submit
C:\Windows\SysWOW64\Aeccdila.exe

Filesize
224KB

MD5
bdb710ec9ab560a3fa1c6960d6e040b8

SHA1
05d1080e465fd7a4e877d08aab54f027e6f2b794

SHA256
f9ecc2172c3364b74828b76fc7951828e516e8c14b99af84cf20ade6eb6b67c2

SHA512
5b35378dde4fd6374cd71e82e5e1a52674b09c380c66af88a64539baed5b3ed1437ef17d92b9b8cc2909938059bba3fd4febe4c22ff310de845a242c0fcac6d0

Download Submit
C:\Windows\SysWOW64\Aehmoh32.exe

Filesize
224KB

MD5
9013fc3243bd0def3fb688ee156ae5fd

SHA1
d477b3b5e25e93eb5f837ed018e4023caf9289d2

SHA256
a1ec5808e46a34eb95dd59afe28c16b251ce885050b9620f13ba67fb13d676b3

SHA512
9f79ed287e699305782fce2a6afe9d28f12a2ee4ab108d0ab4242a8060a9102faa0ead1021788691968190595332900c64371a7b4c9c1ecd90a2240b2653fc0f

Download Submit
C:\Windows\SysWOW64\Afbpnlcd.exe

Filesize
224KB

MD5
97e3a2de242ae031b58cc81b0e697ee8

SHA1
f9a7b54717089e15dc60be5996f481cdaf644781

SHA256
5c71eca17ddac8d3affb3e28ced5d69e317bd13edbecd3e26f5873e367fba820

SHA512
3d0a1267cdc33e22a07e9b776d7879a328c2efc4dd1c7eca346e2261173046374312277c1b8c15a48391e5d5151ed1eaddb62096c02b8091594ac69d02c50add

Download Submit
C:\Windows\SysWOW64\Akphfbbl.exe

Filesize
224KB

MD5
addb9bef5b74a81d605a59b3fe568289

SHA1
6359694872b477f3b5ded5e807f05301f57e6d7e

SHA256
099a27451e3d82a7a4a9e1038a55c8e55d05defb15a7f26bf4385030664fbb36

SHA512
e115c6beedb741bca2c92fd509232d79a4ac42c657eb569bb08ce565f87d57d067e27c047b1f5551b705278d37075fc0cbce45ed01e63801c07c6fdf2fb4d760

Download Submit
C:\Windows\SysWOW64\Anndbnao.exe

Filesize
224KB

MD5
9a6e265f169ce29beaff37c658c4e770

SHA1
a2f8a6563c69e92bf837883d68b34eb25729f4eb

SHA256
59317910cca7a205642cca04a973b2ebd0e0a19feee1679b73c3ec43e496a862

SHA512
4946b566ac43f9fb455cfb2637d8bbd6e2259cd02b1bfbacb9d0c556efaa5db254bff907cba0c3d6552aa6c647c0ee27703033b152b65e902f8421619315350c

Download Submit
C:\Windows\SysWOW64\Anpahn32.exe

Filesize
224KB

MD5
870ff64398f1449615326577012327d8

SHA1
ef8203bce3d39ceb0e6b618bdc627122b2d7a235

SHA256
79a2d15c9a22d1157cbe1b8636cbaf8aee18a8c40eef27a2799f2c4bdf093a23

SHA512
87c10091456cd2603992e938262463131520afdace14b43a372a0708fdbea425f6d68d074f8be4343cf5cd472e4bf3736358bae4289283029cc13d2b9c3e0869

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
224KB

MD5
2b04573e6400be02ab5ed7bc2f197c72

SHA1
c15e845d8a57187b3a77bfeeac1b534290c62762

SHA256
8cb017a16d7c0d37a6b2b571423f56f7192f67bc52b41156eb45e1b6d23bbfa5

SHA512
88f206268619e0c041ebb44eae23fc04acb3629369b768857328990e23e67c8177ec4b413279d83ac5bcf011dd1c31e1139df98ddff7cd424ad714731c6c483b

Download Submit
C:\Windows\SysWOW64\Cimjoaod.dll

Filesize
7KB

MD5
92a9180b33dbf386cced7b4c9deba516

SHA1
02e5ca9acf36221cb89fd59827d3398e256565bb

SHA256
da8d7decc94f5dc1f05922f06784bc04aff7e4a6636f671a12cbb5be69c757ab

SHA512
2c42849e112101835a5b8ed595b4435900bd1036cf807e4a4f66b6d1ca0da8222785b67fee83ef005cfb25788988401d55daaf64be315b06645a8283ac3851e4

Download Submit
C:\Windows\SysWOW64\Oibpdico.exe

Filesize
224KB

MD5
0e5c594076f50f4e4d61ff5de9f0cf96

SHA1
29772d806c1cfec587bd173c97dccb5b58757772

SHA256
fff6f3a1fad3b105de98dbfda71f0cd6ad6b8ae531e726152b26660f52e5a8f6

SHA512
ae295b95cb25c5adf62f21102dce97f9f94d4f73f568545a6c80b1a07ffd2d07ddedeb6c5899442dc6d9cd9f4a01d2b167d49825896f756a080ec8dc0c60f5fe

Download Submit
C:\Windows\SysWOW64\Oophlpag.exe

Filesize
224KB

MD5
2da1f0d655313545896162a92e5b689c

SHA1
21255c8d0b9ee6d860085bf428e258f8b225d22d

SHA256
4329ea4d4be6a04eab4db286f46355202950ede5805f5766f0c8f81a3406946e

SHA512
0e6dbea7936b20686e1edff8809b23a4609778544bf53c18dafa464c814af78d90fbd1482b0781478c1382333833356620273afe0329ebfdfd2fa09933807b1e

Download Submit
\Windows\SysWOW64\Acbglq32.exe

Filesize
224KB

MD5
8d30738491b220b77e45c680b749c7a4

SHA1
7a917a19df990808f99323f67a5507544352f67f

SHA256
136412aa2eba992d7aecc883e77d7db1a4242d179ea99cb223d41d94591ce787

SHA512
13883bd611987131444a19cfa9eac192bd5561e864ba675f8a8819a7fa796ff9a2a42800a0004b57a9b77ff3a8f44dd12557b11f145ba745c40cd5a4daf4baed

Download Submit
\Windows\SysWOW64\Afnfcl32.exe

Filesize
224KB

MD5
7799c41fb80db040464f140937e46ba9

SHA1
894d07d6dfc7e3754fa4e61def90ea20c9f0d4d7

SHA256
cbc156f758650074265c71484ee225b3e339898d272bbbc88716410bc85492ed

SHA512
64d1192385f4aa745fcf5d6bd7b199162bd9d77263c5b40a572942f36a2be139c229f4018c68dc98251f7f3942534dc5595203d969c04f124417e3a9df499306

Download Submit
\Windows\SysWOW64\Aqanke32.exe

Filesize
224KB

MD5
99adba20c8f82b28ab75bce91eb64e50

SHA1
e2a8691fc36e4ca40b98f5bb4676193e81bd968b

SHA256
ae9ef48bdd20aacc840893ff3ad4f07b9dbd885fc45dbbd2b1a685e56e9c92d0

SHA512
cd71660df9ef709ca3e487390b21611ef2127ad7037eebf78843b239cbc3436df8c8d9c3019d66bd4ea89a7a03bd2fc8b4bcc6ffd1e83660362faa3be7ec3a8a

Download Submit
\Windows\SysWOW64\Ogddhmdl.exe

Filesize
224KB

MD5
b6a6f8dbacdf6b00b698e99f6491b8f2

SHA1
44726b03bdc0481b7fd4b57b8ae3c5da7fca3f84

SHA256
f3458dfdfd0ba261c941051de511a16d870bc817ea19f3f602b0d876d1b5e7d9

SHA512
82f2d7488b53a712b5f37b705547279fd1500acf2f7398708e44015e4f2596661ce03ecf47b6e4d955ede9d1ddbda10401781bfb7e720ca2aed473d1dbc48411

Download Submit
\Windows\SysWOW64\Paghojip.exe

Filesize
224KB

MD5
8a273dfae69d64011b24a16a43a9fcfc

SHA1
45793f7b84aeebb11f3ab767815da5d0d65502a9

SHA256
5f9b83e7d4df455eb8f17eeb509443ce30604e628e415ec6513550c470ca4c41

SHA512
a404b709f9df392fa3110b3b6a7d23be5a210689c09a9d273f29e68508bccb71bfa0ac266203b7807ecbe83f86420d4454e2d155f391777f248de0b9870cc916

Download Submit
\Windows\SysWOW64\Papank32.exe

Filesize
224KB

MD5
7c754c8ff4b2cf4addf8d75fbffc7161

SHA1
1c69c98ce57c9aeba490d423f256e88eb5e7b790

SHA256
b0568e510f2599058df747a8f01430bb3a6a1a01903b9a23fcf67545345bb71c

SHA512
f4baf489da060897563a80432cbb6fb9ea9fc856ccff72018c331634a6d9c7b36fdaa024a3360a5318c233d3775c0f3b6ecb2cefceb773dec5043b3746c30ef2

Download Submit
\Windows\SysWOW64\Pgacaaij.exe

Filesize
224KB

MD5
d1177a12e5b0c2bc8644f18bd4a89ef3

SHA1
a7e2fea96e66ec643c1a5c4b25a3c12e828d6e5c

SHA256
c759a8bb7a3ed84f4ef69dad201b794a2b1c4b473d1561c80323cdc8a54fc6e7

SHA512
49672b77f233e81cb67754fb4b52eb26c01667a8770c2b4b90da235403d6e5e262343d1f72b6d5d418dd8ad898a153c8c4016c46d97afd28a058dae9eeedd064

Download Submit
\Windows\SysWOW64\Pkfiaqgk.exe

Filesize
224KB

MD5
c1b848edf3e3f3efa3789667351fd868

SHA1
570f4585a31a726acc8912434abfe9e5b5d9970b

SHA256
c15ae0d7c25d776d2a262fa84e3c31281aef4839e29de508d821b60174e650fd

SHA512
58f124126a1236660941b4ee0fb6152786da6a61f9b0cfc7e51dcfde6e771d5c4d1b12bdbd8b4fc5e17f1a17c9c3c0144c193c017a54d05466ca56e8c81c09cc

Download Submit
\Windows\SysWOW64\Pkkblp32.exe

Filesize
224KB

MD5
0bc234f060452b3ce63fd1a9440545d2

SHA1
b284d400da0d3332cf1dfc59abe5301b403f7ba7

SHA256
a84e42f60215ef5e5c4d6904f96d6b28ee7b364e011908653e4eb86b648dc7f4

SHA512
5e1f6a0292a53c429a0107030c891f684def313f515ca5c6cf328c73e62a6915f32512cb9c1baab2b4ebb41d4c98d9d41836189e41638aadbd5ab50e5e9046ce

Download Submit
\Windows\SysWOW64\Pkplgoop.exe

Filesize
224KB

MD5
407db7f1068a78361ca7add4f268ea36

SHA1
89254f3e1b1bcff9a0f487dc2c7ccac21b05efc5

SHA256
80372fa3a3163c7106c9b9ee1292a9f3a2635c91be7647cecc1087b342b3a316

SHA512
1fa69a352ac1d527769cad00ce1428301a87eb59093926618c72878eb23dc58c74d78120246fc567057bb94928904fad453fd22c8b7674534c7f4665f581668b

Download Submit
\Windows\SysWOW64\Pngbcldl.exe

Filesize
224KB

MD5
0d5e63c6dd6f5a8decaf70fc557375e8

SHA1
5aafd3afb7b8a37aef15892f3e0ef721b5e7c4d6

SHA256
f7bf4cc32e2f5e3c2ad89dc36fb3fe69a03f7b41f71881b2ec7de058c027d43f

SHA512
2d39a82a6ca167f124189a62edd268ebe58bf5b6ffd63729761df5d71a7a95ca93e7ed1da312c29163c118a295100ea8c0518ddf950393bf35822f1343bea450

Download Submit
\Windows\SysWOW64\Qdhqpe32.exe

Filesize
224KB

MD5
098da9001dbfbf77bec449dd535cd4f3

SHA1
0eb390b5dad3a2669a3718711083c1beed02af02

SHA256
c2e88757f965a227cf7e6aa2db433932c9fa5c2b7732d787639046ee22558354

SHA512
bda045da637926a64da0f704abb372e95fa2066f2259efa8734b3d7eab32876f59e7271a5a02860551c7671af328b94b6d999a37ee0f9d33e7980b27dc03ef89

Download Submit
\Windows\SysWOW64\Qgiibp32.exe

Filesize
224KB

MD5
df95a19a5f4fc57340fba4bcb9875216

SHA1
b3b70fccc666204e386d83243dd812c7fb425e23

SHA256
d3c826d29c6f1ccd7c4d538085473353d5a727a9d92f05cd4a99add7cbfae475

SHA512
2eaafc5d57ed8dffc205fd819e18faeb9b05302a51f86fb6294c483c473f629a92c3776f800d31d5df863e09a429888d3f9f7636b51337d5ca10555177510120

Download Submit
\Windows\SysWOW64\Qmcedg32.exe

Filesize
224KB

MD5
3921e18656f2c04be8461dd136b314fc

SHA1
45d26647b1c21205177ac69358fdbc8a65cb7c59

SHA256
2ce402d2cb00c1f1da884d24fa889d62023271815a490fdbc874566d6088be17

SHA512
4c989d4916875c8a307a9d5d2631d3d6872e721547e4cda0b6cea24b8126b4a4f94a04539b55b8035b8ff6365e5c0f4b39297f993196f7267c805629b4faec96

Download Submit
memory/740-236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-245-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/740-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-171-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1620-295-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1620-299-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1620-318-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-287-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1656-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-288-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1692-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-232-0x0000000000330000-0x0000000000369000-memory.dmp

Filesize
228KB

Download
memory/1692-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1732-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1732-200-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1732-309-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-312-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-100-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2024-119-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2024-319-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2180-214-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2180-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2180-213-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2180-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-12-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2300-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-127-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2580-251-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2580-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2600-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2600-276-0x0000000000450000-0x0000000000489000-memory.dmp

Filesize
228KB

Download
memory/2600-277-0x0000000000450000-0x0000000000489000-memory.dmp

Filesize
228KB

Download
memory/2600-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-180-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2752-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2884-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2884-266-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2884-265-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2936-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2936-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-154-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2964-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-52-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/3032-74-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3032-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads