berbew | 194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59b

Analysis

max time kernel
112s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Size

182KB
MD5

561c248ea6f24cd057a51f40a4ccb1b0
SHA1

fafe52cb2ab893d608c0c0162a2e7d6a863b6455
SHA256

194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59b
SHA512

7d1e91f833e8df0aced22e6c432c863cc482ef5d9eca80f15ca0dbc7be58e0cc6abc37c08fa809599301e74df6d29e6d6366a2444bafabaceb65e2af2cf48e72
SSDEEP

1536:SEQOcV/Qfxp+vLw2yYNQlZMJP2L97nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVqk:xQOI+Lmk2BEH97nguPnVgA53+GpOc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apclnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkbnibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalofa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pegnglnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcmkhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pegnglnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenapck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenapck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binikb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfcjag.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
2216	Pegnglnm.exe
2884	Qgfkchmp.exe
3032	Qcmkhi32.exe
3000	Qijdqp32.exe
2956	Apclnj32.exe
1680	Apfici32.exe
1152	Abdeoe32.exe
2492	Aeenapck.exe
3048	Apkbnibq.exe
1088	Aalofa32.exe
1424	Abkkpd32.exe
1176	Bldpiifb.exe
536	Baqhapdj.exe
2328	Bfpmog32.exe
2088	Binikb32.exe
2200	Bmlbaqfh.exe
1632	Bgdfjfmi.exe
1524	Bpmkbl32.exe
1924	Cbkgog32.exe
2460	Celpqbon.exe
2324	Chjmmnnb.exe
2440	Ckiiiine.exe
1688	Chmibmlo.exe
2180	Cgbfcjag.exe
2052	Coindgbi.exe

Loads dropped DLL 50 IoCs

pid	Process
2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
2216	Pegnglnm.exe
2216	Pegnglnm.exe
2884	Qgfkchmp.exe
2884	Qgfkchmp.exe
3032	Qcmkhi32.exe
3032	Qcmkhi32.exe
3000	Qijdqp32.exe
3000	Qijdqp32.exe
2956	Apclnj32.exe
2956	Apclnj32.exe
1680	Apfici32.exe
1680	Apfici32.exe
1152	Abdeoe32.exe
1152	Abdeoe32.exe
2492	Aeenapck.exe
2492	Aeenapck.exe
3048	Apkbnibq.exe
3048	Apkbnibq.exe
1088	Aalofa32.exe
1088	Aalofa32.exe
1424	Abkkpd32.exe
1424	Abkkpd32.exe
1176	Bldpiifb.exe
1176	Bldpiifb.exe
536	Baqhapdj.exe
536	Baqhapdj.exe
2328	Bfpmog32.exe
2328	Bfpmog32.exe
2088	Binikb32.exe
2088	Binikb32.exe
2200	Bmlbaqfh.exe
2200	Bmlbaqfh.exe
1632	Bgdfjfmi.exe
1632	Bgdfjfmi.exe
1524	Bpmkbl32.exe
1524	Bpmkbl32.exe
1924	Cbkgog32.exe
1924	Cbkgog32.exe
2460	Celpqbon.exe
2460	Celpqbon.exe
2324	Chjmmnnb.exe
2324	Chjmmnnb.exe
2440	Ckiiiine.exe
2440	Ckiiiine.exe
1688	Chmibmlo.exe
1688	Chmibmlo.exe
2180	Cgbfcjag.exe
2180	Cgbfcjag.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qcmkhi32.exe	Qgfkchmp.exe
File opened for modification	C:\Windows\SysWOW64\Aeenapck.exe	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Binikb32.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Jafjpdlm.dll	Aalofa32.exe
File created	C:\Windows\SysWOW64\Bldpiifb.exe	Abkkpd32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Pegnglnm.exe	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Qcmkhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bldpiifb.exe	Abkkpd32.exe
File created	C:\Windows\SysWOW64\Hgioeh32.dll	Abkkpd32.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Bldpiifb.exe
File created	C:\Windows\SysWOW64\Flhbop32.dll	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Binikb32.exe
File opened for modification	C:\Windows\SysWOW64\Abkkpd32.exe	Aalofa32.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Bldpiifb.exe
File created	C:\Windows\SysWOW64\Cgbfcjag.exe	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Pegnglnm.exe	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
File created	C:\Windows\SysWOW64\Ipippm32.dll	Apkbnibq.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Pegnglnm.exe
File created	C:\Windows\SysWOW64\Qijdqp32.exe	Qcmkhi32.exe
File opened for modification	C:\Windows\SysWOW64\Apkbnibq.exe	Aeenapck.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bpmkbl32.exe
File created	C:\Windows\SysWOW64\Pfapgnji.dll	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Celpqbon.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	Pegnglnm.exe
File created	C:\Windows\SysWOW64\Eejanc32.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Apfici32.exe	Apclnj32.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Aeenapck.exe	Abdeoe32.exe
File opened for modification	C:\Windows\SysWOW64\Bpmkbl32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Hjnhlm32.dll	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Befddlni.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Mfhdke32.dll	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
File created	C:\Windows\SysWOW64\Gaklhb32.dll	Qcmkhi32.exe
File created	C:\Windows\SysWOW64\Djcnme32.dll	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Jalnli32.dll	Aeenapck.exe
File opened for modification	C:\Windows\SysWOW64\Aalofa32.exe	Apkbnibq.exe
File opened for modification	C:\Windows\SysWOW64\Bfpmog32.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Bpmkbl32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bpmkbl32.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Apclnj32.exe	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Kkggemii.dll	Qijdqp32.exe
File opened for modification	C:\Windows\SysWOW64\Abdeoe32.exe	Apfici32.exe
File opened for modification	C:\Windows\SysWOW64\Binikb32.exe	Bfpmog32.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	Pegnglnm.exe
File created	C:\Windows\SysWOW64\Apkbnibq.exe	Aeenapck.exe
File created	C:\Windows\SysWOW64\Bfpmog32.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bfpmog32.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Aalofa32.exe	Apkbnibq.exe
File created	C:\Windows\SysWOW64\Abkkpd32.exe	Aalofa32.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Qcmkhi32.exe	Qgfkchmp.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkbnibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldpiifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apclnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpmkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdeoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmkhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pegnglnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apfici32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenapck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abkkpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpmog32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pegnglnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll"	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abkkpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejanc32.dll"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apfici32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jafjpdlm.dll"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pegnglnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnhlm32.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	Pegnglnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djcnme32.dll"	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenapck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll"	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apkbnibq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalnli32.dll"	Aeenapck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lficmm32.dll"	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipippm32.dll"	Apkbnibq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2216	2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe	30
PID 2748 wrote to memory of 2216	2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe	30
PID 2748 wrote to memory of 2216	2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe	30
PID 2748 wrote to memory of 2216	2748	194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe	30
PID 2216 wrote to memory of 2884	2216	Pegnglnm.exe	31
PID 2216 wrote to memory of 2884	2216	Pegnglnm.exe	31
PID 2216 wrote to memory of 2884	2216	Pegnglnm.exe	31
PID 2216 wrote to memory of 2884	2216	Pegnglnm.exe	31
PID 2884 wrote to memory of 3032	2884	Qgfkchmp.exe	32
PID 2884 wrote to memory of 3032	2884	Qgfkchmp.exe	32
PID 2884 wrote to memory of 3032	2884	Qgfkchmp.exe	32
PID 2884 wrote to memory of 3032	2884	Qgfkchmp.exe	32
PID 3032 wrote to memory of 3000	3032	Qcmkhi32.exe	33
PID 3032 wrote to memory of 3000	3032	Qcmkhi32.exe	33
PID 3032 wrote to memory of 3000	3032	Qcmkhi32.exe	33
PID 3032 wrote to memory of 3000	3032	Qcmkhi32.exe	33
PID 3000 wrote to memory of 2956	3000	Qijdqp32.exe	34
PID 3000 wrote to memory of 2956	3000	Qijdqp32.exe	34
PID 3000 wrote to memory of 2956	3000	Qijdqp32.exe	34
PID 3000 wrote to memory of 2956	3000	Qijdqp32.exe	34
PID 2956 wrote to memory of 1680	2956	Apclnj32.exe	35
PID 2956 wrote to memory of 1680	2956	Apclnj32.exe	35
PID 2956 wrote to memory of 1680	2956	Apclnj32.exe	35
PID 2956 wrote to memory of 1680	2956	Apclnj32.exe	35
PID 1680 wrote to memory of 1152	1680	Apfici32.exe	36
PID 1680 wrote to memory of 1152	1680	Apfici32.exe	36
PID 1680 wrote to memory of 1152	1680	Apfici32.exe	36
PID 1680 wrote to memory of 1152	1680	Apfici32.exe	36
PID 1152 wrote to memory of 2492	1152	Abdeoe32.exe	37
PID 1152 wrote to memory of 2492	1152	Abdeoe32.exe	37
PID 1152 wrote to memory of 2492	1152	Abdeoe32.exe	37
PID 1152 wrote to memory of 2492	1152	Abdeoe32.exe	37
PID 2492 wrote to memory of 3048	2492	Aeenapck.exe	38
PID 2492 wrote to memory of 3048	2492	Aeenapck.exe	38
PID 2492 wrote to memory of 3048	2492	Aeenapck.exe	38
PID 2492 wrote to memory of 3048	2492	Aeenapck.exe	38
PID 3048 wrote to memory of 1088	3048	Apkbnibq.exe	39
PID 3048 wrote to memory of 1088	3048	Apkbnibq.exe	39
PID 3048 wrote to memory of 1088	3048	Apkbnibq.exe	39
PID 3048 wrote to memory of 1088	3048	Apkbnibq.exe	39
PID 1088 wrote to memory of 1424	1088	Aalofa32.exe	40
PID 1088 wrote to memory of 1424	1088	Aalofa32.exe	40
PID 1088 wrote to memory of 1424	1088	Aalofa32.exe	40
PID 1088 wrote to memory of 1424	1088	Aalofa32.exe	40
PID 1424 wrote to memory of 1176	1424	Abkkpd32.exe	41
PID 1424 wrote to memory of 1176	1424	Abkkpd32.exe	41
PID 1424 wrote to memory of 1176	1424	Abkkpd32.exe	41
PID 1424 wrote to memory of 1176	1424	Abkkpd32.exe	41
PID 1176 wrote to memory of 536	1176	Bldpiifb.exe	42
PID 1176 wrote to memory of 536	1176	Bldpiifb.exe	42
PID 1176 wrote to memory of 536	1176	Bldpiifb.exe	42
PID 1176 wrote to memory of 536	1176	Bldpiifb.exe	42
PID 536 wrote to memory of 2328	536	Baqhapdj.exe	43
PID 536 wrote to memory of 2328	536	Baqhapdj.exe	43
PID 536 wrote to memory of 2328	536	Baqhapdj.exe	43
PID 536 wrote to memory of 2328	536	Baqhapdj.exe	43
PID 2328 wrote to memory of 2088	2328	Bfpmog32.exe	44
PID 2328 wrote to memory of 2088	2328	Bfpmog32.exe	44
PID 2328 wrote to memory of 2088	2328	Bfpmog32.exe	44
PID 2328 wrote to memory of 2088	2328	Bfpmog32.exe	44
PID 2088 wrote to memory of 2200	2088	Binikb32.exe	45
PID 2088 wrote to memory of 2200	2088	Binikb32.exe	45
PID 2088 wrote to memory of 2200	2088	Binikb32.exe	45
PID 2088 wrote to memory of 2200	2088	Binikb32.exe	45

C:\Users\Admin\AppData\Local\Temp\194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe
"C:\Users\Admin\AppData\Local\Temp\194f18acdb94c07f36a21bf2a80196365e58f758285a0fbcdfafbbbdae89b59bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Pegnglnm.exe
  C:\Windows\system32\Pegnglnm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Qgfkchmp.exe
    C:\Windows\system32\Qgfkchmp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\Qcmkhi32.exe
      C:\Windows\system32\Qcmkhi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\Apclnj32.exe
        
        C:\Windows\system32\Apclnj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Apfici32.exe
        
        C:\Windows\system32\Apfici32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Abdeoe32.exe
        
        C:\Windows\system32\Abdeoe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Aeenapck.exe
        
        C:\Windows\system32\Aeenapck.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Apkbnibq.exe
        
        C:\Windows\system32\Apkbnibq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Aalofa32.exe
        
        C:\Windows\system32\Aalofa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Abkkpd32.exe
        
        C:\Windows\system32\Abkkpd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Bldpiifb.exe
        
        C:\Windows\system32\Bldpiifb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Baqhapdj.exe
        
        C:\Windows\system32\Baqhapdj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Bfpmog32.exe
        
        C:\Windows\system32\Bfpmog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bpmkbl32.exe
        
        C:\Windows\system32\Bpmkbl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abdeoe32.exe

Filesize
182KB

MD5
421452816f05495fdfbd3bb9851dd88f

SHA1
fdfc1cb9631cbe47676f4a4dc4a8f9c3741efea9

SHA256
06e86e1ea8b5707508bc78ee889fc9b843e13df5679cd19e9ffafa02c62b5723

SHA512
76de162a6f5996d79d0d5f4604a04bd9de06869df3def8398e7f95e87d7f9c2b492c847e91c44a414d6558da486a8fa31da0798b806de9ca3c6a723e44ea7d84

Download Submit
C:\Windows\SysWOW64\Abkkpd32.exe

Filesize
182KB

MD5
b6353f86fd40cbc18776accb94e68f49

SHA1
596864cb14d6f31204fb5e25154d63f9d3f4435a

SHA256
f1b0e3b83c09300e31dfea0c06b7d521abd0dfcf95a29bf2807d802824849a60

SHA512
401b752328600b5673d7061684d2958bce50c659334e44695c2dcb3381934e8d791fbeff4b7eb54469136741957e5ea54679f16339c3857b478a1c3ddd647a16

Download Submit
C:\Windows\SysWOW64\Apclnj32.exe

Filesize
182KB

MD5
ac407dab4da6f76842ebed5db0ffe3a9

SHA1
4016e67b3b8d8bbe4b4673531c49e9872086227c

SHA256
60a669aa3c273f7e6f9f9a613efa1a648b5485c3f73a94ded7aad39895cf952a

SHA512
3308110e4da928df42c7ad94e1e3f4bcd6eae90aae6ebbd30d255df5fc00fe38a24b25d4d359cab8959f10fc13db4ca23985fc4017db17eb208b630bc12055c1

Download Submit
C:\Windows\SysWOW64\Apkbnibq.exe

Filesize
182KB

MD5
ff321ed381ad39f0863bd718148c1b32

SHA1
734a96fbc4d42b61fae5aa15e9f66a47511058f6

SHA256
4e5a820539d4c162013f22e6ab37b8c91820894e339e159bf87dfec816c5b344

SHA512
1bd2987a9dfa0eb6afb17cf40624fbc51fc29917ab48fa4bc78e45131873d6f2183aafa226a2b91bfd7eed83547d0a0e45f63d8f848e32a7d3291bcd86ee5df8

Download Submit
C:\Windows\SysWOW64\Baqhapdj.exe

Filesize
182KB

MD5
d94bf21507eb986ebf505a038371a7ea

SHA1
5042b4870416700efccd0df73b49bbff9ba314fd

SHA256
9277022817c83614d54b0be149da7a1274794c66f1c2ec1d0c63935cf66c866e

SHA512
9e1659945ab38b7f7331ed36be461a9455f41f812021b42aebf2777f4d42eabdab374f209665cc51cceaba70ff3f6b4b380299812e64014d350656810ea2944c

Download Submit
C:\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
182KB

MD5
692607402a5b78b46ee8eac110355e57

SHA1
afdb6f7421ba4f56196be07828624f8d1217a8aa

SHA256
a6fe74514881b5414d011e798dd8db75ad2d51c66d8f79f3e07e11de90016f2d

SHA512
7fc416d40a7d700d50c190420ec3ac5af4a5502233233a00f2828089192953b7a0cbef94bde9e9e6e5318e974d39bee89b0729c29c2f93472159e17b52cffc77

Download Submit
C:\Windows\SysWOW64\Binikb32.exe

Filesize
182KB

MD5
cfac8f9bf91f47cf6e67ca033741bf00

SHA1
db24bdba8912c0443e774a1cd6f6594b47835eee

SHA256
25131ea0d2ec70376408df919887eb14f2aa28f96bc7f2a17c89e1ac71118ab2

SHA512
d5edf6b7d5db8c3441bb3ff519342a66cb4286d4bc1a1382a86de19cc55308c89d0f6efbfcdbaf33e3bc7c336c5fc2306421233642bc72927ba7c4effe5fae7c

Download Submit
C:\Windows\SysWOW64\Bpmkbl32.exe

Filesize
182KB

MD5
4b6d409f0541bf9f05702c9c283beac5

SHA1
1d218ae63833be30c4c44e72865f0cdb0f42622b

SHA256
c670f93a32daec708044bb8ec2e5c1ae4e2774f7522a12bd101522f120137a30

SHA512
7305382d1e63b3c2093e4a7ac86bedb2f50e1b68e3c86abeeda35f6b860e2da8cf4174f579373746d2ed5f6d0966c577decf7664b9bdf11f2d5eafbcbfb9275d

Download Submit
C:\Windows\SysWOW64\Cbkgog32.exe

Filesize
182KB

MD5
1092bb66d1384258461e0b837dd59a54

SHA1
ad6e071150b4166b5581e1f90a2500bb171d9029

SHA256
ff4a1b77f6243956c5fe70055d6279b453c0cd830ba65047dcb314d7ef42984d

SHA512
145c5cda26e0fb159e3a2add3ad8e5a101cb3dc55657c61ba811a05ba6a4d019e95a1539b8803d43300dbf822cfe86c4b6f700b823727be00531870eae72eafe

Download Submit
C:\Windows\SysWOW64\Celpqbon.exe

Filesize
182KB

MD5
35c381bba759918e229c8c24dd70e491

SHA1
8c14ed308c02f3615e56d895b3bac429a6ac71db

SHA256
0fbc55324d81280bf269e1bab693b3f82238b6804b8f97fe4fb6a9fe2cae73c4

SHA512
42c34151396909b7541032a3affd0d15e46b6dd3abbbfcb569c65450277b84dc0b8af277bd840fb3762fe8aa25bd90f49855b0b0dfb144b8d82cd9a9d40738e9

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
182KB

MD5
b6525120480c043413f1b19b3a4cf0b0

SHA1
794ae2048164886916d7b7b8eeb1fb30900eab4f

SHA256
a2b5aadccdfec9bc9e319e0c803958e563e70ff4f20f51dc61f0ceea4123eee4

SHA512
7d853c1114962ac73f56f86ea4564c30e44b07f696df5b51c6672a2101453523a1ce3e89484d23ca09e0490b887df9ba9ae02b054033f717fa069475869de485

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
182KB

MD5
b4921ec4cbf3fcded556917da040bba1

SHA1
dc65a2e0f149fad35af86fbbaf4f813926de2538

SHA256
b6807fdb2894bc38ed903421575e1abd982d2966c2848cc90eb5e4c648d76344

SHA512
8eb69a8d39f9c7554b2a07a8f436142c8b112446ea5b93725d6cb1eb567f187be7085314bcaa5c741d70e244666bbf0eaa0e93122d38d849d12ff23862469b35

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
182KB

MD5
c1a654dadc9b152712897c550c117b1b

SHA1
151b8d1a637aba25098ba295f7d8fafad56db67d

SHA256
ed5d77d4f6c12e632f30ad9e8b09be7bfb04cfa0c61a4185febb26d5dcc7803f

SHA512
b4da9d5b6849375b1e5e7e1a4cf5996a4b48f38dcf972acf72cf623f65c56a60a8ab0afe548fffe65c889dac2bd467f5045b09e844233b7435798f3c37fd2db4

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
182KB

MD5
3f76581acb6d555a85b74b361094e412

SHA1
dc9f35131dec05e453abbdec49affe6edffbaeb6

SHA256
3507bd87c2e628b726139fc890e2435707daa1173cd50110881bb46d79028759

SHA512
a925d85e28bba39eef70ce0bc2a7ffe8c73d140d8ba2262c162244f2b0a307fdab1818073d6510c6aae33e4735d1eab8aa03373eaa70bf5c3eba265a65773be3

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
182KB

MD5
9a4deca8709f9392abd58887e19924b6

SHA1
028150f86597024a5a69d6d5f6f226a4db1845f9

SHA256
d600bf034dda3a651673672749e2f3508297b109964d2ee7171ff40c2749f096

SHA512
f29f5a2c22cbd040d48062b20a6328fee60fd82b3988ce3fc3a293d3f0ca8ed1cc6962d00b2dfeb71d721e8de15f5b832f35a5f173006ad9c9fa6b5023ade87f

Download Submit
\Windows\SysWOW64\Aalofa32.exe

Filesize
182KB

MD5
425136e93d751173b324ba773465f120

SHA1
4270ae37be45fff40967e3ec4ccb06bc89c565d4

SHA256
78f7d42f16e92040527577d655215f6dbcd0b0c4869a813ca75717fc8efb77af

SHA512
8af465b534529e1b499e0598ac6e53ac5d591bb6d9f8807be662b83333403293b948128e7ac67d291466df7f3c689666f263c5a64cddf39b18e9b42c606b28e3

Download Submit
\Windows\SysWOW64\Aeenapck.exe

Filesize
182KB

MD5
975ae5c36aebd3ce44a8e5d59bb720d3

SHA1
825cacefd4fe5ebda2f94a05d8ad4298c209cd30

SHA256
ea2a19dced53502fa7b43a6e32b12cb1943d8b3b8b9254b2cf279c343139a614

SHA512
18cd5c6f09fa255f77b28b666de485e5bdad67ff87c3cc5be44f229d17f84ec2be306d34decee802d31f79cd2bdb59e2a4b100005a6770635d6c63f3c2f95306

Download Submit
\Windows\SysWOW64\Apfici32.exe

Filesize
182KB

MD5
f1fb8c7a9fef161e08bb496c11511ac6

SHA1
1856aea07daabed765be82b0d1c2496444bbe059

SHA256
82d9725b68fb119044aa9d3dfa9cc490ee925c866eba32518fd46bd5fc5cd2e6

SHA512
93cef13b1ff99839c831669cf03539f68c7b2b49375ada8b4f78c5cbf804c187ccf13715974b5b01a4b2f163386c64d490077289e21104fc95138a443f02675f

Download Submit
\Windows\SysWOW64\Bfpmog32.exe

Filesize
182KB

MD5
ac0d34c8ebc1a9dffd0eeeae160a06a7

SHA1
b3266eece8551db2251063415f5b684288de2723

SHA256
9d82b8ca16310275a51f4e4f1a72cdae0ed61a8c18fe3b94b2f94a7f8937781b

SHA512
7af8421e2b02f0e92025c7960cee66793c2c0fab1f95238366096132193e697f91e7d088eb31ecab3d7a3a24ed4cf1ec5b1d7d8866a21fb9de37936064e9fd28

Download Submit
\Windows\SysWOW64\Bldpiifb.exe

Filesize
182KB

MD5
fca91f16526a237dc86617c1b56050cb

SHA1
59e013ca78cfc5a59e3e6318f9791ae1edfff6f5

SHA256
1bd01f300dd2539d38723afb51b38ffdb193c3ddc8364e4bddd9844ec4461912

SHA512
29561ca58b6957cca0741150db0fd8a5b418a29db2000ac4549542c14367a9dd71315e40c413df46be2053aaba1255d39d08edde08d44a2e80947e72feb2b11c

Download Submit
\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
182KB

MD5
dd024939cbaf50c1ae30dcd89829d4f1

SHA1
4ae11b418e80d881b646299becabd51028f08aa6

SHA256
c52854301cff88d3b6c3fdfd80d0617e0bcb84ed7c6333c038fa72a55be63d70

SHA512
5a7d5b4b0f315e737238d0afd10d5dad38cd0fe44198ef8858310387b7c2db4a1b3eb297232115a2f4535793bbc5ff65e4b153a80ca96556e09f4ed22caa0f32

Download Submit
\Windows\SysWOW64\Pegnglnm.exe

Filesize
182KB

MD5
ccf03ebe31c429886794b6d65b169cf7

SHA1
0a659e033536a8ebf4b4cc53969928b528f89b3a

SHA256
ed50926386a72d5a996803e9b0b586da255172e5c704169776e3fa0c8a36dc5d

SHA512
7f521e177828a4968bd8f9646456036d20c45e27dace8fcc478bd2de646ff734176124eef7991692893a39647e45695195b06bfbb9d1c0ca6a37be90b43a1db8

Download Submit
\Windows\SysWOW64\Qcmkhi32.exe

Filesize
182KB

MD5
d5467d381e8ab6edf0040a4fa56ba79c

SHA1
fd7696a07292575b78829fa3c13c45dd071fc4b9

SHA256
7bebf643b30888f1e93e1f557d630ed70bea317459c2fcf2ac161a541f40820c

SHA512
c7fad5e744bc358c898efeeaa27d1428643a7fc7236cd7dd63c53c329522d23abafc9541ca76d1e83092e138a2dd3c557804e4485189da238f4dd8315bd8d128

Download Submit
\Windows\SysWOW64\Qgfkchmp.exe

Filesize
182KB

MD5
7f46307d56d947b02f88b275af9ebb6f

SHA1
ba192a6e7c33644bf948801ea23b8bbb6d6fc41a

SHA256
5ac61cfceb090dbe2400717a5714a27888a7c08208510615166eaacc6e50d9ca

SHA512
45920eff4b7982c5b318385a23b9ae824e135fb392a12b386649be8a0542bebc7d66c487f26183539404c59dcdd0a8a9ff99af49c377431edd2c37fb070397ae

Download Submit
\Windows\SysWOW64\Qijdqp32.exe

Filesize
182KB

MD5
df297dad03731a3b63b53f6abbc5a74d

SHA1
abc89753625ee48e009994bd42d9b16098297d4d

SHA256
210333ae94af55f533982e9e62b1ae913bcc9e78bd25259c1d30a0597639cad2

SHA512
f560861880b3b024384f376c0534bc3f330339b43887d433a0864c7549a94b8d783cce0ab404ca96ca94a88a1cbf678181724b58a530ad4fb24143c41efcb963

Download Submit
memory/536-205-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/536-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/536-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-111-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1152-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-175-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1424-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-274-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1524-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-313-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1524-312-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1524-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-273-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1632-300-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1632-259-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1632-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-260-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1632-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-101-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1688-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-285-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1924-324-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1924-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-276-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2180-366-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2180-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-347-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2180-346-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2200-292-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2200-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-24-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2216-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2324-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-221-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2328-262-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2328-222-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2440-320-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2440-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-350-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2440-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-339-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2460-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-295-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2460-299-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2492-191-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-190-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-132-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-131-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2748-57-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2748-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-40-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2956-84-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2956-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-86-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2956-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-144-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3000-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3000-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-141-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3048-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads