berbew | 48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8

Analysis

max time kernel
84s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Size

93KB
MD5

78dd4e962d88c917526c72946e4b4e80
SHA1

8ab13a6ac295c060d6fd7f3f4d7b0f963b7a770a
SHA256

48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8
SHA512

0352ef7aacd69b17d3c60d01cb8aedf813fdbf54f2972e8ebd3c605f5376fa4d20d285e4ce24417f213b00846106cb254d0f7aef98c61dadf8eea1e37627e2ce
SSDEEP

1536:b+9ixJzac2YuzKfloOhiPwpPG7UyYERQlRRs3cO57OWxXPu4n6yYPLBgI7Ckv:bzxTruYqOAoY7UBEelE9pui6yYPaI7Dv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecelm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beldao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollqllod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afpapcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecelm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apclnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpapcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogdaod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkbnibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogohdeam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogdaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anpooe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ollqllod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apclnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmcgmkil.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beldao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2456	Ogohdeam.exe
2920	Ollqllod.exe
2328	Ogdaod32.exe
1752	Pmcgmkil.exe
2708	Pbblkaea.exe
2656	Pecelm32.exe
2624	Pjbjjc32.exe
2412	Qcjoci32.exe
2992	Apclnj32.exe
2988	Afpapcnc.exe
2312	Apkbnibq.exe
2488	Anpooe32.exe
2384	Beldao32.exe
1220	Bpfebmia.exe
2220	Bdcnhk32.exe
632	Bmlbaqfh.exe
584	Cbkgog32.exe
1748	Clclhmin.exe
1736	Chjmmnnb.exe
592	Clhecl32.exe
3040	Cdcjgnbc.exe
236	Coindgbi.exe

Loads dropped DLL 44 IoCs

pid	Process
564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
2456	Ogohdeam.exe
2456	Ogohdeam.exe
2920	Ollqllod.exe
2920	Ollqllod.exe
2328	Ogdaod32.exe
2328	Ogdaod32.exe
1752	Pmcgmkil.exe
1752	Pmcgmkil.exe
2708	Pbblkaea.exe
2708	Pbblkaea.exe
2656	Pecelm32.exe
2656	Pecelm32.exe
2624	Pjbjjc32.exe
2624	Pjbjjc32.exe
2412	Qcjoci32.exe
2412	Qcjoci32.exe
2992	Apclnj32.exe
2992	Apclnj32.exe
2988	Afpapcnc.exe
2988	Afpapcnc.exe
2312	Apkbnibq.exe
2312	Apkbnibq.exe
2488	Anpooe32.exe
2488	Anpooe32.exe
2384	Beldao32.exe
2384	Beldao32.exe
1220	Bpfebmia.exe
1220	Bpfebmia.exe
2220	Bdcnhk32.exe
2220	Bdcnhk32.exe
632	Bmlbaqfh.exe
632	Bmlbaqfh.exe
584	Cbkgog32.exe
584	Cbkgog32.exe
1748	Clclhmin.exe
1748	Clclhmin.exe
1736	Chjmmnnb.exe
1736	Chjmmnnb.exe
592	Clhecl32.exe
592	Clhecl32.exe
3040	Cdcjgnbc.exe
3040	Cdcjgnbc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Apkbnibq.exe	Afpapcnc.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Iafehn32.dll	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Ollqllod.exe	Ogohdeam.exe
File created	C:\Windows\SysWOW64\Aeadqq32.dll	Ogohdeam.exe
File opened for modification	C:\Windows\SysWOW64\Ogdaod32.exe	Ollqllod.exe
File created	C:\Windows\SysWOW64\Mafalppn.dll	Ollqllod.exe
File created	C:\Windows\SysWOW64\Dhkqcl32.dll	Pbblkaea.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Ogohdeam.exe	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
File created	C:\Windows\SysWOW64\Hnbbaj32.dll	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
File created	C:\Windows\SysWOW64\Pecelm32.exe	Pbblkaea.exe
File opened for modification	C:\Windows\SysWOW64\Apclnj32.exe	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Beldao32.exe	Anpooe32.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Clhecl32.exe	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Pbblkaea.exe	Pmcgmkil.exe
File created	C:\Windows\SysWOW64\Dngdfinb.dll	Pmcgmkil.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Pmcgmkil.exe	Ogdaod32.exe
File opened for modification	C:\Windows\SysWOW64\Pmcgmkil.exe	Ogdaod32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjjc32.exe	Pecelm32.exe
File opened for modification	C:\Windows\SysWOW64\Qcjoci32.exe	Pjbjjc32.exe
File created	C:\Windows\SysWOW64\Bchmahjj.dll	Pjbjjc32.exe
File created	C:\Windows\SysWOW64\Apclnj32.exe	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Beldao32.exe
File opened for modification	C:\Windows\SysWOW64\Clhecl32.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Ogohdeam.exe	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
File created	C:\Windows\SysWOW64\Enihha32.dll	Ogdaod32.exe
File created	C:\Windows\SysWOW64\Cdcjgnbc.exe	Clhecl32.exe
File created	C:\Windows\SysWOW64\Podpaa32.dll	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Bdcnhk32.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Clclhmin.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Ollqllod.exe	Ogohdeam.exe
File created	C:\Windows\SysWOW64\Pjbjjc32.exe	Pecelm32.exe
File created	C:\Windows\SysWOW64\Jalnli32.dll	Afpapcnc.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Pbblkaea.exe	Pmcgmkil.exe
File created	C:\Windows\SysWOW64\Comjjjlc.dll	Apkbnibq.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Beldao32.exe
File created	C:\Windows\SysWOW64\Bdcnhk32.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Lfehem32.dll	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Fglnmheg.dll	Pecelm32.exe
File created	C:\Windows\SysWOW64\Afpapcnc.exe	Apclnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcjgnbc.exe	Clhecl32.exe
File created	C:\Windows\SysWOW64\Qcjoci32.exe	Pjbjjc32.exe
File created	C:\Windows\SysWOW64\Anpooe32.exe	Apkbnibq.exe
File opened for modification	C:\Windows\SysWOW64\Beldao32.exe	Anpooe32.exe
File created	C:\Windows\SysWOW64\Eonkgg32.dll	Anpooe32.exe
File created	C:\Windows\SysWOW64\Kkggemii.dll	Qcjoci32.exe
File opened for modification	C:\Windows\SysWOW64\Afpapcnc.exe	Apclnj32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cdcjgnbc.exe
File opened for modification	C:\Windows\SysWOW64\Pecelm32.exe	Pbblkaea.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Beldao32.exe
File created	C:\Windows\SysWOW64\Apkbnibq.exe	Afpapcnc.exe
File opened for modification	C:\Windows\SysWOW64\Anpooe32.exe	Apkbnibq.exe
File created	C:\Windows\SysWOW64\Kljmfe32.dll	Apclnj32.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogdaod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beldao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmcgmkil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpapcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkbnibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clhecl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollqllod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcjoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apclnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogohdeam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbblkaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcnhk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbaj32.dll"	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll"	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjjjlc.dll"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bdcnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkqcl32.dll"	Pbblkaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clhecl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmcgmkil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbblkaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afpapcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafalppn.dll"	Ollqllod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmcgmkil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afpapcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeadqq32.dll"	Ogohdeam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdfinb.dll"	Pmcgmkil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anpooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ollqllod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clclhmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll"	Ogdaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pecelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkbnibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogdaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjbjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apclnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ollqllod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podpaa32.dll"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljmfe32.dll"	Apclnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll"	Anpooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Cbkgog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2456	564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe	30
PID 564 wrote to memory of 2456	564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe	30
PID 564 wrote to memory of 2456	564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe	30
PID 564 wrote to memory of 2456	564	48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe	30
PID 2456 wrote to memory of 2920	2456	Ogohdeam.exe	31
PID 2456 wrote to memory of 2920	2456	Ogohdeam.exe	31
PID 2456 wrote to memory of 2920	2456	Ogohdeam.exe	31
PID 2456 wrote to memory of 2920	2456	Ogohdeam.exe	31
PID 2920 wrote to memory of 2328	2920	Ollqllod.exe	32
PID 2920 wrote to memory of 2328	2920	Ollqllod.exe	32
PID 2920 wrote to memory of 2328	2920	Ollqllod.exe	32
PID 2920 wrote to memory of 2328	2920	Ollqllod.exe	32
PID 2328 wrote to memory of 1752	2328	Ogdaod32.exe	33
PID 2328 wrote to memory of 1752	2328	Ogdaod32.exe	33
PID 2328 wrote to memory of 1752	2328	Ogdaod32.exe	33
PID 2328 wrote to memory of 1752	2328	Ogdaod32.exe	33
PID 1752 wrote to memory of 2708	1752	Pmcgmkil.exe	34
PID 1752 wrote to memory of 2708	1752	Pmcgmkil.exe	34
PID 1752 wrote to memory of 2708	1752	Pmcgmkil.exe	34
PID 1752 wrote to memory of 2708	1752	Pmcgmkil.exe	34
PID 2708 wrote to memory of 2656	2708	Pbblkaea.exe	35
PID 2708 wrote to memory of 2656	2708	Pbblkaea.exe	35
PID 2708 wrote to memory of 2656	2708	Pbblkaea.exe	35
PID 2708 wrote to memory of 2656	2708	Pbblkaea.exe	35
PID 2656 wrote to memory of 2624	2656	Pecelm32.exe	36
PID 2656 wrote to memory of 2624	2656	Pecelm32.exe	36
PID 2656 wrote to memory of 2624	2656	Pecelm32.exe	36
PID 2656 wrote to memory of 2624	2656	Pecelm32.exe	36
PID 2624 wrote to memory of 2412	2624	Pjbjjc32.exe	37
PID 2624 wrote to memory of 2412	2624	Pjbjjc32.exe	37
PID 2624 wrote to memory of 2412	2624	Pjbjjc32.exe	37
PID 2624 wrote to memory of 2412	2624	Pjbjjc32.exe	37
PID 2412 wrote to memory of 2992	2412	Qcjoci32.exe	38
PID 2412 wrote to memory of 2992	2412	Qcjoci32.exe	38
PID 2412 wrote to memory of 2992	2412	Qcjoci32.exe	38
PID 2412 wrote to memory of 2992	2412	Qcjoci32.exe	38
PID 2992 wrote to memory of 2988	2992	Apclnj32.exe	39
PID 2992 wrote to memory of 2988	2992	Apclnj32.exe	39
PID 2992 wrote to memory of 2988	2992	Apclnj32.exe	39
PID 2992 wrote to memory of 2988	2992	Apclnj32.exe	39
PID 2988 wrote to memory of 2312	2988	Afpapcnc.exe	40
PID 2988 wrote to memory of 2312	2988	Afpapcnc.exe	40
PID 2988 wrote to memory of 2312	2988	Afpapcnc.exe	40
PID 2988 wrote to memory of 2312	2988	Afpapcnc.exe	40
PID 2312 wrote to memory of 2488	2312	Apkbnibq.exe	41
PID 2312 wrote to memory of 2488	2312	Apkbnibq.exe	41
PID 2312 wrote to memory of 2488	2312	Apkbnibq.exe	41
PID 2312 wrote to memory of 2488	2312	Apkbnibq.exe	41
PID 2488 wrote to memory of 2384	2488	Anpooe32.exe	42
PID 2488 wrote to memory of 2384	2488	Anpooe32.exe	42
PID 2488 wrote to memory of 2384	2488	Anpooe32.exe	42
PID 2488 wrote to memory of 2384	2488	Anpooe32.exe	42
PID 2384 wrote to memory of 1220	2384	Beldao32.exe	43
PID 2384 wrote to memory of 1220	2384	Beldao32.exe	43
PID 2384 wrote to memory of 1220	2384	Beldao32.exe	43
PID 2384 wrote to memory of 1220	2384	Beldao32.exe	43
PID 1220 wrote to memory of 2220	1220	Bpfebmia.exe	44
PID 1220 wrote to memory of 2220	1220	Bpfebmia.exe	44
PID 1220 wrote to memory of 2220	1220	Bpfebmia.exe	44
PID 1220 wrote to memory of 2220	1220	Bpfebmia.exe	44
PID 2220 wrote to memory of 632	2220	Bdcnhk32.exe	45
PID 2220 wrote to memory of 632	2220	Bdcnhk32.exe	45
PID 2220 wrote to memory of 632	2220	Bdcnhk32.exe	45
PID 2220 wrote to memory of 632	2220	Bdcnhk32.exe	45

C:\Users\Admin\AppData\Local\Temp\48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe
"C:\Users\Admin\AppData\Local\Temp\48e987e192bbe73a39b65b97c07d5a0c06b1c0f8d35345ba1404c3ac48ad74e8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\SysWOW64\Ogohdeam.exe
  C:\Windows\system32\Ogohdeam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\Ollqllod.exe
    C:\Windows\system32\Ollqllod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Ogdaod32.exe
      C:\Windows\system32\Ogdaod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\Pmcgmkil.exe
        
        C:\Windows\system32\Pmcgmkil.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Pbblkaea.exe
        
        C:\Windows\system32\Pbblkaea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Pecelm32.exe
        
        C:\Windows\system32\Pecelm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Pjbjjc32.exe
        
        C:\Windows\system32\Pjbjjc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Qcjoci32.exe
        
        C:\Windows\system32\Qcjoci32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Apclnj32.exe
        
        C:\Windows\system32\Apclnj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Afpapcnc.exe
        
        C:\Windows\system32\Afpapcnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Apkbnibq.exe
        
        C:\Windows\system32\Apkbnibq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Anpooe32.exe
        
        C:\Windows\system32\Anpooe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Beldao32.exe
        
        C:\Windows\system32\Beldao32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Bpfebmia.exe
        
        C:\Windows\system32\Bpfebmia.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Bdcnhk32.exe
        
        C:\Windows\system32\Bdcnhk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Clhecl32.exe
        
        C:\Windows\system32\Clhecl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbkgog32.exe

Filesize
93KB

MD5
d64bc33d04a5191e0be7e0bf8c062a82

SHA1
9756f82c350b6c9f8318a46561dfe507eb4f5417

SHA256
25116b3b8d1ae2febf1d91eea3baf119f72d4012910f6954e081c935582795d4

SHA512
96640f9ad659f24d7066e39e377886ba86e6e637735b9f79207fb532a4d7bad45e40ab505f58e6101713c4e9b4574c451576f8ad2e70deb1b3da080568b98ff3

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
93KB

MD5
e56b1d3911c68381bcf461bcd5baa9d6

SHA1
2dbd2737299e96ff3ddcacf987f99fee23cdb698

SHA256
c102ff50146e0e2343dbca483a4f78d5a3798360295d7eca42395a43097051a1

SHA512
f69c5122488fca9f9396113b437c34cbeae36e3acf7f1711d0ea85a1a2a15b8c8c2e115b7c4f65282d2c0d842fc58e0f33bc68336a21a42ff4760fe79b8122b1

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
93KB

MD5
ec45ff9877bbba07df8340ffef5c1697

SHA1
855e38f5a04ab253bfdab8d22ab10889c4e0ebec

SHA256
135c31ac564edb2bf7b3e547741f108169a6262f263f70f483b5d23fb54ee47e

SHA512
43f93ed36f0c60299e14de98c8240da523c5324a02be490aa4009bd703456864711f800a0f48abd6ac9dc0fbf2ab8c493b84f0f0205e226990888aa6e1be470d

Download Submit
C:\Windows\SysWOW64\Clclhmin.exe

Filesize
93KB

MD5
31735ab97ec2e814325b30c71e9488cf

SHA1
686023e8e7216dd9917ed1bbd57b38adb2b1a16b

SHA256
051f9a9607b841c34422c2cbfe745eb5e28c1b387c1aa32e2e0e92b99db631b7

SHA512
5018197efa1b3e39bc0afed8c2c476fecfc3ff4d0efd9e18d5c50beb250ca803ff5c70fc87ac561d41e1a7d66900be799c56c614b2b207593b530f20b1fa8f08

Download Submit
C:\Windows\SysWOW64\Clhecl32.exe

Filesize
93KB

MD5
bf7d84e141cb4f707feb5c063a9e910e

SHA1
c1ed17b3974fad4c75e6bbeec8b5786b5054b7ce

SHA256
20c3e38313a187e2086f6a62d4f95ccccb4e6d8684214fe8182aae27134a3477

SHA512
0ea4bd178b09329c983f1db7ad0fe63d6c48a068dcfd1296b946ed997213df9a9656cc6483843a59f831322a5e6ae17d0d0d2e571062b13a2b281a3310b6c3d5

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
93KB

MD5
33d40c86b7136a9217359605e4351366

SHA1
99a3a1a2c7316a439300488f1bfa045b3e706bf9

SHA256
98fdc0558c3938b85915b1edda78370617c058f9237dcf8c1d0101db9a0923f0

SHA512
d4c7745494198541a56154c22e95fb4c4f3f65c50a396fd7e2316d93e3c995a095c99b611744f8737def2db0af6d7005c1f05aa949d580af5af33eb81608f17c

Download Submit
C:\Windows\SysWOW64\Dngdfinb.dll

Filesize
7KB

MD5
bc4a6e00e2ec3ab6d11c0d2eec4e1366

SHA1
feeeee7ed668d026c968ee0db83282b486d7ed29

SHA256
f1aa35d662b672972e6bfe78931b6e7f94280e7d2b9fe09179c5390ddf0a0a27

SHA512
74a04c7358747f8700ccbde798de11624ef670979b717481610308df0a10c35cc210107d7beef157723912dfb66f915cf49f295e2c11865395adcd98e822ea00

Download Submit
C:\Windows\SysWOW64\Ollqllod.exe

Filesize
93KB

MD5
fd9f17c4f53e3eca8c6f093efb872f0a

SHA1
8c3982ec41dfc0cdcd860553d81dc51e4a6a8a7e

SHA256
970e4cd9680c44af5c2252fdc2a6534dfb3d69e9e31f58dca1b1ad94bf1e64fd

SHA512
4c8b14297b68ee5657419f7cc9948794597d65be455d12c13132f5eb8e34ac05b6f3f9173f0effea4a5b3e675b2d91fce3ecc2003c840b7d6503fdaf2652fb08

Download Submit
C:\Windows\SysWOW64\Pecelm32.exe

Filesize
93KB

MD5
3e90aa8bf6c876efbb2ab4c4c92a4ae2

SHA1
11357f1835ef997a971193967f24f7e12fe9fe54

SHA256
73c4cbeba92d32c8822765706c697c5e127656e6edef765d87850e0ef13a1f38

SHA512
58b56108a626e57dd968862afaf055fc4a6ae0d02c875dfd4b97a1ad833c9aec6516aa1d5a9db26d648d7d73c65f003af0f6def5716b40a55b057ef516d49dae

Download Submit
C:\Windows\SysWOW64\Pmcgmkil.exe

Filesize
93KB

MD5
a53d04d759d39db08fd3c7818e2828c0

SHA1
ed0434c4cbcdd4b0b83ac10793ab9fcd79a679c7

SHA256
0bd1f774de49a6a181eba9f39772578e816b49c914b761819c17519e25186356

SHA512
a2101683617b8c6086429d7f84006907488b2bdf2f432b7d1a0b74fc27399b532cb6bcc19f61a20d44016b96773d497e422cdc2002b11f6007283239df6d7478

Download Submit
\Windows\SysWOW64\Afpapcnc.exe

Filesize
93KB

MD5
7f54f0c82ee86ea55bcedb2606090ced

SHA1
55a14e7a2a6d4e325fb63dcb78a14134bea08455

SHA256
35651b90e3079975f33386c5030939502a46b9d73c4e534f0be336cb2a3e38f4

SHA512
55bf6d0fb278c1a16f02d13d085f0727d5d8e57f5a074e677dfa1ced5301ab930fc2e9595773e6ff29eaac0a47904c165b0aba5470c3581d1be254f0954b0e92

Download Submit
\Windows\SysWOW64\Anpooe32.exe

Filesize
93KB

MD5
e9a113f93e9a3e20bf8fdf0811ee1190

SHA1
a65ce3942f6a0c3aa9ebe9ea49ff24a9e59ea7df

SHA256
031d2d6e4797f23d29260d7f5668a917684507d7d0edb9562034c1793c19d44a

SHA512
1f22df7a285d7f24a6bbb4511ed5b89607c40f0705e6c374358b41bde992a38ddfd6a792f1fb99999335796f510d98ebd4bbf640dba8a53fc61fe192f4652fbe

Download Submit
\Windows\SysWOW64\Apclnj32.exe

Filesize
93KB

MD5
9e012be25d20720e1151d1ecc462e42d

SHA1
f8a6387e80383681d44f4903fe676e65e6272dcf

SHA256
35b41091e27c5ee50b1d215968de63ce16bdbfe6e8c8a47e2ddfce183fad218a

SHA512
d03b5ef6123ce4e76d1bbc248aefab7329121ceb0056687c49c2498dd8ec65ed0eac350ff19b699c258db7718190847448af1f6d43faeb160fe13872155ae2c8

Download Submit
\Windows\SysWOW64\Apkbnibq.exe

Filesize
93KB

MD5
08def38e6d58c407504df2f1c868b6fc

SHA1
23075e47e19052369a9cf90424ba244375998078

SHA256
aac6434a37bd357e276ef8a3bf72e8f95ae0b7d9a0be81fcfdc2e9c08171ef38

SHA512
fbfc4816b5da0678bf11823c37524c31b510b382641a148f1ac7d0ae911b7e681b9bf81ec3df533fa9475a193e09d9040f8e8e1c2d9b9d67d4ac6a40ce282d87

Download Submit
\Windows\SysWOW64\Bdcnhk32.exe

Filesize
93KB

MD5
9cfe4a14d682355d352cd4ca685c194c

SHA1
091ed2dfea3155ddba3422fb604a6eee3a639d14

SHA256
97c671b2f9ba4a6067e4257f1547d281c1428401d59f8c8f0f21d7babc9d27fc

SHA512
a2f12dcbd8c084dd8ab96f15725b71bea60738209fbe015b7aa38eaf946d0e625ea10d660d254a7775acba8580ce85f39398640a210fe3d6dc3dbaa985f2d45c

Download Submit
\Windows\SysWOW64\Beldao32.exe

Filesize
93KB

MD5
b38deb6803b796ed4660841b6137aa8d

SHA1
8eac2ebff7f2bd2c104d40a7ff063196e7f376fe

SHA256
a3d0bfcdd195b666d370f36597dcd76129028a43e020726a53d875293be440a9

SHA512
f9d21b0a4c9ea1ab0ca3167feec88f5f70d937ec409682682bc49b72d8942cf2317ea37a33c3f9585f87ed110fad145c7c175ee29bf3c3098e382bc32e91803e

Download Submit
\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
93KB

MD5
a6dc32a11eeeded6183c3923ca68283b

SHA1
6e74601d14051f57c3846dc5ad52d3db4bc73828

SHA256
3339ae36de5d6c04968518f92ce6619a4e0d6414484f157c96c088acc228145a

SHA512
b87b93c898f28557d5f02ffc2fdafeef379561f8b00f02554171e0890387ba922c4df333446b79095c921f3df677678c4e67448e6229656b8c2d58fe240a656d

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
93KB

MD5
2dc6a3aabf36bf75f8cab82f839f3d4d

SHA1
6f3d240b70f34816cf080fcd54d29f7ccdd796a6

SHA256
2eb1330e62848458cdf22dbdb0472e8bbe859a9f760d08fa5c08f5788782abc9

SHA512
323c652520d87dd73e20efd0ef0fdf0cfb2f0f66de5b05c13410c8312f1df5f4e565622be3558c00dcebf767d34b4c15ec9b020e713112cbd3b89f9e15d0c31c

Download Submit
\Windows\SysWOW64\Ogdaod32.exe

Filesize
93KB

MD5
e59a31abecfdf486cf9f9c5dd2eacc5c

SHA1
2c311bc5a69b72c427edb3fc59f784ab84c8fecc

SHA256
874a9de36761009514316371f8514e5255818fa264b99237e348a7eda20266d6

SHA512
bcd87bf963f4b92e034ec3535b0d8f13c7c7a9987e82acbb41998fbb670ef46f46a0123f96d206757e842d81da5f7ed3e2ffd0c59bccb39332c83cebe2d56c56

Download Submit
\Windows\SysWOW64\Ogohdeam.exe

Filesize
93KB

MD5
0d0b8af07b7b97e5d88b8ab30d90d3c0

SHA1
67da949bf187112611960d6e7b6dd193215b89b4

SHA256
d0fedace2c400c50d87a00255fa05e1ba34ef2f50cbcd435c74adaad55c67c31

SHA512
37ff2123b95a74e8ee4a1c8e35b93aaea1e10d9db49356f0a10afd1fb16f36652b9a82ce03ffeacd383b64e4d030fb74a8f2a8344e4eb789ac6b8e7c122dda3a

Download Submit
\Windows\SysWOW64\Pbblkaea.exe

Filesize
93KB

MD5
34285906f7edd272259079db6c2f3711

SHA1
66f0fff2ee8bb4c1d903485ef1e7ab6b620a7af4

SHA256
7aca126881ea032a0aa6c5669a6876cced5b3c9079aed4c0a0ba15e482f9c2a0

SHA512
9ad11045c15de9df7af44564ed4e2fe926bfde90e93c83ac76ad94357a378e399f4c6ac6c8663ca284057c90c326e53451b1843971a160a48e9e5688c2560cbd

Download Submit
\Windows\SysWOW64\Pjbjjc32.exe

Filesize
93KB

MD5
c66988530613dc6a1ffddf17d2bf9506

SHA1
013ff30906696954a33668b669333998699b6d87

SHA256
b05b753c29527568e8ffb82462d0708f470431c7e629e8a97dc4a0a7fc1f7c86

SHA512
0f1d096584264edbcaa91eaf5cd16a496c34a6e2fdfc58f19f4e2603f082d79b19cb02e6c0a2828c0fb2aff2f8e0548a6fe8551ea17562b12a9cc2cbaaf04ebd

Download Submit
\Windows\SysWOW64\Qcjoci32.exe

Filesize
93KB

MD5
e47f6efb9a8399aa2c12b7c8bb282a2a

SHA1
733bef1efed4c0c6966c411d1ab32f3e67186a12

SHA256
874eeaadd14b407f7e7de68546837ad7c3655cfed5cbb5ac1418b9f0843c71a6

SHA512
ca87b274c8614519a7b18fe8067b7d423dec267933b7be7179aedc40fc666fc3370759928728ac0caddd571006921aa0eba505efdfeb662811608b6dd09ee141

Download Submit
memory/236-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/236-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-276-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/564-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-11-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/564-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/584-233-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/584-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/584-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/592-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-62-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1752-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-215-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2220-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-52-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2328-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-118-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2456-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-172-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2488-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-94-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2656-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-95-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2656-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-81-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2920-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-34-0x0000000001BF0000-0x0000000001C24000-memory.dmp

Filesize
208KB

Download
memory/2920-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-279-0x0000000001BF0000-0x0000000001C24000-memory.dmp

Filesize
208KB

Download
memory/2988-145-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2988-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-132-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-273-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads