berbew | b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Size

1.3MB
MD5

7b1489975a184319ee5975fb31fb1eac
SHA1

8354a487e6db97e2004696246c45b63f56d3ca09
SHA256

b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f
SHA512

981400b671548d50733f11e5485052fa0136a92d890cf7fefc12fcc117bddc302c4b2074bbfd15bad80f6a63a493616dcd9d7764d1951051c5c2f4c45f2077f3
SSDEEP

6144:QdipfE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymL2MT1d:QdiBAbaz22cWfVaw0HBHY8r8ABjMn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ollajp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

pid	Process
2768	Nckjkl32.exe
1808	Niebhf32.exe
2692	Nhohda32.exe
2192	Ollajp32.exe
1500	Oegbheiq.exe
1532	Oghopm32.exe
2312	Pqemdbaj.exe
2952	Pqhijbog.exe
2956	Pfikmh32.exe
2044	Qflhbhgg.exe
1940	Acfaeq32.exe
1544	Annbhi32.exe
2224	Apalea32.exe
488	Afkdakjb.exe
1144	Apdhjq32.exe
1536	Bjbcfn32.exe
1360	Chkmkacq.exe
1980	Cilibi32.exe
892	Cgpjlnhh.exe
2180	Cinfhigl.exe
1380	Ceegmj32.exe

Loads dropped DLL 46 IoCs

pid	Process
3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
2768	Nckjkl32.exe
2768	Nckjkl32.exe
1808	Niebhf32.exe
1808	Niebhf32.exe
2692	Nhohda32.exe
2692	Nhohda32.exe
2192	Ollajp32.exe
2192	Ollajp32.exe
1500	Oegbheiq.exe
1500	Oegbheiq.exe
1532	Oghopm32.exe
1532	Oghopm32.exe
2312	Pqemdbaj.exe
2312	Pqemdbaj.exe
2952	Pqhijbog.exe
2952	Pqhijbog.exe
2956	Pfikmh32.exe
2956	Pfikmh32.exe
2044	Qflhbhgg.exe
2044	Qflhbhgg.exe
1940	Acfaeq32.exe
1940	Acfaeq32.exe
1544	Annbhi32.exe
1544	Annbhi32.exe
2224	Apalea32.exe
2224	Apalea32.exe
488	Afkdakjb.exe
488	Afkdakjb.exe
1144	Apdhjq32.exe
1144	Apdhjq32.exe
1536	Bjbcfn32.exe
1536	Bjbcfn32.exe
1360	Chkmkacq.exe
1360	Chkmkacq.exe
1980	Cilibi32.exe
1980	Cilibi32.exe
892	Cgpjlnhh.exe
892	Cgpjlnhh.exe
2180	Cinfhigl.exe
2180	Cinfhigl.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Lmcmdd32.dll	Ollajp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	Ollajp32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Hcgdenbm.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Hibeif32.dll	Nhohda32.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Nhohda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ollajp32.exe	Nhohda32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Fnahcn32.dll	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Oghopm32.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Oghopm32.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Ollajp32.exe	Nhohda32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Ollajp32.exe
File opened for modification	C:\Windows\SysWOW64\Pqhijbog.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Bpodeegi.dll	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pqhijbog.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Qflhbhgg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	1380	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollajp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhohda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll"	Nhohda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgdenbm.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcmdd32.dll"	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2768	3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe	30
PID 3008 wrote to memory of 2768	3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe	30
PID 3008 wrote to memory of 2768	3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe	30
PID 3008 wrote to memory of 2768	3008	b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe	30
PID 2768 wrote to memory of 1808	2768	Nckjkl32.exe	31
PID 2768 wrote to memory of 1808	2768	Nckjkl32.exe	31
PID 2768 wrote to memory of 1808	2768	Nckjkl32.exe	31
PID 2768 wrote to memory of 1808	2768	Nckjkl32.exe	31
PID 1808 wrote to memory of 2692	1808	Niebhf32.exe	32
PID 1808 wrote to memory of 2692	1808	Niebhf32.exe	32
PID 1808 wrote to memory of 2692	1808	Niebhf32.exe	32
PID 1808 wrote to memory of 2692	1808	Niebhf32.exe	32
PID 2692 wrote to memory of 2192	2692	Nhohda32.exe	33
PID 2692 wrote to memory of 2192	2692	Nhohda32.exe	33
PID 2692 wrote to memory of 2192	2692	Nhohda32.exe	33
PID 2692 wrote to memory of 2192	2692	Nhohda32.exe	33
PID 2192 wrote to memory of 1500	2192	Ollajp32.exe	34
PID 2192 wrote to memory of 1500	2192	Ollajp32.exe	34
PID 2192 wrote to memory of 1500	2192	Ollajp32.exe	34
PID 2192 wrote to memory of 1500	2192	Ollajp32.exe	34
PID 1500 wrote to memory of 1532	1500	Oegbheiq.exe	35
PID 1500 wrote to memory of 1532	1500	Oegbheiq.exe	35
PID 1500 wrote to memory of 1532	1500	Oegbheiq.exe	35
PID 1500 wrote to memory of 1532	1500	Oegbheiq.exe	35
PID 1532 wrote to memory of 2312	1532	Oghopm32.exe	36
PID 1532 wrote to memory of 2312	1532	Oghopm32.exe	36
PID 1532 wrote to memory of 2312	1532	Oghopm32.exe	36
PID 1532 wrote to memory of 2312	1532	Oghopm32.exe	36
PID 2312 wrote to memory of 2952	2312	Pqemdbaj.exe	37
PID 2312 wrote to memory of 2952	2312	Pqemdbaj.exe	37
PID 2312 wrote to memory of 2952	2312	Pqemdbaj.exe	37
PID 2312 wrote to memory of 2952	2312	Pqemdbaj.exe	37
PID 2952 wrote to memory of 2956	2952	Pqhijbog.exe	38
PID 2952 wrote to memory of 2956	2952	Pqhijbog.exe	38
PID 2952 wrote to memory of 2956	2952	Pqhijbog.exe	38
PID 2952 wrote to memory of 2956	2952	Pqhijbog.exe	38
PID 2956 wrote to memory of 2044	2956	Pfikmh32.exe	39
PID 2956 wrote to memory of 2044	2956	Pfikmh32.exe	39
PID 2956 wrote to memory of 2044	2956	Pfikmh32.exe	39
PID 2956 wrote to memory of 2044	2956	Pfikmh32.exe	39
PID 2044 wrote to memory of 1940	2044	Qflhbhgg.exe	40
PID 2044 wrote to memory of 1940	2044	Qflhbhgg.exe	40
PID 2044 wrote to memory of 1940	2044	Qflhbhgg.exe	40
PID 2044 wrote to memory of 1940	2044	Qflhbhgg.exe	40
PID 1940 wrote to memory of 1544	1940	Acfaeq32.exe	41
PID 1940 wrote to memory of 1544	1940	Acfaeq32.exe	41
PID 1940 wrote to memory of 1544	1940	Acfaeq32.exe	41
PID 1940 wrote to memory of 1544	1940	Acfaeq32.exe	41
PID 1544 wrote to memory of 2224	1544	Annbhi32.exe	42
PID 1544 wrote to memory of 2224	1544	Annbhi32.exe	42
PID 1544 wrote to memory of 2224	1544	Annbhi32.exe	42
PID 1544 wrote to memory of 2224	1544	Annbhi32.exe	42
PID 2224 wrote to memory of 488	2224	Apalea32.exe	43
PID 2224 wrote to memory of 488	2224	Apalea32.exe	43
PID 2224 wrote to memory of 488	2224	Apalea32.exe	43
PID 2224 wrote to memory of 488	2224	Apalea32.exe	43
PID 488 wrote to memory of 1144	488	Afkdakjb.exe	44
PID 488 wrote to memory of 1144	488	Afkdakjb.exe	44
PID 488 wrote to memory of 1144	488	Afkdakjb.exe	44
PID 488 wrote to memory of 1144	488	Afkdakjb.exe	44
PID 1144 wrote to memory of 1536	1144	Apdhjq32.exe	45
PID 1144 wrote to memory of 1536	1144	Apdhjq32.exe	45
PID 1144 wrote to memory of 1536	1144	Apdhjq32.exe	45
PID 1144 wrote to memory of 1536	1144	Apdhjq32.exe	45

C:\Users\Admin\AppData\Local\Temp\b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe
"C:\Users\Admin\AppData\Local\Temp\b3f7cdbd96c91cc64bae7af7df60c990688af865a5a063fa15ff15382206184f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\Nckjkl32.exe
  C:\Windows\system32\Nckjkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\Niebhf32.exe
    C:\Windows\system32\Niebhf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\Nhohda32.exe
      C:\Windows\system32\Nhohda32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Ollajp32.exe
        
        C:\Windows\system32\Ollajp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
1.3MB

MD5
eca10d7ba2d2f32656ffc10b377fb577

SHA1
ae60d22ca3d4fef90ec104613e842856a9d52152

SHA256
504c42fdb771dbe9c7d1646dde81ee40a8cc2206cfafeb7cb7dd0f485af80104

SHA512
1c3cd73cc3476eee87729bdd24727d87eae0b620d4e675c98949d01772880871a4ca6b60ac1841f202de831240e0850d700c855e6cf9c0c35f0a08d0268ff791

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
1.3MB

MD5
ec75b2491aaf187cd566a906e831b0ce

SHA1
74bc6e7e7bdd891380e1566d72ef9b402ab7da5d

SHA256
d282fd43200d8bd12a73ecd01bb6420bb1dcd85710cb8c49dd88b565642ec1e4

SHA512
bb97185daa34eeaa227d95a7cfd55d64fb01349a40b10b80d3d1d23064e40a7d7b99fe432f418cf21f3e57716ef190484a9d7cc221c1cdebcf6fc5a9a081aa20

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
1.3MB

MD5
70b036b5c33a74dfdaaf9b7b3c916aea

SHA1
a1e95beddb70e1bb5f05145f50daf0ed24940291

SHA256
fd9eb3ebea2fc5ce245b47112f6798e52c92e6650c019c61d1a9b4efcb92a3fa

SHA512
239e0b31361152d73368b772ba10e5f1dddc8635b6bedc70e17a94a35acb6aac555a845d05c72fbfb318cbf3b0d1f5ba24e59a14289957d5e0a96ce7ec53e8e3

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
1.3MB

MD5
3b021dcc5a1b857b61773ce89aafe2bb

SHA1
663dd29536e15f90ad073236920b943a50b9d08d

SHA256
c5231c5dcd06885c077032fd944ec4affd6a632ef5d1a9c2dcf95e9c774fcfb2

SHA512
1c0e87e397e9e6a9d2e8a471de4c2a0e3d896a63fa54e58cebedcbdf6f68b27d75bf069fde9c2f6092ddb9c93851994ba028df499bd637dec3605fb26a9de4d5

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
1.3MB

MD5
dc5a4fbbd66707504acd98be1548370f

SHA1
4519bd0ef675159cbd5d43ad2d86ef6ba58e0eb4

SHA256
e39b95f34c444e2db2320a2e79896db800058ec27b24f22ce5e9b1d574275445

SHA512
0ddfb3aa38c80c42f4412ee49b7fa564dfac246d3d6545f787073564aa3333251c72e064ef65e4ff7797f39d9dbe75e352816a6a6f091643bb0054129ffec95f

Download Submit
C:\Windows\SysWOW64\Lmcmdd32.dll

Filesize
7KB

MD5
7a57d09328890ef2ac3ae78831ac3b0c

SHA1
b288c30056699ff06850c9371e9b54031053732c

SHA256
182b79a559196a579ee29f6d18fbd2bcf3a98657bfe539b7809b1bc821cb7502

SHA512
81bdda46110ccd6bce24245b068538ab334785538a7cc3b9e5bd6ea599fbc574b91ebe5080af14da0b6cee8f79ee899b34b4247b3e86187357b46bcffae387a6

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
1.3MB

MD5
599aadea088b1dae80c7d4fd5ea53d40

SHA1
ea1014c5ab1bf8c490f3c23e09792ab560360e66

SHA256
5629165bde5588990564fc6491920c18f4f33c95ebacf09bf32e5d82244cccb1

SHA512
21c123aeaad90ed911d2306df1895c819536ae170517d27b7ac212fc217c2c80232e7d5c6b7b84f792b38b5675cdcfdc57bd86e3fdc875b065dded5d15ef6e8a

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
1.3MB

MD5
08f2a5ced384b4be028fdd5fda589cc9

SHA1
3336f50c871aa6200def9748ffab0846df6d2759

SHA256
3a5089570e6ce62f6a40cb0750e55d77a8f68139a3561107702e634487d99f55

SHA512
dfab7eb5c91f42d8d32b7ff1a24447572e8d94d8c5a54d442cdf915a87a963b2041e74c4eb3b906ce712ea11bb9e0b3b1219309a6335ace89f924b9146366464

Download Submit
C:\Windows\SysWOW64\Ollajp32.exe

Filesize
1.3MB

MD5
d719954d23fade626b2b0efeef36f466

SHA1
74c452feaf8b1a4ac0ad30dddc3d07a8f7758904

SHA256
bb94679a0050781825e8287d2ac796d4ce48e27ae7b10fb5d5f2381709aa61a1

SHA512
d2bcae07216d4e032b0f19d413f50954ca503ee0ec2a4c834b6d8ae08679b24e3c2656f9552ee55e9d616dc1023a1373d0da0ea85262c5fe82579ff789707bec

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
1.3MB

MD5
8d5423698428a8451a7bbb045c2d9f80

SHA1
661e7ac91088e8f42405f7a4af72cadf0a41e29d

SHA256
d4a28abb6f8df3b1f7a1a3172f92cec32069f9671504e9e7332ad3571a4a5956

SHA512
4d16c3aaccaf0ff75fc766b93b41bd644a1d5b93152dcfccee34dbe20f1f6844d62ea8b6c0d7da1475ff9cfbcde13dd0ead75a095de11a462a808833cb047d75

Download Submit
\Windows\SysWOW64\Acfaeq32.exe

Filesize
1.3MB

MD5
5ec41f3a09bbc58651c97d46a84132c2

SHA1
8f46ed56194017081903e9336dce5a2b39ab81b6

SHA256
192729476d850b490d4d3bf182e9aff42bb812a2df20e5053f72727233801bfe

SHA512
2bf02651422cc4f9b3414ce25ca1064ed7fa68b75397bf2336f87046eff11a4c893d86a23c635f5aefec7d2da4d87cd561042c405d102f4403f493423fc8357b

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
1.3MB

MD5
8c0543fe69369d308b0c6b7453d67255

SHA1
353a7f7112faa6b4bc83d070c8fa8189a426c385

SHA256
dad630c59da79107cd02d91e525e6f5dfb51563fcdad01d74dfaced7ef6fad2b

SHA512
d6536c2643ed5d2328d091598356c30a1c598ac87831ab1e042ad535e6ab998bc479c89c3b6dcd5ecc7acdb46c1931fbd30ea26e0ea414b276ff3f0063d9070a

Download Submit
\Windows\SysWOW64\Annbhi32.exe

Filesize
1.3MB

MD5
cc09d4fa09939355ab19c852f195175d

SHA1
b9c747cefa23df4f323f39866aabf9fcbdef2b83

SHA256
606a5a880a0010161d0807cd7721c38e79711dcf9b3bfd4378ab949abc7f290d

SHA512
8dd84ccfa3ee318ead50b197e71f89b1dd482785dde6b98abe4399722afcfc0b64624ef14f408c9cb54de9f7fc0af472b981a48592ac3788eb95db48f32f46a7

Download Submit
\Windows\SysWOW64\Apalea32.exe

Filesize
1.3MB

MD5
974cbb73a9fc6208f5aac1145f5403a6

SHA1
d7635ea45b35806d17dae41a1682a3dadba18234

SHA256
a16b93d9719c28b0e5ccd42814c03bcec2de7720e8393d446b21ed8af3be8894

SHA512
dfbdc3d773aa68b00dc2805845e044c45166d9030d56722e3180d77b71bc39d84d5d3e400047c45295a34d87caf3ef3435045e0524f1119e6950409242a2280e

Download Submit
\Windows\SysWOW64\Apdhjq32.exe

Filesize
1.3MB

MD5
1b9354fa3ca722d8fc7637fa1027be77

SHA1
bdf8796694bfe532b7b12b0bff53ff3d3d8d35d9

SHA256
53ad652d37beea9ca0c2e928571085ed819a35467914bff5efe5e532a62259f2

SHA512
ae3e0d5f10fb88ee5d1dbcffc948cc95d5e3e382751af8113b6a8e5b531c7f57ec2c9d8e35941e62158f952fdfcaca195aa8ddc06c02abaf334dbb14c018d6af

Download Submit
\Windows\SysWOW64\Bjbcfn32.exe

Filesize
1.3MB

MD5
191118dc44b07cbe4a8f89bccc41b4fa

SHA1
8506c14af2723960faa2a065ffdef811f234d08f

SHA256
46e3e2094633f4e4daab48f3e26ac9fc251a4b11062167682c92119dd0af4d45

SHA512
7a6eaa98f0f91774223d33457d5ddfe90698ffe5e5abf432fe92a25bb2016e002bda1aae4da076ce78cda6718c57001aad293872f0b826057f9b967e072368e1

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
1.3MB

MD5
f3d1654ddc0c48a89960b75a97bdeed8

SHA1
99348aeebe9d5fa576b5462aeb7a74dc07aaddda

SHA256
610228f5d65b8d78ac0b515bbf1acb75453806d873ec6fd995c8fbba65626d7b

SHA512
e90e9d8f2bbf14f476d24654e294c73750dd06ac75f4f271ff2eeb4a2deb79726f4d1a9511209d39030a2b8507fafc5e3a73c2f62cfe5408076d33a7332cbad9

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
1.3MB

MD5
57c1d1a04c249634b79fc36f93ff7674

SHA1
fdbce3015f7ea01210cbb0f6417405c3848d1014

SHA256
6406cae9a0e2416fc1ac606b2b079c657d56dfc4ef7e76db03087fdc53131933

SHA512
2150d630361dac06217f986b29ebd2af3f73bc1c1e1b09ec189526cf2ae1bda1a2191963d655f007f7dee47293f289c3fb2d602a227a0ae4106873bd65ab6755

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
1.3MB

MD5
2d1b13bd7a6fc79c32f8b592bf960e38

SHA1
5857e594517d20910e6d72b236c61f50d4fc0c0d

SHA256
6a60a00805c7e4435edf1fcb7882c189e6161f47dbd9adc288c0eceafe51f7a7

SHA512
f3f1c7c2d70fd3576f1f816aed0c3998219a5003e4df05756f5bbeab81a6c492ce7155597120c33c06cdca0e1812dfff34c6274dadaa8b1f51e4f9716456bd5e

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
1.3MB

MD5
d2bdea99092d85deddc65c97c3e3d1ec

SHA1
6f6dc8c95fc6ccad09af9a2dc563794bd766da71

SHA256
9fabfc3b4794404c7aae731a4361ba818f1ddb398e98218e851ade0598975165

SHA512
09e2969a251764705b130bec6e0c9d1fb779060d7940f9d197b4c0d4a5f5c90358740b0f460b93f673b6ef0643ac0a5bb69c8acc674a135bcb8330329be594b8

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
1.3MB

MD5
c6921367cfb583436552d1abf9683d50

SHA1
930a8a24f59ee998fc0e46d2a9406ff255c688af

SHA256
25c51f38f85cb0c1e6f2516b8aad77105ee54ea7a2738956d2dd6ec7c08994c8

SHA512
be3b4668f1cd511b7285ab75b0001e271b774930cfd296ac48da2dc7955cfe41a6a4668e5dfad8b21fa787230334faf30f556adf330b6caa4bc61116e8cd8014

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
1.3MB

MD5
e6aece6643ab00aa8d981057efe5e7b7

SHA1
7198c4083d8d80f9755ab632f397107ad68bae64

SHA256
d438e6158eebe2aa0dcda1fe48226d2a09af72552257b424411f3b54dc97d53f

SHA512
ba95d7e9dd76456e0e9a093d9b28fc9d58d3b5fe6ac999cf1d82a8c2dbb275cfc61d46affda4dd46f13f879162881ab78d2555553155fd3091d9af5db5547cff

Download Submit
memory/488-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/488-208-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/488-210-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/488-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-267-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/892-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-227-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1360-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-93-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1532-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-100-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1536-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-184-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1544-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-179-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1808-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-37-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1940-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-254-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1980-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-152-0x0000000000450000-0x0000000000484000-memory.dmp

Filesize
208KB

Download
memory/2044-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-274-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2192-70-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2192-71-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2192-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-198-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2224-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-113-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2312-114-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2692-56-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-22-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2768-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-27-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2952-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-124-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2952-129-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2952-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-15-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3008-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads