berbew | 9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Size

337KB
MD5

e63c05506c575290992783b66b18c550
SHA1

e6b9ad63ec03ea906020f88cabf2b2145df40ef7
SHA256

9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f
SHA512

e7d9355bfa1bdccf22b4e69fa0dffb80576509011cf9ba085b36ca4fc29f42df5a7f151bcf76f94e2399d9e23b2092286699b9433ce8c050311e51d3eee9fa81
SSDEEP

3072:MzAhHDEWgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:EKHYW1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 24 IoCs

pid	Process
1744	Ajdbac32.exe
4700	Bdlfjh32.exe
4556	Bpcgpihi.exe
4980	Babcil32.exe
3572	Binhnomg.exe
1316	Bkmeha32.exe
2528	Bbhildae.exe
464	Cmnnimak.exe
2236	Cbkfbcpb.exe
676	Cdjblf32.exe
1600	Cmbgdl32.exe
3208	Cgklmacf.exe
724	Caqpkjcl.exe
1844	Ccblbb32.exe
4252	Cgmhcaac.exe
3304	Cdaile32.exe
552	Ccdihbgg.exe
4324	Dkkaiphj.exe
4480	Dmjmekgn.exe
3880	Dphiaffa.exe
4396	Ddcebe32.exe
4908	Dcffnbee.exe
3244	Dknnoofg.exe
3216	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Binhnomg.exe
File created	C:\Windows\SysWOW64\Adppeapp.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Deiljq32.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Binhnomg.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfjh32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Bdlfjh32.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe

Program crash 1 IoCs

pid	pid_target	Process
4876	3216	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlfjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdbac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiljq32.dll"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1744	1852	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe	91
PID 1852 wrote to memory of 1744	1852	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe	91
PID 1852 wrote to memory of 1744	1852	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe	91
PID 1744 wrote to memory of 4700	1744	Ajdbac32.exe	92
PID 1744 wrote to memory of 4700	1744	Ajdbac32.exe	92
PID 1744 wrote to memory of 4700	1744	Ajdbac32.exe	92
PID 4700 wrote to memory of 4556	4700	Bdlfjh32.exe	93
PID 4700 wrote to memory of 4556	4700	Bdlfjh32.exe	93
PID 4700 wrote to memory of 4556	4700	Bdlfjh32.exe	93
PID 4556 wrote to memory of 4980	4556	Bpcgpihi.exe	94
PID 4556 wrote to memory of 4980	4556	Bpcgpihi.exe	94
PID 4556 wrote to memory of 4980	4556	Bpcgpihi.exe	94
PID 4980 wrote to memory of 3572	4980	Babcil32.exe	95
PID 4980 wrote to memory of 3572	4980	Babcil32.exe	95
PID 4980 wrote to memory of 3572	4980	Babcil32.exe	95
PID 3572 wrote to memory of 1316	3572	Binhnomg.exe	96
PID 3572 wrote to memory of 1316	3572	Binhnomg.exe	96
PID 3572 wrote to memory of 1316	3572	Binhnomg.exe	96
PID 1316 wrote to memory of 2528	1316	Bkmeha32.exe	97
PID 1316 wrote to memory of 2528	1316	Bkmeha32.exe	97
PID 1316 wrote to memory of 2528	1316	Bkmeha32.exe	97
PID 2528 wrote to memory of 464	2528	Bbhildae.exe	98
PID 2528 wrote to memory of 464	2528	Bbhildae.exe	98
PID 2528 wrote to memory of 464	2528	Bbhildae.exe	98
PID 464 wrote to memory of 2236	464	Cmnnimak.exe	99
PID 464 wrote to memory of 2236	464	Cmnnimak.exe	99
PID 464 wrote to memory of 2236	464	Cmnnimak.exe	99
PID 2236 wrote to memory of 676	2236	Cbkfbcpb.exe	100
PID 2236 wrote to memory of 676	2236	Cbkfbcpb.exe	100
PID 2236 wrote to memory of 676	2236	Cbkfbcpb.exe	100
PID 676 wrote to memory of 1600	676	Cdjblf32.exe	101
PID 676 wrote to memory of 1600	676	Cdjblf32.exe	101
PID 676 wrote to memory of 1600	676	Cdjblf32.exe	101
PID 1600 wrote to memory of 3208	1600	Cmbgdl32.exe	102
PID 1600 wrote to memory of 3208	1600	Cmbgdl32.exe	102
PID 1600 wrote to memory of 3208	1600	Cmbgdl32.exe	102
PID 3208 wrote to memory of 724	3208	Cgklmacf.exe	103
PID 3208 wrote to memory of 724	3208	Cgklmacf.exe	103
PID 3208 wrote to memory of 724	3208	Cgklmacf.exe	103
PID 724 wrote to memory of 1844	724	Caqpkjcl.exe	104
PID 724 wrote to memory of 1844	724	Caqpkjcl.exe	104
PID 724 wrote to memory of 1844	724	Caqpkjcl.exe	104
PID 1844 wrote to memory of 4252	1844	Ccblbb32.exe	105
PID 1844 wrote to memory of 4252	1844	Ccblbb32.exe	105
PID 1844 wrote to memory of 4252	1844	Ccblbb32.exe	105
PID 4252 wrote to memory of 3304	4252	Cgmhcaac.exe	106
PID 4252 wrote to memory of 3304	4252	Cgmhcaac.exe	106
PID 4252 wrote to memory of 3304	4252	Cgmhcaac.exe	106
PID 3304 wrote to memory of 552	3304	Cdaile32.exe	107
PID 3304 wrote to memory of 552	3304	Cdaile32.exe	107
PID 3304 wrote to memory of 552	3304	Cdaile32.exe	107
PID 552 wrote to memory of 4324	552	Ccdihbgg.exe	108
PID 552 wrote to memory of 4324	552	Ccdihbgg.exe	108
PID 552 wrote to memory of 4324	552	Ccdihbgg.exe	108
PID 4324 wrote to memory of 4480	4324	Dkkaiphj.exe	109
PID 4324 wrote to memory of 4480	4324	Dkkaiphj.exe	109
PID 4324 wrote to memory of 4480	4324	Dkkaiphj.exe	109
PID 4480 wrote to memory of 3880	4480	Dmjmekgn.exe	110
PID 4480 wrote to memory of 3880	4480	Dmjmekgn.exe	110
PID 4480 wrote to memory of 3880	4480	Dmjmekgn.exe	110
PID 3880 wrote to memory of 4396	3880	Dphiaffa.exe	111
PID 3880 wrote to memory of 4396	3880	Dphiaffa.exe	111
PID 3880 wrote to memory of 4396	3880	Dphiaffa.exe	111
PID 4396 wrote to memory of 4908	4396	Ddcebe32.exe	112

C:\Users\Admin\AppData\Local\Temp\9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe
"C:\Users\Admin\AppData\Local\Temp\9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\Ajdbac32.exe
  C:\Windows\system32\Ajdbac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Bdlfjh32.exe
    C:\Windows\system32\Bdlfjh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\SysWOW64\Bpcgpihi.exe
      C:\Windows\system32\Bpcgpihi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 400
        26⤵
        Program crash
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216
1⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3932,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
337KB

MD5
f783a29e1b96fcabc589755020bebf92

SHA1
7e2ea1c07a2545ea8181da54ba302bd9e84726a8

SHA256
23a6427f3cc7e531a8018c4df2738b501760cee1ed1e065f3ad7eedc45e9664f

SHA512
af12fd76df36050d73430e8db33ef3c13d3e0cfc9cf1663bf4b2d20e6da283ff26b688f0b4f9bdef75959fbe72c09f44c5e355c1b9217af948b463fc0beb6540

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
337KB

MD5
d1797b108400f9f123b181ba7d370dc9

SHA1
35c6c6f63acde987b378a7656201a45ffd89e455

SHA256
87523612fb0e75241c561ab5dd00f61c1902e9454b46e63111a6a19aa3aaf521

SHA512
dd243778873422a72e134913b427cc4157af8e52ba08f069e23019d6e8d2e169420a99f1840fcb1f6abe073fef7ee45e2b6951960a8fe1da743a5d556c6ff70a

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
337KB

MD5
3f94e469c90f238771602856a1093730

SHA1
d888aaa1af17eca93c20849e4a2011faa3330796

SHA256
afc72cdc290985e74394dc8abe4db7a3a00546b4618dfd5edae0c021b984a12d

SHA512
b72bc134c6b8bf7aedc742e7c9d521e0251c8604b03dc7b2f09a61446c1f3beb1632d45ef8aaf1356c124b3c55799df9a6e5489339f5f87a494a46f0f3cbad55

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
337KB

MD5
440e6bd0af40c7106af5a8dff4a255a2

SHA1
4b79e02f8800c53634bdc3dbd27d7378baae2da0

SHA256
eb2c6a3d13f142594ea5d3e7f0032b7e4e88433365be4a682489a6a5c15684ba

SHA512
c593bf40a8d75aeeef85bc005c4bb45540486b89f9ec9d9701bc92c426edd235a52ba66c773c4c90842427c89c9112076941407dab6c052ab747bd4a30cc248e

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
337KB

MD5
8a48bae6ce794da63d6c0a3fdb3d462f

SHA1
08f88ff5d5b4893beee69fd26737ac6fb64c2f10

SHA256
9e05167f0f34052ff1c33427c170c6f97b575b8e580091a9c75a187e8e0805f9

SHA512
eab31d3fa56fa254f3c8929cfa4849a3f23e614fd76e0187a965df3cb4a27ff603c5d5833e1bed0134a57bb7c161b1d388783930fc30f02b8beec58f6f2958f5

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
337KB

MD5
192d0f70accc6c5fb8c46f100f157f0a

SHA1
5ce9b29adde168002b8ce68c2a0ec103a6af0712

SHA256
71eb31f9afc22868d17bf74dcffedd9e5cea7e0f96ae91bcf57b871a6b77a44a

SHA512
614a5f8bdd55c29d6eb204657989d56065d6ca89dd6251fdda01d80ac8113ca77ba6f1b015e5722e0da46649655c7f2819db24dce3f2e0de6261626fa0ca1c8f

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
337KB

MD5
bd78b152816a6ff1ec0d05eee86e9b7b

SHA1
fad22decb92aef0cbd86fb69833be2ef0fa71d68

SHA256
21c14614a3948f1a4f3a21bfa48a0f075957129f48c9facb73c495cbe24a34de

SHA512
547342725c88c22430ff509299d4056657735c1777cf6390f197435c845c7afc5898ed325fb375aa1bbf1ae9d85880b43944fc36e9b54d19b0749dafc5d27afa

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
337KB

MD5
03aea85e638aafde75a9401b70e555a7

SHA1
f11c2810f03fb242eee30c0b89d0ce13481f2319

SHA256
ab8ac09ef2844422b47def547fa390a483753e46591a4b9e872e61e1fcbe37a9

SHA512
c3e537a6f9e66a675f37219edc77fab21a97a91d886e9425d0f8628a7c31414f42c21aa4d63242e709b451f864834b6aa198635ab841a238a396d70c9133ca59

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
337KB

MD5
b931f618d4a20a7b956f2d525cbd55a2

SHA1
2f097e7b93164454143d8893d78dfc819d05bd49

SHA256
d0e880670bee0de18f6c4c3e2c4d1a4f67d25be0be85e2522b67077982c8d091

SHA512
e41dd2c84179d46dcb8dac73b8e22c84748e5f817a7884d908d0868af3e476d27031f098c48bdd7a5c765c36b77c464bedf84cca33725647973a1edf81e7ad10

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
337KB

MD5
2fa98acbd4a0970523fed894388af53a

SHA1
77163b7bdfe41d5937db7fdc99af9de6fa6f2bd3

SHA256
e46876ae594906adbe0d7b87c58d9795d166a3ace8d1571b961860eac93ae99c

SHA512
1507460a2980abbb69ac8e8a158f9d3accb9cf80354e8049d4a8ad2d0364f1e8b026fa493340c525dba35d97d450a22bf6ad7af715f1d19d874381b7bf9c5318

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
337KB

MD5
9f96d6242f2490c6116797af7f7ce648

SHA1
9b4bf52cd40a2e94abb018cc14a7efa37558a5c1

SHA256
2376fd20c5745bad287598ec708ef5fbd4143670504fd2954e09f27bf966cd7c

SHA512
cc226b2356b9b42990316c0fd1dc28ec0c17fadadf1e5dac3b1d83747142020a17d0dce6ce37e3bfeec9ffcc3a118ac81dd125f091399d2443fba8eda58744e1

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
337KB

MD5
92fff25b522730f2865bd777eda265ba

SHA1
79ecdd1db9bdc301db429ecb69211448c61f3f4a

SHA256
cb1febf5783853f825ac5d662abf6518d58c55763e980d4529e1e79e015f5b0e

SHA512
0163f931f8edc468185471f11d3f9b22d5a8c2530e514149b7be874942610616cb3b9cc4b0d73ff6b5e91cd51e678b8a5ae1da545ad03219c0728905d2d54e24

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
337KB

MD5
49cf9719fd3df59962513f024c680e94

SHA1
ffa285c67909e8e05febe3758bb613e58b952015

SHA256
21850626bd8398c6bd4966dbc10837b26d2dcb1db81fbde9cfa520f9070cfbd1

SHA512
c6a908ed9a16e4b16c9ea5e05c19cfa60ff4cf21f47d74e5a5ca46cb7fd884f2d62a446e7ecafd50f93c87a6a281d577b141d72281bd57fe7baffdc3a3513a02

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
337KB

MD5
fba3b3ce15cfa684a5cdc71a1bf9c554

SHA1
1ee25a04f5ea96f5b8266781cb9100377129fb37

SHA256
39eadbd5bd8216eeac86cc29d59cc5838feaa8b480242da474b43143da58bf2d

SHA512
3d605ecf2361e377db3566cbb076cbc2a651dd0d074a13243ba53c1a06957990810ef3a24992786cf5e11901c65089bb2567a3f5a5f469a43907043257058113

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
337KB

MD5
a9d3374f2cacac9970a9f7fe6a8795f4

SHA1
685a699e61588e779a5bb7ddb299101b5289bd96

SHA256
bc45c457bf600b4c92bcc74315067f9a6e2c4cb0d9626a0ae41dee0267c0606c

SHA512
30e2e4a184d7483e2e41507d3c34689b0d118b54809e360bde2702bfeb241f790223f65e8acabd6d923a321c8a491d2868c99cea8ec4502bf2a65ba296011205

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
337KB

MD5
3bc420b40848cfb1b361a1e774056059

SHA1
554c64e85ef90c3e8ddb928eea1c39add20c5eb3

SHA256
508ee3a257a9a59df67134e900058cea3ed41386ff12788757423e9c151f5c0f

SHA512
bf7757be4b79b0075a5d0098a3fafb400c1c07c629ff34969e10d85e391d9029126d78c7ee2c5640cb7e2f78aa03593fe4b08eaa0904b8d1b4b1896fcd87760d

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
337KB

MD5
80b0c2e479c489d32f4b3ae669d10e55

SHA1
24dff19f523ddb267fbc6d08e5987df6096505ef

SHA256
d073f0c84f6b63f7314a41b09530bede05e05ef07e14246c36b5857a91dd37d7

SHA512
8ea5ddde330ee14eccb3cb2895aa0116317f6aa43fb0bb3b7a81505d8ec8526008453764e489669cfdeb0d87f6014496b5b902be59b4952775368f4df988db77

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
337KB

MD5
c181e21e998904fca1f793650530aa5e

SHA1
20d77ac2375c0e89610d97c5b6b4e7291e2ca5ee

SHA256
4341bdb4914db9828300ec30f0fe394c0f94562fc218e8ca579e8be21484d904

SHA512
eb8fb687d85ee81d3723452d59dc7b1971d92a744427642eff460a74381d18f5129624f419c61c7e563bec8773451c7111061a964d6633e6fbf7cbf69fd5e5b1

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
337KB

MD5
0bb651dfae02f7d4f8eb9baf8a0ba001

SHA1
3c9547d4a32a426a23af90039148743a62d528f0

SHA256
c478d1a63c3cb580a333492c2a27b3db52fa1306d5be18ad481502f6c63989bb

SHA512
ee4adac35b9ad4da0ab302d2258126d2f64825d1f14e12340729633ea33497b1be7d1c083390ca7374e426740270d6e1cb4cffaecb561df82cff7e5a9accf20c

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
337KB

MD5
33e2ddc074481daf296959b60622c324

SHA1
16a8b96585271fc426ba407cd5c065df1ce6ec23

SHA256
390dbcf027a30014769a2e42d79cdbdf830c1b42e93d14fe8545e1a307fa803b

SHA512
9b55d0609f86fe7744ec025afdcfe19bb17ded7a7eae95cf972eea342d6b5101a0ef172d0eeaaf7e60a299c146ff63c2cd8a39ec36c04b0611b19f1dded990b7

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
337KB

MD5
f857a388fc800c1728c7537a9d2b2f14

SHA1
d5bf585ec2aea27bc2783011f265a0b3389fcc61

SHA256
49920964aa70ca530da81ab8bba644e90c6798e7740f27ab673f3c18ad50bf18

SHA512
6c9669238723cb764745d7174f27a29cd366b65fa4777ffd7343cef16709b5bd64a411a394a2b1ff9df59db7dd9a6a4f04e30e1b81012d023f4524473a507661

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
337KB

MD5
61faadc96d98ef0633ad319601867345

SHA1
027d028e5e4c496d72f3813c7e281ab4dea613ff

SHA256
1105ef61a351ffd5c99e86e74d5c0e67d1231f3e2c3a55e2b5d48352656de596

SHA512
0e5d97e78a522bdb89ca572eadffe5c0ae6e9c297e23694ff5349f866dfd4976e99ecee7ad05b545dba823a3610cd193713f23ff7ad82336ff17e1989aa2e172

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
337KB

MD5
a84db130382161e0359dd8df58faad57

SHA1
f65392eca833bd9108bfda4d1534c0b19ae1afe1

SHA256
6444939bb3fb28c424155562d53e0dd1fbbfa053876fcc4d628d80da69920ca2

SHA512
2e7a3f7548b3fddfa848eec00d8fbd489d06ef0c1a002182e8692f0f42b42d4bc21c8a8969b756e1adf4746bfa58f5fd0e5ecfea690dbf60b6140ffe37cb7331

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
337KB

MD5
b096059900496e948a0ac7d34d733a59

SHA1
13a273cf8b65d41189579bdfdb0259ef3379cd2d

SHA256
7aeb34435f4ec041b9aa0016a467fb3a5ad981f76732ac12c538b2da0b52703e

SHA512
434f28eb7e15d229a4bb508fb434bf335420e7ec5e8950b6e167452f9fcaae3cb25950c25e473326fd18d033214c98ff774b6287fb5f7deac37da59fd787d7f8

Download Submit
memory/464-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1852-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads