berbew | d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506d

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Size

163KB
MD5

5785cfd2cde0bbb5962e384b7a005c80
SHA1

6e4c515ede9d5ae45322b8cac39e0ba427f0458a
SHA256

d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506d
SHA512

dd4180796a6ba75ad767bfe9f6e26806962d0794402b22cf2717f6c0afa388985f8d98cf90b71bc24fa3acf47ad8a11239aea8ba5c90d4ba2a0810fc86dde406
SSDEEP

1536:PzJTghRRW6sLeK+V5/NM8dDlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:VToM3+PjNltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 24 IoCs

pid	Process
2500	Bnfddp32.exe
2800	Bkjdndjo.exe
2848	Bqgmfkhg.exe
2768	Bfdenafn.exe
2584	Bmnnkl32.exe
2616	Bchfhfeh.exe
2952	Bjbndpmd.exe
1348	Boogmgkl.exe
2632	Bfioia32.exe
2964	Bjdkjpkb.exe
2880	Coacbfii.exe
1848	Cbppnbhm.exe
1260	Ciihklpj.exe
1988	Cocphf32.exe
2532	Cepipm32.exe
300	Cbdiia32.exe
1256	Cinafkkd.exe
692	Cjonncab.exe
1468	Ceebklai.exe
776	Cmpgpond.exe
984	Cegoqlof.exe
2480	Dnpciaef.exe
1192	Danpemej.exe
2344	Dpapaj32.exe

Loads dropped DLL 51 IoCs

pid	Process
824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
2500	Bnfddp32.exe
2500	Bnfddp32.exe
2800	Bkjdndjo.exe
2800	Bkjdndjo.exe
2848	Bqgmfkhg.exe
2848	Bqgmfkhg.exe
2768	Bfdenafn.exe
2768	Bfdenafn.exe
2584	Bmnnkl32.exe
2584	Bmnnkl32.exe
2616	Bchfhfeh.exe
2616	Bchfhfeh.exe
2952	Bjbndpmd.exe
2952	Bjbndpmd.exe
1348	Boogmgkl.exe
1348	Boogmgkl.exe
2632	Bfioia32.exe
2632	Bfioia32.exe
2964	Bjdkjpkb.exe
2964	Bjdkjpkb.exe
2880	Coacbfii.exe
2880	Coacbfii.exe
1848	Cbppnbhm.exe
1848	Cbppnbhm.exe
1260	Ciihklpj.exe
1260	Ciihklpj.exe
1988	Cocphf32.exe
1988	Cocphf32.exe
2532	Cepipm32.exe
2532	Cepipm32.exe
300	Cbdiia32.exe
300	Cbdiia32.exe
1256	Cinafkkd.exe
1256	Cinafkkd.exe
692	Cjonncab.exe
692	Cjonncab.exe
1468	Ceebklai.exe
1468	Ceebklai.exe
776	Cmpgpond.exe
776	Cmpgpond.exe
984	Cegoqlof.exe
984	Cegoqlof.exe
2480	Dnpciaef.exe
2480	Dnpciaef.exe
1192	Danpemej.exe
1192	Danpemej.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bfioia32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1516	2344	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2500	824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe	31
PID 824 wrote to memory of 2500	824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe	31
PID 824 wrote to memory of 2500	824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe	31
PID 824 wrote to memory of 2500	824	d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe	31
PID 2500 wrote to memory of 2800	2500	Bnfddp32.exe	32
PID 2500 wrote to memory of 2800	2500	Bnfddp32.exe	32
PID 2500 wrote to memory of 2800	2500	Bnfddp32.exe	32
PID 2500 wrote to memory of 2800	2500	Bnfddp32.exe	32
PID 2800 wrote to memory of 2848	2800	Bkjdndjo.exe	33
PID 2800 wrote to memory of 2848	2800	Bkjdndjo.exe	33
PID 2800 wrote to memory of 2848	2800	Bkjdndjo.exe	33
PID 2800 wrote to memory of 2848	2800	Bkjdndjo.exe	33
PID 2848 wrote to memory of 2768	2848	Bqgmfkhg.exe	34
PID 2848 wrote to memory of 2768	2848	Bqgmfkhg.exe	34
PID 2848 wrote to memory of 2768	2848	Bqgmfkhg.exe	34
PID 2848 wrote to memory of 2768	2848	Bqgmfkhg.exe	34
PID 2768 wrote to memory of 2584	2768	Bfdenafn.exe	35
PID 2768 wrote to memory of 2584	2768	Bfdenafn.exe	35
PID 2768 wrote to memory of 2584	2768	Bfdenafn.exe	35
PID 2768 wrote to memory of 2584	2768	Bfdenafn.exe	35
PID 2584 wrote to memory of 2616	2584	Bmnnkl32.exe	36
PID 2584 wrote to memory of 2616	2584	Bmnnkl32.exe	36
PID 2584 wrote to memory of 2616	2584	Bmnnkl32.exe	36
PID 2584 wrote to memory of 2616	2584	Bmnnkl32.exe	36
PID 2616 wrote to memory of 2952	2616	Bchfhfeh.exe	37
PID 2616 wrote to memory of 2952	2616	Bchfhfeh.exe	37
PID 2616 wrote to memory of 2952	2616	Bchfhfeh.exe	37
PID 2616 wrote to memory of 2952	2616	Bchfhfeh.exe	37
PID 2952 wrote to memory of 1348	2952	Bjbndpmd.exe	38
PID 2952 wrote to memory of 1348	2952	Bjbndpmd.exe	38
PID 2952 wrote to memory of 1348	2952	Bjbndpmd.exe	38
PID 2952 wrote to memory of 1348	2952	Bjbndpmd.exe	38
PID 1348 wrote to memory of 2632	1348	Boogmgkl.exe	39
PID 1348 wrote to memory of 2632	1348	Boogmgkl.exe	39
PID 1348 wrote to memory of 2632	1348	Boogmgkl.exe	39
PID 1348 wrote to memory of 2632	1348	Boogmgkl.exe	39
PID 2632 wrote to memory of 2964	2632	Bfioia32.exe	40
PID 2632 wrote to memory of 2964	2632	Bfioia32.exe	40
PID 2632 wrote to memory of 2964	2632	Bfioia32.exe	40
PID 2632 wrote to memory of 2964	2632	Bfioia32.exe	40
PID 2964 wrote to memory of 2880	2964	Bjdkjpkb.exe	41
PID 2964 wrote to memory of 2880	2964	Bjdkjpkb.exe	41
PID 2964 wrote to memory of 2880	2964	Bjdkjpkb.exe	41
PID 2964 wrote to memory of 2880	2964	Bjdkjpkb.exe	41
PID 2880 wrote to memory of 1848	2880	Coacbfii.exe	42
PID 2880 wrote to memory of 1848	2880	Coacbfii.exe	42
PID 2880 wrote to memory of 1848	2880	Coacbfii.exe	42
PID 2880 wrote to memory of 1848	2880	Coacbfii.exe	42
PID 1848 wrote to memory of 1260	1848	Cbppnbhm.exe	43
PID 1848 wrote to memory of 1260	1848	Cbppnbhm.exe	43
PID 1848 wrote to memory of 1260	1848	Cbppnbhm.exe	43
PID 1848 wrote to memory of 1260	1848	Cbppnbhm.exe	43
PID 1260 wrote to memory of 1988	1260	Ciihklpj.exe	44
PID 1260 wrote to memory of 1988	1260	Ciihklpj.exe	44
PID 1260 wrote to memory of 1988	1260	Ciihklpj.exe	44
PID 1260 wrote to memory of 1988	1260	Ciihklpj.exe	44
PID 1988 wrote to memory of 2532	1988	Cocphf32.exe	45
PID 1988 wrote to memory of 2532	1988	Cocphf32.exe	45
PID 1988 wrote to memory of 2532	1988	Cocphf32.exe	45
PID 1988 wrote to memory of 2532	1988	Cocphf32.exe	45
PID 2532 wrote to memory of 300	2532	Cepipm32.exe	46
PID 2532 wrote to memory of 300	2532	Cepipm32.exe	46
PID 2532 wrote to memory of 300	2532	Cepipm32.exe	46
PID 2532 wrote to memory of 300	2532	Cepipm32.exe	46

C:\Users\Admin\AppData\Local\Temp\d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe
"C:\Users\Admin\AppData\Local\Temp\d7f729a2626b9a85e29a2f780bec8024021fd9709969b17fe21b43c6484c506dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Bnfddp32.exe
  C:\Windows\system32\Bnfddp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\Bkjdndjo.exe
    C:\Windows\system32\Bkjdndjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Bqgmfkhg.exe
      C:\Windows\system32\Bqgmfkhg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 144
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
163KB

MD5
99b58fa5e2b6a80bb9893629598cf5f6

SHA1
d9fb095ede633c8ad572eed10c883bc29f7edb8c

SHA256
efeeaa0ba1e164ce6857c828a6711d9775c1be9907c4162bb6cea4dadd3a9a4d

SHA512
7ec7eb7282e921b84db4a700a5d947100f781cda2b8b8b922b02bcd7ca1f79b564f99570daf2ee29d8185e802de3be30672e47ebe202b912f94593244d69d464

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
163KB

MD5
19db3f0a8bf0bbce227002f8d5fb28a0

SHA1
d0c9da23b25e26d66d2584b2584a0c27b2cea474

SHA256
032e74385b85099746e209db8ec7fdcc83b69b86965f69b64a6771be9f8d5567

SHA512
280fb52595c602d81afa35cbf1f558929fa0035643f8676b17435582f1ac4cf88bb06e482a657ab1fc1d7abe6dede1156fdd29f16b398b4a0318c2bece39959a

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
163KB

MD5
8a95f6c24f3c8889209cadb0d43d7a49

SHA1
52bad361e22372d13ae3c32b3893e116593cd053

SHA256
3d0f725f17ebd3d51826de399ed0dac93823c86802f1186ac82b854c2355ed4f

SHA512
d76300512a3dea24a9f89596e8a376386c5b153db4236607bd7e7f900da1c7403cb24e30e88c19cf90f5d07e5f6cea865772c3113f303423bc9cfd69902958d7

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
163KB

MD5
194047b806bd2ec6d84f7fbe68631ac9

SHA1
e220113718bfa8784f9ca5a7b9dc2099a8a01cfe

SHA256
2c3d6dfd2be5b28194c5a0cc8a31a3c0d6d53ce6e1ae4db03321faa2d6ae26c5

SHA512
2a02e9a1fca59e59d481c97437bbbb5c6c2649465ddbc7b354f342ab8d6b4305f2e4efe0ee01fcfb51c301cd83ebc65154b941d2be7ff831774e9522da35c60d

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
163KB

MD5
27d36010c24f6e797bde720cc40cbb21

SHA1
b70a615d5939c33c16481b885ab6364bb6404b9f

SHA256
ecfd9939bc3a8594de25212d707a8564196197a525934ad0295d0af0ab0357fb

SHA512
e6b2a2f407bb4b9fecf4d4bf3765d6cfc1017fa22d0e9efb49e67d6e2d7e73b4ebcc345c0825cf560a6609476afa74a6f36421780ec815c051bfe0b12089cbe4

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
163KB

MD5
2dfab55f876ceca540c564fc31faa7ca

SHA1
c4eb2810155d4b8ceb9c69f6559ce2c35cb528c0

SHA256
0359c3ea4ce22a8c21947d55b6820a563879bdaeceb0f4320b8021fe0c998b89

SHA512
22d9da3a5e7876e0b1c402a2d444eeb36094b9b3f03dd96dc32b3fbd246aaf78865eb0e1c56387cf9001ecac3e4e1ba8d7f4984e08d6bb280f05aad3a452c689

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
163KB

MD5
7c5ed9a6e32f352acf2ed06bfb9bade2

SHA1
fc65e1043d9c5ecc317d266f8759f7b010454498

SHA256
c9d119ea587b300937c731efa8bfa5a4d0046399e60cba7ec13763bb44d75692

SHA512
24f1eeed5d2fdf22786a614f0291e779808e5b4eb73377235845b40aa60a407bf8c5ab259edfd1523fc1d44617f9cfd435114b36b703d79099ed4b94b9a56d96

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
163KB

MD5
efc59225cdf698e40bbe5f918c482671

SHA1
692f425317c8fdbc369c0954375a6271be4ccba6

SHA256
cdd2c2c4b0514b9da4f176e4d9be1cbcd9ee79a0eb3886d98a3331c7d7b904a4

SHA512
d255e95f354738f7dbf5c574682c3bc21b688b4a4c45dc1846af5bb81e6199122c77fad4978157c23e5b858ac6d30e756dabd234b632302eb0d2c3fb0fde3c46

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
163KB

MD5
a44a3799c4059cdaf3ad1b1b701d09e9

SHA1
f03c91e775f160cc4a0454f2af13a54aa9de81f1

SHA256
a9bcb6befd415b19260e5b9ed3f9b767f80a2dede45f188047f91cef6cff647d

SHA512
a06bffd31e310d9f192c94efb76afada6caecfc6f9b2650f4207c4f2d1a94604d324404df643fe228da20c880fd8fe956c854ba8f5eda2457f70344c54a67f8a

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
163KB

MD5
2399097874abcfdcea58d91c6b9da52c

SHA1
10c54e0116a7d9afb4764c13ae2d0be31c2cf104

SHA256
681a1b9ea8b7882e217b60f6b9bc0cc40addac650dcb200d5cec1eace8ce9bb7

SHA512
53954ff5955c60e83b632f69a847e85a9bc5d8e75572e5269740eb1e26453f2d9d88bf807406b35e96042021392793a33d26484d4a1572a29c4a57d1267515a7

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
163KB

MD5
9f7c348546a5030f6cfff7f1e349a010

SHA1
dfbef73aa38045c0ed61f3fdd81cad867cedab08

SHA256
2e5faa09ed8f8b5a6c12a1dcce6b96ea6b0fc9e461aed143e951617d3b727120

SHA512
0d411b5ca195e34e266e43e490386414332428da33dd794502d0941b5357d9557286808a5de1e437c42dcc2a9d21459e5b2c68bf627131a10d6e5e8960dd57b6

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
163KB

MD5
69d65a265783313ef16ce5a7d6013caf

SHA1
523934136190bcfa759106c322bc032320662832

SHA256
5b987c38bf8acdc85019392f9c7dfcdfc2a3c9ac5e55fd2efe0cb3f558475f80

SHA512
8e4572ce15e87f06c12ca0d60a1fa5f93c74f5fdd0f25718acb628de0c60f57dbcac5b99589af673057173b6a78c8188da453aa1136a6a1c2de154bfc7a3220a

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
163KB

MD5
2912a57f1c68ecd3d73fcd2f3bf3d704

SHA1
0caef72e6082730afe5fc1b7825e9b0c23c6880c

SHA256
d9c01d8e61630c45445870a0ac9ce4fe990ab205ac4c76fa2aa4b13a7b306596

SHA512
0971ca6498144fcee2c9bb626c6afee76bef3853fdaafed471c7f4cf51123e3b98e5214bb7458fcf803a389d41d5b37e4cb6944ca4caf8065d7d7f4ca76e2ab6

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
163KB

MD5
28442c667a4e155d222fdbb685b800b5

SHA1
9e4dd1f5fdad35bd17e18ee3be75d8100b69ae13

SHA256
bab6cd76a6d8ff45eeedf8faad86b3c63b02a96ea24bbf24e0ada280bbe12a1f

SHA512
ccebb7440b0ea6ee31c96348a5bd784af154d20d86a5835b4c81e9cbd3912eb162c79160447ebf7404e81895c33e1777ecb5e2ce14442ef711e7c5875016fd7b

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
163KB

MD5
88f101bab7b1a18fe10b32d1ad247f57

SHA1
f77a7b347ce35939bf448fa3d0b0140c3cd0eb63

SHA256
7117e0b3c04b90075ad4e0d9cfb53db5af1fade6e936f46b09ebdc6513ea6174

SHA512
5925e95e030eec856e986804be59caa47346dfb0abca76ab46a3b16db416c15293547ac804abc1adb91fe4365368b3ddbaca1faedbecf090fde4528c6a6e0aa6

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
163KB

MD5
742efdb97231c84b56d87bdc0e2804d1

SHA1
77012a25e83e96902e81b35e2264a68efbe7e903

SHA256
17522b1254cbc0350874fe3e79c704ce8e826caaa98417d80cfca0904b417963

SHA512
4dd63438c66f2b774179420712727e3332e620179f3f0239a34fc7eeb7ce488c9b32108aabf43430385a09acdba193610e09015a1b82587ea1c5cb247b2e13bc

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
163KB

MD5
6431f40ec53a40f054e662983b53c420

SHA1
d42a74a15f6024c20efe7b87dd4a5bf564b56e6a

SHA256
8f78b7aa6f821d2103698a6a68dce40c805ec96128b397926cd6c902c872e346

SHA512
708e1b04569f6791d59882c8264f9aa01bff7ea505e285f4b2aec24000be83a5f17b7e74518f9c1b73ccab22d90a4ffe5d1fff49c4fae09ab446e4b3ac2ed329

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
163KB

MD5
6a2d6b7b3ed812e4e0e01acddf9b72a2

SHA1
070a45d4c8f3b4f5c72568b87d8ca5bca638463f

SHA256
5d410274dfd0ab7523ba2b90bacdb7aad2b50e622622d3f9e9c3ad0df0414733

SHA512
df7b915f74a6cc5c4c65dabddb383ed6fa92784035ab9361f1ec66a86c2fdba35e3551e46d63c587d2fdc4b6ec3d876d2bf0fe3452e90fa8caca50448bf01d33

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
163KB

MD5
bf4148911ec5def5d6abc1123e54f873

SHA1
f1bb383166d626761be53c1e43670bf22ac5a1c7

SHA256
3c77aa2a04be1e29b2220f8eab8848935dcea1044d73d1f9627155f4d20e2345

SHA512
7cc5859b9daf8a3013964adf1109d7a1f6718cef3551619b1665143ce080254af46daaaa0335cd6ddbc255670e8d2ec8faa45bb8364fc719365e778e2e283c76

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
163KB

MD5
954c8bd391794976923281a065fe8e90

SHA1
dec4dda4f2e556b4b32db1e5b7f6adb44b403694

SHA256
6ef513d1bb137f7701a33fcbdb5dbc38a9d16bf5095b29d1cdfc532c38b02b85

SHA512
33df96ca598b5832e15a1349787850e55fb1ee587c0822c11ea7ee25aa2452078840fa52690ad942202efeded54cd7b1edf47b8b1ddc1bca45024941655c0f0f

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
163KB

MD5
daaabc0a55acf1091a74e464fa36a8fc

SHA1
927865b79709cc04570b849f28490540fd06d9ea

SHA256
944fcad7a3baf227e9bb47e1aa1b00c70782cde5da4904884b38de2a69e5d6a9

SHA512
92222bcd7bfa0a3471ce6787d3d12d8cba8290e8eee68739abdb3826a83012f3edadd66313eba5489c635c3e2f6428c8f20bf720fcb1071a6a550b99d26674c1

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
163KB

MD5
ccc1e18fcccd7a780690420290ac37dd

SHA1
eaf6a26f24f96f404d34eedef240e6e75dbfdfdf

SHA256
89563829abec8eaeeb4a8a7b073ba8664efe7c1212ccb32899342203f9a3c9f7

SHA512
85969cb5bcbd7e633ce272e0e5b4d68b0f58178168130e0ffe9f755c285a0a9154f3441f56b478f6be2273278020025f0d10fdc9dd74e38a7d19d7db62118c0a

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
163KB

MD5
13c32251ed6447c9900f911968145a59

SHA1
c87b82b6d2d7ffa769dd53b11c1aad6827647649

SHA256
7a2645f78f89bcfb8f74a2bb1165ec6d739369fee5bfa070855741fb12a3664f

SHA512
a0ce7cb56c230b63970024e5aee9f24e950144271945b7faba79d3b42b1d267e2f9e4bb8f1b9942501a999b1f4f294b9a82020efa2271c3987d142adfaa8dbe8

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
163KB

MD5
77628c2273c8ca213513d017f28da544

SHA1
5022cbd53f36d74c364c3ffa90d446bd19952f87

SHA256
c5c7e86f9559c8acf20014863e8518b364872c99dcdd37c91a781b231c320c5a

SHA512
52cb8fb9506b15944975aa773daf78d051e5ec1011345a1b131e186b1c0507350709de151bf5e740003283fcc1e83c653a6b7d2d69610c234aa7c69bfc810ac2

Download Submit
memory/300-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/300-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/300-219-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/692-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/692-244-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/692-240-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/692-238-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/776-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/776-266-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/776-262-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/776-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-11-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/824-12-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/824-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-276-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/984-267-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-277-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1192-298-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1192-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-299-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1192-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1256-233-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1256-232-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1256-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1256-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-172-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-255-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1468-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-254-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1468-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1848-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-195-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2344-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-292-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2480-291-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2480-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-26-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2532-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-210-0x00000000006C0000-0x0000000000713000-memory.dmp

Filesize
332KB

Download
memory/2532-205-0x00000000006C0000-0x0000000000713000-memory.dmp

Filesize
332KB

Download
memory/2584-74-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2584-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2584-67-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-127-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2632-124-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-47-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2848-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-157-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2952-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-100-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2964-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads