berbew | 071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Size

93KB
MD5

32abb3281476f98f214dc973146808f0
SHA1

875de1c5182deec762c94c376f2429e5331420cb
SHA256

071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18
SHA512

0f95de64909308b05080d0d6e78d26ac19bf85a47e43c5bded69858027840bc26970796c705639c8c2885a5efb67b8a5a49ac0d6dcf9684f799ffd0a68fa4e2d
SSDEEP

1536:AIYa7rvs1iFJPUHpL+1Faj28+51DaYfMZRWuLsV+1Z:AID8gJsJL+1FZ5gYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 22 IoCs

pid	Process
684	Adlcfjgh.exe
1148	Akfkbd32.exe
740	Bjkhdacm.exe
2888	Bgoime32.exe
3000	Bniajoic.exe
1532	Bceibfgj.exe
2644	Boljgg32.exe
804	Bmpkqklh.exe
1052	Bbmcibjp.exe
1948	Bigkel32.exe
348	Ccmpce32.exe
320	Cocphf32.exe
1988	Cepipm32.exe
2392	Ckjamgmk.exe
1516	Cebeem32.exe
1336	Ckmnbg32.exe
604	Cgcnghpl.exe
2192	Cnmfdb32.exe
1360	Ccjoli32.exe
2292	Cfhkhd32.exe
1796	Dmbcen32.exe
2596	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
684	Adlcfjgh.exe
684	Adlcfjgh.exe
1148	Akfkbd32.exe
1148	Akfkbd32.exe
740	Bjkhdacm.exe
740	Bjkhdacm.exe
2888	Bgoime32.exe
2888	Bgoime32.exe
3000	Bniajoic.exe
3000	Bniajoic.exe
1532	Bceibfgj.exe
1532	Bceibfgj.exe
2644	Boljgg32.exe
2644	Boljgg32.exe
804	Bmpkqklh.exe
804	Bmpkqklh.exe
1052	Bbmcibjp.exe
1052	Bbmcibjp.exe
1948	Bigkel32.exe
1948	Bigkel32.exe
348	Ccmpce32.exe
348	Ccmpce32.exe
320	Cocphf32.exe
320	Cocphf32.exe
1988	Cepipm32.exe
1988	Cepipm32.exe
2392	Ckjamgmk.exe
2392	Ckjamgmk.exe
1516	Cebeem32.exe
1516	Cebeem32.exe
1336	Ckmnbg32.exe
1336	Ckmnbg32.exe
604	Cgcnghpl.exe
604	Cgcnghpl.exe
2192	Cnmfdb32.exe
2192	Cnmfdb32.exe
1360	Ccjoli32.exe
1360	Ccjoli32.exe
2292	Cfhkhd32.exe
2292	Cfhkhd32.exe
1796	Dmbcen32.exe
1796	Dmbcen32.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
992	2596	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 684	1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe	31
PID 1668 wrote to memory of 684	1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe	31
PID 1668 wrote to memory of 684	1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe	31
PID 1668 wrote to memory of 684	1668	071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe	31
PID 684 wrote to memory of 1148	684	Adlcfjgh.exe	32
PID 684 wrote to memory of 1148	684	Adlcfjgh.exe	32
PID 684 wrote to memory of 1148	684	Adlcfjgh.exe	32
PID 684 wrote to memory of 1148	684	Adlcfjgh.exe	32
PID 1148 wrote to memory of 740	1148	Akfkbd32.exe	33
PID 1148 wrote to memory of 740	1148	Akfkbd32.exe	33
PID 1148 wrote to memory of 740	1148	Akfkbd32.exe	33
PID 1148 wrote to memory of 740	1148	Akfkbd32.exe	33
PID 740 wrote to memory of 2888	740	Bjkhdacm.exe	34
PID 740 wrote to memory of 2888	740	Bjkhdacm.exe	34
PID 740 wrote to memory of 2888	740	Bjkhdacm.exe	34
PID 740 wrote to memory of 2888	740	Bjkhdacm.exe	34
PID 2888 wrote to memory of 3000	2888	Bgoime32.exe	35
PID 2888 wrote to memory of 3000	2888	Bgoime32.exe	35
PID 2888 wrote to memory of 3000	2888	Bgoime32.exe	35
PID 2888 wrote to memory of 3000	2888	Bgoime32.exe	35
PID 3000 wrote to memory of 1532	3000	Bniajoic.exe	36
PID 3000 wrote to memory of 1532	3000	Bniajoic.exe	36
PID 3000 wrote to memory of 1532	3000	Bniajoic.exe	36
PID 3000 wrote to memory of 1532	3000	Bniajoic.exe	36
PID 1532 wrote to memory of 2644	1532	Bceibfgj.exe	37
PID 1532 wrote to memory of 2644	1532	Bceibfgj.exe	37
PID 1532 wrote to memory of 2644	1532	Bceibfgj.exe	37
PID 1532 wrote to memory of 2644	1532	Bceibfgj.exe	37
PID 2644 wrote to memory of 804	2644	Boljgg32.exe	38
PID 2644 wrote to memory of 804	2644	Boljgg32.exe	38
PID 2644 wrote to memory of 804	2644	Boljgg32.exe	38
PID 2644 wrote to memory of 804	2644	Boljgg32.exe	38
PID 804 wrote to memory of 1052	804	Bmpkqklh.exe	39
PID 804 wrote to memory of 1052	804	Bmpkqklh.exe	39
PID 804 wrote to memory of 1052	804	Bmpkqklh.exe	39
PID 804 wrote to memory of 1052	804	Bmpkqklh.exe	39
PID 1052 wrote to memory of 1948	1052	Bbmcibjp.exe	40
PID 1052 wrote to memory of 1948	1052	Bbmcibjp.exe	40
PID 1052 wrote to memory of 1948	1052	Bbmcibjp.exe	40
PID 1052 wrote to memory of 1948	1052	Bbmcibjp.exe	40
PID 1948 wrote to memory of 348	1948	Bigkel32.exe	41
PID 1948 wrote to memory of 348	1948	Bigkel32.exe	41
PID 1948 wrote to memory of 348	1948	Bigkel32.exe	41
PID 1948 wrote to memory of 348	1948	Bigkel32.exe	41
PID 348 wrote to memory of 320	348	Ccmpce32.exe	42
PID 348 wrote to memory of 320	348	Ccmpce32.exe	42
PID 348 wrote to memory of 320	348	Ccmpce32.exe	42
PID 348 wrote to memory of 320	348	Ccmpce32.exe	42
PID 320 wrote to memory of 1988	320	Cocphf32.exe	43
PID 320 wrote to memory of 1988	320	Cocphf32.exe	43
PID 320 wrote to memory of 1988	320	Cocphf32.exe	43
PID 320 wrote to memory of 1988	320	Cocphf32.exe	43
PID 1988 wrote to memory of 2392	1988	Cepipm32.exe	44
PID 1988 wrote to memory of 2392	1988	Cepipm32.exe	44
PID 1988 wrote to memory of 2392	1988	Cepipm32.exe	44
PID 1988 wrote to memory of 2392	1988	Cepipm32.exe	44
PID 2392 wrote to memory of 1516	2392	Ckjamgmk.exe	45
PID 2392 wrote to memory of 1516	2392	Ckjamgmk.exe	45
PID 2392 wrote to memory of 1516	2392	Ckjamgmk.exe	45
PID 2392 wrote to memory of 1516	2392	Ckjamgmk.exe	45
PID 1516 wrote to memory of 1336	1516	Cebeem32.exe	46
PID 1516 wrote to memory of 1336	1516	Cebeem32.exe	46
PID 1516 wrote to memory of 1336	1516	Cebeem32.exe	46
PID 1516 wrote to memory of 1336	1516	Cebeem32.exe	46

C:\Users\Admin\AppData\Local\Temp\071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe
"C:\Users\Admin\AppData\Local\Temp\071f404bbf5e1caafb8297b5a0ff9d12b2cbc046832dba53d70716690826ab18N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\Adlcfjgh.exe
  C:\Windows\system32\Adlcfjgh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Akfkbd32.exe
    C:\Windows\system32\Akfkbd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\Bjkhdacm.exe
      C:\Windows\system32\Bjkhdacm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
93KB

MD5
34d7953f5d9cc955745ba7cf64e4bc15

SHA1
6ca45d81dd68b095286d88cad93d77132abf8c2a

SHA256
5f4cea004c05c109a4d93273154238e4040c1b618bc59c832fbe5dc0d37c811a

SHA512
0184699b8c5fc4a53ff4b87aaee9d9864fd14f04ec0c359052e143a0c13af06ff578a35898a0a4a3d66e83963bb19b6d354d686c314d219e1d8cc34f9f5e90dc

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
93KB

MD5
86706df6e6cdc2df2a12752eae362dcb

SHA1
f91861b8794d25c34322460d7cc61399ec76a3c6

SHA256
8723896500603c860420643b300081ddd5deab93ecd014550d3686d1a3837771

SHA512
d091cd921dbd550e1f7e0f855100b75b0095eeba506920d2526076937dee042bc57626f5e75cce8965bea78573ee9dba81a71b353a85d4a23b0a7408735395d1

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
93KB

MD5
c2dcf1b3975dae666e2e5b434df8b5e2

SHA1
0c3786a73a432a139edab27e0076bea60f6c88ce

SHA256
39bd4263d067bd0f6932246a5719763936caff1f1a3ac371cad7ade8a9a58a56

SHA512
17995b8db5229dc6b4dc808e57181e62491c14c49a5b0651f83edf0be11b67df3ecb2c537d61ed60802e72cb5640e38e70b07dc6d9b2cf82729bcdf81921334a

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
47163beab54dbc1b9d2d0837ceca9a27

SHA1
feb8a92a426f7d18fbf71cc241be63626981c1fd

SHA256
6be575728a91af476321d827820a142e8d86e0a275e0c0713cbe651e8f95ce8b

SHA512
8b3e619871fe1b5bb80896aa3301c99b3bc1dab12c7079f29e631bdae146472a82b9d4b9234988eaddba9246b307861b09f27bb94bf96ba8124a8be2c2ee9446

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
7f04ddabe2345bac35a11f564597c49b

SHA1
51198df50109c72aa1cbfddce82b1f5c1f81d550

SHA256
db9f9e7aa5223bede61785de3b9fed00d0b6315dcb36d353d27eabe25349045b

SHA512
a5ba6244a762afb2ab830caa915151cb6166a90e1c44bccafa0cd2833ac2e80726a1507b2e0430043fc6ac4f5af7606ca6221102ecaf8a1c63bc0229882655aa

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
e5ce3ec88ed6180b0aee276179a9d5d0

SHA1
20b241524c40fe17f2abce0fbf8acff3ed225ca4

SHA256
cbca86f5ae00ab75f8fe2bfe14ef63bd187724a3b4da5e9dd2c4386e6de1a758

SHA512
e12f777270d50b6a1219ec16265d6861ccda5cb8d58c7923f0e7e2a0080dddaa74f415e90428ef8e9fe4da994417deeaaa8da124406ad9d033e35c54e4124f2a

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
5537b0a882f374b7159b3e161dc7c2ea

SHA1
b0d899e708e0b52a77e1c93badd8fa3dfa148704

SHA256
7f1578ad2255666e7c33c9090a16c9d76d8a262fb46f70bd4332747c257f4374

SHA512
a388f10e3af17b3474085d9d41a4f51dfff7aee713f27b6a090f3580d546bdfb1043882c9c03e738a58f15d4db942b9e676d3a20f5830312549603ac7e46821f

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
93KB

MD5
ea76ecc8587586238d3fa5754bf140e4

SHA1
a22b3e2c06fbc216787a920e98d9362941edccc4

SHA256
3e1f16f3a5510170b9efd26b695f5d2da36856941aa9d6361e47233e35635047

SHA512
072c45b505d0d35407ef1ee0c51fae60a7d09e482766db2d51964b65b1ece77c3d55ae680271b3c8bcb0a03d61e3fb551908a1b8374f3a42164e2891133e6872

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
d07770385d3e5311f5c28ad9bc182c48

SHA1
28d79d29d1dfed0801810d717059d7b602b38569

SHA256
478dee3675805c8d9c993af06edd68674641973a2f0108776e195f6ce1c9920e

SHA512
319f130930b21f8219c751c81bf28a1cbbb92839f588fcc920842d9f205f109ed619cc50cc21f8296c869375905b20e54523264b8b6ca4577796b771d82288c1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
328c22ee8de846a3253e22c140c9a20b

SHA1
91c2dc57235907e5f0e77a8b7326ede64039ce47

SHA256
829efdf31e53c50f772fde2db868dce8f7117f751f48eba5dd065fe071f567ec

SHA512
a3456dc609d0993b70436a7095869abf154f91cbdf49d9c72fc28f1c004c51092d95b6ace91805809552c58b1e4c349b6bfa893336bb45d00c009beaf276338b

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
93KB

MD5
46a4f07bf907362943d5b40b5c15a7e6

SHA1
54e22ad7cbe3b5f2fe80797bfeb422d9cbaf42eb

SHA256
c3889975357a7bb00c512f5020a483643f5dd44e410a7d9c4d95379a76f35abe

SHA512
ee078bc6fe27d120f51b65a78605164b930e795a17d900f00987cb01a952ff91f03cc425d262bfe0f4ad869d13db977ce1afb93662642a22ba0262e3bc82bf69

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
93KB

MD5
48baf90c9832ac79c68059d6d87cfca8

SHA1
bacb444eba1df9e95e96c0de758ec54c2a868d45

SHA256
44c4ded46f9945f871f6acbaf973e06f5362d219dcb57be6e0af067277b75ccf

SHA512
78625e1649718ed40c893474e2b0b9ae8134248f4dc4860ec23610c0a5f10a4e61213df222de9f04421eacd62d0735fb815467a383f75a568afc2419d41a7441

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
93KB

MD5
8a9c4b8c33cfab66a901ac3d8d6d70ad

SHA1
b7440c3b20f39b3187d0d01df1016269bec77aa5

SHA256
4c6bdf5b3a7d6d5f3e8ce7c93997611823b9c8fd20c8988bd25879e757777d32

SHA512
4e3b55fdf35206f6dc9b21271b66e1fb12f7571ed1cb7ff020722e082768b1f60f1cad2958922642c8786d7aa0e70412508f129a3dd18218350029edf9c37993

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
93KB

MD5
8204bbbc0bd8f6431bcc69cb0732ccf5

SHA1
37fbc9b0037c67d2a289d7272e3542012828a9d1

SHA256
f4b26587c5415a264a7d0f7f386142ffd16977fb2cc5a0e3a3c051b66d1618e2

SHA512
becffec9dc572a48f77e7f2556df567ef61ae80ebb5b13996c709a5f4df75047692b154e2e40ec925177f69a107cdb6a05b2e2d3d67e6d1b5d378aa197aaf78f

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
93KB

MD5
20d781a0b151095c650e7551af11d418

SHA1
97302ad8b8f679a208ec31a6f8ee4c9e44e03829

SHA256
e20bdc8ad9d6feabcfa67a5bd215f8b4b925a4c0e386105034885eb889572404

SHA512
d64d9b27b67238996353f72c9dc64902230d81cc9ddaf12b769b1624c84d849e95e7cd8ca08ec06c76e1f58adfcdac2c082e9cabccde58c2dc82a5d5b7381b59

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
93KB

MD5
cfc6c966e3740cf711194992dc396839

SHA1
07e2f285368e050589c6f60367937f5fdeaf1d12

SHA256
75d8bd929127754f01215f0fcd692059f7fc6ea46ed9e1b60e58ec2d151e815b

SHA512
2d3f8e1799f6e98d10b84b0ccd0f6fe906541737cc8df87f2cd2f7031fc4bee9716d44dd635bed2b4afcf50636670ccc53d3f9a3784ebe8a4fd0c87ffb1d0e70

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
93KB

MD5
919bb9e880bc52823e95afdea431eff3

SHA1
57353c946ece4778720fe973431592bfdcb51858

SHA256
64e6250ecd7df0adc76fa8f390dd3805ec36ac9cbfb1e917ee87c66c039845cc

SHA512
d1aec763b613de2416cd85e823604a844bc3d51e4d3b8dabe0c4573c0a17b7d218c4c996dd224faac9e3767bbe3bca27074e702e37d96a1e3f4ce0ed7f04f629

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
93KB

MD5
7452b2a7f2891dcfa7df5fbe2b04549d

SHA1
31bc47d5335560e5e3d672fd8d28e66d9e55385b

SHA256
6dd161ec787862b386a2e8eff7f700f989bf63a6df0649359908ced42a8984bc

SHA512
0033cd93add7137df4d7810e2dea74bd7366e34f3bdd45d7270d544604c5a7c0b46679294603a886e60bf344c5bf56a5e68bac47ed135ee9f5126d5b7c0f9691

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
3c3a23a01f808e6d55ef51549b866784

SHA1
e0ecfffb191f3da838e6828ceb6a7820bcc5ef94

SHA256
c519f6fa592b3b08c55902dc067eaa7f7d2691a9b6b33caf10e8e70834d2d5d3

SHA512
4325056d911defb307abbb7bc56dd859ca3a1e5ce58a71df8af3bd024fa83e0ce95170ce3c2574ddaca332222c3c9a5747f8b96d68d9bc66bb3fde5541a2a8c7

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
93KB

MD5
7a2d428ca74ac804666f8b2b55e2f78c

SHA1
920ada4b7056361aaef27c0fa40ae49bdf3a99ba

SHA256
7d2db26088ecf53e7e5a11dffc58e128c43df9d7c5669baa86b65b125e135748

SHA512
474b9fc53f226e7df693ee817d5c59fa32ec3bc542ce3ac9c65232b5632c4c9c04d150b487a32e425abdf5832ac8364da134eec37b19876db43b2cea4d3ac97d

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
2fa026e3c1fcef84b7c8fbef1476670f

SHA1
571fcad11df135c754b516f2e0c510e6c67170b7

SHA256
c30a3e0f35506ddb6fee3884eb553564d15d4788b381e9b94b2c5e6c6e2222d5

SHA512
ec28abde6020a0667d6745c4bbce94375a4eb5702b08d69f6ef2596f4d7919f51718780f6421b54c086f5ea3c48669c6023549d71a84e95db94b74df82219128

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
93KB

MD5
78a1961ba184b64bd96b7bb713a02daa

SHA1
2ea7eef7719a376ff482c3c67c98ca1cf6a9f98a

SHA256
1080e1313e9705349b21128cb0afb3028aec80f694170ca5e578bda4dd0edf11

SHA512
86b61567b7829708f074489dfd6e44508322571016988568c550c2d262e4a470e5218fe2ac507cc9a7a1c948886b90ac8142d524518d17e1ee41a34412459202

Download Submit
memory/320-169-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/320-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/804-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-116-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/804-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-34-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1148-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-223-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1360-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-91-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1668-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1668-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1668-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-144-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1948-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-245-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2292-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-260-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2292-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-198-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2596-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-63-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2888-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-81-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/3000-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads