berbew | b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Size

59KB
MD5

a931b2509db2a8a5aec8395ff49b1905
SHA1

4a72c7f16902512e8d74f3070edac79b532a81dc
SHA256

b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e
SHA512

8d221bda29c0349dc8a0fdbb8aeb5e240e3b884de82f45f54225b117dfcd91bc0b2f4bf5966e72d99637de108aceb3f6a2a197406bdc25d3948f4799e9f8c81d
SSDEEP

768:V3SJqHl3igCWbHIDPzm5zHY/bFTtecK+nqW6KrY6MWxEXQ/1H5rXdnhgPD4N:V3DAgVzSPSRY/bFTplDroWxEazh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2840	Bdqlajbb.exe
2740	Bgoime32.exe
2784	Bjmeiq32.exe
2564	Bgaebe32.exe
2580	Bchfhfeh.exe
2556	Bmpkqklh.exe
2608	Bbmcibjp.exe
484	Bmbgfkje.exe
2544	Cbppnbhm.exe
1164	Ciihklpj.exe
992	Cnfqccna.exe
1292	Cepipm32.exe
2876	Cgoelh32.exe
2212	Cagienkb.exe
832	Cnkjnb32.exe
1540	Ceebklai.exe
836	Cnmfdb32.exe
720	Calcpm32.exe
544	Cgfkmgnj.exe
2004	Djdgic32.exe
2380	Dmbcen32.exe
1816	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
2840	Bdqlajbb.exe
2840	Bdqlajbb.exe
2740	Bgoime32.exe
2740	Bgoime32.exe
2784	Bjmeiq32.exe
2784	Bjmeiq32.exe
2564	Bgaebe32.exe
2564	Bgaebe32.exe
2580	Bchfhfeh.exe
2580	Bchfhfeh.exe
2556	Bmpkqklh.exe
2556	Bmpkqklh.exe
2608	Bbmcibjp.exe
2608	Bbmcibjp.exe
484	Bmbgfkje.exe
484	Bmbgfkje.exe
2544	Cbppnbhm.exe
2544	Cbppnbhm.exe
1164	Ciihklpj.exe
1164	Ciihklpj.exe
992	Cnfqccna.exe
992	Cnfqccna.exe
1292	Cepipm32.exe
1292	Cepipm32.exe
2876	Cgoelh32.exe
2876	Cgoelh32.exe
2212	Cagienkb.exe
2212	Cagienkb.exe
832	Cnkjnb32.exe
832	Cnkjnb32.exe
1540	Ceebklai.exe
1540	Ceebklai.exe
836	Cnmfdb32.exe
836	Cnmfdb32.exe
720	Calcpm32.exe
720	Calcpm32.exe
544	Cgfkmgnj.exe
544	Cgfkmgnj.exe
2004	Djdgic32.exe
2004	Djdgic32.exe
2380	Dmbcen32.exe
2380	Dmbcen32.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cgoelh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	1816	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2840	2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	31
PID 2308 wrote to memory of 2840	2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	31
PID 2308 wrote to memory of 2840	2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	31
PID 2308 wrote to memory of 2840	2308	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	31
PID 2840 wrote to memory of 2740	2840	Bdqlajbb.exe	32
PID 2840 wrote to memory of 2740	2840	Bdqlajbb.exe	32
PID 2840 wrote to memory of 2740	2840	Bdqlajbb.exe	32
PID 2840 wrote to memory of 2740	2840	Bdqlajbb.exe	32
PID 2740 wrote to memory of 2784	2740	Bgoime32.exe	33
PID 2740 wrote to memory of 2784	2740	Bgoime32.exe	33
PID 2740 wrote to memory of 2784	2740	Bgoime32.exe	33
PID 2740 wrote to memory of 2784	2740	Bgoime32.exe	33
PID 2784 wrote to memory of 2564	2784	Bjmeiq32.exe	34
PID 2784 wrote to memory of 2564	2784	Bjmeiq32.exe	34
PID 2784 wrote to memory of 2564	2784	Bjmeiq32.exe	34
PID 2784 wrote to memory of 2564	2784	Bjmeiq32.exe	34
PID 2564 wrote to memory of 2580	2564	Bgaebe32.exe	35
PID 2564 wrote to memory of 2580	2564	Bgaebe32.exe	35
PID 2564 wrote to memory of 2580	2564	Bgaebe32.exe	35
PID 2564 wrote to memory of 2580	2564	Bgaebe32.exe	35
PID 2580 wrote to memory of 2556	2580	Bchfhfeh.exe	36
PID 2580 wrote to memory of 2556	2580	Bchfhfeh.exe	36
PID 2580 wrote to memory of 2556	2580	Bchfhfeh.exe	36
PID 2580 wrote to memory of 2556	2580	Bchfhfeh.exe	36
PID 2556 wrote to memory of 2608	2556	Bmpkqklh.exe	37
PID 2556 wrote to memory of 2608	2556	Bmpkqklh.exe	37
PID 2556 wrote to memory of 2608	2556	Bmpkqklh.exe	37
PID 2556 wrote to memory of 2608	2556	Bmpkqklh.exe	37
PID 2608 wrote to memory of 484	2608	Bbmcibjp.exe	38
PID 2608 wrote to memory of 484	2608	Bbmcibjp.exe	38
PID 2608 wrote to memory of 484	2608	Bbmcibjp.exe	38
PID 2608 wrote to memory of 484	2608	Bbmcibjp.exe	38
PID 484 wrote to memory of 2544	484	Bmbgfkje.exe	39
PID 484 wrote to memory of 2544	484	Bmbgfkje.exe	39
PID 484 wrote to memory of 2544	484	Bmbgfkje.exe	39
PID 484 wrote to memory of 2544	484	Bmbgfkje.exe	39
PID 2544 wrote to memory of 1164	2544	Cbppnbhm.exe	40
PID 2544 wrote to memory of 1164	2544	Cbppnbhm.exe	40
PID 2544 wrote to memory of 1164	2544	Cbppnbhm.exe	40
PID 2544 wrote to memory of 1164	2544	Cbppnbhm.exe	40
PID 1164 wrote to memory of 992	1164	Ciihklpj.exe	41
PID 1164 wrote to memory of 992	1164	Ciihklpj.exe	41
PID 1164 wrote to memory of 992	1164	Ciihklpj.exe	41
PID 1164 wrote to memory of 992	1164	Ciihklpj.exe	41
PID 992 wrote to memory of 1292	992	Cnfqccna.exe	42
PID 992 wrote to memory of 1292	992	Cnfqccna.exe	42
PID 992 wrote to memory of 1292	992	Cnfqccna.exe	42
PID 992 wrote to memory of 1292	992	Cnfqccna.exe	42
PID 1292 wrote to memory of 2876	1292	Cepipm32.exe	43
PID 1292 wrote to memory of 2876	1292	Cepipm32.exe	43
PID 1292 wrote to memory of 2876	1292	Cepipm32.exe	43
PID 1292 wrote to memory of 2876	1292	Cepipm32.exe	43
PID 2876 wrote to memory of 2212	2876	Cgoelh32.exe	44
PID 2876 wrote to memory of 2212	2876	Cgoelh32.exe	44
PID 2876 wrote to memory of 2212	2876	Cgoelh32.exe	44
PID 2876 wrote to memory of 2212	2876	Cgoelh32.exe	44
PID 2212 wrote to memory of 832	2212	Cagienkb.exe	45
PID 2212 wrote to memory of 832	2212	Cagienkb.exe	45
PID 2212 wrote to memory of 832	2212	Cagienkb.exe	45
PID 2212 wrote to memory of 832	2212	Cagienkb.exe	45
PID 832 wrote to memory of 1540	832	Cnkjnb32.exe	46
PID 832 wrote to memory of 1540	832	Cnkjnb32.exe	46
PID 832 wrote to memory of 1540	832	Cnkjnb32.exe	46
PID 832 wrote to memory of 1540	832	Cnkjnb32.exe	46

C:\Users\Admin\AppData\Local\Temp\b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
"C:\Users\Admin\AppData\Local\Temp\b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\Bdqlajbb.exe
  C:\Windows\system32\Bdqlajbb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\Bgoime32.exe
    C:\Windows\system32\Bgoime32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Bjmeiq32.exe
      C:\Windows\system32\Bjmeiq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
59KB

MD5
e8ee42c447f11881fbd9762d52ebd404

SHA1
8011bb3758e02167f2b102ee47c8c3dfc15093c8

SHA256
2324a7db7a617279b2a05686bedc0fc4ab6c70224f13915a37ed372a203ea2ee

SHA512
394b51bf869cafa49bbdd706cf0cfd81d28bb4ad88f3b60ee743807c31495a99d0df96298a1cd92173e4837149bf219bf20a4859932cf97f73f70fc5a72df324

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
59KB

MD5
1b681c2e1cbc93f7f4395c5acdfdc249

SHA1
651633bcd5b139a57d016a3105a4fe507097c74a

SHA256
3c67b166584bc9e6c18e538f3189834e04a8ac2b203334a6d1b3eb98da10b473

SHA512
c761467be73cabdf56606d218a5bcd444f25cf8e630422034fe36ffbc24dcf3a943d841effbb2415ea4c904837942183160260fb6767e57e3c0c8157ff0295af

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
59KB

MD5
ca0dd3a8be8f103c9d1ba90f49d38903

SHA1
9de625a146872fc9c20770e17b6ab82133421dd3

SHA256
c3a830511f290d5e57abe7c5160010d2f93a8d7a890ba84ebc4ee339f3a53073

SHA512
56d47210c8e25b90c54848b44614e3a558ee1d0544bb5a83a473fda048297d67836baf383660bb7eb4f60e06078a843a5341d31e91de7377a175fcf4043e04af

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
59KB

MD5
15e76a43d86367fe956bb1bcb81bbb65

SHA1
04f00b711d8874ec6c70bdc27ce9073f1be9540c

SHA256
bc5fb6ee42db83c9621b291736af24b71aac3691a4556a871cc713d15c1a1ece

SHA512
ef0f1aaf53c40b41f2089aa96797a7f8dc22c0dd0b7be690804f2a94bd159a954ab4c05ce63edca8b10b135894c2fea4bd11f20b62ee718cbf3add599600e7e1

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
59KB

MD5
20e287406152f89b794320e382c6bf2d

SHA1
af3cefe0e3633d4432dbad28b68a3e9e0ead4db3

SHA256
c4d772b3ba99449f06cb630f2355a5901a71f4252780ad512a7fab90a7ae8b78

SHA512
6034b79122cbaba04614b5b03e06c71d6960044486afca97420c73ca431db1ead8caebbf6345eeb585c15b21338d2fca38f81c283c51e5725c1b5beec109cda3

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
59KB

MD5
1026aa443be0873c0ff1103b526173ed

SHA1
da227ffb6969419e8007bd5d45c3664eeee1f45f

SHA256
c9877613dd8b9fcf462f38fb91cfc92e1af701a067e8f3c3f86285502f789c8f

SHA512
b8f8f76a18feaa5cc33e8a64a1f3c9fbdf7d65b68c006dae26eb7e7bf05a80f66193cba630e4f8a8ab1e179d0fa66643cc2c42e4bcc038b7b81f6d0c43a94084

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
59KB

MD5
2e6cd21a3882634ec5325f9faf8e0747

SHA1
525c6b60bac92ee0258129559cda5e4396c28ff3

SHA256
7e3f48320687688a57d4e33a30fa5502bf77b481e9cd028c9ea7275fe65b1b9c

SHA512
1aadd6ae6a7c415eab10a6f4b28812ac7d17b9a5ebcb216c2a5b563501799b4464b1ee1c85378528eb00d6ae6a69e11a82692fc3ed017163ca0fee74f5745a68

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
59KB

MD5
d255a1d846e98bdfcecc6aaba576905f

SHA1
6d8442270c4da72c476809f1f4dc3ba8f9cbbcf1

SHA256
7a0bfb2643c5f7113c5077a2e579602bc81875bd3ac015793e20fdddb83c2802

SHA512
7912507aeaafc855c7683a33df4eefee5c51799df50eb5dfa5f3133da77f3cf3b83a1363be67f86757a67ac14399289d3b97e07f50c3719d1536ec19dd580020

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
59KB

MD5
122521ab1895533a5c1109552c0f81b7

SHA1
2a64452785b43c893f1476ca60de4b30c5471809

SHA256
2a68419863957d0082e0054322424edaf8ab8146d765298b2c58db1f6a60376a

SHA512
0af2ccdf9ce4a6f97ce0bf78c07019d86f2002d07a1b3b3b970ba459142013a0eac61b339ebdd9cbacd2bbafb666138cfd8206a8d0892fe286a97a4d4ae4b8cf

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
59KB

MD5
bc5581251008c71dfbd1576c2b047cd9

SHA1
49569c745d20a0d69344de8aac693356c2613105

SHA256
f5528b7198332c1e0c56eb08e699efd69adf37ece79966e24924148f0705aaa8

SHA512
eb924a95994ebb3e0e0905d3497180a235f628f8ae351dfff831f176684423b6d9f1ad3e7ba573322ff7e9f994c75dd7aa6804d5420bfe58ce6753bdb406e017

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
59KB

MD5
0da67bd8001998cace8aa3293fced866

SHA1
3e9cc028968da131e01ab0dd611fd5685c5cd2f3

SHA256
a973c0b9839e70bd66e8e00c3bff96e91a0a373ae5cf0387b5db2db6596e4756

SHA512
034c91304b2517f884b6ce022837661ac03f984a07a4a843518e3d02f1eb7494043589ff56aec089c3e980dc4c16ce39dc936f5234fce31ea8858c8a31f2d6fa

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
59KB

MD5
59932d3072d06f0fb9da587758289e99

SHA1
79ad6bc27749cf0562995ab7f84cbc4b8774b281

SHA256
27840225d5fd4b4375d175f6f2bf79e5fa3976a66f951a316db0fd1231134507

SHA512
64627b460cfe6c934324e8791006ff76f5dea8a6ba7baf9c69a99d8442523184975e7f5ab717ab5a3a5d975e0dfe3eee008ed85e9362ed4017cc58b9dff1311f

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
59KB

MD5
dc9c4bf1e50055ddfeaa4798b8ba4ec5

SHA1
f122fb3edf9b8c142e66cbe062e22ffe0f4487ca

SHA256
4241159bfe77da4094974255c588bdfc128ff1d4cec1dcfd57ce565d8646172e

SHA512
e7a3acbf29c582c4bc011efd5e8bcffdf9bbfa7d1204b27fe7c91bc85b681036e62a17e6fa5a8aa4f22e975596f491d45078701db35e1f97260816c7433ac300

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
59KB

MD5
f0a1f150bef1704412e77478810d0ae4

SHA1
f14c83e7561340f778e9befc89c75cc170bf42ba

SHA256
511b30af771b5fe0b7e49f7bd9dd1a2a18763953e69d2e3f2dd2e657803949b3

SHA512
8d5285a8e3f1b2ca6bc8769e927abb07b01ce33fa6de21ac3b26c64981c570314452ca8cb56d4d519876293fff37f42d5686020135b1c12a0b3d11379dd4ac12

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
59KB

MD5
344cb9abc2f59c53fd974c8b9af1fe7c

SHA1
c181f2b9500ba5a82a340c9285a011063ee26c28

SHA256
ec97c6e99d33d41af9b008f695c18bd5fdad54985c9afe1959b1f181b20f6d24

SHA512
1fd8b0c165d50d7bdf3e877d961bb9914f60a314197584ef8802499bba994790959675caf37c8ab7e49b56dcb74e313379f7a135f4533f85eb0f18c0d9100aad

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
59KB

MD5
49e0dd539f130c8114a185dabeb87ed6

SHA1
a727f8851ebef4d29c270d644f1275711c60f1ab

SHA256
35c5772803702f7c4b6cf37733417a8e2e85614242e35a90835fe35b256d5249

SHA512
25e21e77930409d9f4755e467a625991bab468a147ecfefc03f147fa066d76213afb4fe903c92cfee3e308824f76ea5c461eab61d559c82caa29603639cd5682

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
59KB

MD5
e54fd45da2118a799cce4269b1cfd5c0

SHA1
4d491d35856efae9fa5867b5bc5b5383d5fe8cc9

SHA256
e21403d83c926b8c66181b1ef9985b424673b4f6b3578a4011f0b72e868c952a

SHA512
b5469e1fc7d616be9a2666b56150777ee49ae588f1ec240fe7ea7d95e88dbe38480713681d5b36e038a5a731bca0fdcbfb3d23494e193d539c25d83ce7aec617

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
59KB

MD5
cf3f19a113a98d18745996948b798f50

SHA1
1ce79dc6e4dc0b2898f553cd486878229e452caf

SHA256
fc66e2f141b9222016c47d0e7b256cbfb8d557f51f2ef4b061b6dee4781d558d

SHA512
8c974efed8083ee11bb14fbb7cc431dd7e4b39f2002e1816606da171de80167f462d365b648b7192ede3ddafa28bff72b02f2d3406f18dc16c6e7f17b1ec2b0d

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
59KB

MD5
7eac4c7e38b1ad08d4067e8b5fc7cb1d

SHA1
383da82d3f0533aa10cac96cde7709a3fe3eaca6

SHA256
e5dc0855b42c881a030daab9f17ba87d7654337124f0d724180dd813a8e35508

SHA512
3d8bf3e1ffb1c4be284159e2d026835e8e0008a092c20f9098a3e0b1b0f971d305f29882eb3ffdf80231370449f3520c38d86bfd4ab2f1393dd9b6c94ff61f00

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
59KB

MD5
04edc1d172e6eb9f46cbf67a8b610382

SHA1
36a8429681ffae2450428987882e4d2bfbfd3574

SHA256
1364d12d4434b4ffb15bc62a874cf5cf7db32488dcd44ef8111a555d90cf7893

SHA512
7e9dea19c34ab23b4cdfb8ff8f97b543da211b04b903705c4b211eb15c3f613f7237ce26ffda11235b50d6b25f165b2df45d861561d704d293a58019a8d979c2

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
59KB

MD5
2577975ae188870c45a45919b589cb8e

SHA1
40eb4a0d91204aea6325f6a9907e635e98315a26

SHA256
aac57c8971fd3a56ff09cbe62b912d7a866d7d4c6c2725c48a680e436b9fe6d6

SHA512
c1c22b6bff55f26d75608163d2a0ecf9fc70250880f216ac98f52d565cb98de13ae16bf126b196b54488f768baf92bcc1e4e870beb5cbdc4c5659bc7700da61b

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
59KB

MD5
0767673b0b306a66a2f5f8bda1971d86

SHA1
67478b2e35ce27bcb349ef89a2afc6424a08991f

SHA256
4c395018cd23c399865761150de89466143f4599dd07ae30927fcbe10fd74c2d

SHA512
396a6ec9c7c51595e29086334a800166624b1fc6f144c0a61ab12ba911ae089064cc73672d0262a791b997bc1743e7d761b9275bbaaf7fed5fd4df42e3a794d5

Download Submit
memory/484-119-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/484-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/484-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/544-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/544-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-246-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/720-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-218-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/836-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-147-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1164-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-178-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1540-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-227-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1540-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-265-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2004-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-25-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2308-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-17-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2380-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-138-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2544-132-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2556-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-96-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2556-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-63-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2564-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-82-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2608-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-42-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2740-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-40-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2740-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-54-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2784-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads