berbew | 1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0d

Analysis

max time kernel
111s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Size

72KB
MD5

ef1137093f6c7fba5bd105740f6422d0
SHA1

ff800ca58410fd612bcc143f93fbfeb8e0d562da
SHA256

1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0d
SHA512

9ba2bd4399a78d1b857af956944380d8c04888f88810d9ef8f596a55009d46b60d98e783ae789760f0320ba665e86e5b9e1e6b70a5158ca4f76511e68ec99cd3
SSDEEP

1536:2Fu3QqD2llegwWFGQrDVMNt37bDYFyL88cV631iqF1vDw:2tiMnrhWt3XDYILbbHvD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beldao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aankkqfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Codeih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Codeih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cofaog32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
2248	Aankkqfl.exe
2856	Bldpiifb.exe
2220	Beldao32.exe
3008	Bodhjdcc.exe
2872	Bpfebmia.exe
2772	Bkkioeig.exe
2764	Baealp32.exe
2476	Bbfnchfb.exe
636	Biqfpb32.exe
2068	Blobmm32.exe
2924	Bgdfjfmi.exe
948	Bmnofp32.exe
2884	Cbkgog32.exe
1644	Ceickb32.exe
1880	Clclhmin.exe
1040	Ccnddg32.exe
2056	Chjmmnnb.exe
1852	Codeih32.exe
1640	Cabaec32.exe
2936	Clhecl32.exe
1864	Cofaog32.exe
1720	Ceqjla32.exe
376	Cgbfcjag.exe
884	Coindgbi.exe

Loads dropped DLL 48 IoCs

pid	Process
2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
2248	Aankkqfl.exe
2248	Aankkqfl.exe
2856	Bldpiifb.exe
2856	Bldpiifb.exe
2220	Beldao32.exe
2220	Beldao32.exe
3008	Bodhjdcc.exe
3008	Bodhjdcc.exe
2872	Bpfebmia.exe
2872	Bpfebmia.exe
2772	Bkkioeig.exe
2772	Bkkioeig.exe
2764	Baealp32.exe
2764	Baealp32.exe
2476	Bbfnchfb.exe
2476	Bbfnchfb.exe
636	Biqfpb32.exe
636	Biqfpb32.exe
2068	Blobmm32.exe
2068	Blobmm32.exe
2924	Bgdfjfmi.exe
2924	Bgdfjfmi.exe
948	Bmnofp32.exe
948	Bmnofp32.exe
2884	Cbkgog32.exe
2884	Cbkgog32.exe
1644	Ceickb32.exe
1644	Ceickb32.exe
1880	Clclhmin.exe
1880	Clclhmin.exe
1040	Ccnddg32.exe
1040	Ccnddg32.exe
2056	Chjmmnnb.exe
2056	Chjmmnnb.exe
1852	Codeih32.exe
1852	Codeih32.exe
1640	Cabaec32.exe
1640	Cabaec32.exe
2936	Clhecl32.exe
2936	Clhecl32.exe
1864	Cofaog32.exe
1864	Cofaog32.exe
1720	Ceqjla32.exe
1720	Ceqjla32.exe
376	Cgbfcjag.exe
376	Cgbfcjag.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djenbd32.dll	Cofaog32.exe
File created	C:\Windows\SysWOW64\Bbfnchfb.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bmnofp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Bkkioeig.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Baealp32.exe	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Flffpf32.dll	Baealp32.exe
File created	C:\Windows\SysWOW64\Llaqkn32.dll	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
File created	C:\Windows\SysWOW64\Eonkgg32.dll	Bldpiifb.exe
File opened for modification	C:\Windows\SysWOW64\Bodhjdcc.exe	Beldao32.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Codeih32.exe
File created	C:\Windows\SysWOW64\Acdlnnal.dll	Beldao32.exe
File created	C:\Windows\SysWOW64\Bkkioeig.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Clclhmin.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Clhecl32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Beldao32.exe	Bldpiifb.exe
File created	C:\Windows\SysWOW64\Codeih32.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Codeih32.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Codeih32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bodhjdcc.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Clclhmin.exe
File opened for modification	C:\Windows\SysWOW64\Baealp32.exe	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Biqfpb32.exe	Bbfnchfb.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Bldpiifb.exe	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bodhjdcc.exe
File opened for modification	C:\Windows\SysWOW64\Blobmm32.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Ljkaejba.dll	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Clclhmin.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Ccnddg32.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Hgioeh32.dll	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bodhjdcc.exe
File opened for modification	C:\Windows\SysWOW64\Clhecl32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Aankkqfl.exe	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
File created	C:\Windows\SysWOW64\Fbflbd32.dll	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Amljgema.dll	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Lfehem32.dll	Cabaec32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Bodhjdcc.exe	Beldao32.exe
File opened for modification	C:\Windows\SysWOW64\Biqfpb32.exe	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bmnofp32.exe
File created	C:\Windows\SysWOW64\Blobmm32.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Bmnofp32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Bldpiifb.exe	Aankkqfl.exe
File opened for modification	C:\Windows\SysWOW64\Bbfnchfb.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Edalmn32.dll	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Dhhdmc32.dll	Ceickb32.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bodhjdcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkioeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfnchfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Codeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aankkqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldpiifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beldao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clclhmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clhecl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clclhmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaqkn32.dll"	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amljgema.dll"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beldao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baealp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnofp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aankkqfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2248	2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe	30
PID 2004 wrote to memory of 2248	2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe	30
PID 2004 wrote to memory of 2248	2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe	30
PID 2004 wrote to memory of 2248	2004	1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe	30
PID 2248 wrote to memory of 2856	2248	Aankkqfl.exe	31
PID 2248 wrote to memory of 2856	2248	Aankkqfl.exe	31
PID 2248 wrote to memory of 2856	2248	Aankkqfl.exe	31
PID 2248 wrote to memory of 2856	2248	Aankkqfl.exe	31
PID 2856 wrote to memory of 2220	2856	Bldpiifb.exe	32
PID 2856 wrote to memory of 2220	2856	Bldpiifb.exe	32
PID 2856 wrote to memory of 2220	2856	Bldpiifb.exe	32
PID 2856 wrote to memory of 2220	2856	Bldpiifb.exe	32
PID 2220 wrote to memory of 3008	2220	Beldao32.exe	33
PID 2220 wrote to memory of 3008	2220	Beldao32.exe	33
PID 2220 wrote to memory of 3008	2220	Beldao32.exe	33
PID 2220 wrote to memory of 3008	2220	Beldao32.exe	33
PID 3008 wrote to memory of 2872	3008	Bodhjdcc.exe	34
PID 3008 wrote to memory of 2872	3008	Bodhjdcc.exe	34
PID 3008 wrote to memory of 2872	3008	Bodhjdcc.exe	34
PID 3008 wrote to memory of 2872	3008	Bodhjdcc.exe	34
PID 2872 wrote to memory of 2772	2872	Bpfebmia.exe	35
PID 2872 wrote to memory of 2772	2872	Bpfebmia.exe	35
PID 2872 wrote to memory of 2772	2872	Bpfebmia.exe	35
PID 2872 wrote to memory of 2772	2872	Bpfebmia.exe	35
PID 2772 wrote to memory of 2764	2772	Bkkioeig.exe	36
PID 2772 wrote to memory of 2764	2772	Bkkioeig.exe	36
PID 2772 wrote to memory of 2764	2772	Bkkioeig.exe	36
PID 2772 wrote to memory of 2764	2772	Bkkioeig.exe	36
PID 2764 wrote to memory of 2476	2764	Baealp32.exe	37
PID 2764 wrote to memory of 2476	2764	Baealp32.exe	37
PID 2764 wrote to memory of 2476	2764	Baealp32.exe	37
PID 2764 wrote to memory of 2476	2764	Baealp32.exe	37
PID 2476 wrote to memory of 636	2476	Bbfnchfb.exe	38
PID 2476 wrote to memory of 636	2476	Bbfnchfb.exe	38
PID 2476 wrote to memory of 636	2476	Bbfnchfb.exe	38
PID 2476 wrote to memory of 636	2476	Bbfnchfb.exe	38
PID 636 wrote to memory of 2068	636	Biqfpb32.exe	39
PID 636 wrote to memory of 2068	636	Biqfpb32.exe	39
PID 636 wrote to memory of 2068	636	Biqfpb32.exe	39
PID 636 wrote to memory of 2068	636	Biqfpb32.exe	39
PID 2068 wrote to memory of 2924	2068	Blobmm32.exe	40
PID 2068 wrote to memory of 2924	2068	Blobmm32.exe	40
PID 2068 wrote to memory of 2924	2068	Blobmm32.exe	40
PID 2068 wrote to memory of 2924	2068	Blobmm32.exe	40
PID 2924 wrote to memory of 948	2924	Bgdfjfmi.exe	41
PID 2924 wrote to memory of 948	2924	Bgdfjfmi.exe	41
PID 2924 wrote to memory of 948	2924	Bgdfjfmi.exe	41
PID 2924 wrote to memory of 948	2924	Bgdfjfmi.exe	41
PID 948 wrote to memory of 2884	948	Bmnofp32.exe	42
PID 948 wrote to memory of 2884	948	Bmnofp32.exe	42
PID 948 wrote to memory of 2884	948	Bmnofp32.exe	42
PID 948 wrote to memory of 2884	948	Bmnofp32.exe	42
PID 2884 wrote to memory of 1644	2884	Cbkgog32.exe	43
PID 2884 wrote to memory of 1644	2884	Cbkgog32.exe	43
PID 2884 wrote to memory of 1644	2884	Cbkgog32.exe	43
PID 2884 wrote to memory of 1644	2884	Cbkgog32.exe	43
PID 1644 wrote to memory of 1880	1644	Ceickb32.exe	44
PID 1644 wrote to memory of 1880	1644	Ceickb32.exe	44
PID 1644 wrote to memory of 1880	1644	Ceickb32.exe	44
PID 1644 wrote to memory of 1880	1644	Ceickb32.exe	44
PID 1880 wrote to memory of 1040	1880	Clclhmin.exe	45
PID 1880 wrote to memory of 1040	1880	Clclhmin.exe	45
PID 1880 wrote to memory of 1040	1880	Clclhmin.exe	45
PID 1880 wrote to memory of 1040	1880	Clclhmin.exe	45

C:\Users\Admin\AppData\Local\Temp\1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe
"C:\Users\Admin\AppData\Local\Temp\1b138ed48ace8b9070f65d1c6153da792f488aa870568b2fe07aee6434454c0dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\Aankkqfl.exe
  C:\Windows\system32\Aankkqfl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Bldpiifb.exe
    C:\Windows\system32\Bldpiifb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Beldao32.exe
      C:\Windows\system32\Beldao32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\Bodhjdcc.exe
        
        C:\Windows\system32\Bodhjdcc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\Bpfebmia.exe
        
        C:\Windows\system32\Bpfebmia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bkkioeig.exe
        
        C:\Windows\system32\Bkkioeig.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bbfnchfb.exe
        
        C:\Windows\system32\Bbfnchfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Clclhmin.exe
        
        C:\Windows\system32\Clclhmin.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Codeih32.exe
        
        C:\Windows\system32\Codeih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Clhecl32.exe
        
        C:\Windows\system32\Clhecl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bldpiifb.exe

Filesize
72KB

MD5
dcad6cca911c7a6c220f5ac5a6484b3d

SHA1
e657f79be4c7cb0365b51d550b606116fa51cf1e

SHA256
8fb8815b0b1f0f667b86f468163decab88dd1622ee4f84ac1fd5b7025bf035db

SHA512
733b6f6980b59b1bed121ea791b1b87f279a5c31b51270fd1f635ce43ba3a029d0d03993278b8ce70c732edbb348b7c0879a4d7991cf375d7303fec87ca21c3b

Download Submit
C:\Windows\SysWOW64\Bmnofp32.exe

Filesize
72KB

MD5
54d691fe8fb841a3403ba6f7a6689300

SHA1
f40b0d0f3e93ce1639bd02d372d8d863a900714f

SHA256
0de151080f7a93a258f394580c5b064d6741f24b3f9b8255bbc1166b5ebf35a5

SHA512
3d85174e826e81e68be9e3a90c7bf8b630ddec265a8fe8d84dde627288ed5b5aede94a8b487e16727a2d78dc181611a8c9912693da6671b4078daebb022ee1f0

Download Submit
C:\Windows\SysWOW64\Bodhjdcc.exe

Filesize
72KB

MD5
3234fe7c6aad737fcc5e8e5af66d62cf

SHA1
d10b487d418a812358f119339a5bb4eca3f0ac2e

SHA256
efaf0f9ab08f119d78d06d485a3c44c2b4c0ac6686d76f79916cffb5fbbd01be

SHA512
a9accacaf707d1fcedaafa80569021f6e61f87c845218ac6847311385bf12eaecfeef6bf53a39e1c3ba3d11c9de1fc341dcbbaf8b51d4f76c2c58d950ef21285

Download Submit
C:\Windows\SysWOW64\Cabaec32.exe

Filesize
72KB

MD5
347a8a85a1124bbede246a5d579c4fd4

SHA1
90953524bdc13dce9ab31fe79f79d1691c8ca863

SHA256
5b195c6100442700346ec1445b753eb77afc6a3c0256b4f766a28fb902bcd6b6

SHA512
8c743ddc8c02692bce2b439e7177ca195511e97afd8331ba0715dd36dcd45061f884b6bc8d9ccafd2e8f1008507659c549c54694bf17d076818180b1a44decae

Download Submit
C:\Windows\SysWOW64\Ccnddg32.exe

Filesize
72KB

MD5
ffdd66abd2ccea1a44a6512d4fb62b15

SHA1
02247fdec364d42ec7188ca929e498cb07e03105

SHA256
88baa6478a6ad7f32d37022f2b409bee823ccbecbe11c6af537c27935c8b08d1

SHA512
5a77821c75af149e812a821250ef9f4164bae62101b7972bc31f55b9d17e49c7f87287be310ab625b3baaeb48862dd6606479d647bcb585452d7eccdeb24e109

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
72KB

MD5
69fb425da3f52e58e0981c2774650165

SHA1
2b5934c996a453eb857ebb7eee49f0fff93f8e95

SHA256
a0be079eb76e01dc7d910be513312b5b0796a9f6ea2b3142d5e4d3d3aa0df7b4

SHA512
0f096afed43aa138797d1aef606a1a469e255da582dd7befe824f0034e62f1dc8c7dbfddfda9e95d1de9739ee21d286441b423229d72426908667f445d674148

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
72KB

MD5
fe9a328105c8d0119676f6cde0a70fbb

SHA1
64a558c42cd31d9700f1287b08d3ff816fd168dc

SHA256
16becb543c03ee6bb1ee621a2448ae5f21cfa507abcac7771ac0062490183b0c

SHA512
ddada96a2d1c695d89c9cb272ba4d51dcf57954814d59f4552564d7479a3b49d7a5e9e7549042d249ab945d6f7189b32c5569719546820e20bce10424ce09570

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
72KB

MD5
8b7d08ad8eb67ee14d869adc928b2c50

SHA1
c6d9bf8480737540010d431a51fe5525f21d63f7

SHA256
9e2c4690dae2c65dcd0bfb2b8da5f9597c91f3e6b6a1b76ba3acf318e0af324e

SHA512
9dc543a18acb8a5f0e294d4af18ee2752b91b119b06ed5818f1e326e29b3a0b73c671260ec14a8e9bb5cec435f816a32e6bef5f904f368286ffe51cc6fd09337

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
72KB

MD5
c613a770179a0ffa10a36fffb92e93ab

SHA1
bf8a5f3aa80bef158023ac04e67ef6317bb30090

SHA256
0a62ae543ce84f71df9bf142160f89294f06ae7145266da99a37760b08f591aa

SHA512
8c24c8e3a8de2a4871d029af5767077217bf01af00ed04fb946162ccf888418bc76733e50c146294e8a935b8669a04892bd440281006c90bc8fa103d981a0ece

Download Submit
C:\Windows\SysWOW64\Clhecl32.exe

Filesize
72KB

MD5
0a5b4d8c632dc11ab0bb7f9e17a32d44

SHA1
4453bff280387cd35c113f8f01812fa03a690173

SHA256
e50bb99df10bf94cfadfbc09aa58de89118900b377b9a8699df22284f3bdc72f

SHA512
88ca3fbc24d46dda5a0d4a22f4addfb6abee419b9629f98008af8f4233ec86aca2ad5332cebcfc497c4b1c34b61a0953afb4c2460dfd73be1df8d51aa0473da6

Download Submit
C:\Windows\SysWOW64\Codeih32.exe

Filesize
72KB

MD5
af42953559ae16af0ef73fb989a77749

SHA1
8545303b92130cbb8cb8d4e16891763e2ff29df0

SHA256
72c2082e0085d70c5201d08fc8eb5cd18945b4fd77dfe76031e1b2ab2dbad24c

SHA512
ff85c6a0cca3f1a2630addfdac9d179ba6e594be6481a7d751488f0fd1f5e511e393f76049e525d4568f7114647b49a1e5286e2f1d5fc27784444365439e0ba6

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
72KB

MD5
e125ed0f2163840c3b2beade90b77e28

SHA1
3a05bcc1e464f6e03043087a5527069bb95ac32c

SHA256
ac3671577fa038589fbf11572137f9fd48cd328c9d7d4e933f9e5e46b86f837a

SHA512
8bec5a842a8fc04596a93280f095ca046ecafaab062f54a248c447b5a173f50a2c3555849d2b3b8b3a9092bb5a1081498cc7297f4957109b53726001af1728c2

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
72KB

MD5
6c1c1ae1ee1d12320c07953e15a5a489

SHA1
a15dcc7b163ea18986b7cdd2edb2778b1ed94428

SHA256
1c54f1c27948c33d60370e5c99b814483c7e2138963d121f507a29d60f17ce01

SHA512
e823fd2c2161276d5f33d001167133ba89b65ad28b178555e65012d87e944504d585addd87358d4f4a3b5640b507c6a1b7a2328c72e4cbfb77400938c4679b57

Download Submit
C:\Windows\SysWOW64\Lpqafeln.dll

Filesize
7KB

MD5
133ed12c1ab83503d2c1d165a3235fbf

SHA1
0bbb4d8851c95db0fb8fda1f8513e79b1117ac3d

SHA256
a2ed00ae8e3e3f2c6b141d845322e6af8b4849641409e2e0186d71588f9182f0

SHA512
38643bbf167a1eee28a2b7d8b34d74ef6de712dd00ca28701b821ca33795e4bbcd00549f8b2125a305ac59ddea127de95a78d9e1519251e80419da7fe7abed75

Download Submit
\Windows\SysWOW64\Aankkqfl.exe

Filesize
72KB

MD5
2f720791d00e92200caf01446277c4f4

SHA1
91b52c3d45d1d0aeaac9e5d308826b133410c2f6

SHA256
1263bb4ccb97f04ced0185edf70eff5f5aacaf9761476982561cc61e43d59ac1

SHA512
cb219fb79776760f336ddb9859b1f40dfdba3bdcf9b3d85d77196b54772a2fafbebb431d3165bc70ce5b4b555fab82d79e57ebd034f9b25a667a65cd78269f52

Download Submit
\Windows\SysWOW64\Baealp32.exe

Filesize
72KB

MD5
068ea4bfc86c97565a8478db4d7bb174

SHA1
50e7c1fbf422e0e6bfdafce45c5d737914dd23ef

SHA256
f231765566669e5eac7ecf746d2ea5061bcecdbaa686078e2a54c0aa1a8ddfc1

SHA512
015cce4639009436aaef56b2b6ca6e07619b6cec956bbfeb774ca8aab0d5f6c749293079acbbe6598769aed1c880aee63d39aedeeecdbf5b1d5934f962de2d40

Download Submit
\Windows\SysWOW64\Bbfnchfb.exe

Filesize
72KB

MD5
01aea7adc60292b7e65e4db966e2947c

SHA1
43837804a3f5a41325b340b96bcf94cfef24a909

SHA256
1631f16528a3abeeda787ffc668f08b438c0f0cefab8e90dd60b04d49db3f474

SHA512
b24f1e934a4a19dce79d888b5a9e72b772cac052bd8bda04c79582f52787ef59ee15afb29694432ba72c40677a8c01360d9815e68df22e1b785ca79248602591

Download Submit
\Windows\SysWOW64\Beldao32.exe

Filesize
72KB

MD5
d97aae383a08333f3f1ea348f42b49e0

SHA1
83607984a6d49d9b617ccdeeecd59d9db21d1acd

SHA256
40017d8e61fbf10fbd61133e42e6a7b3c87098e7b062787af75a2ae5a0f92e03

SHA512
70a36aa073ac77e130e0318b6b7471f094bd7ca55a5780a73c65e0289ebf9f6372fc15f9fdcfb6d72b34301745deeba146a4089ecd99151d21e456371176b7ed

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
72KB

MD5
15649bfc85f94b1e75b5a2e5978c551c

SHA1
3b44a7206cd93541a33e41c498a4563c14b484ad

SHA256
193b4f5890343c699cc111a0c76bf6df338de6b2ff53b7886fa1816020986593

SHA512
beaa332e609d076b5f4e04a53de05608ce3eb8732af76d090a78b5f6acee6389f6b2826f8390c434e268737235732e8b1dd287f02297189f1cb8b3a13c4030fd

Download Submit
\Windows\SysWOW64\Biqfpb32.exe

Filesize
72KB

MD5
bc7b77633c76278cde23a9384101abfa

SHA1
710ed8f48aed8187b5f41dfdc87785fe7e70ec4d

SHA256
72f385fcfd376c550583fcce6588eb3bdfff2c4dc78eff2ab5165a5ace01a5f7

SHA512
bea3f6580e52aae5283d84890bde8f75ee86b33161c9ab412eca5a99008c921b0fd3381cf51f90aae2a7499e0c229bb1a472c3bb2f90e272983113667ac3919b

Download Submit
\Windows\SysWOW64\Bkkioeig.exe

Filesize
72KB

MD5
b7a4624f64a132e5d647a8c536ac9289

SHA1
fe4e6f116b39abf3938c58b2b29137d6add41873

SHA256
9857088d4bd80d7bb75d43d615eeb40c7d3f57ce189a875a1af60ce3689ada48

SHA512
cd16efae71fa7d7feb51a9dc1d109c281ccebb889e2135eeae6372b27e97e259012fdffb6f4c198153ca8a91caa35e542a586270985c17377ed77d7991760b9e

Download Submit
\Windows\SysWOW64\Blobmm32.exe

Filesize
72KB

MD5
a8d90a527e92e4a1ea336d5c9adbc90c

SHA1
7c5f011c23c2f93d4e4969a1f424e925bf325b86

SHA256
32ada9bed7f37129a1a04ab75f61070e46c2f000867b4cb115cc1ba32183a89f

SHA512
999d682ebda586e312931965e9ba43cc1fd4e109b5470cec98ac43ff969600d2265c4ef864808d2a4b26707c5d7bdb9a259c4b039d5090426edd48625db690dc

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
72KB

MD5
ef422421716b9d7155052f2b828898d4

SHA1
e1f77d57c45dd300427df323d76f23e28635b843

SHA256
9dbe82f1e3a7009df39d16e1d37ca39f80833304bc14e61cd95087bb4505c5c9

SHA512
72d5d56674a1a6b2adb587252b07918bb8934eabf08dc5fc8954c2e30cb34d11eee002f0bfd8a660afd152b7f1f187f2345462bda524316931768e8bfddba482

Download Submit
\Windows\SysWOW64\Cbkgog32.exe

Filesize
72KB

MD5
3f4d7791a6cd462b71424a84b1488c0a

SHA1
7562633815efce3069350b36235188f92033e2a0

SHA256
e251ada1ddce0a0e0dac0ed71145c8098b0523ad989dfdbe3af37e8fe6c28ea7

SHA512
917a131a28609d34978327161034fe71aacc2ab5b7af262625970e5c55bac912eb56ff8a323b1a6f7cb26facfadd82cc34f7b291e6dedeb26c6f2299e267db25

Download Submit
\Windows\SysWOW64\Clclhmin.exe

Filesize
72KB

MD5
be65cb023bc294a8fb1c94856ba7fd55

SHA1
0389418bfd5ee7deed30158ddcb14bc7707a0aa0

SHA256
a20664bd345a640af5cad457ca82c2af66ff8d1169897f0c7ada6af499814fb1

SHA512
8d0320210f421ba01552e8216eee7dbe644a5730019defbc80c44c4c91e2d4f1a0fb74d6e4e640ec0580dd6285cee0c1804a10ae10c1437c68d51bd9ac5ffdb2

Download Submit
memory/376-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-295-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/376-296-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/376-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-169-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/948-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-225-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1040-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-195-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1720-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-285-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1720-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1852-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-241-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1864-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-274-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1880-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-11-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2004-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2004-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-235-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2056-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-142-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2068-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-53-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2248-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-115-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2476-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-90-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2856-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-39-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2872-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-265-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2936-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-260-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2936-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-67-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3008-348-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads