berbew | e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525a

Analysis

max time kernel
87s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Size

96KB
MD5

c1cb975a0e2c3b7dcc73a1efc7f03700
SHA1

69781f9c009190e2cddf97beaf8a13126479f5af
SHA256

e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525a
SHA512

91230d891360f24b68c4163434e962c35402f0663383ac996d6f7646bf363a44599dc85737c23e2abc712ba6cc355ea1fe50bc31db4bd9a25e66abc57bff3227
SSDEEP

1536:c78RmJl/QHigHXT5dqsP3va9Cl2EV6k0K4FUZETmxsxOEEEEEEEMU2Le7RZObZUV:cukl/QHXX7g7Q3TEEEEEEEeeClUUWaef

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
2256	Bqeqqk32.exe
2732	Bkjdndjo.exe
2688	Bceibfgj.exe
2700	Bnknoogp.exe
2832	Boljgg32.exe
2656	Bgcbhd32.exe
2620	Bqlfaj32.exe
2276	Bfioia32.exe
1756	Bmbgfkje.exe
876	Ccmpce32.exe
2248	Cenljmgq.exe
2900	Ckhdggom.exe
1832	Cfmhdpnc.exe
2356	Cepipm32.exe
2200	Cbdiia32.exe
840	Cgaaah32.exe
2632	Cbffoabe.exe
884	Cchbgi32.exe
3004	Cnmfdb32.exe
308	Calcpm32.exe
2016	Cgfkmgnj.exe
1944	Djdgic32.exe
1900	Dmbcen32.exe
2068	Dpapaj32.exe

Loads dropped DLL 51 IoCs

pid	Process
2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
2256	Bqeqqk32.exe
2256	Bqeqqk32.exe
2732	Bkjdndjo.exe
2732	Bkjdndjo.exe
2688	Bceibfgj.exe
2688	Bceibfgj.exe
2700	Bnknoogp.exe
2700	Bnknoogp.exe
2832	Boljgg32.exe
2832	Boljgg32.exe
2656	Bgcbhd32.exe
2656	Bgcbhd32.exe
2620	Bqlfaj32.exe
2620	Bqlfaj32.exe
2276	Bfioia32.exe
2276	Bfioia32.exe
1756	Bmbgfkje.exe
1756	Bmbgfkje.exe
876	Ccmpce32.exe
876	Ccmpce32.exe
2248	Cenljmgq.exe
2248	Cenljmgq.exe
2900	Ckhdggom.exe
2900	Ckhdggom.exe
1832	Cfmhdpnc.exe
1832	Cfmhdpnc.exe
2356	Cepipm32.exe
2356	Cepipm32.exe
2200	Cbdiia32.exe
2200	Cbdiia32.exe
840	Cgaaah32.exe
840	Cgaaah32.exe
2632	Cbffoabe.exe
2632	Cbffoabe.exe
884	Cchbgi32.exe
884	Cchbgi32.exe
3004	Cnmfdb32.exe
3004	Cnmfdb32.exe
308	Calcpm32.exe
308	Calcpm32.exe
2016	Cgfkmgnj.exe
2016	Cgfkmgnj.exe
1944	Djdgic32.exe
1944	Djdgic32.exe
1900	Dmbcen32.exe
1900	Dmbcen32.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	2068	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2256	2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe	31
PID 2312 wrote to memory of 2256	2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe	31
PID 2312 wrote to memory of 2256	2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe	31
PID 2312 wrote to memory of 2256	2312	e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe	31
PID 2256 wrote to memory of 2732	2256	Bqeqqk32.exe	32
PID 2256 wrote to memory of 2732	2256	Bqeqqk32.exe	32
PID 2256 wrote to memory of 2732	2256	Bqeqqk32.exe	32
PID 2256 wrote to memory of 2732	2256	Bqeqqk32.exe	32
PID 2732 wrote to memory of 2688	2732	Bkjdndjo.exe	33
PID 2732 wrote to memory of 2688	2732	Bkjdndjo.exe	33
PID 2732 wrote to memory of 2688	2732	Bkjdndjo.exe	33
PID 2732 wrote to memory of 2688	2732	Bkjdndjo.exe	33
PID 2688 wrote to memory of 2700	2688	Bceibfgj.exe	34
PID 2688 wrote to memory of 2700	2688	Bceibfgj.exe	34
PID 2688 wrote to memory of 2700	2688	Bceibfgj.exe	34
PID 2688 wrote to memory of 2700	2688	Bceibfgj.exe	34
PID 2700 wrote to memory of 2832	2700	Bnknoogp.exe	35
PID 2700 wrote to memory of 2832	2700	Bnknoogp.exe	35
PID 2700 wrote to memory of 2832	2700	Bnknoogp.exe	35
PID 2700 wrote to memory of 2832	2700	Bnknoogp.exe	35
PID 2832 wrote to memory of 2656	2832	Boljgg32.exe	36
PID 2832 wrote to memory of 2656	2832	Boljgg32.exe	36
PID 2832 wrote to memory of 2656	2832	Boljgg32.exe	36
PID 2832 wrote to memory of 2656	2832	Boljgg32.exe	36
PID 2656 wrote to memory of 2620	2656	Bgcbhd32.exe	37
PID 2656 wrote to memory of 2620	2656	Bgcbhd32.exe	37
PID 2656 wrote to memory of 2620	2656	Bgcbhd32.exe	37
PID 2656 wrote to memory of 2620	2656	Bgcbhd32.exe	37
PID 2620 wrote to memory of 2276	2620	Bqlfaj32.exe	38
PID 2620 wrote to memory of 2276	2620	Bqlfaj32.exe	38
PID 2620 wrote to memory of 2276	2620	Bqlfaj32.exe	38
PID 2620 wrote to memory of 2276	2620	Bqlfaj32.exe	38
PID 2276 wrote to memory of 1756	2276	Bfioia32.exe	39
PID 2276 wrote to memory of 1756	2276	Bfioia32.exe	39
PID 2276 wrote to memory of 1756	2276	Bfioia32.exe	39
PID 2276 wrote to memory of 1756	2276	Bfioia32.exe	39
PID 1756 wrote to memory of 876	1756	Bmbgfkje.exe	40
PID 1756 wrote to memory of 876	1756	Bmbgfkje.exe	40
PID 1756 wrote to memory of 876	1756	Bmbgfkje.exe	40
PID 1756 wrote to memory of 876	1756	Bmbgfkje.exe	40
PID 876 wrote to memory of 2248	876	Ccmpce32.exe	41
PID 876 wrote to memory of 2248	876	Ccmpce32.exe	41
PID 876 wrote to memory of 2248	876	Ccmpce32.exe	41
PID 876 wrote to memory of 2248	876	Ccmpce32.exe	41
PID 2248 wrote to memory of 2900	2248	Cenljmgq.exe	42
PID 2248 wrote to memory of 2900	2248	Cenljmgq.exe	42
PID 2248 wrote to memory of 2900	2248	Cenljmgq.exe	42
PID 2248 wrote to memory of 2900	2248	Cenljmgq.exe	42
PID 2900 wrote to memory of 1832	2900	Ckhdggom.exe	43
PID 2900 wrote to memory of 1832	2900	Ckhdggom.exe	43
PID 2900 wrote to memory of 1832	2900	Ckhdggom.exe	43
PID 2900 wrote to memory of 1832	2900	Ckhdggom.exe	43
PID 1832 wrote to memory of 2356	1832	Cfmhdpnc.exe	44
PID 1832 wrote to memory of 2356	1832	Cfmhdpnc.exe	44
PID 1832 wrote to memory of 2356	1832	Cfmhdpnc.exe	44
PID 1832 wrote to memory of 2356	1832	Cfmhdpnc.exe	44
PID 2356 wrote to memory of 2200	2356	Cepipm32.exe	45
PID 2356 wrote to memory of 2200	2356	Cepipm32.exe	45
PID 2356 wrote to memory of 2200	2356	Cepipm32.exe	45
PID 2356 wrote to memory of 2200	2356	Cepipm32.exe	45
PID 2200 wrote to memory of 840	2200	Cbdiia32.exe	46
PID 2200 wrote to memory of 840	2200	Cbdiia32.exe	46
PID 2200 wrote to memory of 840	2200	Cbdiia32.exe	46
PID 2200 wrote to memory of 840	2200	Cbdiia32.exe	46

C:\Users\Admin\AppData\Local\Temp\e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe
"C:\Users\Admin\AppData\Local\Temp\e318dd0fb59cc440832175166b844146a96fdcb34378affdff3fc28a2609525aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Bqeqqk32.exe
  C:\Windows\system32\Bqeqqk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\Bkjdndjo.exe
    C:\Windows\system32\Bkjdndjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Bceibfgj.exe
      C:\Windows\system32\Bceibfgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 144
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
cc4c73a0f964c6c3e93e4d27ca04f8e8

SHA1
5c809f73aef1f3d468c780ba4dcf23b562153747

SHA256
ebafc14056b89a5c3700306bf10130430631a336ce7de1414505bc85818a56a0

SHA512
e5ffd7edc3b75ee36c19922ee4b36096fe3eaf114a458d6a7e6e529038ee748bf905ff4cda0a7dfb38c0ef6dd9554bcc90a3cecbf5cacc94aa75927f1b5d99ba

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
bd5574206aeb7e572d7e955f219f5730

SHA1
7038826f1d4569bde25c7e57d1b2659107705549

SHA256
8e9d801cdf1d5f49342beba7ccc9ebfa2847684247832cd3024ed11ae5725152

SHA512
5d067cd6f2d2a95d405afeefb1a8cecc358e16981a1b4f9c14e6b8fb9327be24243c2d40784795b0397aab4593834aea2c7de5b2bfb91b0238579a0f4957d697

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
84f77d35d602c1ecf40b5c0d59081271

SHA1
4a9f963617c3b96bf03185180610b26fca5d6dfe

SHA256
c64b9ca32364fd9d8e82478f5ebe7b0af6465b0c829c7ade191b7fa72aa41c48

SHA512
a47f2e53fab9c5816d050ba6b42da714b5ad900dc02c869b5ee72a15e812947f6b4b0052ffd0f00bfa3ccb91612e27f11e8093f9205b508c2d2010d526f09f9f

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
0425ebf6b78a9cd8dbcb47135f191c43

SHA1
5bc0033d13fe1447a1e10f62a16a328245d275ee

SHA256
9aae74c5f4e109174726b05387941756cbc2d552a814c1266e4cde185b318f3c

SHA512
4d89dfd62f2097676910dfb8af81da9c009054e8797d68338f86a6fa1cb99f77b60749378e960cfc96b3b3849816f32cc0e7e9b28b15c02cf4ac46778a68fc60

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
e6451a5a35170d9c9341fbdd41f2b2c1

SHA1
2c2449216f599b9bf1e6106b86a54e9b981228e9

SHA256
9b5fe48f4a9e65a41cec1dcecd352ea152e800d73b9365618d61367937b86793

SHA512
d4ac43e6c4e3eaba0fbe89bd967963b5bc12411ae6282e151fdc3a52af440d791f09e44f82a7f200045e07b065e363e4fdbfc1d1ed4b9071b16f1269a9ded05c

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
1d8d89ff6107c774581dc2515e1b066b

SHA1
42ab9c1f33173d3facd4cd54d9f965f6e6ef4f5e

SHA256
e46debc69b82df24b8672b1a49bab92765c9025d6c87fd54767e2e9749f78557

SHA512
3d90c146bdeb91c5ce869a7abdf598aa401bff6726fc4ac9ca96837f47a554606e9785dfd672d1161e74d76b3b4c4e1b639d8e2a9f7b8a18973261e1fe676d65

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
96KB

MD5
3984e35b540108636ba295ddf68d5bd6

SHA1
ae9c52b484fddc759e3517b8aea34af1ec647371

SHA256
e4bafe193dbdbe863c10418abb76c141c14a8de2a75155cf4aef22eccc79d158

SHA512
51c1f261b8be6eebdbc04757fcf51190043caa5e005f961a4fc4d01769a60f5627231e75f5e58455d5f2a690241768b49d883255341978958bd4e37e5392063c

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
20653fb8f5b92ea8892d0ea6e0d6b1b6

SHA1
af4189aed082655e2fea050b90a827b872cfb902

SHA256
980d003b6fa4a83fb8f1b77b3dd1156e0e42e8e54a4950f8824fc044d9083d64

SHA512
a0dd83ff607c72318abbfa8c164f6451d3cced64049be6ad1a77c29aca0f2dd264cc4db24ee4c6e93ef00bd3061a113b62f0b11280a7ac8c5ce35387f2941085

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
83bc32b7d4b602875f46f494eaa025fd

SHA1
a3a8db8f06bc6fcb9e23f096b8766d93ddb9dc0b

SHA256
fc78a67295e64886c504785a040be5a2bf27b1166e8fc95785a6fa60dca20cc0

SHA512
0d3d6c5a5180821c6e9508030fff61478b85bb310868dca171665f214d50aa8faca951e42d7dc199e481f514840ea66027b5f2eb714f0cb3d14867d8ebb8671d

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
a6dbf0edbb87eccd39386de148556e66

SHA1
9ef0b0ebd314e092b96083adf7d0ada32361863f

SHA256
bed713abb03ac75e3c15cfa54362e14424433b8b6b42bd14f566c2b85610ebfe

SHA512
88cffdf4a93e1566423e6e0b3098e77fba99f2d365d507060ab95c0372abc1dfdef040caf19aef188a5b340bed120645a3ee2b36426114b140b9efcddb1a5291

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
3cf4d71931f499a3fe2a42b17df056d6

SHA1
b6345c0194c330fdbe62f1d285242e9f8813fed0

SHA256
b734ef0ff24cb8dc1e881cd08ba0a82d7b146c2782386ce57fff64aaffd9f6fc

SHA512
0b015199f5aeaed182d00b204fa9e160b6019b2ed4b209dc9a562b7c43db218ec0705f8e1a4385c603380069680f942b78f90916c774edf0dc73a523502a1656

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
96KB

MD5
6a44cfacc44cefe5ef78ee9b3d76f146

SHA1
6e9ed6ddb97c8aa32c26d7b9188b6732a17478d4

SHA256
a19244dfaa5e759e51842847ff92fb98eb6b80b17e33643fa24fc196ea7d20c2

SHA512
545c244c0f91b97f523a60f89f2a24ac0df2173d283153fbc69094400560b688411cb961037a8b54ba9f44b5448668f1daa2d508115654d61c60163531d56d41

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
96KB

MD5
4f42d2a0550b0838e69a4ebeeef5e995

SHA1
0e751293a4a9c7d0060aea64a21b6c9bfee830f0

SHA256
116340bc8c4489afb9b89a0fa91f6f032abc5d022655c92d20d228e2ae5c2a26

SHA512
5b34c3014d11cce1c96faba7aea064c2bcb384cd109386361f85b86a22e2578ef9e38c7ef7f8964e1e4186699af137a786025d9c291cd1867f3bedc9058bfdd4

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
c5e8d66e55e90d6f703d9c9ff2307071

SHA1
4a3095d65367066ee7e8f73510efa482a7e6693e

SHA256
6747e7c45ac10b5d97f399cc07d19ebd4172ee6e7fb16e62b67fbdaad6b6993c

SHA512
95a5ead22c12bc9cc36f284a6ec1515799a18618d4daa4efdbdfe4f6ef8aa4b1761980d0141615e0950d51c9e38d99f4a037256859a75b2248fe088064e4806a

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
3b17360dc87424ce52659ee4a9b8f63e

SHA1
cab864848c64a5aece973fe1c3552e94e1b8f271

SHA256
471be2b4dbc2720cc3fa7a5571d45196b95a0b04c8b2d5ad647a7606b4e304b7

SHA512
13b6a5dfebd4d154a43db19483866cd232e4cf32df36e53b919bf258bc0b73edd37816bd3edb3d58f782ab349906d58f95bf31046eb3ced3a2d49c6228706f2f

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
d3d9fec58ec7570a81d4f8dbf14b6b36

SHA1
a660164e7e1690a5fa40ea1e4bcb5e52e88c8fa7

SHA256
a5fd75bf224acbd5e76bf7dfc0116dccad71359ace104d99a7f49a508d445ff5

SHA512
7ac8e1624e0bfcfe3288e528cadf638f50dc2ed57760dd8eb55c4cf4bf3d6895eff9e2066a69d242257a53180f34cb2a54b5e05620127f7b6e970a5a1f245a7f

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
73add124abe8d83f1e912e66b1519b57

SHA1
ef2d012ed774f6b5b8caf0e934d86a3e59c497c9

SHA256
17aa22b4477e5fc5ae69e27ff6b4708066036732a27d4a9578c23e3b39c13273

SHA512
6c6690d8f740bea5b36326c780e417812475fa61fd13f63de1852ae4e7300f822a89cd221ec9356703fe130873f194b08e1c24c8bfa17341029e16ed470ce774

Download Submit
\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
3a3bd15879896dc697a5c368027d8948

SHA1
605e72f5e38cad89423c0cf3a4de9a5da4d3847a

SHA256
9c96469482a7d0fc89bf76420db7f37609724b07c616be26730a4eaca55e688a

SHA512
e9affb538263609b6dca2ac2cb7a9b038fa5298377a9b20f0a64dc748ad889cab9879f0ab67950a319bff7589b4856eb25a76c9157c642c21bc2a23b51b486df

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
c7e2748a6c5ad81a72cda0eaa83c74fe

SHA1
913c0b48595a3024eee2172ae77f2c442a0c6cc7

SHA256
a2e7b738e9b277e57ca3592829edc3e931731fdfc81ea49843e6028457d159e0

SHA512
e68ae9e4fcefee34675b02c1979f905e4d13db320ee0043dc4fffe9091ce537da49fb9e46ba7d3575678c95db9b589bed59f9aa79c1849095583d3e35c449524

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
2b9652f91db8c5566b32f5085ce66b3c

SHA1
b755489f8c7970145cc97cb7d916642633d682ca

SHA256
6fe8f391e5a8b40d05fdf4f18f5925c1d8bb22ee82c8b9cbff02c72a7ab91076

SHA512
b2b6862a865cfa67fd6139e65a2b989eaea2e62aa629c8057f40fe78c0e0a389d53ffa5092b925e329992301bf3581dd1e1dd48e4b1e5901966996ee6aea00e6

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
d230a59197b0a32b7199545051b34cb4

SHA1
af6f0a080686fcba286ed5e3221b7f21181ed25c

SHA256
1b8283062a9fc1ba7d6464faa4397a49b22f80b553d9fca4347956b03a0373ee

SHA512
2a99808d31d90ce4fc4b13b2547dee9fc3129cfbf93a158f71caf622db9802496b8e666564c861690601e54ce3bdd5a7c28d76b40535b0773455124ad0efd8fe

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
a3f274fcbbd496f40cf12ffab7495745

SHA1
431c23f72c1fa315e9b50d4d0381f2135b25a594

SHA256
4fd2d0f9a863332df6b8c691d465f8cde5e4f5fc2848dc41310242dd9b953dd6

SHA512
15881eb26ef2edc0091b4e3a32c43e26ece5342af967ad984a92808b5c28eeed867e7359ed8d996cd694eb9d813f673b0cff551f09a2b39d9ba3ee743c7a0479

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
f1f5b03342373556222b51c98816e8ba

SHA1
910d4b5f065c274b164596707df3dc1eb72fd816

SHA256
fbc2009ffc43986f4e46b5723aba2729e13a3e0b5150c22b0c457368b2663b7b

SHA512
c7cd31a75a172f86f64cf2759cf07ef7a272514a783703827ecb36c5caa549e32c519730b59e7fc6283da4c683516e9b699c15a4623d19d84c471ce7f008b50f

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
96KB

MD5
46841eeefa5c59d5b3f6651d538c4f57

SHA1
d5b1e06eaacc214913d57cf392aa8d2fc6c28a54

SHA256
1141a84f3acb0644ce97473004edcfbc21d61419eb2222cffb4efb1a9c51f685

SHA512
3288ea23718d7797e048fc2eff4cd871195bfffdbcd80d454d652ce7827c55c42c9d93a2bf49f7717f80c09d9c2dccc680545f82ac598ff8e2a59f9ceca9736a

Download Submit
memory/308-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-260-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/308-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-223-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/840-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-142-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/876-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-242-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1756-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-292-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-279-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-160-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2256-21-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2256-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-27-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2276-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-115-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2276-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2312-13-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2312-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2356-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-202-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2620-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-233-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2632-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-89-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2656-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-36-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2832-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-80-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2900-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-174-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-173-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads