berbew | 3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731a

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Size

72KB
MD5

b10caffac34a38ab5521493a45425440
SHA1

95bc8d18d92ef4a7e61e45bf47243133813b131b
SHA256

3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731a
SHA512

fbdc8e6195dfebbcd0d57abf44e199e1b736878e37cbcf762c0e4cfeedc580c9d686ba835c42af3dd504aadfccc6aa5da474e16ab07a4068f5e3c836c06b5bfd
SSDEEP

1536:3DUNRiCrkphDElEdJ39jwdtZmTHCi3PPaLbFA1oI5b5mH:zmiCrkpRtJ39jatZmmWPPav4oe5mH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2216	Bniajoic.exe
2800	Bgaebe32.exe
2688	Bgaebe32.exe
2592	Bchfhfeh.exe
2628	Bffbdadk.exe
2740	Boogmgkl.exe
764	Bjdkjpkb.exe
1992	Ccmpce32.exe
2892	Cfkloq32.exe
2672	Cocphf32.exe
2888	Cfmhdpnc.exe
2936	Cgoelh32.exe
536	Cbdiia32.exe
1652	Cinafkkd.exe
2220	Cnkjnb32.exe
2020	Cgcnghpl.exe
1660	Cnmfdb32.exe
924	Cegoqlof.exe
296	Cgfkmgnj.exe
1420	Djdgic32.exe
2348	Dmbcen32.exe
2236	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
2216	Bniajoic.exe
2216	Bniajoic.exe
2800	Bgaebe32.exe
2800	Bgaebe32.exe
2688	Bgaebe32.exe
2688	Bgaebe32.exe
2592	Bchfhfeh.exe
2592	Bchfhfeh.exe
2628	Bffbdadk.exe
2628	Bffbdadk.exe
2740	Boogmgkl.exe
2740	Boogmgkl.exe
764	Bjdkjpkb.exe
764	Bjdkjpkb.exe
1992	Ccmpce32.exe
1992	Ccmpce32.exe
2892	Cfkloq32.exe
2892	Cfkloq32.exe
2672	Cocphf32.exe
2672	Cocphf32.exe
2888	Cfmhdpnc.exe
2888	Cfmhdpnc.exe
2936	Cgoelh32.exe
2936	Cgoelh32.exe
536	Cbdiia32.exe
536	Cbdiia32.exe
1652	Cinafkkd.exe
1652	Cinafkkd.exe
2220	Cnkjnb32.exe
2220	Cnkjnb32.exe
2020	Cgcnghpl.exe
2020	Cgcnghpl.exe
1660	Cnmfdb32.exe
1660	Cnmfdb32.exe
924	Cegoqlof.exe
924	Cegoqlof.exe
296	Cgfkmgnj.exe
296	Cgfkmgnj.exe
1420	Djdgic32.exe
1420	Djdgic32.exe
2348	Dmbcen32.exe
2348	Dmbcen32.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Oabhggjd.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	2236	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2216	824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe	31
PID 824 wrote to memory of 2216	824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe	31
PID 824 wrote to memory of 2216	824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe	31
PID 824 wrote to memory of 2216	824	3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe	31
PID 2216 wrote to memory of 2800	2216	Bniajoic.exe	32
PID 2216 wrote to memory of 2800	2216	Bniajoic.exe	32
PID 2216 wrote to memory of 2800	2216	Bniajoic.exe	32
PID 2216 wrote to memory of 2800	2216	Bniajoic.exe	32
PID 2800 wrote to memory of 2688	2800	Bgaebe32.exe	33
PID 2800 wrote to memory of 2688	2800	Bgaebe32.exe	33
PID 2800 wrote to memory of 2688	2800	Bgaebe32.exe	33
PID 2800 wrote to memory of 2688	2800	Bgaebe32.exe	33
PID 2688 wrote to memory of 2592	2688	Bgaebe32.exe	34
PID 2688 wrote to memory of 2592	2688	Bgaebe32.exe	34
PID 2688 wrote to memory of 2592	2688	Bgaebe32.exe	34
PID 2688 wrote to memory of 2592	2688	Bgaebe32.exe	34
PID 2592 wrote to memory of 2628	2592	Bchfhfeh.exe	35
PID 2592 wrote to memory of 2628	2592	Bchfhfeh.exe	35
PID 2592 wrote to memory of 2628	2592	Bchfhfeh.exe	35
PID 2592 wrote to memory of 2628	2592	Bchfhfeh.exe	35
PID 2628 wrote to memory of 2740	2628	Bffbdadk.exe	36
PID 2628 wrote to memory of 2740	2628	Bffbdadk.exe	36
PID 2628 wrote to memory of 2740	2628	Bffbdadk.exe	36
PID 2628 wrote to memory of 2740	2628	Bffbdadk.exe	36
PID 2740 wrote to memory of 764	2740	Boogmgkl.exe	37
PID 2740 wrote to memory of 764	2740	Boogmgkl.exe	37
PID 2740 wrote to memory of 764	2740	Boogmgkl.exe	37
PID 2740 wrote to memory of 764	2740	Boogmgkl.exe	37
PID 764 wrote to memory of 1992	764	Bjdkjpkb.exe	38
PID 764 wrote to memory of 1992	764	Bjdkjpkb.exe	38
PID 764 wrote to memory of 1992	764	Bjdkjpkb.exe	38
PID 764 wrote to memory of 1992	764	Bjdkjpkb.exe	38
PID 1992 wrote to memory of 2892	1992	Ccmpce32.exe	39
PID 1992 wrote to memory of 2892	1992	Ccmpce32.exe	39
PID 1992 wrote to memory of 2892	1992	Ccmpce32.exe	39
PID 1992 wrote to memory of 2892	1992	Ccmpce32.exe	39
PID 2892 wrote to memory of 2672	2892	Cfkloq32.exe	40
PID 2892 wrote to memory of 2672	2892	Cfkloq32.exe	40
PID 2892 wrote to memory of 2672	2892	Cfkloq32.exe	40
PID 2892 wrote to memory of 2672	2892	Cfkloq32.exe	40
PID 2672 wrote to memory of 2888	2672	Cocphf32.exe	41
PID 2672 wrote to memory of 2888	2672	Cocphf32.exe	41
PID 2672 wrote to memory of 2888	2672	Cocphf32.exe	41
PID 2672 wrote to memory of 2888	2672	Cocphf32.exe	41
PID 2888 wrote to memory of 2936	2888	Cfmhdpnc.exe	42
PID 2888 wrote to memory of 2936	2888	Cfmhdpnc.exe	42
PID 2888 wrote to memory of 2936	2888	Cfmhdpnc.exe	42
PID 2888 wrote to memory of 2936	2888	Cfmhdpnc.exe	42
PID 2936 wrote to memory of 536	2936	Cgoelh32.exe	43
PID 2936 wrote to memory of 536	2936	Cgoelh32.exe	43
PID 2936 wrote to memory of 536	2936	Cgoelh32.exe	43
PID 2936 wrote to memory of 536	2936	Cgoelh32.exe	43
PID 536 wrote to memory of 1652	536	Cbdiia32.exe	44
PID 536 wrote to memory of 1652	536	Cbdiia32.exe	44
PID 536 wrote to memory of 1652	536	Cbdiia32.exe	44
PID 536 wrote to memory of 1652	536	Cbdiia32.exe	44
PID 1652 wrote to memory of 2220	1652	Cinafkkd.exe	45
PID 1652 wrote to memory of 2220	1652	Cinafkkd.exe	45
PID 1652 wrote to memory of 2220	1652	Cinafkkd.exe	45
PID 1652 wrote to memory of 2220	1652	Cinafkkd.exe	45
PID 2220 wrote to memory of 2020	2220	Cnkjnb32.exe	46
PID 2220 wrote to memory of 2020	2220	Cnkjnb32.exe	46
PID 2220 wrote to memory of 2020	2220	Cnkjnb32.exe	46
PID 2220 wrote to memory of 2020	2220	Cnkjnb32.exe	46

C:\Users\Admin\AppData\Local\Temp\3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe
"C:\Users\Admin\AppData\Local\Temp\3fa1a97bd1f5e5c5e034ae380431582dbffae009cb4819bbd0d6907849bf731aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Bniajoic.exe
  C:\Windows\system32\Bniajoic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Bgaebe32.exe
    C:\Windows\system32\Bgaebe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Bgaebe32.exe
      C:\Windows\system32\Bgaebe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alecllfh.dll

Filesize
7KB

MD5
d035ae09f05d85d022e60936dda3d49c

SHA1
418319c348e548e90cf5da79bfc00425cb3cbb4f

SHA256
046b99c71c9ab4b9f6993cc9ca5d4cbd4d6ba67ec7a1f5f73e278559ad794cd3

SHA512
4709080914ba53695516bacedbfdd7fa18a9492c3c780e91880914fcc4801cbea122cf31d86196ebfee1fcbc345ee266f5e420e2a69dcf1f0b97bd74c1c7015f

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
72KB

MD5
0eda34004310687c172f12b55cd1ab77

SHA1
bf8410703026e50b514d9faf5b1b109efb161f94

SHA256
1758a46cee3e5aa786973ebc7fb76070c74c9fd0588f961998f52b7015055dd7

SHA512
1c031df22d9a8d924817b46d8c817085d47058de13eb38769b8aba8a665528664639014c4bedc282ea1b7a409c4d3c568f4805eada66b29fff1eeecb02a32ec6

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
72KB

MD5
3a6b54ace53511fc41d4c356e056f14c

SHA1
5958fff797889cd79c3063e40490ef3aacd4d7aa

SHA256
8c9526a2343af11295729bd4b7570d995b73521f199ebadf2500d8de00b80187

SHA512
57eef5c728eef78c63eedb01e2d158f93b65cf24f2a9e90053b238113bd9d711f2424ed05d08e2c4421e7bc82024c7dbc2424e851a9a91c883a3d35c1eb9ac91

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
72KB

MD5
752513477a5098df2130539b33c50f04

SHA1
c73ddc0af39750a098ddb2d27fd5f8bacb1e3000

SHA256
7bec51e3c9b2e2033acfec097cf7dcc44a6ed977d30237ce63f37bbeb6158ac6

SHA512
ccae366ebac5f93dc5c00792a56d257bb6e5fa60932f41bd3695b3e506a84f528613aa606babcd8625eefa259310086b73c4cd06b11ffd4ba32214b35c62e6e0

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
72KB

MD5
d272a8e2600c3a109b5edee57e00406a

SHA1
0494e425a0e62f3f4a33b62b0c49a0ad71cf0e7d

SHA256
d1eabf94a80e500052239cf510e0bb33982eabfb91eb039a13aed7d8ed5748ca

SHA512
a44fd34495337564f02d5fd0a1abf280f600ea258d951e7d57480648100ba123a9cf534526f27bb2398acef8679a470ae94a5d0bc189a1005693058a2143379a

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
72KB

MD5
d70ff245f6c704ac6e8e208f9152ede8

SHA1
5ef1e5977fa93ecea1952f6177654774749782ba

SHA256
01c098b16319563ecf10cb927968df1498c753832ef8540ca05c7b8d898d3a72

SHA512
00bff481b1627b27cd475ecfa755f349ebb078e151086cb5b8c25502afbdd78b1a54a379676cc119f911f8a67c06d093132105e5e6aabf262ff460523ec499c2

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
72KB

MD5
5a537a6684ec3f8198e0024e7094b138

SHA1
598dcea4a4e8b9b20c1d9725df8000f834f1e7d9

SHA256
8274bd1cc5d60e99ceefed0b9de3a2923c16bcff20cd860d541674ba43303304

SHA512
85f60421bd10af67f6f67c5101a4b4ebd5fb7e661d946b51979b578d08b78e2ce492af95f61cd950111d93a2579deeb1b9d15dbfc97cf2f83f53f157883ba32b

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
72KB

MD5
de43a89cf4650e83970ecc67b6941a58

SHA1
d89a2b12cd79dbf51dc7e2a574301d52adb1eaa8

SHA256
20a567776ac56ff79fae6524c874156f46a667f216e06e30974de4ec16a667d0

SHA512
d557114c19add6c6a46dcf0f0d403a5ad6e4b6e430bd6b8d0c369b2a324d7a4e3eca150d30f95d1b795e39bc1e84421762a5aee1ae76f51a258d2632da314789

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
72KB

MD5
0ae9bf8d264d62466e904557451c1157

SHA1
59eee2e16776d11c9d729437ba2e2273052446c1

SHA256
a94d7a458ae2045b1930e8286b2a553d98218a3c8062f88b2b31b2e46711d821

SHA512
6d2acae530c1d2a91dfd8373afc8757b1e08481c70edffd592d1a160dadca321bc0a92c8d913959c5302f136decdb0bd4e37d2b8fd592ebb2363eba16a9b5a76

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
72KB

MD5
68742e83b656cf6be4f3bc8fbfe9476e

SHA1
e9919da4031d086a2995ea6b1cc55125d5280ce7

SHA256
7f42404b1b55eaf69b3860d47dcd3785b2b0beae9f491ff396969d9b02a8c1b6

SHA512
fb3d4d5ddeda0de4c342687a0d10e679eb9a530c6cc9b6c3eef2dc728ff1c33356c733ad973c4a205ddbdc3756c8fea570b71fc1214f3723aaaed2631ddc2462

Download Submit
C:\Windows\SysWOW64\Oabhggjd.dll

Filesize
7KB

MD5
afb6bcb6a2b0a4bd5304fa094ca7e76b

SHA1
80e8d24d459884c73932597d498229bddaab8865

SHA256
6fba421b3228b5cc5dbcaa7156d8bb4b0ecdd3a7c387f42f136c2fea6ae670d6

SHA512
7dee756b4161aa1467dac4c6d2ab00b92d61d1d8d09c5e5a58c4eb6180e2b560c8a5c3c584857c5071858e8be456735b4ea30353744d7d461b7c9c937e62b186

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
72KB

MD5
32307f1749395634b495ca5540962120

SHA1
dc524626269fbc1a37cb1c9373336a65c896c944

SHA256
76dda4e3f8972b9fd6ccbb533b6c0785c0d73457ba3cdb56bda605880d7e9431

SHA512
5a7c81372c6b1980ab770ab8f8e52510337d5adefdba2270f34bae5e037ad2a4f8e35cfc21043c5f2c650264dc5c0c653889c097b57bdfc9f3dbb04c6f92156c

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
72KB

MD5
c7d5ec95de53265f6d0c4a46fb760d12

SHA1
c8ee495238202114e5b668db79a502b123cf301f

SHA256
5ee4ade2b1e13a9c5812921b704e18134582cfe00fd41948abe84ad196dd8d0f

SHA512
01673474c8b73c87f7b404f0e7ac1a5026915f0e97a13e58e3611291614224901267ffe8f5ded1dc78a241b1f041f6e884dd6c9324409cb7c65878ae5199033e

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
72KB

MD5
7715c4acb509eca4bfe9bbf976851c06

SHA1
bca0d3dff1ad1d080b245d3fbb0892927f842b15

SHA256
c77c7903f8e65c278c521f616ce1eb025e9a1eedb0ca9275547143889524aea1

SHA512
2d4b5eca8cc05111085854e1f224b0577181a641669933016cafb4cd511efcefe8e3b0c8b9fbb718992e8a8adea9d7c03b73f8a3307cd04f8dda22b9c9c99435

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
72KB

MD5
93a3ecbcfb8e9755e9f26d8afbbe0f91

SHA1
51ab72de9f6019304dc99de11b7d6e1c29bc41c3

SHA256
f5cff4bcbba2928adcd8db118a082de174ef74d40ffaf3f0e8881483771c0ca1

SHA512
dd8dde2d2bda12520ae1822285c56ffcd146029288ad5b340d7b493a4ce63a0792b8c93cd23c8f086d730ded3f1ec28284361246195723eb986d066db13d9bba

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
72KB

MD5
1914ff8fe3c1030e66af5d116017b791

SHA1
8eb1938149a40ecfe4e55893eea88660900b73f8

SHA256
90b8328906c90a63ad759fa1a236df8c02292558ae258f88a9f4f1dd1c6013c8

SHA512
c1b91ca5d3fc256889bf96f37fdc5a6f853968d5816dc5f605019ce3707b693fa59b91b51569871c12460e9181f9db3b343b5b0065b85fd2ea10b8aefd367acf

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
72KB

MD5
b5d137749eb583bb2500b3491c97c94e

SHA1
e4b1a09787d03967ca659e1b4afb267825d1951e

SHA256
d678537a5002a85f42b874be10a7a8cd0a94cf369b1401c2e106510224794fed

SHA512
faf0de19ef8d9784536b4798ee3ad1e3d32c80cd531352012bb10786a0114b9d1d9dfef7a7a0278b8b61dbeb7b7dd0ce32c31162edad1c7a9bbab373ba8719d1

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
72KB

MD5
7e22945b9bbaf979cf1b10d7a982c239

SHA1
2de414e2425e09880cbae4d8209694ae93ad110c

SHA256
5981873f4b15714af7e2f759eb2d9ab5bab05f0a62680e2128e301329f1b08ea

SHA512
956c84514ffc8cc628af29f847ca1ef607eca807ad62d50e143484b6057a49c552618e1e31c3d8398320186450312f97000581309e836db9dbb68122d2c05d18

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
72KB

MD5
f60ff1c03d475b935565f0dd6e6cc490

SHA1
7000333e20b4bed673f65aad869632536024c2e7

SHA256
050a9d9c34e0ab50da0b8c6814bce0f5b083ebeeadf7923de5c4a145113b33c4

SHA512
e89aa68cddc65133acedec36bdf1ec322e2bf3fa6f533bd3ad584fd9a88f5071d47346120eee40ce93f38a780ca6697df6130a2876a13518514d5663e3626605

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
72KB

MD5
3033d96c06282c8991a3bb15459f860c

SHA1
0efc9a2a2949debe74813bdc1f9b8469ecb862f2

SHA256
f298b000e3b93c243b95524f0f0be2b1ffaffe2f94e9fc8f1ce905f518d9c71a

SHA512
c8536e9b99e01b21ef1d4adc24c010f9e9b208d68a98899cd282f65a40992c7c4f4979ab3ad1afa285c68e8e5e992c06ceef72d25e89bf12f0e13883689a77a2

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
72KB

MD5
947c8d79a9a5af11b4ca2bbdd8b93bcb

SHA1
9cfcab0cbfd1c5e3e0026f1fbec5231cc25c3544

SHA256
33e2e99b7d6f9193281632844b950eee61a620ca33b2e2a5273415cbc87f68f7

SHA512
a771ba423f5275452023d72a5db480369bcd7deb71c01e9c0c1968be150123feae7058e805871baec26f69787757ed73c0947bf5f2c0f3800c6cbf194f611d5c

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
72KB

MD5
e34941f80d3c4addbdf315dc9c94a3cb

SHA1
168817dfd750ea83bc2bd7b277244136de37bdf6

SHA256
73dc2bb4d35df07d06321876f90150efb6f272bee809ab06b7c27fc61bb83372

SHA512
ea630b293b29f771a04d9e58ef8485f381f9a4d2a4acdd85012c832e3849fd2c6dce55cf453cfd9044ce4715f28ca837ba0912a387ff9b83fdef6bb5ea0cdf8f

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
72KB

MD5
f8604914e0dbfe61401009df2a63e81f

SHA1
3c93bd019ddbd580ec4fed353951796283819e23

SHA256
708473d2270ddd12c1a246112f4531bd96666813aad44b950aadc7a2b3374ff0

SHA512
ff432baab5099040c3ac95da03099547e9f882ff565c139502df8d8f6bccceb33deb90def0cd973a85d418e19d5dd4e5b963bf4367b1957acbab3d0493b5fcac

Download Submit
memory/296-243-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/296-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-176-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/764-99-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/764-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-193-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1652-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-225-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1992-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-207-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2236-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-262-0x00000000006B0000-0x00000000006E4000-memory.dmp

Filesize
208KB

Download
memory/2348-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-72-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2628-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-46-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2740-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-149-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2892-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-122-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2936-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads