berbew | 5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Size

94KB
MD5

dd55f8800196e9b7ddc190f081e939c0
SHA1

766e4cce63123cfb3a3c4618e6d13381e21b9d42
SHA256

5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3
SHA512

e396f4904c1ebdd93a1cb2b5293b926b1c77af40e3c01defae4ca8b05c6c83a54474b0e32b9de07b4ed929c697f8919626bd012e81887255f1c0922e0f6c0420
SSDEEP

1536:pY/zzym7GHREN/Fs8aPQp+vn945Skeq4Qf3k7BR9L4DT2EnINs:+/vym7lDaPQpWn945SQk6+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
868	Aficjnpm.exe
1728	Agjobffl.exe
2440	Abpcooea.exe
2888	Bnfddp32.exe
2800	Bccmmf32.exe
2636	Bmlael32.exe
2624	Bfdenafn.exe
2032	Bqijljfd.exe
1480	Bmpkqklh.exe
332	Bjdkjpkb.exe
924	Coacbfii.exe
1408	Cenljmgq.exe
1080	Cbblda32.exe
2984	Cgoelh32.exe
1928	Cagienkb.exe
1256	Ckmnbg32.exe
1468	Cnkjnb32.exe
604	Clojhf32.exe
564	Cmpgpond.exe
1632	Cgfkmgnj.exe
2556	Dmbcen32.exe
2176	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
868	Aficjnpm.exe
868	Aficjnpm.exe
1728	Agjobffl.exe
1728	Agjobffl.exe
2440	Abpcooea.exe
2440	Abpcooea.exe
2888	Bnfddp32.exe
2888	Bnfddp32.exe
2800	Bccmmf32.exe
2800	Bccmmf32.exe
2636	Bmlael32.exe
2636	Bmlael32.exe
2624	Bfdenafn.exe
2624	Bfdenafn.exe
2032	Bqijljfd.exe
2032	Bqijljfd.exe
1480	Bmpkqklh.exe
1480	Bmpkqklh.exe
332	Bjdkjpkb.exe
332	Bjdkjpkb.exe
924	Coacbfii.exe
924	Coacbfii.exe
1408	Cenljmgq.exe
1408	Cenljmgq.exe
1080	Cbblda32.exe
1080	Cbblda32.exe
2984	Cgoelh32.exe
2984	Cgoelh32.exe
1928	Cagienkb.exe
1928	Cagienkb.exe
1256	Ckmnbg32.exe
1256	Ckmnbg32.exe
1468	Cnkjnb32.exe
1468	Cnkjnb32.exe
604	Clojhf32.exe
604	Clojhf32.exe
564	Cmpgpond.exe
564	Cmpgpond.exe
1632	Cgfkmgnj.exe
1632	Cgfkmgnj.exe
2556	Dmbcen32.exe
2556	Dmbcen32.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	2176	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 868	2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe	31
PID 2420 wrote to memory of 868	2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe	31
PID 2420 wrote to memory of 868	2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe	31
PID 2420 wrote to memory of 868	2420	5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe	31
PID 868 wrote to memory of 1728	868	Aficjnpm.exe	32
PID 868 wrote to memory of 1728	868	Aficjnpm.exe	32
PID 868 wrote to memory of 1728	868	Aficjnpm.exe	32
PID 868 wrote to memory of 1728	868	Aficjnpm.exe	32
PID 1728 wrote to memory of 2440	1728	Agjobffl.exe	33
PID 1728 wrote to memory of 2440	1728	Agjobffl.exe	33
PID 1728 wrote to memory of 2440	1728	Agjobffl.exe	33
PID 1728 wrote to memory of 2440	1728	Agjobffl.exe	33
PID 2440 wrote to memory of 2888	2440	Abpcooea.exe	34
PID 2440 wrote to memory of 2888	2440	Abpcooea.exe	34
PID 2440 wrote to memory of 2888	2440	Abpcooea.exe	34
PID 2440 wrote to memory of 2888	2440	Abpcooea.exe	34
PID 2888 wrote to memory of 2800	2888	Bnfddp32.exe	35
PID 2888 wrote to memory of 2800	2888	Bnfddp32.exe	35
PID 2888 wrote to memory of 2800	2888	Bnfddp32.exe	35
PID 2888 wrote to memory of 2800	2888	Bnfddp32.exe	35
PID 2800 wrote to memory of 2636	2800	Bccmmf32.exe	36
PID 2800 wrote to memory of 2636	2800	Bccmmf32.exe	36
PID 2800 wrote to memory of 2636	2800	Bccmmf32.exe	36
PID 2800 wrote to memory of 2636	2800	Bccmmf32.exe	36
PID 2636 wrote to memory of 2624	2636	Bmlael32.exe	37
PID 2636 wrote to memory of 2624	2636	Bmlael32.exe	37
PID 2636 wrote to memory of 2624	2636	Bmlael32.exe	37
PID 2636 wrote to memory of 2624	2636	Bmlael32.exe	37
PID 2624 wrote to memory of 2032	2624	Bfdenafn.exe	38
PID 2624 wrote to memory of 2032	2624	Bfdenafn.exe	38
PID 2624 wrote to memory of 2032	2624	Bfdenafn.exe	38
PID 2624 wrote to memory of 2032	2624	Bfdenafn.exe	38
PID 2032 wrote to memory of 1480	2032	Bqijljfd.exe	39
PID 2032 wrote to memory of 1480	2032	Bqijljfd.exe	39
PID 2032 wrote to memory of 1480	2032	Bqijljfd.exe	39
PID 2032 wrote to memory of 1480	2032	Bqijljfd.exe	39
PID 1480 wrote to memory of 332	1480	Bmpkqklh.exe	40
PID 1480 wrote to memory of 332	1480	Bmpkqklh.exe	40
PID 1480 wrote to memory of 332	1480	Bmpkqklh.exe	40
PID 1480 wrote to memory of 332	1480	Bmpkqklh.exe	40
PID 332 wrote to memory of 924	332	Bjdkjpkb.exe	41
PID 332 wrote to memory of 924	332	Bjdkjpkb.exe	41
PID 332 wrote to memory of 924	332	Bjdkjpkb.exe	41
PID 332 wrote to memory of 924	332	Bjdkjpkb.exe	41
PID 924 wrote to memory of 1408	924	Coacbfii.exe	42
PID 924 wrote to memory of 1408	924	Coacbfii.exe	42
PID 924 wrote to memory of 1408	924	Coacbfii.exe	42
PID 924 wrote to memory of 1408	924	Coacbfii.exe	42
PID 1408 wrote to memory of 1080	1408	Cenljmgq.exe	43
PID 1408 wrote to memory of 1080	1408	Cenljmgq.exe	43
PID 1408 wrote to memory of 1080	1408	Cenljmgq.exe	43
PID 1408 wrote to memory of 1080	1408	Cenljmgq.exe	43
PID 1080 wrote to memory of 2984	1080	Cbblda32.exe	44
PID 1080 wrote to memory of 2984	1080	Cbblda32.exe	44
PID 1080 wrote to memory of 2984	1080	Cbblda32.exe	44
PID 1080 wrote to memory of 2984	1080	Cbblda32.exe	44
PID 2984 wrote to memory of 1928	2984	Cgoelh32.exe	45
PID 2984 wrote to memory of 1928	2984	Cgoelh32.exe	45
PID 2984 wrote to memory of 1928	2984	Cgoelh32.exe	45
PID 2984 wrote to memory of 1928	2984	Cgoelh32.exe	45
PID 1928 wrote to memory of 1256	1928	Cagienkb.exe	46
PID 1928 wrote to memory of 1256	1928	Cagienkb.exe	46
PID 1928 wrote to memory of 1256	1928	Cagienkb.exe	46
PID 1928 wrote to memory of 1256	1928	Cagienkb.exe	46

C:\Users\Admin\AppData\Local\Temp\5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe
"C:\Users\Admin\AppData\Local\Temp\5d302fa0f6f483795f1bfc1c42d24e15fc5420b390cd1b9e8675b686ed1ae4a3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\Aficjnpm.exe
  C:\Windows\system32\Aficjnpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Agjobffl.exe
    C:\Windows\system32\Agjobffl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\Abpcooea.exe
      C:\Windows\system32\Abpcooea.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
94KB

MD5
034dec35b966892a49b0941605c6a1e9

SHA1
248340877c0b409aac80abbf763bf27ca37fbba9

SHA256
d8d7d9413d86b65406ba0a66698838f828e21b40feddcca619f148f57decf80f

SHA512
c312fe1cd1a8400c8d3b5cc659c1cc255f8e16d732f688f57c08de7889c63c9378725103c509ea2fb0da895565f3cf0a8b04262c03fbab650372099aa6addba6

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
94KB

MD5
57693aea4672c0bce0756f20a4e42385

SHA1
187fd0bfab8f060e0ab41308dad61685ca1499b0

SHA256
0d0ceccdccc63fa0671052a060f36b0ae8c302731c15d27d380dd454e4d0c676

SHA512
26485068f4a87b1b7968eaa833456dd7cd09959769b3362abc4b53ed7460ec725685e4072841419907c9f860f87d384c136f9131de5d3bd46e87564f6cadfc63

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
94KB

MD5
fef05e14e58736971cd6de4d6339546e

SHA1
816c443176935827f87acb364b3372b933f0d5dc

SHA256
dd173dc647fabe8e54b52f6b1210a52904a99ab170657920068f0de4f3fde7f3

SHA512
c3c850bd6ff541817763a2350b8f1c2da8fc5d189f954baf623141666eb484c1a7820eb6b2908017db0df5d0e09b440647bb3fdf7c29f0a64c3732c939a6fbc0

Download Submit
C:\Windows\SysWOW64\Bifbbocj.dll

Filesize
7KB

MD5
a1ecfbe49dbcd7351b6e39b167f73834

SHA1
b0e95435558c8d4ab7c8aabf8e37ae32a1ed77b9

SHA256
bb10bd821596f4a7f43f089e5e67bf65ac0ea6b34f800daebbc7fb551ec5c5e2

SHA512
853c53ce00a4bc0e798a2e5860f50a06489a44df8fe3e6ebd74625e75626de74e2fef104126a52ac5f32e6a852a6882f9660f57cf3d6ab4c8a7d0e2fcbed0202

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
94KB

MD5
8f34c1eed838e7bcca6cf411074f659e

SHA1
08bc1a0fc6339ab886816bce44b48bba44fd3e4a

SHA256
0097c573986e7df3e4c7d3f77f48298853abc87585f74dd1a70e84f1800f609f

SHA512
07753a97850914e1bbb535d9ee5a782536c5cdf6802eabc74a688ef4f948f66e0137a94eaaba4e8612f4a27235d3797685ab42a9d572fe53bf442022db840c00

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
94KB

MD5
d9f15827fea0bdf501108dd5fe3510c0

SHA1
398a39e0d1d9f4ee528879975b47dce384cd02cc

SHA256
933f2ad4fc80340dffd7735022692fcda6f5c3728f8ad6ae2931656119c4ae99

SHA512
6d36a8beba76304fb5ec459992b79014450c7acfca6381afdf632e39700822e5848dc202d52cf2d1839c40eb497a5d2693d21c0458e9bcf1d0010793914599a1

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
12064b0b8740830180bd106325b04c06

SHA1
d0c01c4325a696cb80762af406e671f53485af62

SHA256
cd23968b2778bffd44068e5e82f3a6ee1daae87eeff0ea0f3e83027726356784

SHA512
419db131a3399d2fd2a0b5fd4925189e72b731e5bf0c021a4034c2340fc972aa9e2680372f958d763f997849865cdec2544cc379a2e92152b83a4ffd7322cc56

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
94KB

MD5
9ca44399cf5e56e9b5d9c04c332548b3

SHA1
e2adcc38f8083bd1853ae704309487602a70e99b

SHA256
1c0bf36209eff7fb7e00663780be674871f7903650c8eed0823e436b1095714e

SHA512
9510a12a24eaf7a2ec6ab71990c4f0192e3d658816378c1f53030c4ee96c61ef98a720b818a8e61fc389ac6a5b29ba0ef69a69bd8f166cf525c6f7f32f91c720

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
94KB

MD5
3d9cbf600f79796796b170797bb8ac8b

SHA1
4527615f19abccf54200cd6c4dad2a44d5069b08

SHA256
0499a8ac198a01b373192388e6d9f172f206f4e069522b4418252acf06054e47

SHA512
03962d052d398dc6aa46bda8cf611b24c57bf03969b54b3c6f2319f3a8060502d9e13657711b8a8e2aca38618ee25b47673009dc4ad228c5f076fdc3a4c0c407

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
94KB

MD5
ada3747b6a83e064e6cc985513b89f1d

SHA1
bda5b4305c535cde9893a4e718a121a5a418b3b2

SHA256
bf21f692f5fd4250c24fe4432c2676d7b645689bc3927f11c83206abdd40fa6b

SHA512
5d0935c77bfddc0abdae64fb820da098f8ccb2181f576c30956e76dd7f1c6ec8f1ab843a7711efb27670992a303c0d731c2902dd68170beb893a115c5ed4a0e2

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
94KB

MD5
fffaa3fa501696c2eac0010e6a5cf212

SHA1
9845253b5d70ee62de470402524fbf823e1aa478

SHA256
248ddc8c7015c7a57ea5dcdd5cd48a68618653f82c0efabbaf4af9f75b0cd938

SHA512
f99a2d5ddcd76ed2e66513bbb16af3f4522b3290e6aa19c9eb06bc28f93fee83b0f11231687986f52cb110283f6d1f2e2525aa0794a4fa034ec8d11e9f88d56d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
03d1588fb90e1138b8f93a0be4cb3694

SHA1
933bcf0bbbed5a084149f025d6e3df6012386a6d

SHA256
e88d095f87466d96e5c5795708514f9fb3cf73d01d0008f4c238a5a28b46ed12

SHA512
8db46c116e84f2c5812dbe4f3413487755cf730aecf467a607b4f73d9074e75c37d99f5f3b6f08511b22c6494f30d5d5251f3d9aea7a0c601c7e1e256dcf4f6f

Download Submit
\Windows\SysWOW64\Abpcooea.exe

Filesize
94KB

MD5
0a8ab2e4af6aac5841d9b12c87b9606d

SHA1
7b846f2c8fd40093887132ab7f007283d303ed40

SHA256
dcb2b20801d31eadc09d760ea7c0a0fd8bef90c647c2a6c8ac4061c66c6bf17a

SHA512
c4616debf5d89d49b6c8ce88267ab0b32747c138862bb97b592cc8d1d7e8a1192000a6779809b840af5f3e066e8385bffc5ff8d3b1683f26bace67bfcc607d31

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
94KB

MD5
a14124e043fc64bcea22dffcf77b9abe

SHA1
522b99da9844604974bafcfe249af391dc35a4a8

SHA256
ac28ba2c175aff272ea296c848f525434b99db2cb28aac6dd20258c1a2f55f1b

SHA512
7b6a4d3effbaea67a850bcb0ed3288358326bd18834e4923e1c12a710d2bedda8abc5040bb547a3fa71b9fbc0f52e16c0513a9c242e811b1919c45780a0ef0e0

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
94KB

MD5
32713d9a5cb4dd903939cf90d3c12387

SHA1
cdd55d292df9fd1b8656f23faf424efd97610983

SHA256
03f463e1fa57faf49b992a65dfc7c78a8e3c2456c7004fa48e0138dacf52a648

SHA512
f9ac28a8ca19dd047a4f3cab7361dbe20bd6af312c60c440f129f5a304c429ec2f413589a3247c018578bd47006a6678672fbd657812b680cd083caa3f6144a2

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
94KB

MD5
1b06b2498c34b2c7fd22b451bf77748a

SHA1
9c4ed2bb99b65a1f6e8f7d50f5cce55b65f48deb

SHA256
f88778471293759910705e9744456eb1c02e8c2fa0796f5d657d122452b1376b

SHA512
3740d898781c9270bccf341ec30ea7759288c06bbcb9532da63867398fc8b483e89783b64fa986e493acd69cce760357e72d016ce51da208154d411a90de7729

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
94KB

MD5
ff5bfeea0edff6f9d8391b1285b2a96c

SHA1
0175c685dd2489a2b818bb43fce5fca0b231c781

SHA256
ffbd5b9323fadd80f03497036c8afe0f0f61d519a38c649dc092f51d91ac4aa3

SHA512
5233196fd9ac9ec7b5b655bdc424596dce6ac4f57f7922b4872260b65cfcbdda6ef7a947a0a42b831649720da00e3972da8d35bd97c29b659a03a3de989cc76f

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
94KB

MD5
bcbc370d771690da49ff5eb019d7fbeb

SHA1
e6582d8eed0425d424153cf759b5b4251a002de4

SHA256
4bda6afd95d9c3192988243ca808571ce9c845ce5fd88d0991fedac55681fe71

SHA512
f43c9bce624e1377614e9ed58a05da6bff18f98a6e8a684b1ec084bc599114f3253c920dd68b9df4eef793ff23882e2f2ddefbcdd82d8d27c4b3b46975e818a1

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
94KB

MD5
aeccefaa39e3a6093dfd7ede8982d978

SHA1
2d49e1bafaab726d18c4fcbe74c40f545029f9e8

SHA256
5e06c77f502d160cf7925070f73d2d7b6fe412016b398ab9c6f404072f7d2d74

SHA512
7449b5738cfbe020730bf3ada5b74e0fae95fc091f63793d39922cabe567aa00cefc85be0ee0cc5b6853e5c7162a59482e870edae7bf6115e6267dc4c9ab08a6

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
94KB

MD5
326a4db47b9f259b6f8936aea70e0c33

SHA1
48f08f796d7263fc7b5760f2f4a3d3c0425800ad

SHA256
666e1153937c2246d0d2888e747d546d91fad757b4369e43fae25acc57817fdd

SHA512
58e608841f1515255820c9373ced320cf0f4b71157afe363eb94d8048dc5727f0707f69fcf0334bba65257ce7ca8c14aed9fe3de52cae3a4aefd94e2156d94c5

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
94KB

MD5
8b01b584c6b231d7af341dedcd9b10d7

SHA1
eddbe781472e7ee65f6d8a7bb4515b56e11b5c8c

SHA256
978805db78f4160b45077a09f64c620cc2821127d7a31bfee975de92468509c2

SHA512
9e15d23f324b5efc65c83670384822956530a8dcefc877b869b1419f52e188c217e868164c527f9c64d6b2d9bfa49af4a209c7d8df96ff75063776833218039d

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
94KB

MD5
a2a4d38a3f67c30a3ef3dab53c9d51a3

SHA1
51c34ebb66b89f001e9d69e2425e85adda945725

SHA256
f3b444d47f9fb440282e2d4aef03c6f3bbc37995f262af8fcfb6d218d1bf8973

SHA512
c733d4b7036809270d58b86fd68a2a69d2134c30a33359c6f09cbddfd7265005f80aa391ed34c2889c3816c3bd07bef77e9b56babe69d3e81c129b9b33552025

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
94KB

MD5
c1d181dc509339f93ef77d1a949511d1

SHA1
5f075b4185d1a0b8f565397709f2792a58b0b42a

SHA256
8e78beefb8d49ea2b84fc60d1548b935cd86791c9e76d04e58aa1a9f00a48b5e

SHA512
a15e28a479ffa92bd1986c3482c2eea6f73b76281597485d48a746ff07cb627d05936095b1f384e5f47a2234d6fa96f763be80fab3835c0b13967b0a23781a6f

Download Submit
memory/332-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/332-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/332-140-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/564-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/564-251-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/604-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/604-239-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/604-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-219-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1256-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-167-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1408-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-231-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1468-232-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1480-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-258-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1632-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-34-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1728-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-113-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2032-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-25-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2420-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-17-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2440-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-87-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2800-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-61-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2984-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-194-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2984-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads