berbew | e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Size

64KB
MD5

f3ae7ace9fcc0b5a483c40a0cd05c78c
SHA1

39e6390b2c02b3ad8623693c39c948f8152ac786
SHA256

e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30
SHA512

939d8ce1410bc0a1b43fe10309c9f83a7095f2b6e93f86192d3ebf15f43a1cb146332c99601b962df4407758d64db84a83e6b98515da410738352ba0672ddf3f
SSDEEP

1536:8+LZN1Ys+nNq23EFp1spx3CH0U+V3Q76VG2L4rDWBi:8+P+nj3EFvspFCUUMHVr42Bi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2488	Bmnnkl32.exe
2248	Boljgg32.exe
2272	Bjbndpmd.exe
2868	Bqlfaj32.exe
2012	Bcjcme32.exe
2696	Bbmcibjp.exe
2592	Bigkel32.exe
3052	Bkegah32.exe
2908	Cenljmgq.exe
2784	Cmedlk32.exe
1976	Cocphf32.exe
1996	Cepipm32.exe
3060	Cgoelh32.exe
2208	Cnimiblo.exe
1496	Cinafkkd.exe
1804	Cjonncab.exe
1440	Caifjn32.exe
2156	Cgcnghpl.exe
2104	Cnmfdb32.exe
3020	Calcpm32.exe
624	Cfhkhd32.exe
3008	Dnpciaef.exe
888	Dpapaj32.exe

Loads dropped DLL 49 IoCs

pid	Process
1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
2488	Bmnnkl32.exe
2488	Bmnnkl32.exe
2248	Boljgg32.exe
2248	Boljgg32.exe
2272	Bjbndpmd.exe
2272	Bjbndpmd.exe
2868	Bqlfaj32.exe
2868	Bqlfaj32.exe
2012	Bcjcme32.exe
2012	Bcjcme32.exe
2696	Bbmcibjp.exe
2696	Bbmcibjp.exe
2592	Bigkel32.exe
2592	Bigkel32.exe
3052	Bkegah32.exe
3052	Bkegah32.exe
2908	Cenljmgq.exe
2908	Cenljmgq.exe
2784	Cmedlk32.exe
2784	Cmedlk32.exe
1976	Cocphf32.exe
1976	Cocphf32.exe
1996	Cepipm32.exe
1996	Cepipm32.exe
3060	Cgoelh32.exe
3060	Cgoelh32.exe
2208	Cnimiblo.exe
2208	Cnimiblo.exe
1496	Cinafkkd.exe
1496	Cinafkkd.exe
1804	Cjonncab.exe
1804	Cjonncab.exe
1440	Caifjn32.exe
1440	Caifjn32.exe
2156	Cgcnghpl.exe
2156	Cgcnghpl.exe
2104	Cnmfdb32.exe
2104	Cnmfdb32.exe
3020	Calcpm32.exe
3020	Calcpm32.exe
624	Cfhkhd32.exe
624	Cfhkhd32.exe
3008	Dnpciaef.exe
3008	Dnpciaef.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2472	888	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2488	1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe	31
PID 1224 wrote to memory of 2488	1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe	31
PID 1224 wrote to memory of 2488	1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe	31
PID 1224 wrote to memory of 2488	1224	e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe	31
PID 2488 wrote to memory of 2248	2488	Bmnnkl32.exe	32
PID 2488 wrote to memory of 2248	2488	Bmnnkl32.exe	32
PID 2488 wrote to memory of 2248	2488	Bmnnkl32.exe	32
PID 2488 wrote to memory of 2248	2488	Bmnnkl32.exe	32
PID 2248 wrote to memory of 2272	2248	Boljgg32.exe	33
PID 2248 wrote to memory of 2272	2248	Boljgg32.exe	33
PID 2248 wrote to memory of 2272	2248	Boljgg32.exe	33
PID 2248 wrote to memory of 2272	2248	Boljgg32.exe	33
PID 2272 wrote to memory of 2868	2272	Bjbndpmd.exe	34
PID 2272 wrote to memory of 2868	2272	Bjbndpmd.exe	34
PID 2272 wrote to memory of 2868	2272	Bjbndpmd.exe	34
PID 2272 wrote to memory of 2868	2272	Bjbndpmd.exe	34
PID 2868 wrote to memory of 2012	2868	Bqlfaj32.exe	35
PID 2868 wrote to memory of 2012	2868	Bqlfaj32.exe	35
PID 2868 wrote to memory of 2012	2868	Bqlfaj32.exe	35
PID 2868 wrote to memory of 2012	2868	Bqlfaj32.exe	35
PID 2012 wrote to memory of 2696	2012	Bcjcme32.exe	36
PID 2012 wrote to memory of 2696	2012	Bcjcme32.exe	36
PID 2012 wrote to memory of 2696	2012	Bcjcme32.exe	36
PID 2012 wrote to memory of 2696	2012	Bcjcme32.exe	36
PID 2696 wrote to memory of 2592	2696	Bbmcibjp.exe	37
PID 2696 wrote to memory of 2592	2696	Bbmcibjp.exe	37
PID 2696 wrote to memory of 2592	2696	Bbmcibjp.exe	37
PID 2696 wrote to memory of 2592	2696	Bbmcibjp.exe	37
PID 2592 wrote to memory of 3052	2592	Bigkel32.exe	38
PID 2592 wrote to memory of 3052	2592	Bigkel32.exe	38
PID 2592 wrote to memory of 3052	2592	Bigkel32.exe	38
PID 2592 wrote to memory of 3052	2592	Bigkel32.exe	38
PID 3052 wrote to memory of 2908	3052	Bkegah32.exe	39
PID 3052 wrote to memory of 2908	3052	Bkegah32.exe	39
PID 3052 wrote to memory of 2908	3052	Bkegah32.exe	39
PID 3052 wrote to memory of 2908	3052	Bkegah32.exe	39
PID 2908 wrote to memory of 2784	2908	Cenljmgq.exe	40
PID 2908 wrote to memory of 2784	2908	Cenljmgq.exe	40
PID 2908 wrote to memory of 2784	2908	Cenljmgq.exe	40
PID 2908 wrote to memory of 2784	2908	Cenljmgq.exe	40
PID 2784 wrote to memory of 1976	2784	Cmedlk32.exe	41
PID 2784 wrote to memory of 1976	2784	Cmedlk32.exe	41
PID 2784 wrote to memory of 1976	2784	Cmedlk32.exe	41
PID 2784 wrote to memory of 1976	2784	Cmedlk32.exe	41
PID 1976 wrote to memory of 1996	1976	Cocphf32.exe	42
PID 1976 wrote to memory of 1996	1976	Cocphf32.exe	42
PID 1976 wrote to memory of 1996	1976	Cocphf32.exe	42
PID 1976 wrote to memory of 1996	1976	Cocphf32.exe	42
PID 1996 wrote to memory of 3060	1996	Cepipm32.exe	43
PID 1996 wrote to memory of 3060	1996	Cepipm32.exe	43
PID 1996 wrote to memory of 3060	1996	Cepipm32.exe	43
PID 1996 wrote to memory of 3060	1996	Cepipm32.exe	43
PID 3060 wrote to memory of 2208	3060	Cgoelh32.exe	44
PID 3060 wrote to memory of 2208	3060	Cgoelh32.exe	44
PID 3060 wrote to memory of 2208	3060	Cgoelh32.exe	44
PID 3060 wrote to memory of 2208	3060	Cgoelh32.exe	44
PID 2208 wrote to memory of 1496	2208	Cnimiblo.exe	45
PID 2208 wrote to memory of 1496	2208	Cnimiblo.exe	45
PID 2208 wrote to memory of 1496	2208	Cnimiblo.exe	45
PID 2208 wrote to memory of 1496	2208	Cnimiblo.exe	45
PID 1496 wrote to memory of 1804	1496	Cinafkkd.exe	46
PID 1496 wrote to memory of 1804	1496	Cinafkkd.exe	46
PID 1496 wrote to memory of 1804	1496	Cinafkkd.exe	46
PID 1496 wrote to memory of 1804	1496	Cinafkkd.exe	46

C:\Users\Admin\AppData\Local\Temp\e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe
"C:\Users\Admin\AppData\Local\Temp\e5505ff503729a0eaa2871b6ef72240db00254a7567d3758c995b5395a532d30.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Bmnnkl32.exe
  C:\Windows\system32\Bmnnkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Boljgg32.exe
    C:\Windows\system32\Boljgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Bjbndpmd.exe
      C:\Windows\system32\Bjbndpmd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 144
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
64KB

MD5
ad53fcc5e3601498f0888258fdb00b18

SHA1
ae1f4de785cc0a7ddcfc4d95c4d0fb90b15f2d12

SHA256
31b1842df3ed42b15067ebc7ec0ee55db1b4d89d4259d2db7e0e5e374dde83b8

SHA512
fb24e401342f50eb31da5981144d3405766dbbb858a4e7e775a604b7f2eff871f06b12301db86fee08ff5005348f212de9e17d669091439bee217d07a3698766

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
64KB

MD5
015c5e18990a2b3e4f74b6351b0ddf55

SHA1
4f2c01365f91afd91e02bc96d6576ae03d5f5793

SHA256
f641c68b266d3ba514ccf92726fd09e1215e3a2e13d2f6b127536bf55f820be3

SHA512
a5a5898a7717f71fe63809ed89eeb4c22dc49c8014b241cc8915733230971e84a7d543f1740d8c9fc5ae5c5161f3e246347d0b9dc89abb6346bae72e58e28239

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
e6f1eccda33fd4cb909a5e794190e890

SHA1
3ea14c2ba6143bf99ebf96d953139a8db71a000d

SHA256
b16d91b442a29ce571a9737794482d8544983b218c503a44d86134732c3cae35

SHA512
466b9a87fb30a1eb8ce1541ce3e34b4e89e1d815fec5a94f99c84c48224b16bda457e1c41859df7b225d9bf330d64df3ff99b9c6e6042e51d7fc0efad1cff8a5

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
64KB

MD5
9fc4974be5b747b21d31efb1e9eda5f5

SHA1
11ce7915b50d8f06d711e18623c828c6f098f271

SHA256
1470fc6862f8c8bd77e656bab48f7818bc9a7ca2d34afee3f873d99b7060aa00

SHA512
9aaf0a9fcd4e568dafb6f16e90fe38c5d704766994bfc07610dfb697d5e950d77361a4aad3ab3838da6e40f851fc993c3a2a732e0bdf4e0840e39b0205b43536

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
64KB

MD5
8dd23db865ad0738946fa2d4ab8c6c5c

SHA1
de40c94d6d43de6e6f5df0d012748afd07d2d3fb

SHA256
28cdaa1246bacc92240f13cb33457f090450ea5dbfe003c5204182ab4c9b6986

SHA512
ac7345b9e22355de3e51b2738c1b693ef452c54412b348b17b04472583b8fae747d55cc01995d96c87b681446dd7b47903dc173207bd05be86594b1e24598f1c

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
64KB

MD5
608678c2eb152c7e74818ffefb442450

SHA1
206aac39c3554365680192f1f30f4dc350f9a251

SHA256
10aaaa1e6afb5c07f36f086776f636cb8b5a592c4f1b91743bf07fae730fc85a

SHA512
168e4f0b3a08cc54cba59d2e8169a121e68b362c8cc2ea4c42642649c9acc2b6971b592c295c6a9cbd8cc50df8919719a86e5623d4b3f5ef39326705a141fee1

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
64KB

MD5
01c6ff0e51977262c5423d39b645079a

SHA1
84de14d0234f1879c53826efa60b6c7745e61047

SHA256
7ba726407eb8a0ead1722d1470d49bb8293797749e769268c91a5ece0296b3fc

SHA512
c33bc524b741a96087258b15f81fac28f75720091972c191cd0882266625cde6955157ae8d372594ba54b21b42da25673537396e0d8b45b1acd808ea9155da9d

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
64KB

MD5
928881aaf44863cc7c2de8d3387cdbdc

SHA1
b944d7a589e1b57fae2f0e067276393024c70d67

SHA256
52a24afd8e39a922c99210e90868e5da87388d701fa518a037b88a5a72237367

SHA512
2d9f50038fc8188a818048d11ad7b3dfc4eccaf3f413e37e5131d9343aed4e7aca227144f251c53a54968b7c1db4f3be51cec5d89122ab5fbb4b5aafecf78069

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
870983985dc562c9e3ab8ad5b8d9f429

SHA1
14984a303338788280e20efb3736e2295316c393

SHA256
6ce6f9873f3626240b80c319394fe59f7b0b23693c43da6a12c28959a90d0ef7

SHA512
d03dbb0eaca1d2f882308612692f78ed4dd8ce065da43c1c45b59f07c839dc96460124a78d6013eb5584f97de45ccba46c92df8e0ffbd36981d73d7e677d1253

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
c1a0c1f224d4f2b569560b85c64e7277

SHA1
cc8d4d04699ddbbd9559918aab0dfa478c8df74a

SHA256
b4d943ed4c18a0268fefd20689370e1831c2c67c523f811957bc53097575752b

SHA512
e4b22e50bef6d7193265b480abe03a5f6f022e450449eff0fcf596cd5ed2363e2cd50e108cd534ac2a764044211763001ef31889b4737b017df65dd788f54201

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
ca6707e503066f98f1453200d04281a4

SHA1
fa58508cdc8b6676d83a62ff105133a31c243f9a

SHA256
c1028ca621554308bfe98e2e2ba6a2114fdb912f8fd3401228c816f6c58b9a72

SHA512
2b379d5a71c08780089678cbdb5649db9f11b7102f2ab5b8f00e2df134c84cf4d068d50c12c48ca8079c24e71a061f7fa00ff364b8449cb39c71933b4124e2c0

Download Submit
\Windows\SysWOW64\Bcjcme32.exe

Filesize
64KB

MD5
17c0c6730dc4e6aa826c3bc48699c715

SHA1
11286668410c4850d0e978ae3ccba072860c5f03

SHA256
6d781376bc41b554a3437c44e58ac093bea62aab4e0c5dd86d8064dd8848529c

SHA512
a0fb8f450983d03b78b060c0937382ea8618cf28785bde0e016454033be0efcb2a6f5466333456b92a92b2a1172fba7ba541e65fd29f8bb022b4fbb7e9a9fa75

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
64KB

MD5
8b96f70079c56497f42e31ded42eed62

SHA1
a53ccfa7b085ad7181bef19aed5cace671f35a26

SHA256
e6c76e74a0d7b198cc01b8c5e68fe05f6cc98186670014fdcd92aecc928d6419

SHA512
ec4c7df0b412d7b524a75dec88ff6b4940cfd5a4d90291695c4013f326e2d16c1dacc4ef73c9b82735880268f92c89348dea672a505e28bbe2b69f7141a02bfd

Download Submit
\Windows\SysWOW64\Bjbndpmd.exe

Filesize
64KB

MD5
c2b79c3fae983482310bce18a8c09f40

SHA1
0d1f09dfae23d6816e28423d5b9ed1089c6f85a1

SHA256
833ccf5a820fdbc04dd4e69150838248bfce3b8bf02b216a12588bc1efc7c7bc

SHA512
5063e491c89b4c6cab4e40e57e91fc4f30fabe9a1e4d796686282ffc8c52e80526e84ca3cf3270fdabffe865ce19cd85f51430efd462a4c32a357b263cd0a629

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
64KB

MD5
d5571381f949d7ad2f87139b2fcecdb7

SHA1
38300a90353905fc7797c3bb7768dece95319a98

SHA256
e0ee893f8784ce3eb2f3609452a1e52082de9ea233faad3a05b79e9dd7ec9e7e

SHA512
6f6dddb41313fed7a33773ede3cc9994a11a56dd2a21e5fe5114deb1eec64c327979603db60e7ffc2555a99536735a7f301a486c4110a7b7a5f127eef53d77ee

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
64KB

MD5
96579247c31ea36c337eb8f02c71703f

SHA1
78104a7367b4d43a556097fd8792a2047ffe0761

SHA256
913b17e60dea1ac320184a51005e8eed21ae4de71eb62dc4e8e6e3e52d606bf1

SHA512
8dbc762a6a7e53d1183a571950e06a40f89e6b63bcb7ede97d1ef991fda6f09ceef97cf09efa31a7dd5ce11d7c01c3ee1d8a204d8d6f027648b35885cd385af7

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
64KB

MD5
eaf81c94b09962fb72578b47095812f7

SHA1
59a39af7a4f7ff89a30078b251fc495656216d51

SHA256
8a40dbb8079b073b55e02b4fa80673669e9641b9782ae9556bce735e48e32f3e

SHA512
b3521f4c1d96afaf7e8f4c9470048db84de76120c462950c6aeb4eba9834ce5a09097d4398e8aef0f8b111a253c4f3c3a1dc46207c2baca0a38abbde7862f962

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
8bc6c60e1b3429407e6e94e867a5e688

SHA1
3f444063c398eec371edd3ee0664ed5633571799

SHA256
e3d3cd3e3dac649466a5dfab2cf2c8465797948edad888a64d6901bfed979293

SHA512
ab1b4225057219a906ff9790691c1a7e993092ccfe1612df2e9541b7d32c64d7786c53b398b5ea836c62f038797f5d83d76f29afff6f163ef6eb735bd0e24549

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
64KB

MD5
751f679f9dbb950918b743a3bb2a851e

SHA1
11b41fe604702eaf3d4588782e3dac0045bcf755

SHA256
4aefd9b7be2d73519b68d3af0c762fc6693b133f81255b5ea1b95109e18ead6a

SHA512
53dffd268848a593a3a1b15bf14c2626fb98cbfb6f33148b05113caa0eee8ad70a4eddd4c2331c43285900466ee72301ffb5d541157deaf950de9d55957c012d

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
64KB

MD5
dfba62c67430ab9527ba6b3ab4a55ab0

SHA1
7c338e6e03b9424ec7fdd2a0d8575b1d2f640df3

SHA256
30333e4ef2b0f9c37384ca350c8df8528d98d2f94cfa31ecbc97e8330399bfb8

SHA512
aea87a811fe507913973bddb86c467a0dd0685a0c60358c67857ed7d968f88d33d4bbe82024ae4b8d497b3b96fef348b627b571d1f104feba903ef08f4790586

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
64KB

MD5
278477b84bd2e147f68317e2fe3d69ec

SHA1
52d717bc1af16a9dc941467fd1f8998eb0a241bf

SHA256
d5004d354621cbfdce51d1456c03cee4c10df11fd3a25ec4c1b53f95e43870dd

SHA512
b5804bb70dcca4a054e2d0bfb76f8ac58db2d5695e05ad1b9fe230a30664c4aa8795ae839f5f7afeeab198579cd9230318ded6149dda05d9742966e6a5fd3134

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
64KB

MD5
cdaef6f63cc38425df55387a677b23e4

SHA1
ba9c30c60e39b1cb745cfc45d1c3c80f9d39ba33

SHA256
46d9614041d8bccd4e2e26a4848d82dce157db0d2fbf3f9a8d5edc72164104ca

SHA512
ff7fd0f94954a7793c5aafe5407fa2a26d84863441dc6ab828716d5d825a48d5839e219591fb3977ab5032a5f36bf2aedaa7a87a73bbf7be2d2ac9e6659bd73a

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
64KB

MD5
2b6b268594d2e6c8149451e0f220fb5f

SHA1
a9a8ff5d98d453d24073b4e1e6cee14aa1eed7e3

SHA256
806b45344713bac7572b98c1ec13712698ba85d1ce8c02b120a52649d93587c1

SHA512
ae08fb449908a50392a6675afd71c60b670b7556a4fe67403fde8ab582f65e2bb7e7fda6bb2a2488bfddbfcd9994b1ceab9f8e958e088383b657231a232cc12c

Download Submit
memory/624-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1224-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1440-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-262-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1440-258-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1496-234-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1496-273-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1496-233-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1496-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-245-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1804-285-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1804-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-220-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1976-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1996-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-180-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2012-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-77-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-284-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-269-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2208-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-214-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2248-94-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2248-34-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2248-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-53-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2272-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-21-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2592-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-89-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2696-95-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2696-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-150-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-202-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2868-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-67-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2908-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-141-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2908-187-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3008-317-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3008-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3008-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-291-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3020-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-296-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3020-323-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3052-121-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3052-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-178-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3052-126-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3060-254-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3060-203-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3060-197-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3060-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-249-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3060-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads