berbew | c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Size

92KB
MD5

dab85d4b7892620494bc4f05c87ccf50
SHA1

81ab860fb0687576fb77f4d1cf8cb219d78a78ad
SHA256

c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2
SHA512

9bab2cd3f3c549ff3a633e9197592eb603a605c910275ddbdd7a57dbc7882e8627206d206e0565b112b9eb94772194b6147ac860dd5e5699435b4808f6b1873c
SSDEEP

1536:DuNVUmnwgXWI68aqwFX0uXu3hFqcqPlh18jwN3imnunGP+m:DWaS568aqwFkIu3hFq1gwVbe4+m

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
1764	Bccmmf32.exe
2772	Bniajoic.exe
2732	Bmnnkl32.exe
2768	Bgcbhd32.exe
2584	Bieopm32.exe
1896	Boogmgkl.exe
2976	Bjdkjpkb.exe
1728	Bigkel32.exe
772	Ccmpce32.exe
1832	Ciihklpj.exe
2900	Cocphf32.exe
2028	Cepipm32.exe
1996	Cpfmmf32.exe
3036	Cagienkb.exe
1136	Cgaaah32.exe
924	Cjonncab.exe
1632	Cbffoabe.exe
2024	Cgcnghpl.exe
1468	Cjakccop.exe
1616	Cmpgpond.exe
584	Cegoqlof.exe
880	Cfhkhd32.exe
1640	Dnpciaef.exe
2032	Dpapaj32.exe

Loads dropped DLL 51 IoCs

pid	Process
1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
1764	Bccmmf32.exe
1764	Bccmmf32.exe
2772	Bniajoic.exe
2772	Bniajoic.exe
2732	Bmnnkl32.exe
2732	Bmnnkl32.exe
2768	Bgcbhd32.exe
2768	Bgcbhd32.exe
2584	Bieopm32.exe
2584	Bieopm32.exe
1896	Boogmgkl.exe
1896	Boogmgkl.exe
2976	Bjdkjpkb.exe
2976	Bjdkjpkb.exe
1728	Bigkel32.exe
1728	Bigkel32.exe
772	Ccmpce32.exe
772	Ccmpce32.exe
1832	Ciihklpj.exe
1832	Ciihklpj.exe
2900	Cocphf32.exe
2900	Cocphf32.exe
2028	Cepipm32.exe
2028	Cepipm32.exe
1996	Cpfmmf32.exe
1996	Cpfmmf32.exe
3036	Cagienkb.exe
3036	Cagienkb.exe
1136	Cgaaah32.exe
1136	Cgaaah32.exe
924	Cjonncab.exe
924	Cjonncab.exe
1632	Cbffoabe.exe
1632	Cbffoabe.exe
2024	Cgcnghpl.exe
2024	Cgcnghpl.exe
1468	Cjakccop.exe
1468	Cjakccop.exe
1616	Cmpgpond.exe
1616	Cmpgpond.exe
584	Cegoqlof.exe
584	Cegoqlof.exe
880	Cfhkhd32.exe
880	Cfhkhd32.exe
1640	Dnpciaef.exe
1640	Dnpciaef.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bniajoic.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2032	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1764	1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe	31
PID 1780 wrote to memory of 1764	1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe	31
PID 1780 wrote to memory of 1764	1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe	31
PID 1780 wrote to memory of 1764	1780	c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe	31
PID 1764 wrote to memory of 2772	1764	Bccmmf32.exe	32
PID 1764 wrote to memory of 2772	1764	Bccmmf32.exe	32
PID 1764 wrote to memory of 2772	1764	Bccmmf32.exe	32
PID 1764 wrote to memory of 2772	1764	Bccmmf32.exe	32
PID 2772 wrote to memory of 2732	2772	Bniajoic.exe	33
PID 2772 wrote to memory of 2732	2772	Bniajoic.exe	33
PID 2772 wrote to memory of 2732	2772	Bniajoic.exe	33
PID 2772 wrote to memory of 2732	2772	Bniajoic.exe	33
PID 2732 wrote to memory of 2768	2732	Bmnnkl32.exe	34
PID 2732 wrote to memory of 2768	2732	Bmnnkl32.exe	34
PID 2732 wrote to memory of 2768	2732	Bmnnkl32.exe	34
PID 2732 wrote to memory of 2768	2732	Bmnnkl32.exe	34
PID 2768 wrote to memory of 2584	2768	Bgcbhd32.exe	35
PID 2768 wrote to memory of 2584	2768	Bgcbhd32.exe	35
PID 2768 wrote to memory of 2584	2768	Bgcbhd32.exe	35
PID 2768 wrote to memory of 2584	2768	Bgcbhd32.exe	35
PID 2584 wrote to memory of 1896	2584	Bieopm32.exe	36
PID 2584 wrote to memory of 1896	2584	Bieopm32.exe	36
PID 2584 wrote to memory of 1896	2584	Bieopm32.exe	36
PID 2584 wrote to memory of 1896	2584	Bieopm32.exe	36
PID 1896 wrote to memory of 2976	1896	Boogmgkl.exe	37
PID 1896 wrote to memory of 2976	1896	Boogmgkl.exe	37
PID 1896 wrote to memory of 2976	1896	Boogmgkl.exe	37
PID 1896 wrote to memory of 2976	1896	Boogmgkl.exe	37
PID 2976 wrote to memory of 1728	2976	Bjdkjpkb.exe	38
PID 2976 wrote to memory of 1728	2976	Bjdkjpkb.exe	38
PID 2976 wrote to memory of 1728	2976	Bjdkjpkb.exe	38
PID 2976 wrote to memory of 1728	2976	Bjdkjpkb.exe	38
PID 1728 wrote to memory of 772	1728	Bigkel32.exe	39
PID 1728 wrote to memory of 772	1728	Bigkel32.exe	39
PID 1728 wrote to memory of 772	1728	Bigkel32.exe	39
PID 1728 wrote to memory of 772	1728	Bigkel32.exe	39
PID 772 wrote to memory of 1832	772	Ccmpce32.exe	40
PID 772 wrote to memory of 1832	772	Ccmpce32.exe	40
PID 772 wrote to memory of 1832	772	Ccmpce32.exe	40
PID 772 wrote to memory of 1832	772	Ccmpce32.exe	40
PID 1832 wrote to memory of 2900	1832	Ciihklpj.exe	41
PID 1832 wrote to memory of 2900	1832	Ciihklpj.exe	41
PID 1832 wrote to memory of 2900	1832	Ciihklpj.exe	41
PID 1832 wrote to memory of 2900	1832	Ciihklpj.exe	41
PID 2900 wrote to memory of 2028	2900	Cocphf32.exe	42
PID 2900 wrote to memory of 2028	2900	Cocphf32.exe	42
PID 2900 wrote to memory of 2028	2900	Cocphf32.exe	42
PID 2900 wrote to memory of 2028	2900	Cocphf32.exe	42
PID 2028 wrote to memory of 1996	2028	Cepipm32.exe	43
PID 2028 wrote to memory of 1996	2028	Cepipm32.exe	43
PID 2028 wrote to memory of 1996	2028	Cepipm32.exe	43
PID 2028 wrote to memory of 1996	2028	Cepipm32.exe	43
PID 1996 wrote to memory of 3036	1996	Cpfmmf32.exe	44
PID 1996 wrote to memory of 3036	1996	Cpfmmf32.exe	44
PID 1996 wrote to memory of 3036	1996	Cpfmmf32.exe	44
PID 1996 wrote to memory of 3036	1996	Cpfmmf32.exe	44
PID 3036 wrote to memory of 1136	3036	Cagienkb.exe	45
PID 3036 wrote to memory of 1136	3036	Cagienkb.exe	45
PID 3036 wrote to memory of 1136	3036	Cagienkb.exe	45
PID 3036 wrote to memory of 1136	3036	Cagienkb.exe	45
PID 1136 wrote to memory of 924	1136	Cgaaah32.exe	46
PID 1136 wrote to memory of 924	1136	Cgaaah32.exe	46
PID 1136 wrote to memory of 924	1136	Cgaaah32.exe	46
PID 1136 wrote to memory of 924	1136	Cgaaah32.exe	46

C:\Users\Admin\AppData\Local\Temp\c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe
"C:\Users\Admin\AppData\Local\Temp\c03a6b8ff243fd2e1f2fb6c3ce56857b298c37ba070b8e7dbce19724e2e8b5d2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Bccmmf32.exe
  C:\Windows\system32\Bccmmf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\Bniajoic.exe
    C:\Windows\system32\Bniajoic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Bmnnkl32.exe
      C:\Windows\system32\Bmnnkl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 144
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
92KB

MD5
39b77f1b8e1be3f16e53a90da277188f

SHA1
eb48e30023b97f0f5bdd5f137a63a5e5d32e72db

SHA256
9f10fddcc25e9350b1d266d7776001642953422afba448fdcf0f480e5ee3f94a

SHA512
1437fc882e3d0ed0c71edcaf66e011768832503efd9e36a8864a7c3ab8fd05d356fc119f9edf639a81cf66d1f7bea01f22e42ecf4c5acb26f8d78533d9a09174

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
92KB

MD5
6ca071d29557782445654315a6a99fd5

SHA1
2b5bdb7a73bc91922f5c4a3c18f1836374057b5a

SHA256
de7cf74fc0ebf12010846902dc83fce885b1d538346b564ac072ed3fa3d0df98

SHA512
75cdb1513802325d4c7e6ea16cf1831e73f8e8027c1a6c9098db494c20c5ce7cbdc33afe2af2bae601a67cd08066073cb291c2563f396ce84117fa3d3da5b59d

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
92KB

MD5
0b2147dba7d88969b53cd4286ec4aee2

SHA1
39d0649f67f72fe78686856df5d142af5561a144

SHA256
7e4f7de524c3e18c90197a3730309b312fe85441d961f846b94cfb09735c1176

SHA512
2efcf0461609b5993862929bf73050a9186529d58f4ecf9eecb59b18f2df5ab24373a6c4ff449f37658b83558586b593f7ec764b71ff3baa0094426cc9548e6e

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
92KB

MD5
f4b16bb2fc3f7d2364538c97c23911f3

SHA1
bd9fad83994069ec790d84219597734cf9018b01

SHA256
0f043577aebaedd64c3118db61ccd93588810970a8c7bbc45124aed6fc63ed16

SHA512
d36cd76f6027787b9eaea4525c80f0b391f7603a75102185fca34478543a2544571b29d8e9b74df04b02adb861b818ef3101d37b406d7dd2cb175632658150e0

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
92KB

MD5
2729ca54c617244dcd66c88509fdd5c7

SHA1
01c1ca29eb870e7c9f57a372b68aaf2ecdb67ba1

SHA256
a0521717fdf6737a173be25f7ba7ab1cd71fe3e2cf0c200c3c68b202931d1ab1

SHA512
cde528b8c707c04e49b061dcf2aa8d14909655bbb6d42b72b9dafd9e8280571c4128ef5ee256a70c0c71648b0d41f57ff216ad31e223b6ff7f1501e5879f3bde

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
92KB

MD5
1b9d016695b90f6ef1f2cfcfb4edf8c0

SHA1
c74809085e584f2576ed1fbe3bc55dce64e100e2

SHA256
775be29152e91b6d247cc9a6e40251a16f252286b43e298209764abebcd36f2e

SHA512
012271032f0857442c29e265a1d666b997589ca4d12d0f469a54dc23b42f5fabccaf1a0cb35523645a0dcffd2c06407f886938399fd29c70c406f3e6650581f6

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
92KB

MD5
e6ae6e0183c7e41194d6ee9931b380b0

SHA1
4be0ca24fdb9c13602501879ada40421bc0d1417

SHA256
ae1b31a2e1b8401b5b7ca96468d6823c3aa9ebcee6dc344e25accb1eac0463fb

SHA512
bc398e6c024f2bdf4013ea7d947ba9464196ee07b312f8b77674fade6209299246da883ba617422d2c0092c9a4d0edd872b2702b51f075da135f4f1c34ef659d

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
92KB

MD5
081cea498a0204eccb45bb92f000eaf5

SHA1
d69d91321ae3efab7095b8b1fb9951a452cce26f

SHA256
4ad48c2aa284d5eb0431a16c0e429fcc4a243f5ac61787d9f35bb1b8d582ce96

SHA512
e2bcf09e2feb8e9bcadefd68e3dd9cb55427282be21a3d67ea50f7ff2a7ce34c663ba51aea7d08ebb3999ae3e842f0b904b3c70eb533d0790e3f178c5a06e4d1

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
92KB

MD5
c37d5f1fbf4905c317470f9ac6a70bf6

SHA1
9f391d951e90ab62c9edfd8184092f012a742729

SHA256
e491bf247eafad9cda880bb811637d865ad5a0a10cfe40de165dea53bfc06084

SHA512
8e29dbc368ffb983dfc00ed5278e24d950ca64a7011f4e542e487a908495ed4db98f623366aa6194dfe3611a55a93c1d60bdd094d19481fa17d8bcf1084ac567

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
92KB

MD5
1dc59407c844b73f093afd7ee06b7222

SHA1
ff2af3ece5e3ebb1dc8e2bc055f4859231aa287e

SHA256
de4f78d47813399b777dcc7408e6144168a32602b162d30665ede083a29b8ecc

SHA512
1b4fdc10baec064dca676d601a7ba10ba147e1b7a97e78afe2d2d561a09293c18248079388c082cad5d9a8a6083edf490cbd6708079c2bc520007bba48b6ef85

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
92KB

MD5
9a9b16e2231f8870c7a016eaf43b10fc

SHA1
a6f7931641c429c312341016118fa546469ceb3d

SHA256
ac7acbad948af7ee2c387e8292565506806f4b0904e7f2befeb5ebc31e0bc06c

SHA512
a19c15a93fcc1c690076389b3d729bfaa7a77f33281fe56f84c37a1638888503e47ff4bdca51f96bc379db3e3a40851180d118e1c08923891b72870f042057fa

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
92KB

MD5
11904f9e3ec21fbf75e03a88711ae17d

SHA1
8bc77b600a437acae6a36286fdd2fae8d8ad4a1f

SHA256
4007a40508e9ed11b38c891130f8c26437173ee09b904b6327d2dc15e3d44a53

SHA512
6da691391f805d2bad5bb55780087f36ddf4ed63fd6abcaf81c1ba38140570f3778c7f25cac4e55fb723feaa9e26bf07e6448a69f97806c2f62d3a41ca02635f

Download Submit
C:\Windows\SysWOW64\Jpebhied.dll

Filesize
7KB

MD5
05af5a26120e03fcd95caa97fa304651

SHA1
7157c43ffc6d550726471a55f5ecfd887f9feabb

SHA256
c72e9f5e890c43902705c79d22834b8623336bddebc96fe60a9184fdde025fe2

SHA512
345b00459a2a6822ab19db6de38cf1b242cc12536611139095bd24870d8d0cedcfa15883d29b27abe14a38edc8b975e36372c623eadd833f7869d26bf65af9c7

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
92KB

MD5
d2b93ec0c63825d209496dbf2fff15cd

SHA1
02b471d6ae1ccf2f693c3160cdc0a3f6a80ad956

SHA256
36e48a8584e1783b76c4846d29dab1f064fc6a403de4a05dcada12955fd793d7

SHA512
4290bc8f6afeec8de6b424c8afcd7f2c707a91221d34002988df6681bd58409b8f8c6287bb074b8ccd983ae82de05d71e28c077facab3457e36f3228c34dd18e

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
92KB

MD5
d9a6cefefa89c970e35b09720db86f76

SHA1
9102b7733afbf2b6e960435a5700a8141c0034a5

SHA256
2cc0ff1083131ae1c0762e8d4a98bcebe4a73eef3725c16ee38c681601e953f0

SHA512
c000cc4d5346dc8fc53f8d91b6608a88914562d4baa3972739d370ea3507b1015fbd830065241eb0a1b70a06cc1afd5f6c9fb1f0bf3ae789330cd285c2db7a6d

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
92KB

MD5
f452578d2a3e89369acfb422bf5c67e1

SHA1
2c66411554cfe6e719a0f4ba27ba2ed06bf216f3

SHA256
7cd9ea4116b4c16949c055e095b69d312bda805f464ba52697d326e707e51a3b

SHA512
45c63ae6debbe8c26e4df022d25c0773dac6cabe0e1793429e9b2e5ab828d5f1ed137d692250790764d5503b0896bb057e1c03b4a909b7fc1b35e0f06887360b

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
92KB

MD5
cd8efeba9e671a818a64e7d32d041761

SHA1
cc1d03bf464256f32255e3af6c1f4442e322e341

SHA256
1b2a6fa10d80f6934c465d5550cc4eaf941183a7031623ce0dc9eb94b27fe8ef

SHA512
486cd1ef53ce437e50380a7e6b3d033e9e860bced8536ca2fbd298db2848283acb1fc902107f3582986eb7b69f27e9a28e4bac2580589c8644135bf62f0686a7

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
92KB

MD5
09f7f3624c0aec1328aef3cb16b263b4

SHA1
f2b002d2e6aaac840baa59f687e96336f9ebf24b

SHA256
60d6332ca83b9eda4efd34aba4103ffa4cd3d139eb19c2bebac239bbd03584f7

SHA512
a4729f78be1eb4bf6af91e62865ffb10b67b5b20e645bf5c11ddc614c3744ce29538c6746859462ae542083907be3e9c7ad3928f24f3090e64d033a24170533f

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
92KB

MD5
191e66070b0c3b1b3dca97477529c0f4

SHA1
8ba3eee85ac9f52b6dd89ae94304cc54eceeb7e4

SHA256
7c5af59b031660e0681d49870ee59bc8809a7cbe155b624e797687d0893b991a

SHA512
499dd7d326698615adc946fe57c7921fac9192c1c3b484831328ba6f4d7fbcece2c2c6ca200aae6beddeaa9c88b7a99c282d5750fa6fe08673253e9e762a4128

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
92KB

MD5
2cf245e5642ca635133bccb155305dca

SHA1
bb7887009a18e430f8856bf8ca274ed0e0979acc

SHA256
63c843c27f47efd852a3eafc04b806b25c7602ae29894e0a9bb3dff8a4ea37c7

SHA512
2dc6d591ee24f1adf0dcd4aff9aaa774ec0ed10798c569ce6c2bb5e773e60254e6d4cdf5c716c027a25cd1fc0fdb20a09588a0e3cc13ba24a19816ec2df1508a

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
92KB

MD5
5b95e1d586958f0705e4de4ccfc37f16

SHA1
da5b657fe847216c1bfaf92f9d39b2522c0d84f6

SHA256
3dfda1bc4f15851915ee5b9b7fcaba135949ec14d4a918181cb086fd7c2dccbc

SHA512
b001d5b22220b05301a40a2178ff11e0949fd03a1e8ac8b767ff1cea46ed4a573372692ff132a6a081baf73418d17457a6c077d826958eadf4f55eb7547e9f72

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
92KB

MD5
16c0c1018968111fc10f19f58ddd7672

SHA1
c2e2b32bbe5590f4b1eb46dbbf84a1d7c0c24e69

SHA256
dcc88f6881918ec2015b77a6f71fa4c98964d7b1990e7381a68ac5091705cfa8

SHA512
e261a6e15566fbc41c2d23632499cdcf4167328e794ecf339042d583c4eab2dd12c9ed89d39825997cbd0934d082f403db78b032072ed1f91fc9b15ca6a012d9

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
92KB

MD5
40b4d5474d7655a2ac307efc1b073c98

SHA1
17acac2d9448d08df8cfd0c04812864a196a91a8

SHA256
5925076819d09a088f3776d2d2a137622216be837c1cdf61021e06f07671a317

SHA512
ff112aef8d5e7f59cd62787f1f1a780935c2747fcc1a09d52fe008d496eb9d2555c79b9a41b7ae3a7718849a7806e3392aa32a5ee5b2ddf47e9aeea1729200a3

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
92KB

MD5
68da03851274cae91de5f63f1f4f60fe

SHA1
7ecd5764799a9884fd9de89df3e860eff474a837

SHA256
a275e15775e9df4524bee129ef6c25ec8a97ea2ed5df84398a13d0859b7ad1b0

SHA512
993c69cd764150e83ac98adebce01ece5ae94b928d94da44ff3c5f08c3c6c1ea9f64f876546d290535db3553daf4a165407ca4a2b7500cb78d992a8593e26a1f

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
92KB

MD5
65bef21c11cc98ec4006b58ecd0ca207

SHA1
314d62c64d15985df90141a4c35f37e659e8f372

SHA256
9e8ac51af790c5529703cea0dff130d0025ab554e15efea676a1a9ef7d2b9a37

SHA512
d8a029e77ac6c7ffa312ac380b53799fe9d5078bde14221af3a7740c718d9d85718cd42d4880a02ed69109e933eb5599ea1a8a8bbbb74043ecb5ebe135389c42

Download Submit
memory/584-274-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/584-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/584-270-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/772-136-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/772-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/772-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/772-130-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/880-280-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/880-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-284-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/924-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1136-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-261-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1616-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-233-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1640-294-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1640-290-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1640-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-121-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1764-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-24-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1764-27-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1764-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-13-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1780-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-12-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1832-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1896-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1996-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1996-186-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1996-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-301-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-165-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2032-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2032-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-78-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2584-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-55-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2768-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-65-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2772-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-40-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2900-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-159-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2976-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-104-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/3036-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads