berbew | 3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Size

93KB
MD5

f329986e97d3cdc9dca75c5c8b1ecb51
SHA1

4435626a51554a40e7eba90cb778c22f3d68e3c2
SHA256

3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226
SHA512

bc5004bd344492c4f61bcd281b5c9f8df133c7edce2db58d6206654f85098418dafb1d6f04da6538b805f8c578bd8e10f4b5dd835f3f22b501a680f44145770e
SSDEEP

1536:JW0VhySj3kxIuRN2hTuYaAe1DaYfMZRWuLsV+1J:JWPNuuYfegYfc0DV+1J

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 22 IoCs

pid	Process
316	Bjpaop32.exe
972	Bmnnkl32.exe
2708	Bqijljfd.exe
2940	Bchfhfeh.exe
2660	Bjbndpmd.exe
1676	Bfioia32.exe
2732	Bkegah32.exe
1460	Cbppnbhm.exe
2892	Cenljmgq.exe
1564	Ckhdggom.exe
580	Cbblda32.exe
1528	Cileqlmg.exe
3016	Cnimiblo.exe
2176	Cebeem32.exe
2104	Cnkjnb32.exe
1716	Cgcnghpl.exe
1356	Cmpgpond.exe
1312	Calcpm32.exe
924	Cgfkmgnj.exe
2204	Dnpciaef.exe
1532	Danpemej.exe
2396	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
316	Bjpaop32.exe
316	Bjpaop32.exe
972	Bmnnkl32.exe
972	Bmnnkl32.exe
2708	Bqijljfd.exe
2708	Bqijljfd.exe
2940	Bchfhfeh.exe
2940	Bchfhfeh.exe
2660	Bjbndpmd.exe
2660	Bjbndpmd.exe
1676	Bfioia32.exe
1676	Bfioia32.exe
2732	Bkegah32.exe
2732	Bkegah32.exe
1460	Cbppnbhm.exe
1460	Cbppnbhm.exe
2892	Cenljmgq.exe
2892	Cenljmgq.exe
1564	Ckhdggom.exe
1564	Ckhdggom.exe
580	Cbblda32.exe
580	Cbblda32.exe
1528	Cileqlmg.exe
1528	Cileqlmg.exe
3016	Cnimiblo.exe
3016	Cnimiblo.exe
2176	Cebeem32.exe
2176	Cebeem32.exe
2104	Cnkjnb32.exe
2104	Cnkjnb32.exe
1716	Cgcnghpl.exe
1716	Cgcnghpl.exe
1356	Cmpgpond.exe
1356	Cmpgpond.exe
1312	Calcpm32.exe
1312	Calcpm32.exe
924	Cgfkmgnj.exe
924	Cgfkmgnj.exe
2204	Dnpciaef.exe
2204	Dnpciaef.exe
1532	Danpemej.exe
1532	Danpemej.exe
348	WerFault.exe
348	WerFault.exe
348	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bjbndpmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
348	2396	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 316	2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe	31
PID 2348 wrote to memory of 316	2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe	31
PID 2348 wrote to memory of 316	2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe	31
PID 2348 wrote to memory of 316	2348	3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe	31
PID 316 wrote to memory of 972	316	Bjpaop32.exe	32
PID 316 wrote to memory of 972	316	Bjpaop32.exe	32
PID 316 wrote to memory of 972	316	Bjpaop32.exe	32
PID 316 wrote to memory of 972	316	Bjpaop32.exe	32
PID 972 wrote to memory of 2708	972	Bmnnkl32.exe	33
PID 972 wrote to memory of 2708	972	Bmnnkl32.exe	33
PID 972 wrote to memory of 2708	972	Bmnnkl32.exe	33
PID 972 wrote to memory of 2708	972	Bmnnkl32.exe	33
PID 2708 wrote to memory of 2940	2708	Bqijljfd.exe	34
PID 2708 wrote to memory of 2940	2708	Bqijljfd.exe	34
PID 2708 wrote to memory of 2940	2708	Bqijljfd.exe	34
PID 2708 wrote to memory of 2940	2708	Bqijljfd.exe	34
PID 2940 wrote to memory of 2660	2940	Bchfhfeh.exe	35
PID 2940 wrote to memory of 2660	2940	Bchfhfeh.exe	35
PID 2940 wrote to memory of 2660	2940	Bchfhfeh.exe	35
PID 2940 wrote to memory of 2660	2940	Bchfhfeh.exe	35
PID 2660 wrote to memory of 1676	2660	Bjbndpmd.exe	36
PID 2660 wrote to memory of 1676	2660	Bjbndpmd.exe	36
PID 2660 wrote to memory of 1676	2660	Bjbndpmd.exe	36
PID 2660 wrote to memory of 1676	2660	Bjbndpmd.exe	36
PID 1676 wrote to memory of 2732	1676	Bfioia32.exe	37
PID 1676 wrote to memory of 2732	1676	Bfioia32.exe	37
PID 1676 wrote to memory of 2732	1676	Bfioia32.exe	37
PID 1676 wrote to memory of 2732	1676	Bfioia32.exe	37
PID 2732 wrote to memory of 1460	2732	Bkegah32.exe	38
PID 2732 wrote to memory of 1460	2732	Bkegah32.exe	38
PID 2732 wrote to memory of 1460	2732	Bkegah32.exe	38
PID 2732 wrote to memory of 1460	2732	Bkegah32.exe	38
PID 1460 wrote to memory of 2892	1460	Cbppnbhm.exe	39
PID 1460 wrote to memory of 2892	1460	Cbppnbhm.exe	39
PID 1460 wrote to memory of 2892	1460	Cbppnbhm.exe	39
PID 1460 wrote to memory of 2892	1460	Cbppnbhm.exe	39
PID 2892 wrote to memory of 1564	2892	Cenljmgq.exe	40
PID 2892 wrote to memory of 1564	2892	Cenljmgq.exe	40
PID 2892 wrote to memory of 1564	2892	Cenljmgq.exe	40
PID 2892 wrote to memory of 1564	2892	Cenljmgq.exe	40
PID 1564 wrote to memory of 580	1564	Ckhdggom.exe	41
PID 1564 wrote to memory of 580	1564	Ckhdggom.exe	41
PID 1564 wrote to memory of 580	1564	Ckhdggom.exe	41
PID 1564 wrote to memory of 580	1564	Ckhdggom.exe	41
PID 580 wrote to memory of 1528	580	Cbblda32.exe	42
PID 580 wrote to memory of 1528	580	Cbblda32.exe	42
PID 580 wrote to memory of 1528	580	Cbblda32.exe	42
PID 580 wrote to memory of 1528	580	Cbblda32.exe	42
PID 1528 wrote to memory of 3016	1528	Cileqlmg.exe	43
PID 1528 wrote to memory of 3016	1528	Cileqlmg.exe	43
PID 1528 wrote to memory of 3016	1528	Cileqlmg.exe	43
PID 1528 wrote to memory of 3016	1528	Cileqlmg.exe	43
PID 3016 wrote to memory of 2176	3016	Cnimiblo.exe	44
PID 3016 wrote to memory of 2176	3016	Cnimiblo.exe	44
PID 3016 wrote to memory of 2176	3016	Cnimiblo.exe	44
PID 3016 wrote to memory of 2176	3016	Cnimiblo.exe	44
PID 2176 wrote to memory of 2104	2176	Cebeem32.exe	45
PID 2176 wrote to memory of 2104	2176	Cebeem32.exe	45
PID 2176 wrote to memory of 2104	2176	Cebeem32.exe	45
PID 2176 wrote to memory of 2104	2176	Cebeem32.exe	45
PID 2104 wrote to memory of 1716	2104	Cnkjnb32.exe	46
PID 2104 wrote to memory of 1716	2104	Cnkjnb32.exe	46
PID 2104 wrote to memory of 1716	2104	Cnkjnb32.exe	46
PID 2104 wrote to memory of 1716	2104	Cnkjnb32.exe	46

C:\Users\Admin\AppData\Local\Temp\3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe
"C:\Users\Admin\AppData\Local\Temp\3c87620a6132cc666b55761fd0511496524badc093f2b7473b0f3c7341db5226.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\Bjpaop32.exe
  C:\Windows\system32\Bjpaop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Bmnnkl32.exe
    C:\Windows\system32\Bmnnkl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\Bqijljfd.exe
      C:\Windows\system32\Bqijljfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
93KB

MD5
204c1d2c72529d57be5c260ac7e69183

SHA1
5124dd747c8e2c5b21d18b24fd69de607fb35ba6

SHA256
212b2cfb6855b6054e91dbf6c44afd951ec5b406e533a2fe4ff2f3d77a89d06a

SHA512
177079dbe362fdb2a71421ae64ab372f3ac2226615da53125ca92f9d1c88c89542757047399422f5c3901c01647aa5091b7e6617db98c9689de0aa37137512b3

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
93KB

MD5
e50fd5019e79f8a85ab6a83e2954b40a

SHA1
bdd6cbb80fc43cb19a10e0f6f97df80bf2a75448

SHA256
6df2a93af596c2dc919d9db9197c3df9f19952a69ddc306a9ca7a4c14658d749

SHA512
0fe82615c53b7cc7a30ac4dc053deda1312d5bfb6188d11ae22544f23bbe10db05f6907065db31803ba6df877418792c59228be245554c27b1bbdbc29c302def

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
93KB

MD5
e68ad7e7ffd9719713a41a93daabd107

SHA1
2f5f16b3a7302d826a3bc481d6371410977bed3f

SHA256
9c8466e4fcaae11cbdb8b46ceb54cd1c060b6e8395c9063ef8bcfacd594469f4

SHA512
bbfc93e518ab7fddd0d33f6196199efc693881f15665942f61036c0292a3117a97cce7b6148ebe3073d6da2fa676ad4456bca5fab57cda380f5f1f7e37694de3

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
93KB

MD5
717d38566949650ab38c091e666b2349

SHA1
45bc29e37c47247b46cd7c30528b56bd1a12567a

SHA256
bef722b925611d28cc8e32a9f8c1c310cfec2679e7cc1741e9e2de4aabfa4f85

SHA512
68b5a2e6bc7e9a63e8b9240d7474291552439bc39634674c7a481b2be010978b68d5ef4bc8fae17f954c48eae1f4bf8ee38f7b230a0ee2f034e95da4f39f7166

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
93KB

MD5
162846c0416a7e48db4cefb6d600534b

SHA1
7208299908367f160c172cdf2f32f24dc17a9e30

SHA256
249f14f911465199256c3f54276bbf599cfd62d14b8a06f1beceea56e923e435

SHA512
d11185ed03762005ab304718d01f97b0e911fb8cdb17099d7d6aa4b333ae3d52979d99413a78d4d0e1e177b5636fbaf9023d20e7ef0cdccf4bc0d50438bf861a

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
7cd0089d45fa7a3a11c5a2ca2757de67

SHA1
78fcdc65e050e08f4f7de1e66532ce98c655628c

SHA256
f9271be65eaef184ca5682641dbd2756a15beac22c692f0b30bcf62987ee772a

SHA512
0b21b0809ddf70d4cf8fec0512f353b17f6a0282a5a550d6cee2ec61b423b7c108b61e2184d4914bf8dbe5b80759615cee378cf90c43ff3bff013e1e4ad4218a

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
abf823c6f85d605bd246cc9d9b580e17

SHA1
4c5d2a800399519534dda302ae99ae7f3360d43a

SHA256
8b19ee2bde3ec0beecb7723e679920e32ed4830d61bfa4a0605110621a391695

SHA512
61f67bb9ac98a3e5aa0b47b8cf513dea2b4c0ea5127e2d78a3dff05344cae687095970b27972d2da4081556215e727fdc38ac225cdd09145733bbe79fff1627c

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
93KB

MD5
1478e2aba604072a247d26d15073453d

SHA1
a508d86dbbd698f5ed34bf1aa66db6751ff1e39d

SHA256
5ab726f42487835bbee0290fe68aa26662faefa063a05d9aae74efd71a26d500

SHA512
056730616ea1c4c49bee523168dfaf280a3723e847eb6f539b3357c3a481743570bc30a4ab67e3c718180a6c9af4844eecb98c1f2f062e30af02a6e7111e99aa

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
93KB

MD5
c6c28464f1e14bf6e08f428e6396ef86

SHA1
f5141e9ed94f3562a60bd1cfb70ab5c0a9d38fa6

SHA256
fb2c71ca546b7bea86a49fa35f7a0837ca8d443e6bd95674b6f133ae806d3430

SHA512
a616d87e7e56048b3387498bcfee6d9fce066d009767c9c3e86e2b98583b513c2b53c8dda8d452a3d58f5a2ec13f94b2be3c1155abf9f4aad3c09c7bfda68156

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
c2f107a81946fd2030fcc9a494f972ec

SHA1
f8a90572f512167a61acde67b10711ac419b0cd6

SHA256
1d6e51d691673ad797e4c431ee102e52a564984f66f33a79bcf9ba672297cbf2

SHA512
091db17bef843022b2bd6bb40f3dd043d5f9c1f62d23df37e2fdb774533bfaa42672403585b22a3da30231df5e1d10434fcb1a266a35575230a75d41e68f57e9

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
93KB

MD5
99ab9f37ba70a878fc4a3c96cce41261

SHA1
aa7b353fe0b91bca47c63e4d3241035bb9af81c1

SHA256
1c5b67e7f1616476bec0d701ddb23fed5ba4ded138523de338c7d56e9f4796e7

SHA512
ee12382528e0789a8adbe2cd2912c8c086cda53ba881d9c8bdf559c1edf9e31aca4cb05ce286945a8b5eda1431f0ecdcaefe387dcaba2664f13b2b88b889a172

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
93KB

MD5
72d90cc2b8aacb2f7df5e2fe9b88415b

SHA1
e6f7ff2020fabb6609593842febd6219bba6bf5e

SHA256
a8eefc96cadb4909bfd29fd2357fce266ee0ff56819a1b85402e8566e9816fd0

SHA512
adb3546017d96646bdc577694a6636c8109c09edc5b10ef0a12d1bccd9cf17734c80819f6937eb578a8d253f9fa540a6d7531e489e7e04db90318ade9469a7ed

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
65ec457e95f96a527cbfd1e1766acc91

SHA1
54ed3b711bd9ac4b5f0c019a6619a6faf4beb291

SHA256
24bd62fb7165f3ac319ae87a9dc2e1267711a74123991a15c305df12cda9e24c

SHA512
38a42922ee87b65a2634eec6e6aa4a6b4b47e1c144da0c74b6109ab694b8200871cee3599b4cef978e61910c7054458cd7ff08011530f8135e7819e32d4572ef

Download Submit
\Windows\SysWOW64\Bjbndpmd.exe

Filesize
93KB

MD5
def9de3f40e73c41e482e37846314a8b

SHA1
8420aeab23ac3a027fbd549e0c8394bbfe273914

SHA256
005c853a096ffb410f81884909b55498727ce2230570057bdd0c8554c7220756

SHA512
3e1e90fe4ca2f062ea0f26070acb2eb20c2656656341eaa4899e5f758ef6f109e75d0e1a619f4ec1c348bc10d63ec7382ebbd91ee5290f25f125ff623358039a

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
93KB

MD5
15fe7f42a5f67650baa3732a1f6a9e78

SHA1
1d2f18fb051c002b92b463fe322a1c924631fba2

SHA256
f2a367dc810c30576107ebeabf37cbc0d91ebac8d1ed359ca0970590ca366b01

SHA512
8d9d1c929923d17d531699c49c7882ffaf4fcb4376849ba819c71b4488efa3f209d343fe6479f0fddf1b1353504c87f62c3f079b08ebef0eb20e32aa221c4461

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
07a664486497b24ae6eb0425917daba0

SHA1
7fdddc5ae6007ac8a46b19e33479509322a3d6d5

SHA256
8e0fe641d0a90d2a34d7a136df7cef9afafea83c28f5e4de87bf915d91db9aef

SHA512
d7148ed2e5f16e82da28c35d6435f8e33d317257174c5ecdc5da2ef96531bb0867b7022e1922049c4a432ac1be979a1e39e7124774defbb60b7ea3ab7c0fa0ef

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
93KB

MD5
baaa672c68ee2b5f9fada83fbb65d2e7

SHA1
07debd60c1c6a5290f926662a0d46ee7865e253b

SHA256
3ceb9b1bcf598c1bdb76d9a5a929815a619dcc5297135f3dfed3ac509fe47f34

SHA512
4e99d56cc2834944422bd8a08c1a658b4133b079bb4c40d6b0a03ce976388b515736a274f3a02194186ce107000d3b4c6613f49e217343106f19fb7ece283eaf

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
7e6f3438e81704be796cab71ea532008

SHA1
674f9674a4b6124defc2c01955e17b81109965fd

SHA256
bcc6147103172f040e1ec603d478bf0116328e321878d55567290225fe629290

SHA512
c14a706c59f50f7911b0143dd9e582cc01aab06dc6f2d81c3e8d72172d2b42bff75afe30ca61507ca3e234feb883998c44f6cd129acf27165becc0fe5282da7f

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
d213c1268d4f3cda2dd506dc7675a276

SHA1
607afdbd6f48d1b3a0a01737c4a60fd3253f0e01

SHA256
b720863d9fbb928e2cbed5dd43215d8905f5e848ed548e08af4e1bfd7cfce1ee

SHA512
ef83334343b7fcf82144087b65f9a3e23383f298a1a0893c48bf3dceb48b16c01d5b533bdc6181cd1c3453d174988bff5e6c12819f71951a90cd35500ca09e84

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
dc52f321737856d5c9ddb8153d735555

SHA1
5b2ebf2303c82aeda98aa06730ca88ffd01664f5

SHA256
88ab53c2f6fd1f08dc363c90618cfffe385e0a34f8a8eb3fd0c297f6f9a6ad87

SHA512
4972a809ea489e4079db3df18f8359dc712e555ddff52dd38cf6f1e99ea42bfce81def9e1dc7fd24bfbe63425684b73aecddd1376104787bd2b89114a8b2ba28

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
93KB

MD5
5b7acb0abdb9912438c82f5a6e7011d2

SHA1
5058898d1f556debb353fb7f2311a73bb7a6e228

SHA256
1419713f05cd0621fc32126645c524b2202fb7cbf3d55319dd49c0a54d4b722f

SHA512
ec1fe6203e7186a97a9a16aeb11c9bda5dbaf5f041e4268416088fa86867872d5215d09dc1e7cf10b1110d71920545d727d3108523714ed68f4cc841771f65f3

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
93KB

MD5
b47baadef4a1d23319d5180bbc8459a8

SHA1
02937eeb3fc3c0dbceeb52931127da251fab1ba6

SHA256
4dfca788b90bf9731b47a0de88bdfb1bf42912e3d4891aaf040eef6d82065bec

SHA512
84f707bb1161477103cdf0d0eff01a252acce6da9d61d2ea2978b77d1cebd710a59500b9d58e32570de8b0b7e5eabd65d463bc02e4581abdafa3eabbced6e185

Download Submit
memory/316-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-241-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1356-232-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1356-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-116-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1460-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-169-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1528-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-143-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1564-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-94-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1716-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-222-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1716-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2176-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-259-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2204-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-14-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2348-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2348-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-80-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2708-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-66-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2940-65-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2940-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads