berbew | 2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Size

84KB
MD5

72bfe3fd1a28c7f9287109025fa1f9f0
SHA1

8ea7a0382cce4574227b05f82a13c91e32e774b7
SHA256

2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9
SHA512

66137807fb509e47a1e3ae912be2380a5ac861cd896096c40cff9c9ad2bae3696daee3595a88591feed8153e236c6f6c134c523221a6ec53b79d6648386d6531
SSDEEP

1536:a1NR1MbusUdeW07wVos7OkXxusXSREXHfVPfMVwNKT1iqWUPGc4T7VLt:aL1IkOkgsCREXdXNKT1ntPG9px

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddkbqfcp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgplq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Claake32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckndmaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dijgnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcackdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjhdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgplq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Claake32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcackdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjhdi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciebdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpabqoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhekfeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijgnm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2348	Aqanke32.exe
2964	Aofklbnj.exe
2328	Aioodg32.exe
2776	Agdlfd32.exe
2628	Aalaoipc.exe
2816	Bejiehfi.exe
976	Bnbnnm32.exe
1624	Bcoffd32.exe
2508	Bcackdio.exe
3044	Bmjhdi32.exe
1808	Bbgplq32.exe
1968	Bbimbpld.exe
2092	Claake32.exe
2084	Ciebdj32.exe
1956	Cjikaa32.exe
2012	Ckndmaad.exe
1308	Dkpabqoa.exe
2636	Ddhekfeb.exe
932	Ddkbqfcp.exe
908	Dmcgik32.exe
1620	Dijgnm32.exe
2644	Eceimadb.exe

Loads dropped DLL 48 IoCs

pid	Process
2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
2348	Aqanke32.exe
2348	Aqanke32.exe
2964	Aofklbnj.exe
2964	Aofklbnj.exe
2328	Aioodg32.exe
2328	Aioodg32.exe
2776	Agdlfd32.exe
2776	Agdlfd32.exe
2628	Aalaoipc.exe
2628	Aalaoipc.exe
2816	Bejiehfi.exe
2816	Bejiehfi.exe
976	Bnbnnm32.exe
976	Bnbnnm32.exe
1624	Bcoffd32.exe
1624	Bcoffd32.exe
2508	Bcackdio.exe
2508	Bcackdio.exe
3044	Bmjhdi32.exe
3044	Bmjhdi32.exe
1808	Bbgplq32.exe
1808	Bbgplq32.exe
1968	Bbimbpld.exe
1968	Bbimbpld.exe
2092	Claake32.exe
2092	Claake32.exe
2084	Ciebdj32.exe
2084	Ciebdj32.exe
1956	Cjikaa32.exe
1956	Cjikaa32.exe
2012	Ckndmaad.exe
2012	Ckndmaad.exe
1308	Dkpabqoa.exe
1308	Dkpabqoa.exe
2636	Ddhekfeb.exe
2636	Ddhekfeb.exe
932	Ddkbqfcp.exe
932	Ddkbqfcp.exe
908	Dmcgik32.exe
908	Dmcgik32.exe
1620	Dijgnm32.exe
1620	Dijgnm32.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjikaa32.exe	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Pfaokb32.dll	Ddhekfeb.exe
File created	C:\Windows\SysWOW64\Danmddgh.dll	Bbimbpld.exe
File opened for modification	C:\Windows\SysWOW64\Ciebdj32.exe	Claake32.exe
File created	C:\Windows\SysWOW64\Kbqgpc32.dll	Ckndmaad.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
File created	C:\Windows\SysWOW64\Kagbmg32.dll	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Bcackdio.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Bmjhdi32.exe	Bcackdio.exe
File opened for modification	C:\Windows\SysWOW64\Claake32.exe	Bbimbpld.exe
File opened for modification	C:\Windows\SysWOW64\Bejiehfi.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Bcoffd32.exe	Bnbnnm32.exe
File opened for modification	C:\Windows\SysWOW64\Aalaoipc.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Bejiehfi.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Olfclj32.dll	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Hbbhogeg.dll	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Ciebdj32.exe	Claake32.exe
File created	C:\Windows\SysWOW64\Eijhgopb.dll	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
File opened for modification	C:\Windows\SysWOW64\Aofklbnj.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpabqoa.exe	Ckndmaad.exe
File created	C:\Windows\SysWOW64\Ddhekfeb.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Modipl32.dll	Ddkbqfcp.exe
File opened for modification	C:\Windows\SysWOW64\Dijgnm32.exe	Dmcgik32.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Aofklbnj.exe
File created	C:\Windows\SysWOW64\Bbimbpld.exe	Bbgplq32.exe
File created	C:\Windows\SysWOW64\Adfoppcf.dll	Bbgplq32.exe
File opened for modification	C:\Windows\SysWOW64\Ckndmaad.exe	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ddhekfeb.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Eddmalde.dll	Dmcgik32.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Nadann32.dll	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Ckndmaad.exe	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Dkpabqoa.exe	Ckndmaad.exe
File created	C:\Windows\SysWOW64\Agdlfd32.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Fdakhmhh.dll	Claake32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcgik32.exe	Ddkbqfcp.exe
File opened for modification	C:\Windows\SysWOW64\Cjikaa32.exe	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Dmcgik32.exe	Ddkbqfcp.exe
File created	C:\Windows\SysWOW64\Lgcpif32.dll	Bcackdio.exe
File created	C:\Windows\SysWOW64\Bbgplq32.exe	Bmjhdi32.exe
File created	C:\Windows\SysWOW64\Dijgnm32.exe	Dmcgik32.exe
File created	C:\Windows\SysWOW64\Jichkb32.dll	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoffd32.exe	Bnbnnm32.exe
File opened for modification	C:\Windows\SysWOW64\Eceimadb.exe	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Lnofaf32.dll	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Pddehh32.dll	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Olaphh32.dll	Bmjhdi32.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Bmjhdi32.exe	Bcackdio.exe
File created	C:\Windows\SysWOW64\Jahonm32.dll	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgplq32.exe	Bmjhdi32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
File created	C:\Windows\SysWOW64\Aofklbnj.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Bcackdio.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Hjfmdp32.dll	Dkpabqoa.exe
File opened for modification	C:\Windows\SysWOW64\Ddkbqfcp.exe	Ddhekfeb.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Aalaoipc.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Bnbnnm32.exe	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Claake32.exe	Bbimbpld.exe
File created	C:\Windows\SysWOW64\Ddkbqfcp.exe	Ddhekfeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	2644	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejiehfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciebdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalaoipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjhdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbimbpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjikaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckndmaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoffd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcackdio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Claake32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijgnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aofklbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgplq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpabqoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhekfeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkbqfcp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgplq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijgnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcackdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Claake32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckndmaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfmdp32.dll"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dijgnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfclj32.dll"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmjhdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danmddgh.dll"	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modipl32.dll"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcackdio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Claake32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhogeg.dll"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgcpif32.dll"	Bcackdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhekfeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagbmg32.dll"	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgplq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfoppcf.dll"	Bbgplq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddkbqfcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaphh32.dll"	Bmjhdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqgpc32.dll"	Ckndmaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakhmhh.dll"	Claake32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfaokb32.dll"	Ddhekfeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddehh32.dll"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbimbpld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2348	2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe	30
PID 2820 wrote to memory of 2348	2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe	30
PID 2820 wrote to memory of 2348	2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe	30
PID 2820 wrote to memory of 2348	2820	2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe	30
PID 2348 wrote to memory of 2964	2348	Aqanke32.exe	31
PID 2348 wrote to memory of 2964	2348	Aqanke32.exe	31
PID 2348 wrote to memory of 2964	2348	Aqanke32.exe	31
PID 2348 wrote to memory of 2964	2348	Aqanke32.exe	31
PID 2964 wrote to memory of 2328	2964	Aofklbnj.exe	32
PID 2964 wrote to memory of 2328	2964	Aofklbnj.exe	32
PID 2964 wrote to memory of 2328	2964	Aofklbnj.exe	32
PID 2964 wrote to memory of 2328	2964	Aofklbnj.exe	32
PID 2328 wrote to memory of 2776	2328	Aioodg32.exe	33
PID 2328 wrote to memory of 2776	2328	Aioodg32.exe	33
PID 2328 wrote to memory of 2776	2328	Aioodg32.exe	33
PID 2328 wrote to memory of 2776	2328	Aioodg32.exe	33
PID 2776 wrote to memory of 2628	2776	Agdlfd32.exe	34
PID 2776 wrote to memory of 2628	2776	Agdlfd32.exe	34
PID 2776 wrote to memory of 2628	2776	Agdlfd32.exe	34
PID 2776 wrote to memory of 2628	2776	Agdlfd32.exe	34
PID 2628 wrote to memory of 2816	2628	Aalaoipc.exe	35
PID 2628 wrote to memory of 2816	2628	Aalaoipc.exe	35
PID 2628 wrote to memory of 2816	2628	Aalaoipc.exe	35
PID 2628 wrote to memory of 2816	2628	Aalaoipc.exe	35
PID 2816 wrote to memory of 976	2816	Bejiehfi.exe	36
PID 2816 wrote to memory of 976	2816	Bejiehfi.exe	36
PID 2816 wrote to memory of 976	2816	Bejiehfi.exe	36
PID 2816 wrote to memory of 976	2816	Bejiehfi.exe	36
PID 976 wrote to memory of 1624	976	Bnbnnm32.exe	37
PID 976 wrote to memory of 1624	976	Bnbnnm32.exe	37
PID 976 wrote to memory of 1624	976	Bnbnnm32.exe	37
PID 976 wrote to memory of 1624	976	Bnbnnm32.exe	37
PID 1624 wrote to memory of 2508	1624	Bcoffd32.exe	38
PID 1624 wrote to memory of 2508	1624	Bcoffd32.exe	38
PID 1624 wrote to memory of 2508	1624	Bcoffd32.exe	38
PID 1624 wrote to memory of 2508	1624	Bcoffd32.exe	38
PID 2508 wrote to memory of 3044	2508	Bcackdio.exe	39
PID 2508 wrote to memory of 3044	2508	Bcackdio.exe	39
PID 2508 wrote to memory of 3044	2508	Bcackdio.exe	39
PID 2508 wrote to memory of 3044	2508	Bcackdio.exe	39
PID 3044 wrote to memory of 1808	3044	Bmjhdi32.exe	40
PID 3044 wrote to memory of 1808	3044	Bmjhdi32.exe	40
PID 3044 wrote to memory of 1808	3044	Bmjhdi32.exe	40
PID 3044 wrote to memory of 1808	3044	Bmjhdi32.exe	40
PID 1808 wrote to memory of 1968	1808	Bbgplq32.exe	41
PID 1808 wrote to memory of 1968	1808	Bbgplq32.exe	41
PID 1808 wrote to memory of 1968	1808	Bbgplq32.exe	41
PID 1808 wrote to memory of 1968	1808	Bbgplq32.exe	41
PID 1968 wrote to memory of 2092	1968	Bbimbpld.exe	42
PID 1968 wrote to memory of 2092	1968	Bbimbpld.exe	42
PID 1968 wrote to memory of 2092	1968	Bbimbpld.exe	42
PID 1968 wrote to memory of 2092	1968	Bbimbpld.exe	42
PID 2092 wrote to memory of 2084	2092	Claake32.exe	43
PID 2092 wrote to memory of 2084	2092	Claake32.exe	43
PID 2092 wrote to memory of 2084	2092	Claake32.exe	43
PID 2092 wrote to memory of 2084	2092	Claake32.exe	43
PID 2084 wrote to memory of 1956	2084	Ciebdj32.exe	44
PID 2084 wrote to memory of 1956	2084	Ciebdj32.exe	44
PID 2084 wrote to memory of 1956	2084	Ciebdj32.exe	44
PID 2084 wrote to memory of 1956	2084	Ciebdj32.exe	44
PID 1956 wrote to memory of 2012	1956	Cjikaa32.exe	45
PID 1956 wrote to memory of 2012	1956	Cjikaa32.exe	45
PID 1956 wrote to memory of 2012	1956	Cjikaa32.exe	45
PID 1956 wrote to memory of 2012	1956	Cjikaa32.exe	45

C:\Users\Admin\AppData\Local\Temp\2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe
"C:\Users\Admin\AppData\Local\Temp\2ccee7ee3f6f7ac9a995939674d70053f55f9bc8b59d9bbf0c695bd899388ff9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\Aqanke32.exe
  C:\Windows\system32\Aqanke32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Aofklbnj.exe
    C:\Windows\system32\Aofklbnj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Aioodg32.exe
      C:\Windows\system32\Aioodg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\Agdlfd32.exe
        
        C:\Windows\system32\Agdlfd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Aalaoipc.exe
        
        C:\Windows\system32\Aalaoipc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Bejiehfi.exe
        
        C:\Windows\system32\Bejiehfi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Bnbnnm32.exe
        
        C:\Windows\system32\Bnbnnm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Bcoffd32.exe
        
        C:\Windows\system32\Bcoffd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bcackdio.exe
        
        C:\Windows\system32\Bcackdio.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bmjhdi32.exe
        
        C:\Windows\system32\Bmjhdi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Bbgplq32.exe
        
        C:\Windows\system32\Bbgplq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Bbimbpld.exe
        
        C:\Windows\system32\Bbimbpld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Claake32.exe
        
        C:\Windows\system32\Claake32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ciebdj32.exe
        
        C:\Windows\system32\Ciebdj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Cjikaa32.exe
        
        C:\Windows\system32\Cjikaa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ckndmaad.exe
        
        C:\Windows\system32\Ckndmaad.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dkpabqoa.exe
        
        C:\Windows\system32\Dkpabqoa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Ddhekfeb.exe
        
        C:\Windows\system32\Ddhekfeb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ddkbqfcp.exe
        
        C:\Windows\system32\Ddkbqfcp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Dmcgik32.exe
        
        C:\Windows\system32\Dmcgik32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Dijgnm32.exe
        
        C:\Windows\system32\Dijgnm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddhekfeb.exe

Filesize
84KB

MD5
328ee7dfe29e7a1c3bbfd4fb63897371

SHA1
5854f9cfd465e3f9d84401f9cd12a971da2e0c1b

SHA256
9e426f7b4f3f7cc0a895fac33d9f4d512f589045caa5dbe1b1e7c440fe50703c

SHA512
23d1fed70f4982df4cbe481aa466cb415f4420d957f00117458097d2739db0623a672c4b9dcfb8fd30a40bc79a279581e63aee023be7062f099bdc9a28803820

Download Submit
C:\Windows\SysWOW64\Ddkbqfcp.exe

Filesize
84KB

MD5
b839f5ee8723d5b86ac64fcaa1aeb102

SHA1
2a14e7af3da8a6d81f7d98979245203294c36754

SHA256
1c105663016d888ebfa753b240a178825a3bf0ef16ec88a71a5528c0281a88ac

SHA512
9e9b7327e070412d177e6a1e73cfc2b5f6f5dcd8b06de24c8d4b39b25c3189a84eef67fd6bd68038b4de42928fba0ef34c33902d0b093c18511a3aa1a7309fc6

Download Submit
C:\Windows\SysWOW64\Dijgnm32.exe

Filesize
84KB

MD5
ffc424a42f2b1d36a59f09c3cb320db6

SHA1
86d355923c03f6b8ecec08e9f17dffee857dae9b

SHA256
2cb2c32d31cbdb178357f8f481e8ba98ca050934aeaf430fe01a4ad17a81a240

SHA512
3b120bfb258263cae231da2c52ea180ace33bad1095d565dc2169b555b564d3b5f7eef11f2d903c48e5bca804164f4900e7dc6030bfd7de93fefde8fe71e14c4

Download Submit
C:\Windows\SysWOW64\Dkpabqoa.exe

Filesize
84KB

MD5
501330526d7db8e32c82f1fb2363d464

SHA1
99754e66a6e686285eab128a5058197f3bd5acd3

SHA256
e2fdb6241d3f05a445017a957cb2ef07a5bdbf2c21e2b0002afd8df07bab39ba

SHA512
2b06ad0139c918fca1d8fcc83f9921cae81c88106aa8ad386c104cc464d3ca5b149850cc231e7585192bdd0265b125219f5d3d299b5e10acce3985c44a1c0f6a

Download Submit
C:\Windows\SysWOW64\Dmcgik32.exe

Filesize
84KB

MD5
65e5c1b651c5be1eef794ce43ec633a9

SHA1
3360e06e1e2644a0bb92129fff52c9a40764c8bb

SHA256
e5cb9d9b4341b90921a7198fb5b6b8e4c1bb97aed11ff523aedc3ee46bf9dba1

SHA512
8f77af3b9d519037d78b0f2ef0151fe80b6ee2739dcbe20735939f3c5ba47972dc48deffcc7535845fb4ba2be54592f72ca50bb3a218c76664042feb8aad652e

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
84KB

MD5
42658de48c3a3d7402885fcf9f0a0eac

SHA1
05ca8c69851b1d2a19db5ee340b71ade8e675707

SHA256
d7b656645e442261e9625a6113060efdbd9c47aafede660e17b61f6435b54a0c

SHA512
abbe51223bfff88117cfd2be12cbadf47e88b0ef2797e05635acd6949ebcf7649776e1deb34b528412dfac19650b60477d9fb0787e7b916d0fa44ea62d188af4

Download Submit
\Windows\SysWOW64\Aalaoipc.exe

Filesize
84KB

MD5
ad4e8236901651b414e1776d5d55cba6

SHA1
b92492108b57af00cefbbdb30153c07e6d0b96b4

SHA256
2815de31f2deb0ca44adc1a490a11a01814d924b34123b394a39c4f62d4cef1c

SHA512
c19c1a5cc60a07b477a2e6e5599e017316c792d6874286c7f65d43b55f0cc6595e36e7bd77af9f4e6f4e9d8aa42fca091e0bda97ad36c933e71b8079be0ec87f

Download Submit
\Windows\SysWOW64\Agdlfd32.exe

Filesize
84KB

MD5
c755b2ec0176f192174cab13a09444a5

SHA1
6a5110f9cef14002ff68eaf09efbb5297e83aa7d

SHA256
0f9f53d6089679637bc32311cb458b11d894748bdd9034fb4bf2536826215b00

SHA512
c1710d9ba54ce94a4e1ef3de8cbfac302c1420e1f39b38056b9af0ab9bfec68e814fc2f7727acb1a101cd03a2ae4c25d6754a54644140c2810589c118b2b6c59

Download Submit
\Windows\SysWOW64\Aioodg32.exe

Filesize
84KB

MD5
e6f6330eb5286a3ba8fe870aa36a77bb

SHA1
6897a6301c196b0d32ea9dbda8468ecca1eb31eb

SHA256
cc46f1db97592e39c791b02419c76375744fd6d425b3a8c1e44ce2c24ce4a267

SHA512
41d8012be574501a90034ecc710a0681a7ee636579d00c16abdbe2c70e20f79143ebe0dcf766de3dbf415c4b1b9135485204b2e3f8d81693f36d1328d0780c21

Download Submit
\Windows\SysWOW64\Aofklbnj.exe

Filesize
84KB

MD5
45f95317fe7b5d65c8d7639ceb733625

SHA1
5b624137701641b03531be49d6147021635f54fe

SHA256
f8fc9e91c86bd9f5d76f66db3eabfec160bcc7ed31287f433f62db0045c9ac45

SHA512
f6c7b22d842a10a22061926a4f6150fae6c64e3f8d90f893efcf7ac3b8da526a44a200d2cc201b5d9e90035cd892b713fb572f1b25b34b95a324e95c831388b5

Download Submit
\Windows\SysWOW64\Aqanke32.exe

Filesize
84KB

MD5
eb7d035f2c454dea55c51659ce9bde36

SHA1
a340916417af454e1781a850419377f10d53099d

SHA256
b3226afa940b8b12f81ea16ae52f72b0f161219d046a06a4e111562f34a07e49

SHA512
2ad2530792edd00bf8c9bb338094470e7a0a0fd2ab5fae2c2f889d0ade0ae09ae7dd0e13ecd7a5c307b0f9233239e3c80a3b50ea6aa212b7ff94a8b371e7d714

Download Submit
\Windows\SysWOW64\Bbgplq32.exe

Filesize
84KB

MD5
da96fd6073e22f323af8e3f49a9bc025

SHA1
dce2c4952a3395e2eacd60ef1413a88bb63e064c

SHA256
97e716097f8a71f53824c4a77b585c4d70f4e290f7af8675aa8967627e53ae41

SHA512
e4e782c6110e98a3fcdcd951414ee13108a919a798d5d840ee433e15e3248f52e057a76aa3378ed0eeec017e15b2e2aaf70803e24b4c9728cf76dcd1dba22b10

Download Submit
\Windows\SysWOW64\Bbimbpld.exe

Filesize
84KB

MD5
022a93f7b225d9526e2fc4ed9d2ae81c

SHA1
3c0e2ab74cf858429a7eb781e1bbe7a7304df0c1

SHA256
576f9aedf151f29d38d740fdc31b89d38c23a57e0f226f987ade6c01c27e0f72

SHA512
02da15b063d7a8d961d8c7fd385856ba17652fe9758d323e3b553846dd4615b8d9e44955fb874cae2c2157a9ef346ffcd073d9365febd505d72288cc9ba1bb62

Download Submit
\Windows\SysWOW64\Bcackdio.exe

Filesize
84KB

MD5
6dd7ed214473c9128e1397b7c2045993

SHA1
046b1cf2a465bfdbc8e5e38b49e1589c5272bdb4

SHA256
535e86e402f30f24e7d3fd426c8cf578d191150d717a3599b286c753368a5dfb

SHA512
02b79382ed96b5fb8f5ea047f1414c34ea07f99f4287ed7a92b9a479c4a495602dcf90897040a027fa1bf1c2e03076a4a66334151274f72d3f240a67a3fc6b11

Download Submit
\Windows\SysWOW64\Bcoffd32.exe

Filesize
84KB

MD5
b18e543c842b5c34b7e13c620566d52f

SHA1
aa122686507388b8d68519db744d8cedff5cabcc

SHA256
e7546156277060a22c009c9c186e156c2963f5a7768212168dc56948f300a3b8

SHA512
681c2ae7f3a4bd4cb20478c485bd5ad799cbe314cf9c772b0833f6069b30433b4027f2c497f105392b2889e6cb0c59330f29008faed8b40b219d3e9158794944

Download Submit
\Windows\SysWOW64\Bejiehfi.exe

Filesize
84KB

MD5
74349264d4572947f08598f5febddf5b

SHA1
f8916023d1c41f04e835bccc408ab192c4b84ed3

SHA256
efd90f77629ef5ed546ad721875d6aec9ad44c83999faac4cd50277b4244e844

SHA512
0d36cfb510568fc482f2bbcc10c6ab8004b928fba7bd05f189501f9d412c8dd895d6bc83915a5535332a5c78897953ca2e6e6a2e88e9c70e7b1a32b904594891

Download Submit
\Windows\SysWOW64\Bmjhdi32.exe

Filesize
84KB

MD5
ae9f6c32ff15b86ecff35333806114ec

SHA1
7c7a6d65836cfe2d4b97f7af752f7a3a4b2cf1c5

SHA256
4922fb0c4ea83be0c0cb93be17272214c519609d1327a9db2d6c49f61353ada5

SHA512
df7c6e9fbbf3e8b7d844740ac6d622ee50538e5fce8eafde5b09c9c25abf6a38b99bef0ac582e64cb3af7eacaf2d117f8fe94dea4da524314475a334c06b9107

Download Submit
\Windows\SysWOW64\Bnbnnm32.exe

Filesize
84KB

MD5
e28c6910ec0d9b47314f3bf913ac2cd6

SHA1
69a875c725f1ebc4cf601c3b922151aeb04d4c4a

SHA256
2da955037a895d27e27e1b5c00bed708edaa4796a30c2f247630693c35234cc5

SHA512
ef309cf6e8c48879e0469e3beb9a63ec470a7f4c96311e80b4b30f526292f6a4fc41460efb347b45b534a0699dd188d46797ffe26fa85133974de0b0e13b52e9

Download Submit
\Windows\SysWOW64\Ciebdj32.exe

Filesize
84KB

MD5
847c35159c6b248c3b944ca9426e12af

SHA1
334e6e7620bbcf817ce1d32602fe64477b8629c6

SHA256
0650de1b76ed5ae1f8d2a58ae60151c0df6bfd17f3621b613de632bb7ca87524

SHA512
d749db3649d5ea394f9dd0fcbf69872b4aed4bfccf3c33e12d4b21b2b2156e277f93dbb1e8ced373ece08114bdeec576a68e7fcd219c571a940bea5aef1ca611

Download Submit
\Windows\SysWOW64\Cjikaa32.exe

Filesize
84KB

MD5
d90d5ce155a95d6c34566c8275fd122b

SHA1
e014f9e36dc1381a06a0b441fa05b0483dc9237f

SHA256
6b41f890c33b7117029798f3191afa38b8ffe4e63fd321bec29c4fc9d800847a

SHA512
a766b957a0e7c28f8c31c7a136261d1dd0fb9e68c9179d2dc81068e683b47300c335ee5728316182241db45733f68648bda6d71c2e01e62aa6ad78735f307c18

Download Submit
\Windows\SysWOW64\Ckndmaad.exe

Filesize
84KB

MD5
fdfaccc0f9844c6e39bc7c8488ecb090

SHA1
900180679e6235fbd511b27e9599781b87fc09ab

SHA256
c7d020a84a8ea4c306758f32b16a4bcb3a2176a97b410563e4afef375592d465

SHA512
fcf39757ed28e474e30e8fa951302afa651610e6f3891f34b135af6e26ce7ae9c8e8068309a22701745890c0072e6b176fef8a63f6b80eea4904a671d2cfb78e

Download Submit
\Windows\SysWOW64\Claake32.exe

Filesize
84KB

MD5
b1063859fa082139f0fda44094eceb64

SHA1
865cb68fc1fe6c48abea2fb763c5cce642ad0fc1

SHA256
f4c4554d67572fcfbab22527dcb3484b3b15bd8376e23dbf3ae3944b36bbe93f

SHA512
28184326c4a11906064687178afaa2b7c353042e073fc9ca15aec4bbf6bd16be8492bfe4732b3363683faf8545ed4b4d0272565dfc56d2e318e9321dc2347fc3

Download Submit
memory/908-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-258-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/908-262-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/932-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-248-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/932-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-101-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1308-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-272-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/1620-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-158-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1808-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-196-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2084-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-187-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2092-180-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2092-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-48-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2328-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2508-131-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2508-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2508-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-241-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2636-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-62-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2816-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-11-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2820-12-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2820-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-35-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/3044-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads