berbew | 5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Size

163KB
MD5

6dc4cf75fdb9845de8294ee45d7da44a
SHA1

0b18e52b944e8a648d5564c534e35585bc685424
SHA256

5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd
SHA512

496e99b0e6792a4555816cad0c63a5df0736c77ead0d86b8e9ef44430217f625a0dac3a3a4cd53afb1f052b6afe8766204d1123ea4222f5001fa3f0f001ed9c2
SSDEEP

1536:PEpF8AMH1VxuG4aFWCRUWLGuX64Deg9zpxqOlProNVU4qNVUrk/9QbfBr+7GwKrj:UkROuX6BMxqOltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 25 IoCs

pid	Process
848	Bjfaeh32.exe
3068	Bapiabak.exe
2236	Cfmajipb.exe
224	Cndikf32.exe
2104	Chmndlge.exe
3340	Cmiflbel.exe
3912	Cdcoim32.exe
3700	Cnicfe32.exe
5072	Ceckcp32.exe
3704	Chagok32.exe
2904	Cmnpgb32.exe
4160	Ceehho32.exe
3968	Cdhhdlid.exe
1760	Calhnpgn.exe
4912	Dfiafg32.exe
3656	Danecp32.exe
3480	Ddmaok32.exe
540	Daqbip32.exe
4956	Dhkjej32.exe
1728	Dmgbnq32.exe
3044	Ddakjkqi.exe
4760	Dfpgffpm.exe
4084	Dmjocp32.exe
3052	Dhocqigp.exe
1200	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4708	1200	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 848	3336	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe	83
PID 3336 wrote to memory of 848	3336	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe	83
PID 3336 wrote to memory of 848	3336	5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe	83
PID 848 wrote to memory of 3068	848	Bjfaeh32.exe	84
PID 848 wrote to memory of 3068	848	Bjfaeh32.exe	84
PID 848 wrote to memory of 3068	848	Bjfaeh32.exe	84
PID 3068 wrote to memory of 2236	3068	Bapiabak.exe	85
PID 3068 wrote to memory of 2236	3068	Bapiabak.exe	85
PID 3068 wrote to memory of 2236	3068	Bapiabak.exe	85
PID 2236 wrote to memory of 224	2236	Cfmajipb.exe	86
PID 2236 wrote to memory of 224	2236	Cfmajipb.exe	86
PID 2236 wrote to memory of 224	2236	Cfmajipb.exe	86
PID 224 wrote to memory of 2104	224	Cndikf32.exe	87
PID 224 wrote to memory of 2104	224	Cndikf32.exe	87
PID 224 wrote to memory of 2104	224	Cndikf32.exe	87
PID 2104 wrote to memory of 3340	2104	Chmndlge.exe	88
PID 2104 wrote to memory of 3340	2104	Chmndlge.exe	88
PID 2104 wrote to memory of 3340	2104	Chmndlge.exe	88
PID 3340 wrote to memory of 3912	3340	Cmiflbel.exe	89
PID 3340 wrote to memory of 3912	3340	Cmiflbel.exe	89
PID 3340 wrote to memory of 3912	3340	Cmiflbel.exe	89
PID 3912 wrote to memory of 3700	3912	Cdcoim32.exe	90
PID 3912 wrote to memory of 3700	3912	Cdcoim32.exe	90
PID 3912 wrote to memory of 3700	3912	Cdcoim32.exe	90
PID 3700 wrote to memory of 5072	3700	Cnicfe32.exe	91
PID 3700 wrote to memory of 5072	3700	Cnicfe32.exe	91
PID 3700 wrote to memory of 5072	3700	Cnicfe32.exe	91
PID 5072 wrote to memory of 3704	5072	Ceckcp32.exe	92
PID 5072 wrote to memory of 3704	5072	Ceckcp32.exe	92
PID 5072 wrote to memory of 3704	5072	Ceckcp32.exe	92
PID 3704 wrote to memory of 2904	3704	Chagok32.exe	93
PID 3704 wrote to memory of 2904	3704	Chagok32.exe	93
PID 3704 wrote to memory of 2904	3704	Chagok32.exe	93
PID 2904 wrote to memory of 4160	2904	Cmnpgb32.exe	94
PID 2904 wrote to memory of 4160	2904	Cmnpgb32.exe	94
PID 2904 wrote to memory of 4160	2904	Cmnpgb32.exe	94
PID 4160 wrote to memory of 3968	4160	Ceehho32.exe	95
PID 4160 wrote to memory of 3968	4160	Ceehho32.exe	95
PID 4160 wrote to memory of 3968	4160	Ceehho32.exe	95
PID 3968 wrote to memory of 1760	3968	Cdhhdlid.exe	96
PID 3968 wrote to memory of 1760	3968	Cdhhdlid.exe	96
PID 3968 wrote to memory of 1760	3968	Cdhhdlid.exe	96
PID 1760 wrote to memory of 4912	1760	Calhnpgn.exe	97
PID 1760 wrote to memory of 4912	1760	Calhnpgn.exe	97
PID 1760 wrote to memory of 4912	1760	Calhnpgn.exe	97
PID 4912 wrote to memory of 3656	4912	Dfiafg32.exe	98
PID 4912 wrote to memory of 3656	4912	Dfiafg32.exe	98
PID 4912 wrote to memory of 3656	4912	Dfiafg32.exe	98
PID 3656 wrote to memory of 3480	3656	Danecp32.exe	99
PID 3656 wrote to memory of 3480	3656	Danecp32.exe	99
PID 3656 wrote to memory of 3480	3656	Danecp32.exe	99
PID 3480 wrote to memory of 540	3480	Ddmaok32.exe	100
PID 3480 wrote to memory of 540	3480	Ddmaok32.exe	100
PID 3480 wrote to memory of 540	3480	Ddmaok32.exe	100
PID 540 wrote to memory of 4956	540	Daqbip32.exe	101
PID 540 wrote to memory of 4956	540	Daqbip32.exe	101
PID 540 wrote to memory of 4956	540	Daqbip32.exe	101
PID 4956 wrote to memory of 1728	4956	Dhkjej32.exe	102
PID 4956 wrote to memory of 1728	4956	Dhkjej32.exe	102
PID 4956 wrote to memory of 1728	4956	Dhkjej32.exe	102
PID 1728 wrote to memory of 3044	1728	Dmgbnq32.exe	103
PID 1728 wrote to memory of 3044	1728	Dmgbnq32.exe	103
PID 1728 wrote to memory of 3044	1728	Dmgbnq32.exe	103
PID 3044 wrote to memory of 4760	3044	Ddakjkqi.exe	104

C:\Users\Admin\AppData\Local\Temp\5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe
"C:\Users\Admin\AppData\Local\Temp\5577a7b0948b5632b8fe08decacbb747db176635332ebb4394a9c918b45efbdd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Cfmajipb.exe
      C:\Windows\system32\Cfmajipb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 400
        27⤵
        Program crash
        
        PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1200 -ip 1200
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
163KB

MD5
60d1f4c949fb256345b28b856ec14839

SHA1
ee2683606dd963e28e9f5e00ee52be5a6d0336c9

SHA256
f57ab60bc7b7baffc99ca811c3c5c0602be7d425658dc77423a3c09842644d42

SHA512
7f764f4baf6a5127134f8a675219072d1e1e99b4840c48bf0590050fe82c3f1088f9d61134f7e69b5673829466c38b4eb230ad9f5b6b8cf47f88be7dce42b548

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
163KB

MD5
18453d91c3b7ad4134849b40edf61c6b

SHA1
bef8a281c72f45a081c6a3a8f29199f5a87d81b8

SHA256
0435422b136306a9f6c60deb04144e2f099e6106ab829a5f4e93f0361e4ddd9c

SHA512
0cb2c001f21204ae5c189b4707dcf0627b31dc0d370f8416ea01e5d46edb76ae5133024a1c07d7fe8859fa8300b706040b7fdda4efbf13a4c2091a180914cc1f

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
00ac16a7901e2c209e8167414642a8aa

SHA1
a47ab9d9df7e85893ded425abbc8e49393e5625d

SHA256
5f2d950b25ab30eb61a501084dd8c797152b97cc3734b571c136fbd11b1fae19

SHA512
c74b8072455fecf4fbc40c6dca37aa78530beeada5f18e3df136f287d97ee4ba2a137818d50321f09b408bb95cbace3a7e94808b429165d125369d219353b874

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
da642014cc11a1275076f5e49a598a1d

SHA1
359f26f348fe9629f278ba57e2147f15162359a2

SHA256
811472f6c0c95fdceba6abd5dc2d2d8ddbee266bea591872c852dd7495a2f37a

SHA512
43c33f8394abeaed4ce7050aeafa8f8257d23150df30a317af83b9c314e7767d6ac70756a3d65cb253c09de5aad54b4393de7a6f1c62f726b269ef1ffad2a5ec

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
423134f37860d9a2677dd3bf5300b73c

SHA1
707c877138d3b50622cfe83e226d91e9a11ff568

SHA256
e983967c09c4818576f21478472566242a6665325a0b46178f9d2ef9197f96b3

SHA512
1231f14170df839e6c93c88a0386093c8248d7d01669db602924a23fbc678218e03588c5985acfef8f02025956bb102a133d130fd4abf05e580a33457d055dfc

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
163KB

MD5
e6e208068c589e91f72d75eebe610087

SHA1
ac696db1a93426c1971cde16512212eab5abbc52

SHA256
7b710cccc853290325eedb3c91eb8a141d5913fb04efa6f4569b92d55779168e

SHA512
23a65a5f15dbbe05b326f14822b81a8d70fa64abf347e4c234b10619c5e4a7ffcb641a5de5e658d76202f09638e7e4f3caf7399ff35fbd7a2c552763de0afe5a

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
7d4f7cbde3e7ef1af999d675d4927a4e

SHA1
2cca3575ae6d06b95370124281ddc2c34a6de06f

SHA256
ef6aa32a636f8dda377dfd948d3c293e993cd6024e022e5ef20a42e1f16d5181

SHA512
173cb70046c2ef42c283f9efe8af9f5bcc1aa0ff9c2d0af4c104f3ac9537ec21db5ea5d3f389793600e8af84f50da82ea75c28b73e7f24d52821ec78b5622ccf

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
733e923ca4cbe79e952c8e847e652739

SHA1
e4595bd4fe6867ad897c820cd8aa24c8389e0e7a

SHA256
a879f4d4693e77cbf74b92263b603f3cca83fd38b7e76ab65a5480230717e7f1

SHA512
43422fd6cff9b564611b1cfa96d80fad00ddbfe90894a356d007ed151fa32b22f3fb7d2b39b504006454d02d54c7c32d54c99c20035a4add6cf374d4956573ca

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
d71537a0446ba8d687eeb082f728334d

SHA1
2405d1ca2aea64fd9ebd24c2417c6345f6587d65

SHA256
5907f261452f35c8ef3987fcff2c74d1762cd12d58a1bc06024df30fb1bdfc8b

SHA512
744dd290bfd6c4b61df468eb09ea9331006d97e3ad3278a4c1eba711fa4c9adb50c1825cd74793fce0b55d4545291854a6cff166fa7116abbe6a7905a1b004f8

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
163KB

MD5
7505acb49b22dd2c9e3fe2122b651c46

SHA1
54542eb24bb8106be8ec2f9d8bfe08ee8e6cb94f

SHA256
f9268da0579e13fe3ab2ebd35e3d8879f9d2e877882994e703d7f4f5235d995c

SHA512
b2b41d2c0f121bf1d87fc1d430f4966437fe5078a2a95b9290b68cafee929c444be307e6b788e9c741bfd6ae246457d9832b0490a78c2bbf0e77a31b23da1edd

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
163KB

MD5
6a88b565626dc29ed7f5f1c6f89e2e33

SHA1
61d2f58ff4ed44cd183f07fa83cc68c966074d78

SHA256
a7bcea6ca6f4bca671c90a6cf484679a66b12df0194768dffe2432fd958032a3

SHA512
c7f9b311598b0960f2a1f753101d31b6bec6125e31fd17f89dda20dafe8a81e0ac393ec2e3778cd314c8bc3447c5af8bded97802749abbc7043e657382e20137

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
163KB

MD5
16cf948755abd4ca3ee4b8b616b29b77

SHA1
f8c4eff753d63bf94d6de8c3faea74617c1e53f7

SHA256
f3115639fa776dc67ad4d976e4cdffdc238686d7e6b98fc0b71a270df7041a3b

SHA512
f95cb4662b9543a2b361e698651f5fe2fb6bd7829891d52ceb87ce6a1e202afc9715a546e6ded789c9360994acaab3e81bc43b0bd88601bff1669cdd552eaca0

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
163KB

MD5
8dd720a9a9e92a5a90b7447d35d784d1

SHA1
d46f96cb1a057482cb9d39351041264f2b627b93

SHA256
5ed93ade14345a46eaf75a6d0584e4f935c02497ecc03f89f2a78c2fd3c67552

SHA512
82d1577e3be0012009d39efa51aed7c1b206f995f727a4248ba6ba6b4807679ca547f442d2ee27c354011b24e6a20e3d9b4d0a09ffc69c1bbd1a2e214942f314

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
128KB

MD5
d19586e4fdf0b7315626bee2177632c1

SHA1
77af7bd625cf22a706ee3ae78e06ddf935ee1ea6

SHA256
0f96ba8f65da46656c7b90216acb9ea7327bc2570e805e4f42f31a58a336ec3b

SHA512
f758baf437e15383ab0c5279c27c29d0373fd55b9cfd81ebf65c495e665a62ddd3c36de06ba454873c8c3629d0a99cc9d6ab239512e048bc757d9ac4c9246f74

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
fc2061e8a7cec4b72fecbbdf4e6330cb

SHA1
c392cd89f6743e368760ff5c7f16f8ed335fe244

SHA256
5e1a3b575d7f81eec096ec0355c71c8d02579e5dfd5e92264f6b84dbe31919bb

SHA512
b5ed4a8eb9c2da0bf5c58346e21f5cdbe30c3ec0c9dbaba6983be85426bf3b6d86c08b6ec7b6e726254d0efa74ba4fe7f5edb3872b354ebf3781e253fd2149e8

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
163KB

MD5
a0ca562d3a08844ea6dde6e563812d1d

SHA1
e32d90bbc4d499ef17e453860b45a0a604f63f9f

SHA256
a98992e9f9f245942a1bd93486bba85e08eb6b9d5b8e09896b48587e684d7963

SHA512
5a1fc349a511becdf4febe67f125e614ae96d85f4136925dfac943858e4e2db5a7346977db265df85d2a8487bbfd5f0d9fa5726ebccbdd7022bc4df8701fde08

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
163KB

MD5
0b99707541856eca2200b832c241225d

SHA1
00e15361137a88e17fa401e38befcf12cbdcad89

SHA256
d5e71818242bd102c6e3f9e2e0340886924571da0e1563c0b37985676fc9adb8

SHA512
16fd90e8ea0bb290084d835ee01cbbe1f43d54beb4750454f32ecccf53e8b0b3309f77d6c25bede0b2f54fb95f103cab3e991efc99527166882b621021fbac17

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
163KB

MD5
97842011235192a905997b3657aea244

SHA1
3c1ec4d2f3009ba2ac5d8adf4380e9ef8320805e

SHA256
76d2b04d2adc25a5ba3d0378b731db917d9e79b43be0286b676ba5b30b3c4282

SHA512
c8cd18a9a1086904b9b6c486d1ffedaea60848569f0549d30daa324d391c26286f86ee8edcbc8c6d4cc532b24e203e284dfed5de83a8395e3a55b321f318c3c6

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
d6eb6e90534db0a72a51b68dad6c76f9

SHA1
72e39b0dcdc3c0820fd7f7b6fc22f8ceb3a969dd

SHA256
89389aee7e3327f7b5935d93f0c948a0a5694d1a22d9a7d9c602eadd336c23ae

SHA512
1379f3e71ef2bcd229ac04cc71a4ea5433a0998a200195658e9735c3e2e7a53e0aee7651f99081ad26a7b5b991da222e093903f237ac54d926be0f1e26dcae20

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
163KB

MD5
de72e3b00624dab1723fadae7f183c0d

SHA1
b651e1133fb0cb568b45527554fb17e5c35c9c95

SHA256
16db27ba24083b1d4126090a138ba5c2d64d23708b708a62c83c0958300fdb7a

SHA512
35492cc818cb0cc6a60a1c7de6eeaa320a0ea593bded20f7bc81d7df6125073ac475634b28035c17c5c14cb075b78a03ff9440f5cbb5e34ea33ca2069c47d8b7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
163KB

MD5
ae17dbd31ea8d1c189bccc3f3cfa94ed

SHA1
19a04bd5d19a5544a38c5db57c5631f825d58a94

SHA256
0e49da280f91f259334181137d854a57c795d9d87fc339742c7e6084f99c5576

SHA512
8ca03aca4112f06329ecb3da359d849ce245a5177ca93c27cc3c25e2037568bdfd42bb91f1458a38a10a8eb360e548ec18bc85b0eab9aa7e35cdf4e605624ef4

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
163KB

MD5
bf95afbdf16ddbf18bd36947247ce7ca

SHA1
0ec9cfce0977d7be397912e0e89a95ccfa5c268f

SHA256
25ece02b8a58c5034e7f421dfc907ff8e1d9f8892f900007ea6adca1309044ef

SHA512
5ec06be053f9a8b359eccd400c705528f6bc4c0361ee5e69e45f606ea598073eb01afca7a5b7bdc0dcd75d7d541a97b0eeadc8abb93df9ec0a36b247c86910f3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
163KB

MD5
3cf594d91fa555cbb73e9dd2a34caa94

SHA1
828a815f47a3ba7458e134a19ef6537476e94aaa

SHA256
a360db7bcc8d314e1277f1129d78077e7cbddd13d7096c4d03e7e2ff82a4b7e2

SHA512
7595f91eaae92bd210eb8f4823c190ef6dfc9801f169b86e9ae29900eb6fa31cc0dd9e3fbe5a6fd6207f51c6057a50b1e8fecb45eb92ea8095affce0c4a8d0aa

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
163KB

MD5
cf4967464aca1198cd5cead1ae79eadc

SHA1
b57204781cacdbaa5d2b1facce9ff2986bf1d4cc

SHA256
ed1388269ae49efa7668216135725faf4add282c584b4d804fca75f09c0760c4

SHA512
8b57a7b54574ae8c28a1ac481105e99c4bbb17dc3cc561ece8fe6220402898f4d68c57ef5d0628e5b4cf2a42d23a0ea1239a8b3d314c0d3905739ec418b9168d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
163KB

MD5
bd2f943eb59e4eb203972580fead2c26

SHA1
7ae59aa8629dfd5bcf32e1b34e66b1eb4df9aba3

SHA256
3019e5ed81e65f76522feec0c62fbeecb4446850ad45d723738e64c553aa9325

SHA512
66dec897836ce6f5ae7740a4fa3e8f1b320640f1295d58217f78bc8ba38b999b97cd744316512f114e7afc34c0da6782ccb0648979aeec5d3e1b10a17c8ae87a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
04c328efe0c2d1c0a8bff2c82bcb957f

SHA1
cd6ac540e1146f8b489f78c6dbf8286dd39cf1d2

SHA256
e676fc36e45f023c6977b9865e60fb1b93043a2be7a5b813551e1e65b0eddfbf

SHA512
7c2a89e58afc594ee19838f4125770990542dc5715bd5cf98fe3a1880144473591e604706d72deab4709cf77ac3b7505c867eeedb0db30ce88c3224d66fc52b0

Download Submit
memory/224-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/540-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/540-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/848-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/848-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1200-204-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1200-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1760-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1760-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-210-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3068-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3068-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3336-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3336-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3336-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3340-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3340-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3700-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3700-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3912-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3912-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4760-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4760-212-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4912-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4912-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads